CL
Uploaded byCole Libby
246 views

HIPAA and Security Management for Physician Practices

The document outlines a comprehensive security management framework for physician practices, emphasizing the importance of HIPAA compliance and the need for clear policies and procedures. It details various safeguards—administrative, physical, and technical—and stresses the role of documentation and auditing in maintaining security and regulatory adherence. Additionally, the implementation steps for security management include reviewing policies, assigning responsibilities, and conducting regular risk assessments.

Healthcare
Related topics:
Security Management

Embed presentation

Download to read offline
HIPAA &HIPAA &HIPAA &HIPAA & SecuritySecuritySecuritySecurity ManagementManagementManagementManagement How to get started with practical security management in a physician practice
Security Management FrameworkSecurity Management FrameworkSecurity Management FrameworkSecurity Management Framework • A map to organize security efforts to create: • A process of continual improvement • Shared understanding of everyone’s role • Ability to demonstrate the consistent use of appropriate controls to management and third parties Security Management Documentation Procedures Policies Laws and Regulations
Laws, Regulations and AccreditationsLaws, Regulations and AccreditationsLaws, Regulations and AccreditationsLaws, Regulations and Accreditations • Define the obligations and provide motivation for security. Determine the laws, regulations and accreditations that apply to your organization. • HIPAA1 • Original 1996 law has been amended twice to add security, breach reporting and stronger enforcement mechanisms. • State Breach Reporting Laws • California, New York, Massachusetts and others have laws covering unauthorized access to computer data compromises security, privacy or integrity of private information • Several other laws do not generally apply to physician’s practices. • Sarbannes-Oxley (Public companies) • Gramm-Leach-Bliely (Financial Firms) • PCI-DSS (Payment Card Industry) 1 www.hhs.gov/hipaahipaahipaahipaa/ 2 http://www.ag.ny.gov/internet/data-breach Security Management Documentation Procedures Policies Laws and Regulations A1
Slide 3 A1 Author, 9/1/2016
PoliciesPoliciesPoliciesPolicies • Define what the practice will do to address security requirements • Provide guidance to employees and staff. Ensure everyone has the same playbook. • Policies are often organized to correspond to HIPAA regulations structure • Administrative Safeguards – business practices followed to protect information such as employee training, audits and risk assessments • Physical Safeguards – locks, cameras, screen protectors, etc. • Technical Safeguards - passwords, virus protection, encryption, backups, etc. Security Management Documentation Procedures Policies Laws and Regulations
ProceduresProceduresProceduresProcedures • Detailed instructions for each policy requirement. • Procedures include: • Responsibility – The person or role that is responsible. • Methods – The techniques to be used. • Process – The steps to complete the procedure. • Timing - When and how often will the procedure be used. • Record Keeping – The content and format of information that is required to document that the procedure has been followed correctly. Security Management Documentation Procedures Policies Laws and Regulations
DocumentationDocumentationDocumentationDocumentation • Information to demonstrate that policies and procedures are followed. • The most important aspect of security management • Allows practice to demonstrate compliance to 3rd parties • Supports continual improvement • Provides confidence that the environment maintains the same level of security. • Examples are: • System logs • Completed Checklists • Inventories and Lists • Notes Security Management Documentation Procedures Policies Laws and Regulations
Security ManagementSecurity ManagementSecurity ManagementSecurity Management • Security Management provides oversight to: • Ensure that procedures and policies are being followed • Assess changes in policies and procedures regularly and after change. • Prioritize investments to mitigate the highest security risks. • Security Management activities include: • Audits – review of access logs to ensure patient records are not viewed outside the requirement of a job function • Risk Assessments – review of all locations of patient data to consider vulnerabilities and threats and the likelihood and impact of an security event. • Risk Management Plans – Remediation actions identified and planned in response to Risk Assessments. • Incident Management – Effective response and review to limit damage, recover from an event, address legal requirements and improve security. Security Management Documentation Procedures Policies Laws and Regulations
ExampleExampleExampleExample • Workforce Security Policy requires • CareNet Medical Group, PC will use a Minimum NecessaryMinimum NecessaryMinimum NecessaryMinimum Necessary PolicyPolicyPolicyPolicy … as the basis for the type and extent of authorized access to ePHI. • CareNet Medical Group, PC will implement procedures to ensure that only workforce members with a need to access ePHI are granted access to ePHI. • Procedures • Map staff roles to required permission/access in each system. • Document staff role assignment and set system permissions appropriately • Track changes in roles and update system permissions • Audit • Periodically review system permissions to ensure compliance with role assignment. Document findings.
Implementation TimelineImplementation TimelineImplementation TimelineImplementation Timeline Management and Oversight Policy Development Procedure/Documentation Development Implementation and Staff Training Execution
Required PoliciesRequired PoliciesRequired PoliciesRequired Policies PolicyPolicyPolicyPolicy SectionSectionSectionSection DescriptionDescriptionDescriptionDescription Security Management Administrative Prescribes actions to manage security risk Security Officer Administrative Names and defines duties of HIPAA security officer Workforce Security Administrative Prescribes steps to ensure staff are not security risks. Information Access Management Administrative Prescribes steps to ensure staff has access to only the information needed for their job. Security Awareness Administrative Prescribes security and education programs for staff
Required Policies (2 of 4)Required Policies (2 of 4)Required Policies (2 of 4)Required Policies (2 of 4) PolicyPolicyPolicyPolicy SectionSectionSectionSection DescriptionDescriptionDescriptionDescription Incident Response Administrative Prescribes how responses to security incidents will be managed Contingency Planning Administrative Prescribes actions required to ensure practice continues to operate in event of failure or disaster Evaluation Administrative Business Associates Administrative Prescribes how business associates are managed.
Required Policies (3 of 4)Required Policies (3 of 4)Required Policies (3 of 4)Required Policies (3 of 4) PolicyPolicyPolicyPolicy SectionSectionSectionSection DescriptionDescriptionDescriptionDescription Facility Access Physical Prescribes steps to protect against physical threats – fire, theft, etc. Workstation Use Physical Prescribes proper use of workstations Workstation Security Physical Prescribes methods to protect workstations Device and Media Physical Prescribes how devices and removeable media may used and how they are manaed
Required Policies (4 of 4)Required Policies (4 of 4)Required Policies (4 of 4)Required Policies (4 of 4) PolicyPolicyPolicyPolicy SectionSectionSectionSection Access Control Technical Technical methods to control access to electronic data Integrity Policy Technical Defines mechanism to ensure data is not altered or destroyed Audit Controls Technical Methods required to ensure systems can be auditted Authentication Technical Prescribes methods to manage authentication Transmission Technical Prescribes methods to protect data while it is being transmitted.
Implementing Security ManagementImplementing Security ManagementImplementing Security ManagementImplementing Security Management 1. Review, Revise and Approve Policies 2. Document procedures and record keeping artifacts to implement policies 3. Assign activities to responsible parties to execute 4. Management review of record keeping to ensure compliance with policies and procedures 5. Regular risk assessments leading to management approved risk management plans.
About CTAAbout CTAAbout CTAAbout CTA • Clinical Technology Advisors providers management and technology consulting services to healthcare providers covering: • Medical Technology Systems Integration including EMR, PM, Patient Portal and Imaging Systems • Compliance with HIPAA, MACRA, Meaningful Use, PQRS. • Technology Infrastructure including networking, systems, office applciations, cloud computing. • Contact CTA at: • Info@clinictec.com • 518-595-9246

More Related Content

PPTX
HIPAA omnibus rule update
byO'Connor Davies CPAs
 
PDF
Ch09 Information Security Best Practices
byphanleson
 
PDF
Ch06 Policy
byphanleson
 
PPTX
Hm300 week 7 part 2 of 2
byBHUOnlineDepartment
 
PPT
The Importance of Security within the Computer Environment
byAdetula Bunmi
 
PPTX
Compliance
byPriyank Hada
 
PPT
Security policy
byDhani Ahmad
 
PPT
It Audit Expectations High Detail
byecarrow
 
HIPAA omnibus rule update
byO'Connor Davies CPAs
 
Ch09 Information Security Best Practices
byphanleson
 
Ch06 Policy
byphanleson
 
Hm300 week 7 part 2 of 2
byBHUOnlineDepartment
 
The Importance of Security within the Computer Environment
byAdetula Bunmi
 
Compliance
byPriyank Hada
 
Security policy
byDhani Ahmad
 
It Audit Expectations High Detail
byecarrow
 

What's hot

PPT
Chapter008
byJeanie Delos Arcos
 
PPT
Chapter005
byJeanie Delos Arcos
 
PPT
Security audit
byRosaria Dee
 
PPT
HIPAA security risk assessments
byJose Ivan Delgado, Ph.D.
 
PPT
Ais Romney 2006 Slides 06 Control And Ais Part 1
bySharing Slides Training
 
PDF
It Security Audit Process
byRam Srivastava
 
PPTX
Meaningful Use and Security Risk Analysis
byEvan Francen
 
PPT
Lesson 2
byMLG College of Learning, Inc
 
PPTX
Security Audit View
byPLN9 Security Services Pvt. Ltd.
 
PPT
Lesson 1- Information Policy
byMLG College of Learning, Inc
 
PPTX
Auditing information System
byDr. Rosemarie Sibbaluca-Guirre
 
PPT
Network security policies
byUsman Mukhtar
 
PPTX
General and Application Control - Security and Control Issues in Informatio...
byDr. Rosemarie Sibbaluca-Guirre
 
PPTX
The Fundamentals of HIPAA Privacy & Security Risk Management
byKeySys Health
 
PDF
Hipaa Gap Assessment.Sanitized Report
bytbeckwith
 
PPT
5.4 it security audit (mauritius)
byCorporate Registers Forum
 
PPTX
Security
bya1aass
 
PPTX
Safety Management System SMS
byKhan Mohammad Shinwaray Lecturer at ADU , Kardan , Bakhtar University
 
PPTX
Security Architecture
byPriyank Hada
 
Chapter008
byJeanie Delos Arcos
 
Chapter005
byJeanie Delos Arcos
 
Security audit
byRosaria Dee
 
HIPAA security risk assessments
byJose Ivan Delgado, Ph.D.
 
Ais Romney 2006 Slides 06 Control And Ais Part 1
bySharing Slides Training
 
It Security Audit Process
byRam Srivastava
 
Meaningful Use and Security Risk Analysis
byEvan Francen
 
Lesson 2
byMLG College of Learning, Inc
 
Security Audit View
byPLN9 Security Services Pvt. Ltd.
 
Lesson 1- Information Policy
byMLG College of Learning, Inc
 
Auditing information System
byDr. Rosemarie Sibbaluca-Guirre
 
Network security policies
byUsman Mukhtar
 
General and Application Control - Security and Control Issues in Informatio...
byDr. Rosemarie Sibbaluca-Guirre
 
The Fundamentals of HIPAA Privacy & Security Risk Management
byKeySys Health
 
Hipaa Gap Assessment.Sanitized Report
bytbeckwith
 
5.4 it security audit (mauritius)
byCorporate Registers Forum
 
Security
bya1aass
 
Safety Management System SMS
byKhan Mohammad Shinwaray Lecturer at ADU , Kardan , Bakhtar University
 
Security Architecture
byPriyank Hada
 

Viewers also liked

PDF
Ideal 2012-programme-and-abstracts-book
byGissely Souza
 
PDF
Pearl academy pg general profficiency test 2009
byAcademy of Fashion & Design
 
PDF
SNHU | 2013 Faculty Professional Development Showcase
byAndy Lynch
 
PDF
whirlpool Shareholders and Other Information
byfinance13
 
PPTX
Puentes de Acero
bySerrano6
 
PDF
José luis rodríguez zapatero
bySpain View Travel Guide
 
PDF
Harvard referencing 2007
bybunny101
 
PDF
Directorio CAPATEC 2013-2014
byCAPATEC
 
PDF
Nombramientos. el nuevo lunes
byEAE Business School
 
PDF
White paper downtown baltimore office market
byRobert Manekin
 
PPTX
School as Sustainable Enterprise
byJeremy Williams
 
PDF
The Spanish Business Think Tank of reference
byCírculo de Empresarios
 
PDF
O papel da história na Economia: a afirmação da Economia Política como teoria...
byGrupo de Economia Política IE-UFRJ
 
PPTX
Data communication Part 11
byAlex Fernandez
 
PPTX
NELSON ROLIHLAHLA MANDELA
byVale-Feijoo
 
PDF
schering plough Company_overview
byfinance22
 
PDF
Johnson johnson-u.s.-exhibits-12-35
byBehn Wyetzner, Chartered
 
PDF
Cologuard (colorectal cancer test) physician labeling_fda
byoncoportal.net
 
DOCX
resume counseling
byJohn Kelly
 
DOC
Managing Engineering In A Time Of Change Rev 1
bykarnold3
 
Ideal 2012-programme-and-abstracts-book
byGissely Souza
 
Pearl academy pg general profficiency test 2009
byAcademy of Fashion & Design
 
SNHU | 2013 Faculty Professional Development Showcase
byAndy Lynch
 
whirlpool Shareholders and Other Information
byfinance13
 
Puentes de Acero
bySerrano6
 
José luis rodríguez zapatero
bySpain View Travel Guide
 
Harvard referencing 2007
bybunny101
 
Directorio CAPATEC 2013-2014
byCAPATEC
 
Nombramientos. el nuevo lunes
byEAE Business School
 
White paper downtown baltimore office market
byRobert Manekin
 
School as Sustainable Enterprise
byJeremy Williams
 
The Spanish Business Think Tank of reference
byCírculo de Empresarios
 
O papel da história na Economia: a afirmação da Economia Política como teoria...
byGrupo de Economia Política IE-UFRJ
 
Data communication Part 11
byAlex Fernandez
 
NELSON ROLIHLAHLA MANDELA
byVale-Feijoo
 
schering plough Company_overview
byfinance22
 
Johnson johnson-u.s.-exhibits-12-35
byBehn Wyetzner, Chartered
 
Cologuard (colorectal cancer test) physician labeling_fda
byoncoportal.net
 
resume counseling
byJohn Kelly
 
Managing Engineering In A Time Of Change Rev 1
bykarnold3
 

Similar to HIPAA and Security Management for Physician Practices

PPTX
HIPAA Safeguard Slides
byprojectwinner
 
PPTX
The HIPAA Security Rule: Yes, It's Your Problem
bySecurityMetrics
 
PDF
The Basics of Security and Risk Analysis
bylearfield
 
PPTX
HIPAA education importance Presentation .pptx
byfawadmushtaqwork
 
PDF
ONC Privacy and Security Best Practices for HIPAA
byDavid Sweigert
 
PDF
Electronic Health Information- Guide to Privacy & Security
byDr Dev Kambhampati
 
PDF
Privacy and Security Guide
byDorlee Michaeli, MBA, LMSW
 
PPT
hipaa presentation
byRenee Bell
 
PDF
Explain the security implications of HIPPA requirements for hospital.pdf
byarjunenterprises1978
 
PPTX
Privacy, Confidentiality, and Security Lecture 3_slides
byZakCooper1
 
PPTX
Privacy, Confidentiality, and Security Lecture 4_slides
byZakCooper1
 
PPSX
Mbm Hipaa Hitech Ss Compliance Risk Assessment
byMBMeHealthCareSolutions
 
PPTX
how to really implement hipaa presentation
byProvider Resources Group
 
PPTX
Leading your HIPAA Compliance Culture in 2016
byLance King
 
PDF
Hipaa basics
byMichaelRodriguesdosS1
 
PDF
Everything You Need to Know about HIPAA Compliance.pdf
byTriyam Inc
 
PDF
Healthcare Cybersecurity Whitepaper FINAL
bySteve Knapp
 
PPTX
Confidentiality, HIPAA and HITECH
byDr. DawnElise Snipes ★AllCEUs★ Unlimited Counselor Training
 
PPTX
Comp8 unit6a lecture_slides
byCMDLMS
 
PDF
HCISPP HealthCare Information Security and Privacy Practitioner All-in-One Ex...
bykrichrajub69
 
HIPAA Safeguard Slides
byprojectwinner
 
The HIPAA Security Rule: Yes, It's Your Problem
bySecurityMetrics
 
The Basics of Security and Risk Analysis
bylearfield
 
HIPAA education importance Presentation .pptx
byfawadmushtaqwork
 
ONC Privacy and Security Best Practices for HIPAA
byDavid Sweigert
 
Electronic Health Information- Guide to Privacy & Security
byDr Dev Kambhampati
 
Privacy and Security Guide
byDorlee Michaeli, MBA, LMSW
 
hipaa presentation
byRenee Bell
 
Explain the security implications of HIPPA requirements for hospital.pdf
byarjunenterprises1978
 
Privacy, Confidentiality, and Security Lecture 3_slides
byZakCooper1
 
Privacy, Confidentiality, and Security Lecture 4_slides
byZakCooper1
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
byMBMeHealthCareSolutions
 
how to really implement hipaa presentation
byProvider Resources Group
 
Leading your HIPAA Compliance Culture in 2016
byLance King
 
Hipaa basics
byMichaelRodriguesdosS1
 
Everything You Need to Know about HIPAA Compliance.pdf
byTriyam Inc
 
Healthcare Cybersecurity Whitepaper FINAL
bySteve Knapp
 
Confidentiality, HIPAA and HITECH
byDr. DawnElise Snipes ★AllCEUs★ Unlimited Counselor Training
 
Comp8 unit6a lecture_slides
byCMDLMS
 
HCISPP HealthCare Information Security and Privacy Practitioner All-in-One Ex...
bykrichrajub69
 

Recently uploaded

PDF
The Science Behind Why Accountability Works in Alcohol Recovery.pdf
byClear Mind Sobriety
 
PDF
Hospital and Hospice Integration: A Formula for Quality and Efficiency
byVITASAuthor
 
PPT
National child policy.ppt child health nursing
byPooja Rani
 
PDF
Dr. David Wilson Utah - Dedicated To Patient Wellness
byDr. David Wilson Utah
 
PPTX
FACTORS AFFECTING IMAGE QUALITY IN MRI RITAM MOHAPATRA.pptx
bymohapatraritam29
 
PPTX
Healthcare SEO Audit & Growth Strategy for Apollo Hospitals
byRAHUL KACHHAL
 
PPTX
Compassionate Hospice Care Services in Orange County, NY
bysn036847
 
PPTX
BANDAGING,purposes, types, principles.pptx
byLINU ZACHARIAH
 
PDF
Final NABH Checklist 6TH ED JULY 2025 - Dr J L Meena.pdf
byDr Jitu Lal Meena
 
PPTX
PPTS HEALTHCARE.pptx NON-COMMUNICABLE DISEASES
bysohilnaik18
 
PPTX
Chapter 5 Integumentary System ( Anatomy and Physiology) .pptx
byAllanTateishi1
 
PPTX
INTRODUCTION TO MOLECULAR DIAGNOSTIC IN LEVEL 100
bysolomonasare355
 
PDF
A Guide to Your Benefits: 2026 MVP Medicare Advantage Plans
byMVP Health Care
 
PDF
OOS vs OOT vs OOE.pdf the investigation procedure for five why jsjjjhd ijj
by3star3nath
 
PDF
Patient lifting robot concept presentation
byEevastiinaRindell
 
PPTX
LEARNING PROCESS.Shilpa Hotakar Psychology.pptx
bySHILPA HOTAKAR
 
PDF
How Google Reviews Build Patient Trust in Hospitals
byHMS Advisors Pvt Ltd
 
PDF
How Private Duty Agencies in Oakland Help Seniors Age at Home.pdf
byHomestead Home Health Care
 
PPTX
Spectral CT Imaging: Principle and Applications of Dual-Energy and Photon Cou...
byJoginder Singh
 
PPTX
Intelligence tests for children.pptx1233334
byNikitaBhati27
 
The Science Behind Why Accountability Works in Alcohol Recovery.pdf
byClear Mind Sobriety
 
Hospital and Hospice Integration: A Formula for Quality and Efficiency
byVITASAuthor
 
National child policy.ppt child health nursing
byPooja Rani
 
Dr. David Wilson Utah - Dedicated To Patient Wellness
byDr. David Wilson Utah
 
FACTORS AFFECTING IMAGE QUALITY IN MRI RITAM MOHAPATRA.pptx
bymohapatraritam29
 
Healthcare SEO Audit & Growth Strategy for Apollo Hospitals
byRAHUL KACHHAL
 
Compassionate Hospice Care Services in Orange County, NY
bysn036847
 
BANDAGING,purposes, types, principles.pptx
byLINU ZACHARIAH
 
Final NABH Checklist 6TH ED JULY 2025 - Dr J L Meena.pdf
byDr Jitu Lal Meena
 
PPTS HEALTHCARE.pptx NON-COMMUNICABLE DISEASES
bysohilnaik18
 
Chapter 5 Integumentary System ( Anatomy and Physiology) .pptx
byAllanTateishi1
 
INTRODUCTION TO MOLECULAR DIAGNOSTIC IN LEVEL 100
bysolomonasare355
 
A Guide to Your Benefits: 2026 MVP Medicare Advantage Plans
byMVP Health Care
 
OOS vs OOT vs OOE.pdf the investigation procedure for five why jsjjjhd ijj
by3star3nath
 
Patient lifting robot concept presentation
byEevastiinaRindell
 
LEARNING PROCESS.Shilpa Hotakar Psychology.pptx
bySHILPA HOTAKAR
 
How Google Reviews Build Patient Trust in Hospitals
byHMS Advisors Pvt Ltd
 
How Private Duty Agencies in Oakland Help Seniors Age at Home.pdf
byHomestead Home Health Care
 
Spectral CT Imaging: Principle and Applications of Dual-Energy and Photon Cou...
byJoginder Singh
 
Intelligence tests for children.pptx1233334
byNikitaBhati27
 

HIPAA and Security Management for Physician Practices

  • 1.
    HIPAA &HIPAA &HIPAA&HIPAA & SecuritySecuritySecuritySecurity ManagementManagementManagementManagement How to get started with practical security management in a physician practice
  • 2.
    Security Management FrameworkSecurityManagement FrameworkSecurity Management FrameworkSecurity Management Framework • A map to organize security efforts to create: • A process of continual improvement • Shared understanding of everyone’s role • Ability to demonstrate the consistent use of appropriate controls to management and third parties Security Management Documentation Procedures Policies Laws and Regulations
  • 3.
    Laws, Regulations andAccreditationsLaws, Regulations and AccreditationsLaws, Regulations and AccreditationsLaws, Regulations and Accreditations • Define the obligations and provide motivation for security. Determine the laws, regulations and accreditations that apply to your organization. • HIPAA1 • Original 1996 law has been amended twice to add security, breach reporting and stronger enforcement mechanisms. • State Breach Reporting Laws • California, New York, Massachusetts and others have laws covering unauthorized access to computer data compromises security, privacy or integrity of private information • Several other laws do not generally apply to physician’s practices. • Sarbannes-Oxley (Public companies) • Gramm-Leach-Bliely (Financial Firms) • PCI-DSS (Payment Card Industry) 1 www.hhs.gov/hipaahipaahipaahipaa/ 2 http://www.ag.ny.gov/internet/data-breach Security Management Documentation Procedures Policies Laws and Regulations A1
  • 4.
  • 5.
    PoliciesPoliciesPoliciesPolicies • Define whatthe practice will do to address security requirements • Provide guidance to employees and staff. Ensure everyone has the same playbook. • Policies are often organized to correspond to HIPAA regulations structure • Administrative Safeguards – business practices followed to protect information such as employee training, audits and risk assessments • Physical Safeguards – locks, cameras, screen protectors, etc. • Technical Safeguards - passwords, virus protection, encryption, backups, etc. Security Management Documentation Procedures Policies Laws and Regulations
  • 6.
    ProceduresProceduresProceduresProcedures • Detailed instructionsfor each policy requirement. • Procedures include: • Responsibility – The person or role that is responsible. • Methods – The techniques to be used. • Process – The steps to complete the procedure. • Timing - When and how often will the procedure be used. • Record Keeping – The content and format of information that is required to document that the procedure has been followed correctly. Security Management Documentation Procedures Policies Laws and Regulations
  • 7.
    DocumentationDocumentationDocumentationDocumentation • Information todemonstrate that policies and procedures are followed. • The most important aspect of security management • Allows practice to demonstrate compliance to 3rd parties • Supports continual improvement • Provides confidence that the environment maintains the same level of security. • Examples are: • System logs • Completed Checklists • Inventories and Lists • Notes Security Management Documentation Procedures Policies Laws and Regulations
  • 8.
    Security ManagementSecurity ManagementSecurityManagementSecurity Management • Security Management provides oversight to: • Ensure that procedures and policies are being followed • Assess changes in policies and procedures regularly and after change. • Prioritize investments to mitigate the highest security risks. • Security Management activities include: • Audits – review of access logs to ensure patient records are not viewed outside the requirement of a job function • Risk Assessments – review of all locations of patient data to consider vulnerabilities and threats and the likelihood and impact of an security event. • Risk Management Plans – Remediation actions identified and planned in response to Risk Assessments. • Incident Management – Effective response and review to limit damage, recover from an event, address legal requirements and improve security. Security Management Documentation Procedures Policies Laws and Regulations
  • 9.
    ExampleExampleExampleExample • Workforce SecurityPolicy requires • CareNet Medical Group, PC will use a Minimum NecessaryMinimum NecessaryMinimum NecessaryMinimum Necessary PolicyPolicyPolicyPolicy … as the basis for the type and extent of authorized access to ePHI. • CareNet Medical Group, PC will implement procedures to ensure that only workforce members with a need to access ePHI are granted access to ePHI. • Procedures • Map staff roles to required permission/access in each system. • Document staff role assignment and set system permissions appropriately • Track changes in roles and update system permissions • Audit • Periodically review system permissions to ensure compliance with role assignment. Document findings.
  • 10.
    Implementation TimelineImplementation TimelineImplementationTimelineImplementation Timeline Management and Oversight Policy Development Procedure/Documentation Development Implementation and Staff Training Execution
  • 11.
    Required PoliciesRequired PoliciesRequiredPoliciesRequired Policies PolicyPolicyPolicyPolicy SectionSectionSectionSection DescriptionDescriptionDescriptionDescription Security Management Administrative Prescribes actions to manage security risk Security Officer Administrative Names and defines duties of HIPAA security officer Workforce Security Administrative Prescribes steps to ensure staff are not security risks. Information Access Management Administrative Prescribes steps to ensure staff has access to only the information needed for their job. Security Awareness Administrative Prescribes security and education programs for staff
  • 12.
    Required Policies (2of 4)Required Policies (2 of 4)Required Policies (2 of 4)Required Policies (2 of 4) PolicyPolicyPolicyPolicy SectionSectionSectionSection DescriptionDescriptionDescriptionDescription Incident Response Administrative Prescribes how responses to security incidents will be managed Contingency Planning Administrative Prescribes actions required to ensure practice continues to operate in event of failure or disaster Evaluation Administrative Business Associates Administrative Prescribes how business associates are managed.
  • 13.
    Required Policies (3of 4)Required Policies (3 of 4)Required Policies (3 of 4)Required Policies (3 of 4) PolicyPolicyPolicyPolicy SectionSectionSectionSection DescriptionDescriptionDescriptionDescription Facility Access Physical Prescribes steps to protect against physical threats – fire, theft, etc. Workstation Use Physical Prescribes proper use of workstations Workstation Security Physical Prescribes methods to protect workstations Device and Media Physical Prescribes how devices and removeable media may used and how they are manaed
  • 14.
    Required Policies (4of 4)Required Policies (4 of 4)Required Policies (4 of 4)Required Policies (4 of 4) PolicyPolicyPolicyPolicy SectionSectionSectionSection Access Control Technical Technical methods to control access to electronic data Integrity Policy Technical Defines mechanism to ensure data is not altered or destroyed Audit Controls Technical Methods required to ensure systems can be auditted Authentication Technical Prescribes methods to manage authentication Transmission Technical Prescribes methods to protect data while it is being transmitted.
  • 15.
    Implementing Security ManagementImplementingSecurity ManagementImplementing Security ManagementImplementing Security Management 1. Review, Revise and Approve Policies 2. Document procedures and record keeping artifacts to implement policies 3. Assign activities to responsible parties to execute 4. Management review of record keeping to ensure compliance with policies and procedures 5. Regular risk assessments leading to management approved risk management plans.
  • 16.
    About CTAAbout CTAAboutCTAAbout CTA • Clinical Technology Advisors providers management and technology consulting services to healthcare providers covering: • Medical Technology Systems Integration including EMR, PM, Patient Portal and Imaging Systems • Compliance with HIPAA, MACRA, Meaningful Use, PQRS. • Technology Infrastructure including networking, systems, office applciations, cloud computing. • Contact CTA at: • Info@clinictec.com • 518-595-9246