The current healthcare system in the United States is heavily influenced by HIPAA Security. This translates into a need to understand technology and cybersecurity beyond the use of anti-malware applications. This presentation presents some of the basics Covered Entities and Business Associates must be aware of as it relates to HIPAA Security.
Presentation designed to explain to Business Associates the basics of HIPAA, with real-life examples of cases that failed to implement and follow HIPAA requirements on a timely basis.
HIPAA compliance is the state of being in alignment with the guidelines set by the Health Insurance Portability and Accountability Act of 1996, passed by Congress.
Developers building healthcare applications for mobile devices, wearables and the desktop need to understand HIPAA requirements in order to build apps that are in compliance. This deck gives application developers an overview of the HIPAA rules and what it means for their software development.
While the Health Insurance Portability and Accountability Act (HIPAA) is best known for its multitude of requirements that govern the way health care providers can use, disclose, and safeguard protected health information (PHI), its reach goes far beyond that to health plans and business associates that only handle PHI on a limited basis. HIPAA implementation in these environments creates unique challenges—for example, which provisions actually need to be addressed—but with 2016 marking an all-time high for HIPAA enforcement cases, it may be more important now than ever to address HIPAA compliance.
Application Developers Guide to HIPAA Compliance (TrueVault)
Software developers building mobile health applications need to be HIPAA compliant if their application will be collecting and sharing protected health information. This free plain language guide gives developers everything they need to know about mobile health app development and HIPAA.
Not every mHealth app needs to be HIPAA compliant. Not sure whether your mHealth application needs to be HIPAA compliant or not? Read the guide to find out!
This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule as well as major changes brought by HIPAA and HITECH.
HIPAA Compliance: What Medical Practices and Their Business Associates Need t... (Skoda Minotti)
Most medical practices are aware of the HIPAA HITECH requirements that affect their organizations, and the fines that they face if they are not compliant in the ways they handle patient health information (PHI).
What a lot of professionals don't know is that HIPAA HITECH regulations also hold business associates (i.e. professionals from other companies who could also have access to PHI) just as responsible for protecting the data as the medical practices that own that information.
The HIPAA Security Rule: Yes, It's Your Problem (SecurityMetrics)
An overview of the HIPAA Security Rule for office managers, receptionists, doctors, physicians, and IT professionals. Need to get HIPAA compliant?
Learn more here: www.securitymetrics.com/sm/pub/hipaa/overview
ControlCase discusses the following:
- Healthcare compliance in general
- What is HIPAA
- What is HITRUST
- How do they relate?
- Advantages of being HITRUST certified
CHAPTER 3 Maintaining Compliance (.docx, christinemaritza)
Chapter 3: Maintaining Compliance
Many laws and regulations are in place regarding the protection of information technology (IT) systems. Companies have a requirement to comply with the laws that apply to them. The first step is to understand the laws. You're not expected to be a lawyer, but you should understand the basics of relevant laws.
Once you have an idea of which laws and regulations apply, you can then dig in deeper to ensure your organization is in compliance. The cost of not complying can sometimes be expensive. Fines can be in the hundreds of thousands of dollars. Some offenses can result in jail time.
Chapter 3 Topics
This chapter covers the following topics and concepts:
• What U.S. compliance laws exist
• What some relevant regulations related to compliance are
• What organizational policies for compliance should be considered
• What standards and guidelines for compliance exist
Chapter 3 Goals
When you complete this chapter, you will be able to:
• Define compliance
• Describe the purpose of FISMA
• Identify the purpose and scope of HIPAA
• Describe GLBA and SOX, and the impact for IT
• Describe the purpose of FERPA
• Identify the purpose and scope of CIPA
• List some federal entities that control regulations related to IT
• Describe the purpose of PCI DSS
• Describe the contents of SP 800-30
• Describe the purpose of COBIT
• Describe the purpose of ISO and identify some relevant security standards
• Identify the purpose of ITIL
• Identify the purpose of CMMI
U.S. Compliance Laws
Many laws exist in the United States related to information technology (IT). Companies affected by the laws are expected to comply with the laws. This is commonly referred to as compliance.
Many organizations have internal programs in place to ensure they remain in compliance with relevant laws and regulations. These programs commonly use internal audits. They can also use certification and accreditation programs. When compliance is mandated by law, external audits are often done. These external audits provide third-party verification that the requirements are being met.
An old legal saying is "ignorance is no excuse." In other words, you can't break the law and then say "I didn't know." The same goes for laws that apply to any organization. It's important for any organization to know what the relevant laws and regulations are.
You aren't expected to be an expert on any of these laws. However, as a manager or executive, you should be aware of them. You can roll any of the relevant laws and regulations into a compliance program for more detailed checks.
This section covers the following U.S. laws:
• Federal Information Security Management Act (FISMA) 2002
• Health Insurance Portability and Accountability Act (HIPAA) 1996
• Gramm-Leach-Bliley Act (GLBA) 1999
• Sarbanes-Oxley Act (SOX) 2002
• Family Educational Rights and Privacy Act (FERPA) 1974
• Children’s Internet Protection Act (CIPA) 2000
Federal Information ...
Business Associates: How to become HIPAA compliant, increase revenue, and gai... (Compliancy Group)
Since the Omnibus Rule took effect in 2013, Business Associates (BAs) have scrambled to understand and adhere to the federal regulation. Though Omnibus alone was reason enough for Business Associates to become compliant, many realized that compliance could also help differentiate their offerings, helping them retain existing clients and acquire new ones. Compliance is helping many BAs open new revenue streams while increasing brand stickiness.
With the plethora of non-compliant Business Associates, Covered Entities are realizing that the best option for them is to choose a BA that is compliant to reduce their risk.
Healthcare Compliance: HIPAA and HITRUST (ControlCase)
ControlCase discusses the following:
•Healthcare compliance in general
•What is HIPAA
•What is HITRUST
•How do they relate?
•Advantages of being HITRUST certified
Breaking Down the Latest HIPAA Modifications: What's New in 2024 and Beyond (Conference Panel)
This advanced webinar on HIPAA Changes for 2024 delves into the intricate federal regulatory process of notice and comment rulemaking, highlighting the considerable authority granted to federal agencies like the HHS in shaping new regulations.
The webinar delves into responding to security incidents using lessons learned from recent HHS sanctioning cases, emphasizing cybersecurity sanction policies as a means to enforce HIPAA compliance. The session concludes with valuable tips and techniques to anticipate and navigate HIPAA changes in 2024, offering insights to minimize risk and liability. The discussion begins by addressing the 2023 proposed changes to HIPAA exploring the reasons for their extension into 2024.
HIPAA Compliance and Security in a Mobile World (Ryan Snell)
With healthcare regulations evolving to account for the explosion of mobile devices (BYOD) being used at work, HIPAA compliance is critical for all healthcare organizations, which face security breaches and hefty fines.
Michelle Caswell, Senior Director of Legal & Compliance at Clearwater Compliance, reviews HIPAA, violations and effective compliance. Having worked as a HIPAA Investigator at the Office for Civil Rights, Michelle brings first-hand understanding and passion to the discussion, focusing on the future of HIPAA and how BYOD solutions affect healthcare organizations’ compliance and patient record safety.
Health IT Data Security – An Overview of Privacy, Compliance, and Technology ... (M2SYS Technology)
Radical advancements in health IT development and implementation have pushed the issue of health data security to the forefront of the collective healthcare provider mindset as providers attempt to strike a balance between patient access to electronic health record protected health information (PHI) and data protection. The fact that so many health IT vendors now have access to and possess protected health information necessitated changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which was enacted to establish ground rules for the privacy protection of individually identifiable health information.
We invited Mac McMillan, Chair of the HIMSS Privacy and Security Task Force, to discuss what these new changes are, define their parameters, the mission of the HIMSS Privacy & Security Task Force, his definition of what "privacy" actually is, comments on new technologies that are viable options for healthcare providers to implement as a way to protect access to sensitive patient data, and his thoughts on the increased adoption of PHI management applications such as Microsoft HealthVault.
Listen in to this podcast for more information on the latest health IT industry developments and regulations that govern PHI and for insight from Mac on why healthcare providers and third party vendors should pay close attention to compliance with recent HIPAA changes.
What Covered Entities Need to Know about OCR HIPAA Audits (Iatric Systems)
Learn how to be better prepared to comply with today's patient privacy rules and regulations.
Hosted by HealthITSecurity.com, you'll get insight directly from HIPAA officer Iliana L. Peters, J.D., LL.M. As senior advisor for HIPAA Compliance and Enforcement, she is today's leading source for understanding HIPAA requirements.
Ms. Peters presents OCR's 2017 to 2018 goals and objectives and tells you how you can:
- Uncover the patient privacy risks and vulnerabilities in your healthcare organization
- Determine where you can use technology to assist in and encourage consistent compliance
- Manage risk when vendors have access to your patient data
HIPAA Compliance Made Easy: Conducting a Risk Assessment (Conference Panel)
Conducting a HIPAA risk assessment is a legal requirement, and this webinar will equip healthcare organizations with the knowledge and tools necessary to fulfill this obligation. By understanding the risks that threaten the confidentiality, integrity, and availability of protected health information, organizations can take proactive measures to mitigate these risks and establish a robust compliance framework.
Attending the "How to Conduct a HIPAA Risk Assessment Webinar" will empower healthcare organizations to embark on a continuous risk assessment process, enabling them to stay informed about evolving threats and ensure ongoing compliance with HIPAA standards and implementation specifications. By embracing the insights and best practices shared in the webinar, organizations can strengthen their security posture and safeguard patient information effectively.
Register: https://conferencepanel.com/conference/how-to-conduct-a-hipaa-risk-assessment-and-the-surprising-danger-of-not-doing-one
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)
In today's rapidly advancing technological landscape, the intersection of privacy and innovation has become a paramount concern. One area that has sparked considerable debate and regulatory scrutiny is the use of tracking technologies in the healthcare sector. As healthcare providers strive to improve patient care and streamline operations, they have turned to various tracking technologies to enhance efficiency and data collection. However, the implementation of these technologies raises significant questions about patient privacy and compliance with the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA, enacted in 1996, was designed to safeguard the privacy and security of individuals' medical information. It sets strict guidelines and standards for the handling, storage, and transmission of protected health information (PHI). The law not only applies to healthcare providers but also to their business associates, such as technology vendors and service providers. HIPAA's primary objective is to strike a balance between the need for healthcare organizations to collect and share patient data for treatment and administrative purposes while ensuring the confidentiality and privacy of individuals' sensitive medical information.
Tracking technologies, such as electronic health records (EHRs), wearable devices, and location tracking systems, have shown immense potential in revolutionizing healthcare delivery. EHRs enable healthcare providers to access patient information instantaneously, leading to quicker diagnoses and improved treatment outcomes. Wearable devices, such as fitness trackers and smartwatches, provide real-time health data that can help individuals monitor their well-being and make informed decisions about their lifestyle. Location tracking systems are utilized in hospitals and nursing homes to ensure patient safety and streamline workflows.
While these tracking technologies offer undeniable benefits, they also raise concerns about patient privacy. The vast amount of data generated by these technologies, ranging from personal identifiers to sensitive medical records, demands robust safeguards and strict adherence to HIPAA regulations. Unauthorized access, data breaches, and misuse of patient information can result in severe consequences, including legal repercussions, reputational damage, and loss of patient trust.
In this context, it becomes crucial for healthcare organizations to strike a delicate balance between leveraging tracking technologies to improve patient care and compliance with HIPAA regulations. Robust security measures, such as encryption, access controls, and regular audits, must be implemented to protect patient information from unauthorized access or breaches. Additionally, transparent communication and patient consent are vital to ensure individuals are aware of how their data is being collected, stored, and used.
The Medicare Access and CHIP Reauthorization Act (MACRA) is the law that changes how Providers are to be reimbursed. One of its key characteristics is that it rewards Providers based on value and not volume.
Monthly series covering key subjects regarding healthcare business in the USA. This seminar covers: Affordable Care Act section 1557, HIPAA Security, Medicare Payment models and Chronic conditions.
Brief presentation regarding key topics in the USA healthcare industry. Some of the basic topics include: MACRA, ICD 10, Meaningful Use and a very brief comment about diabetes as a chronic condition.
Interesting codes found in ICD-10 and a quick way to code using ICD 9 as a basis. Codes presented are real but presented to simply relax health professionals as they tackle this subject.
Meaningful Use Audits and healthcare compliance course offered to Physicians and healthcare professionals to explain the basics of Meaningful Use and HITECH audits. Course is general in nature as many Physicians and organizations are in different stages of meaningful use.
Presentation that briefly covers HIPAA and concentrates on the Risk Assessment portion, which is a requirement for overall compliance and meaningful use.
Basic explanation of the physician quality reporting system. Some of the due dates and actions that could be taken before Dec 31st to prevent losing money in the future.
Based on misconceptions regarding the exchanges and healthcare reform I created a presentation that covers some of the basic issues and actions to consider.
Review of the health business status in the United States as of July 2013. Brief description of ICD 10 implementation status and potential repercussions and HIPAA Title 2 requirements.
Steps to consider when moving from paper to digital in any business. Solutions presented have been developed by TC Inc. and/or its Networking team. The steps provided should work in just about any environment and allow for expansion while minimizing growing pains.
Navigating Challenges: Mental Health, Legislation, and the Prison System in B... (Guillermo Rivera)
This conference will delve into the intricate intersections between mental health, legal frameworks, and the prison system in Bolivia. It aims to provide a comprehensive overview of the current challenges faced by mental health professionals working within the legislative and correctional landscapes. Topics of discussion will include the prevalence and impact of mental health issues among the incarcerated population, the effectiveness of existing mental health policies and legislation, and potential reforms to enhance the mental health support system within prisons.
How many patients does case series should have In comparison to case reports.pdf (pubrica101)
Pubrica’s team of researchers and writers create scientific and medical research articles, which may be important resources for authors and practitioners. Pubrica medical writers assist you in creating and revising the introduction by alerting the reader to gaps in the chosen study subject. Our professionals understand the order in which the hypothesis topic is followed by the broad subject, the issue, and the backdrop.
https://pubrica.com/academy/case-study-or-series/how-many-patients-does-case-series-should-have-in-comparison-to-case-reports/
We understand the unique challenges pickleball players face and are committed to helping you stay healthy and active. In this presentation, we’ll explore the three most common pickleball injuries and provide strategies for prevention and treatment.
Navigating the Health Insurance Market_ Understanding Trends and Options.pdf (Enterprise Wired)
From navigating policy options to staying informed about industry trends, this comprehensive guide explores everything you need to know about the health insurance market.
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf (Sachin Sharma)
This content provides an overview of preventive pediatrics. It defines preventive pediatrics as preventing disease and promoting children's physical, mental, and social well-being to achieve positive health. It discusses antenatal, postnatal, and social preventive pediatrics. It also covers various child health programs like immunization, breastfeeding, ICDS, and the roles of organizations like WHO, UNICEF, and nurses in preventive pediatrics.
Telehealth Psychology Building Trust with Clients.pptx (The Harvest Clinic)
Telehealth psychology is a digital approach that offers psychological services and mental health care to clients remotely, using technologies like video conferencing, phone calls, text messaging, and mobile apps for communication.
2. Introduction
This presentation covers:
• HIPAA’s Importance – beyond the regulation
• What is HIPAA
• HIPAA Security Key Components
• Cybersecurity
• Lessons Learned
• Recommendations
3. Disclaimer
This information is not intended to be legal advice
and does not intend to create an attorney-client
relationship. The information hereby presented is for
educational purposes only.
5. Perspective on the Law
Practicing without a license
• Jail or prison.
  • Misdemeanor: maximum jail sentence of up to one year.
  • Felony offenses can face eight years or more in a state prison.
• Fines.
  • Misdemeanor fines normally do not exceed $1,000.
  • Felony fines exceed $10,000.
6. Perspective on the Law
HIPAA Security Violation
• Civil violations
  • $100 to $50,000 per violation (or record)
  • Maximum penalty of $1.5 million per year per violation type
• Criminal violations
  • "Knowingly" obtaining or releasing information: fine of up to $50,000, as well as imprisonment of up to 1 year.
  • Offenses committed under false pretenses: $100,000 fine, with up to 5 years in prison.
  • Offenses committed with the intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm: fines of $250,000 and imprisonment of up to 10 years.
7. State Attorneys
American Recovery and Reinvestment Act of 2009
• The Health Information Technology for Economic and Clinical Health (HITECH) Act gave State Attorneys General the authority to bring civil actions on behalf of state residents for HIPAA violations.
The HITECH Act permits State Attorneys General to:
• Obtain damages on behalf of state residents
• Enjoin further violations of the HIPAA Privacy and Security Rules
OCR developed HIPAA Enforcement Training for State Attorneys General designed to:
• Teach them how to use their new authority to enforce HIPAA
• Aid in investigating and seeking damages for HIPAA violations
8. Violations and Outcomes
• Who: Insurance company, Triple-S (Puerto Rico)
• What/Why: Widespread non-compliance
  • Failure to implement Administrative, Privacy, and Technical safeguards
  • Lack of appropriate Business Associate Agreements
  • Failure to conduct an accurate/thorough Risk Analysis
• Settlement: $3.5 Million
• Corrective Action Plan:
  • Conduct Risk Analysis and implement a Risk Management Plan
  • Implement a process for evaluating environmental and operational changes
  • Distribution and updating of Policies and Procedures
  • Training
9. Violations and Outcomes
• Who: Raleigh Orthopedic (North Carolina)
• What: Breach report, 17,300 patient records
• Why: Handed over x-rays and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $750,000
• Corrective Action Plan:
  • Business Associate Agreements
  • Revise Policies and Procedures related to Business Associate relationships
  • Training
10. Violations and Outcomes
• Who: Anthem Inc
• What: Breach report, 79 million patient records
• Why: A series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.
• Settlement: $16,000,000
• Corrective Action Plan:
  • Security Management Process
  • Development and distribution of Policies and Procedures
11. Violations and Outcomes
• Who: Advanced Care Hospitalists PL (ACH)
• What: Breach report, 400 patient records
• Why: Handed over billing data and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $500,000
• Corrective Action Plan:
  • Business Associate Agreement
  • Risk Analysis and Risk Management
  • Adoption, distribution, and updating of Policies and Procedures
  • Training
12. What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  • Reduces health care fraud and abuse;
  • Mandates industry-wide standards for health care information on electronic billing and other processes; and
  • Requires the protection and confidential handling of protected health information.
HIPAA is organized into five separate "Titles."
13. HIPAA
• Title 1
• Title 2
  • Preventing Health Care Fraud
  • Medical Liability Reform
  • Administrative Simplification
    • Electronic Data Interchange
    • Privacy
    • Security
      • Security Standards: General Rule
      • Administrative Safeguards: 9 standards, 21 specifications
      • Technical Safeguards: 5 standards, 7 specifications
      • Physical Safeguards: 4 standards, 8 specifications
      • Organizational Requirements
      • Policies and Procedures
• Title 3
• Title 4
• Title 5
14. Privacy vs Security
Privacy:
• Applies to Protected Health Information
• Requires a HIPAA Privacy Officer
• Guidelines are broad
• Requires annual training
• Requires Policies and Procedures
Security:
• Applies to Electronic Protected Health Information
• Requires a HIPAA Security Officer
• Guidelines are specific
• Requires annual training plus security reminders
• Requires Policies and Procedures
15. Security Categories
Administrative safeguards: Administrative functions including, but not limited to, assignment or delegation of security responsibility to an individual and security training requirements.
Physical safeguards: Facility, entry points, and access. Includes restricting physical access to EPHI and retaining off-site computer backups.
Technical safeguards: Refers to the technology used, as well as the automated processes used, to protect data and control access to data.
16. Required and
Addressable
Required - If a particular specification is “required”,
then the covered entity must take action to
implement the specification.
Addressable - Implement the specification if
reasonable and appropriate
• If implementing the specification is not reasonable and
appropriate –
• Document the rationale supporting the decision and,
• Implement an equivalent measure that is reasonable and
appropriate and that would accomplish the same purpose or
• Not implement the addressable implementation specification
or an equivalent alternative measure, if the standard could
still be met and implementing the specification or an
alternative would not be reasonable or appropriate.
Under no conditions should any covered entity consider
addressable specifications to be optional requirements.
17. Business Associate
• A Business Associate is a
person or entity that creates,
receives, maintains, or
transmits protected health
information on behalf of a
Covered Entity.
• A Covered Entity may be a
Business Associate of
another Covered Entity.
18. Omnibus Rule: Business Associate Definition
• A health information organization, e-prescribing gateway,
or other entity that provides data transmission services
to a covered entity and requires access on a routine basis
to protected health information (PHI).
• An entity that is a mere conduit that does not require
access to PHI is not included.
• A subcontractor. If a business associate subcontracts part
of its function requiring access or use of PHI to another
organization, that subcontractor is also subject to HIPAA.
• There must be a HIPAA compliant business associate
agreement between the business associate and its
subcontractor.
• A person who creates, receives, maintains or transmits
PHI on behalf of a covered entity.
• Physical storage facilities or companies that store
electronic PHI are business associates.
19. Key Points About Business Associates
01 Covered Entities must have a valid Business Associate Agreement
02 Covered Entities must obtain assurances that Business Associates are in
compliance with HIPAA
03 Covered Entities must terminate the relationship with Business Associates
that refuse to be compliant with HIPAA Security
20. Examples of Business Associates
• Data processing companies
• Medical Transcription specialists
• Data Transmission companies
• Medical Equipment suppliers
• Document Shredding companies
• Data Storage Firms
• Audit Consultants
• Accountants
• External Auditors
• Electronic Health Data Exchange
21. Business Associates and risk*
59% of Business Associates
reported a data breach
29% of Business Associates
experienced two breaches or more
80% of BAs reported malware
attacks and nearly half were hit by
advanced persistent threats
*Fifth Annual Benchmark Study on Privacy and Security of
Healthcare Data by the Ponemon Institute
22. Cybersecurity Ventures 2019 Report
• Cybercrime will cost the world in excess of $6
trillion annually by 2021, up from $3 trillion in
2015.
• Cyber attacks are the fastest growing crime in the
U.S.
• Cloud computing will wipe out data centers
altogether over the next 3-4 years.
• Microsoft helps frame digital growth with its
estimate that data volumes online will be 50
times greater in 2020 than they were in 2016.
• Cisco confirmed that cloud data center traffic
will represent 95 percent of total data center
traffic by 2021.
23. Cybersecurity Reports
Global spending on cybersecurity will exceed $1 trillion
cumulatively for the 5 year period from 2017-2021, according
to Cybersecurity Ventures
Cybersecurity Ventures predicts that a business will fall victim
to a ransomware attack every 14 seconds by 2019, and every
11 seconds by 2021
Cybercrime will more than triple the number of job openings
to 3.5 million
Healthcare providers have been the bullseye for hackers over
the past three years and are expected to continue to be so
Medical information is worth more than 10 times your
credit card number on the black market
26. Internet of Things (IoT)
System of interrelated computing devices,
mechanical and digital machines, objects, animals
or people that are provided with unique
identifiers (UIDs) and the ability to transfer data
over a network without requiring human-to-human
or human-to-computer interaction.
• Amiko.IO focuses on providing products for
respiratory disease management, complete
with an AI-powered platform.
• InfoBionic’s MoMe Kardia provides remote
monitoring of cardiac arrhythmia.
• PillCam™, by Medtronic, is a line of
swallowable capsules that allow visualization
of the esophagus, stomach, small bowel,
and colon.
27. Services to Consider
Update Security Patches
Automatic monitoring systems
Antimalware systems
• Antivirus
• Ransomware Protection
• Backups and Contingency Plans
28. Plan of Action
Assign a Security Officer
Have a third party perform a Security Risk Assessment
Introduce automated audits and measures
Develop and implement Policies
Conduct Education/Training: Annual Training and Security Reminders
Review Business Associate Agreements and Compliance
29. Reminder
Security is not a one-time project, but rather an ongoing,
dynamic process that will create new
challenges as covered entities’ organizations and
technologies change.
30. Dr. Jose I. Delgado
Taino Consultants Inc., CEO
DrDelgado@tainoconsultants.com
tainoconsultants.com