The document provides an overview of the steps startups need to take to achieve HIPAA compliance when working with health systems and protected health information. It discusses the key rules under HIPAA including the Privacy Rule, Security Rule, and Breach Notification Rule. It outlines a high-level roadmap for startups to become HIPAA compliant which involves developing an understanding of HIPAA, embedding it into operations, documenting efforts, and ultimately conducting a self-assessment and audit. The document aims to prepare entrepreneurs to address the compliance concerns of health systems regarding data security and privacy.
Application Developers Guide to HIPAA Compliance - TrueVault
Software developers building mobile health applications need to be HIPAA compliant if their application will be collecting and sharing protected health information. This free plain language guide gives developers everything they need to know about mobile health app development and HIPAA.
Not every mHealth app needs to be HIPAA compliant. Not sure whether your mHealth application needs to be HIPAA compliant or not? Read the guide to find out!
GDPR is coming for you whether you’re ready or not. Companies must show compliance by May 25, 2018. Take a look at the presentation to learn more about the new law that is going to change the way data is handled across the world. Read about how it affects you and the steps you can take to make sure you’re GDPR ready!
About Extentia Information Technology:
Extentia is a global technology and services firm that helps clients transform and realize their digital strategies. With a focus on enterprise mobility, cloud computing, and user experiences, Extentia strives to accomplish and surpass your business goals. Our team is differentiated by an emphasis on excellent design skills that we bring to every project. Extentia’s work environment and culture inspire team members to be innovative and creative, and to provide clients with an exceptional partnership experience.
www.extentia.com
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018 - Schellman & Company
ISO 27017/27018 is the first international code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) in public clouds.
Discover:
• Background of ISO 27017 and 27018
• Scope and Purpose
• Comparison with ISO 27001 and 27002
• Future of ISO 27017 with ISO 27018
• Challenges and Benefits
• Certification Process and Next Steps
As a follow-up to the previous session (4th of December), we run through the GDPR part of the ISO/IEC 27701 standard, which was published in August 2019.
We'll take it from another angle and use the ISO/IEC 27701 as a guide to complete the checklist for the GDPR implementation.
Also, with the help of the (new) PECB ISO/IEC 27701 lead auditor course, we'll take an auditor's look at ISO certification and compliance. It's important to see how it works, to make sure your GDPR implementation can withstand the increasing demand for maturity from customers, data subjects and data protection authorities that are starting to exercise their rights.
ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
- The GDPR view of the ISO/IEC 27701
- Mapping the GDPR to-do list and the ISO/IEC 27701 to-do list
- The ISO/IEC 27701 auditor mindset
- Compliance AND/OR/XOR solid data protection?
- Status of GDPR certification
Date: December 04, 2019
Recorded Webinar: https://www.youtube.com/watch?v=P80So3ryvJ8&feature=youtu.be
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know - PECB
Just a few days ago NIST published a complete refresh of SP 800-53, which provides a catalog of security measures to protect an organization against a variety of risks and threats.
How might NIST guidance fit in an information security management system like ISO/IEC 27001 and its privacy extension ISO/IEC 27701?
In this session, we will take a quick walk through the standards and best practices, compare them, and find out how they map to and differ from one another.
The webinar will cover:
• A quick recap of the topics covered in ISO27001/ISO27701
• Discovering the NIST guidelines for information and cyber security (SP 800 and SP 1800 series)
• Main differences and mappings between NIST guidance and ISO27001
• About the latest publication (September 2020) of NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)
• Implementing information & cyber-security best practices
Date: October 14, 2020
YouTube presentation: https://youtu.be/zfsxSaaErqg
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Threat Modelling and managed risks for medical devices - Frédéric Sagez
In developing a cybersecurity strategy that follows FDA and MDCG recommendations for the commercialization of medical imaging software devices, threat modeling helps customers manage risks better.
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map? - PECB
Due to an increase in the collection of consumer data, high-profile data breaches have become common.
Currently, there are 128 countries all over the world that have already put in place regulations to secure the protection of data and privacy.
The webinar covers:
Data protection, a global development
Introduction to the GDPR, ePrivacy & ISO/IEC 27701
GDPR & ISO/IEC 27701 mapping
ePrivacy & ISO/IEC 27701 mapping
Recorded Webinar: https://youtu.be/oVhIoHAGGwk
GDPR vs US Regulations: Their Differences and Commonalities with ISO/IEC 27701 - PECB
Based on online data, GDPR fines increased by 40% in 2020, compared to the previous years since the law came into force, and they are expected to increase even more in the upcoming years.
In this light, organizations are facing challenges when it comes to compliance with the increased number of data privacy laws and regulations worldwide.
The webinar covers:
• ISO/IEC 27701 standard and its requirements
• GDPR requirements and principles mapped against ISO/IEC 27701
• An overview of CCPA requirements
• Upcoming US privacy laws
YouTube video: https://youtu.be/QGqJsh4kedM
Website link: https://pecb.com/
BSI British Standards' presentation of regulatory updates to the EU Medical Devices Directive 93/42/EEC (M5 amendment).
Presented at the HKTDC Hong Kong International Medical Devices and Supplies Fair 2009.
By Jan van Lochem, Gert Bos and Suzanne Halliday.
Seminar “Regulatory update on medical devices in Asia and EU”.
It covers the revision of the EU medical device directive, implementation of the revised directive, the key changes, changes to clinical requirements, the introduction of technical file sampling, and the impact of the revision on technical or design dossiers.
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard - PECB
In this session, we looked into the ISO/IEC 27701 standard, which was published in August 2019. This standard ties together ISO/IEC 27001, ISO/IEC 27002, ISO 29100 and their sub-standards with the GDPR.
For certification and compliance, it's important to understand these standards and regulations, as the GDPR and other legislation have heated up the discussion about certification. ISO/IEC 27701 contains important requirements and implementation guidance for implementing a PIMS (Privacy Information Management System), which will set the baseline for the future of privacy and data protection.
The webinar covers:
• Walkthrough of the ISO/IEC 27701
• Links with ISO/IEC 2700x series standards, ISO 29100 series...
• ISO/IEC 2700x and GDPR mapping
• Audit & certification
Presenter:
Our presenter for this webinar, Peter Geelen, is director and managing consultant at CyberMinute and owner of Quest For Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security and architecture and Identity & Access Management, but also in privacy, information and data protection, and cyber and cloud security. In recent years his focus has been on ISO/IEC 27001 and other ISO certification mechanisms.
Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates including Certified Sr. Lead Cybersecurity Manager, ISO/IEC 27001 Master, ISO/IEC 27002 Lead Manager, ISO/IEC 27701 Lead Implementer, CDPO, Risk Management, Lead Incident Manager, Disaster Recovery, and many more.
Date: December 04, 2019
The recorded webinar: https://www.youtube.com/watch?v=ilw4UmMSlU4&feature=emb_logo
PECB Webinar: Aligning ISO 25000 and CMMI for Development - PECB
We will cover:
• Overview of ISO 25000 - Software Product Quality Requirements and Evaluation (SQuaRE)
• How CMMI for Development best practices address development activities
• Complementary values that ISO 25000 and CMMI bring
• How ISO 25000 and CMMI help software development and service companies to improve customer satisfaction
Presenter:
This webinar will be presented by PECB Trainer Orlando Olumide Odejide, an experienced Enterprise Architect and Chief Trainer for Training Heights Limited.
Digital Personal Data Protection (DPDP): Practical Approach for CISOs - Priyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
The HIPAA Security Rule lists 28 administrative safeguards, 12 physical safeguards and 12 technical safeguards, along with specific organizational and policies-and-procedures requirements. EHR 2.0 HIPAA security assessment services help covered entities discover the gap areas based on the required and addressable requirements.
There are two main rules under HIPAA: one on privacy and the other on security.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
How often should security be reviewed?
The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information.
Confidentiality
Limiting information access and disclosure to authorized users (the right people)
Integrity
Trustworthiness of information resources (no inappropriate changes)
Availability
Availability of information resources (at the right time)
http://ehr20.com/services/hipaa-security-assessment/
Leading your HIPAA Compliance Culture in 2016 - Lance King
http://hcsiinc.com
Breaches happen every day! Why not prevent a breach from turning into a 90-day audit? This presentation helps you develop your HIPAA Privacy and HIPAA Security program.
If you are interested in help: many companies are a hit-and-run operation. From day one and every quarter of the year, HCSI guides the compliance representative through the HIPAA process of preparing for an audit. The practice will have everything an auditor would need, so the audit takes minutes instead of days.
"This session brings together the interests of engineering, compliance, and security as you align healthcare workloads to the controls in the HIPAA Security Rule. We'll discuss how to architect for HIPAA compliance using AWS, and introduce a number of new services added to the HIPAA program in 2015, such as Amazon Relational Database Service (RDS), Amazon DynamoDB, and Amazon Elastic MapReduce (EMR). You'll hear from customers who process and store Protected Health Information on AWS, and how they satisfied their compliance requirements while maintaining agility.
This session helps security and compliance experts see what's technically possible on AWS, and how implementing the Technical Safeguards in the HIPAA Security Rule is simple and familiar. We map the Security Rule's Technical Safeguards to AWS features and design patterns to help developers, operations teams, and engineers speak the language of their security and compliance peers."
Presentation that briefly covers HIPAA and concentrates on the Risk Assessment portion, which is a requirement for overall compliance and meaningful use.
This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule, as well as major changes brought by HIPAA and HITECH.
Presentation designed to explain to Business Associates the basics of HIPAA, with real-life examples of cases that failed to implement and follow HIPAA requirements on a timely basis.
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn - KloudLearn
HIPAA, the Health Insurance Portability and Accountability Act, is United States legislation that offers data privacy and security provisions for securing confidential and sensitive medical information.
The Importance of HIPAA Compliance in Digital Healthcare Solutions.pptx - MocDoc
As the healthcare industry continues to digitize, it's more important than ever to make sure that your healthcare software solutions are HIPAA compliant. Here's why HIPAA compliance is so important in the digital healthcare space, and how you can ensure that your solutions are compliant.
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf - SuccessiveDigital
This is an article about HIPAA-compliant app development for the healthcare industry. It discusses the importance of HIPAA compliance and the risks of non-compliance. The article also outlines the steps involved in developing a HIPAA-compliant app. Some of the important points from this article are that HIPAA compliance is an ongoing process and that there is no certification required to build a HIPAA-secure app.
Overview of HIPAA & tools for HIPAA compliance - Square 9
http://www.square-9.com/document-management-software | Square 9’s SmartSearch document management system makes it easy to organize and protect confidential patient information and maintain HIPAA compliance. SmartSearch is enterprise-class software that eliminates paper in organizations of all sizes.
One of the most developed cities of India, the city of Chennai is the capital of Tamilnadu and many people from different parts of India come here to earn their bread and butter. Being a metropolitan, the city is filled with towering building and beaches but the sad part as with almost every Indian city
Medical Technology Tackles New Health Care Demand - Research Report - March 2... - pchutichetpong
M Capital Group (“MCG”) predicts that with, against, despite, and even without the global pandemic, the medical technology (MedTech) industry shows signs of continuous healthy growth, driven by smaller, faster, and cheaper devices, growing demand for home-based applications, technological innovation, strategic acquisitions, investments, and SPAC listings. MCG predicts that this should reflect itself in annual growth of over 6%, well beyond 2028.
According to Chris Mouchabhani, Managing Partner at M Capital Group, “Despite all economic scenarios that one may consider, beyond overall economic shocks, medical technology should remain one of the most promising and robust sectors over the short to medium term and well beyond 2028.”
There is a movement towards home-based care for the elderly, next generation scanning and MRI devices, wearable technology, artificial intelligence incorporation, and online connectivity. Experts also see a focus on predictive, preventive, personalized, participatory, and precision medicine, with rising levels of integration of home care and technological innovation.
The average cost of treatment has been rising across the board, creating additional financial burdens for governments, healthcare providers and insurance companies. According to MCG, cost-per-inpatient-stay in the United States alone rose on average by over 13% annually between 2014 and 2021, leading MedTech to focus research efforts on optimized medical equipment at lower price points, whilst emphasizing portability and ease of use. Namely, 46% of the 1,008 medical technology companies in the 2021 MedTech Innovator (“MTI”) database are focusing on prevention, wellness, detection, or diagnosis, signaling a clear push for preventive care to also tackle costs.
In addition, there has also been a lasting impact on consumer and medical demand for home care, supported by the pandemic. Lockdowns, closure of care facilities, and healthcare systems subjected to capacity pressure, accelerated demand away from traditional inpatient care. Now, outpatient care solutions are driving industry production, with nearly 70% of recent diagnostics start-up companies producing products in areas such as ambulatory clinics, at-home care, and self-administered diagnostics.
Navigating the Health Insurance Market_ Understanding Trends and Options.pdfEnterprise Wired
From navigating policy options to staying informed about industry trends, this comprehensive guide explores everything you need to know about the health insurance market.
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...ILC- UK
The Healthy Ageing and Prevention Index is an online tool created by ILC that ranks countries on six metrics including, life span, health span, work span, income, environmental performance, and happiness. The Index helps us understand how well countries have adapted to longevity and inform decision makers on what must be done to maximise the economic benefits that comes with living well for longer.
Alongside the 77th World Health Assembly in Geneva on 28 May 2024, we launched the second version of our Index, allowing us to track progress and give new insights into what needs to be done to keep populations healthier for longer.
The speakers included:
Professor Orazio Schillaci, Minister of Health, Italy
Dr Hans Groth, Chairman of the Board, World Demographic & Ageing Forum
Professor Ilona Kickbusch, Founder and Chair, Global Health Centre, Geneva Graduate Institute and co-chair, World Health Summit Council
Dr Natasha Azzopardi Muscat, Director, Country Health Policies and Systems Division, World Health Organisation EURO
Dr Marta Lomazzi, Executive Manager, World Federation of Public Health Associations
Dr Shyam Bishen, Head, Centre for Health and Healthcare and Member of the Executive Committee, World Economic Forum
Dr Karin Tegmark Wisell, Director General, Public Health Agency of Sweden
Welcome to Secret Tantric, London’s finest VIP Massage agency. Since we first opened our doors, we have provided the ultimate erotic massage experience to innumerable clients, each one searching for the very best sensual massage in London. We come by this reputation honestly with a dynamic team of the city’s most beautiful masseuses.
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...Guillermo Rivera
This conference will delve into the intricate intersections between mental health, legal frameworks, and the prison system in Bolivia. It aims to provide a comprehensive overview of the current challenges faced by mental health professionals working within the legislative and correctional landscapes. Topics of discussion will include the prevalence and impact of mental health issues among the incarcerated population, the effectiveness of existing mental health policies and legislation, and potential reforms to enhance the mental health support system within prisons.
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdfSachin Sharma
This content provides an overview of preventive pediatrics. It defines preventive pediatrics as preventing disease and promoting children's physical, mental, and social well-being to achieve positive health. It discusses antenatal, postnatal, and social preventive pediatrics. It also covers various child health programs like immunization, breastfeeding, ICDS, and the roles of organizations like WHO, UNICEF, and nurses in preventive pediatrics.
1. The Startup Path to HIPAA Compliance
MATTER Workshop
Jim Anfield
June 8, 2016
2. 1
About Me
• Finance
• Strategy
• M&A
• Bus Dev
• Prod Dev
• IT
• Startups
• Technology
• Prod Dev
• Finance
• Bus Dev
Fortune 500 Dot Com Healthcare Healthcare Consulting
3. 2
Today As Advertised
Every healthcare startup needs to comply with HIPAA and data
security regulations, especially when selling to health systems.
The provider chief compliance officer and the chief information
security officer must agree that a solution is HIPAA compliant
and does not pose a security risk. Jim Anfield will prepare
entrepreneurs to partner with health systems who care about
compliance and security above all. He will offer insights on
HIPAA compliance for startups and walk through common
pitfalls when communicating how solutions incorporate
compliance and security requirements.
5. 4
The Federal Government has levied several large-scale HIPAA fines…
Covered Entity | Fine Amount | Violation
Alaskan Department of Health and Social Services | $1.7 million | Portable unsecured electronic storage device (USB hard drive) possibly containing PHI was stolen from the vehicle of a DHHS employee.
Puerto Rican insurer Triple S Salud | $6.8 million | Mailed a pamphlet displaying the Medicare Health Insurance Claim Number of approximately 70,000 of its Medicare Advantage beneficiaries.
WellPoint (aka Anthem), Blue Cross Blue Shield plans in 14 states | $1.5 million | Cyber attack data breach affecting 80 million customers, resulting in account information being stolen.
Stanford University's Lucile Packard Children's Hospital | $4.0 million | Stolen unencrypted laptop containing medical information on 13,000 pediatric patients.
6. 5
HIPAA impacts not only large entities but also much smaller organizations…
Covered Entity | Fine Amount | Violation
Skagit County, State of Washington | $215,000 | Electronic receipts for 1,600 patients containing their protected health information had been improperly placed online and accessed.
Massachusetts medical billing practice and four pathology groups | $140,000 | Sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump.
Phoenix Cardiac Surgeons, LLC | $100,000 | Group’s clinical and surgical appointments were available to the public on an Internet-based calendar.
Cornell Prescription Pharmacy | $125,000 | Disposal of unshredded documents containing the protected health information of 1,610 patients in an open dumpster.
7. 6
Several major brands have suffered bad publicity and damage…
Anthem BlueCross BlueShield – data
breach affecting 80 million members
Advocate HC – stolen unencrypted
laptops affecting 4 million patients
Walgreens – employee breach of
customer data for personal gain
Premera BlueCross BlueShield – data
breach affecting 11 million members
Sony Pictures – data breach impacting
health records of 30,000 employees
BCBS TN – 57 hard drives stolen
impacting 1 million members
8. 7
Not only does HIPAA impact entities, it reaches down to the employee level: loss of job, personal fines, and prison time.
UCLA Medical Center – 4 months in
prison for illegally viewing PHI
NE Arkansas nurse fired, sentenced to
probation for illegally viewing PHI
Dentist paid $12,000 for dumping files
on an unsecured basis
University of Iowa Hospital – 4
employees fired for illegally viewing PHI
East TX Hospital employee sentenced
to 18 months for illegally viewing PHI
Lake Health (OH) fired several
employees for illegally viewing PHI
9. 8
Your strategy for HIPAA as it pertains to selling to providers…
The best defense is a good offense.
10. 9
Proactively address HIPAA and be ready to go
Market requirements will compel you to become HIPAA compliant
• If you are working with providers and their patient data, it will be mandatory that
you are compliant with HIPAA.
• You will avoid lengthy hospital provider conversations, especially with the
hospital compliance office.
• You will be able to take this risk off of the table in your business development
meetings.
• You will have to sign a Business Associates Agreement (BAA) and agree to
Master Services Agreement (MSA) language with warranties, representations,
and indemnification regarding all aspects of HIPAA.
Be prepared to talk to the following people, as they will vet your solution for HIPAA:
• Chief Medical Officer
• Chief Information Officer
• Chief Medical Information Officer
• Chief Information Security Officer
• Chief Compliance Officer
11. 10
High Level HIPAA Roadmap
Become compliant with HIPAA
• Develop an enterprise-wide, fluent understanding of HIPAA
• Embed HIPAA into your culture and operations
• Develop game plan to implement HIPAA requirements
• Completely document your HIPAA efforts
• At this stage, you are compliant with HIPAA
Ultimately, you will need to achieve HIPAA Compliance
• Conduct a HIPAA self assessment
• When ready, contract out and conduct a HIPAA audit
• The HIPAA audit and successful audit remediation will achieve HIPAA
Compliance
• If successful, the satisfactory audit report will be your certification
12. 11
How do you become HIPAA Compliant?
Here’s the blueprint.
13. 12
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States
Congress and signed by President Bill Clinton on August 21, 1996. It has been known as the Kassebaum-
Kennedy Act after two of its leading sponsors.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose
their jobs. Title I also regulates the availability and breadth of group health plans and certain individual
health insurance policies.
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of
individually identifiable health information as well as outlining numerous offenses relating to health care and
sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse
within the health care system.
However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires
the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the
health care system by creating standards for the use and dissemination of health care information.
These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health
plans, health care clearinghouses, such as billing services and community health information systems, and
health care providers that transmit health care data in a way that is regulated by HIPAA.
Per the requirements of Title II, the HHS has promulgated rules regarding Administrative Simplification: the
Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, the
Breach Notification Rule, and the Enforcement Rule.
Source: Wikipedia.
14. 13
Four major rules to understand on the path to HIPAA Compliance…
Overview and key points
• HIPAA Privacy Rule – establishes national standards to protect individuals’ medical records and other PHI. Requires appropriate safeguards to protect PHI privacy and sets conditions and limits on uses and disclosures that may be made without patient authorization. Defines patients’ rights regarding access to their records.
• HIPAA Security Rule – requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
• HIPAA Breach Notification Rule – requires most healthcare providers to notify patients when there is a breach of unsecured PHI. Requires the entities to promptly notify HHS of any breach of unsecured PHI and to notify the media/public if the breach affects more than 500 patients.
• HIPAA Enforcement Rule – spells out investigations, penalties, and procedures for hearings. Penalties can include fines and/or prison time.
15. 14
The HIPAA Privacy Rule provides the definitions of compliance…
Privacy Rule
Rule Summary
• The Privacy Rule addresses the use and disclosure of individuals’ Protected Health Information (PHI) by organizations subject to the Privacy Rule (Covered Entities), as well as standards for individuals’ privacy rights to understand and control how their PHI is used.
• A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the
flow of health information needed to provide and promote high quality health care and to protect the public’s health and
well being.
• The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services has the responsibility for
promoting and enforcing the Privacy Rule.
Who are the Covered Entities subject to the Privacy Rule?
Health Plans – Health Plan Covered Entities include individual and group health insurance plans that provide or pay the cost of medical care, including health, dental, vision, and prescription drug insurers, health maintenance organizations, Medicare, Medicaid, Medicare supplemental insurers, and long-term-care insurers.
Health Care Providers – All health care providers who provide medical or health services, regardless of size, who electronically transmit health information in connection with certain transactions. Transactions include claims, benefit eligibility, referral authorization, and other HIPAA transactions.
Health Care Clearinghouses – Entities that process non-standard information they receive from another entity. Clearinghouses receive PHI only when they are providing services to a Health Plan or Health Care Provider. Clearinghouses include billing services, community health management information systems, and repricing companies.
16. 15
Know the Privacy Rule Definitions
Term | Definition
Protected Health Information (PHI) | All individually identifiable health information held or transmitted by a Covered Entity or its Business Associate in any form or media, including electronic or paper. PHI includes any information that relates to the individual’s past, present, or future physical or mental health/condition, or to the past, present, or future provision of or payment for health care to the individual, and that identifies the individual or for which there is a reasonable basis to identify the individual.
Business Associate | Person or organization that performs certain functions or activities on behalf of or for a Covered Entity that involve the use or disclosure of PHI; these can include claims processing, data analysis, utilization review, legal, actuarial, consulting, accounting, data aggregation, management, administrative, accreditation, or financial services.
Business Associate Agreement (BAA) | Agreement that must be put in place when a Covered Entity engages a Business Associate to perform functions that require access or exposure to PHI.
De-Identified Health Information | Health information that neither identifies nor provides a reasonable basis to identify the individual. There are two ways to de-identify PHI: 1) a formal determination by an expert; or 2) the removal of specified identifiers of the individual.
Authorization | A Covered Entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for payment, treatment, or operations. The Covered Entity may not condition payment, treatment, or operations on an individual granting authorization. Communication for treatment of the individual, or care coordination for the individual to recommend treatment, is not subject to Authorization.
Minimum Necessary | A Covered Entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request. The Covered Entity must develop and implement a Minimum Use Policy and Procedure.
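As an added example (not from the deck), the following Python applies the second de-identification route named above, removal of specified identifiers, using the Privacy Rule's Safe Harbor rules for direct identifiers, dates, ages over 89 and ZIP codes; the record layout, field names and sample patient are invented.

```python
"""Removing the specified identifiers from a PHI record (the second of the two
de-identification routes the deck names). Added example, not from the slides:
it applies the Privacy Rule's Safe Harbor rules for direct identifiers, dates,
ages over 89 and ZIP codes; the record layout and field names are invented."""
import re
from datetime import date

# Fields Safe Harbor removes outright (the subset present in this invented layout).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "device_serial", "ip_address",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# Free-text fields are scanned for phone numbers and e-mail addresses.
FREE_TEXT_FIELDS = {"clinical_notes"}

PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

AS_OF = date(2016, 6, 8)  # constructed reference date for age computation


def _age_on(dob, as_of):
    """Whole years between date of birth and the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def _zip3(zip_code):
    """Keep the first three ZIP digits. Safe Harbor additionally requires '000'
    for 3-digit areas with 20,000 or fewer people; that census lookup is omitted."""
    digits = re.sub(r"\D", "", str(zip_code))
    return digits[:3] if len(digits) >= 3 else None


def deidentify(record, as_of=AS_OF):
    """Return a de-identified copy of `record`; `as_of` is the date used for age."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped outright
        if field == "date_of_birth":
            dob = date.fromisoformat(value) if isinstance(value, str) else value
            age = _age_on(dob, as_of)
            if age > 89:
                # Ages over 89, and the birth year that would reveal them,
                # are aggregated into a single "90+" category.
                out["age"] = "90+"
            else:
                out["age"], out["birth_year"] = age, dob.year
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = int(str(value)[:4])
        elif field == "zip":
            out["zip3"] = _zip3(value)
        elif field in FREE_TEXT_FIELDS:
            out[field] = EMAIL_RE.sub("[EMAIL]", PHONE_RE.sub("[PHONE]", str(value)))
        else:
            out[field] = value
    return out


# Constructed sample record: a fictional patient, not real data.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Example",
    "date_of_birth": "1924-02-14",
    "zip": "60610-1234",
    "admission_date": "2016-05-30",
    "diagnosis_code": "I10",
    "clinical_notes": "Prefers calls at 312-555-0142 or jane@example.org before 9am.",
    "email": "jane@example.org",
}

if __name__ == "__main__":
    for key, val in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
```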
17. 16
Understand Privacy Rule – Permitted Uses and Disclosures of PHI
Basic Principle
A major use of the Privacy Rule is to define and limit the circumstances in which an individual’s PHI may be used or disclosed by Covered Entities.
Required Disclosures
A Covered Entity must disclose PHI in two situations: 1) upon request by the individual; 2) to HHS when undertaking a compliance investigation.
Permitted Uses and Disclosures
A Covered Entity is permitted but not required to use and disclose PHI without an individual’s authorization for the following reasons (shown as a diagram on the original slide):
• Individual
• Payment, Treatment, Operations
• Permitted by Individual
• Incidental Use and Disclosure
• Public Interest and Benefit *
• De-Identified
• Limited Data Set
* Public Interest and Benefit includes required by law, public health, abuse or domestic violence cases, law enforcement, research, worker’s comp, serious threat to health/safety, etc.
18. 17
The Privacy Notice is a key component of the Privacy Rule.
Each Covered Entity must provide a copy of its Notice of Privacy Practices, and it must contain the following elements:
• Describe the ways in which the Covered Entity may use and disclose PHI.
• State the Covered Entity’s duties to protect privacy
• Provide a notice of privacy practices and abide by the current notice
• Describe the individual’s rights including the right to complain to HHS and the Covered Entity if they believe their privacy
rights have been violated.
• Include a point of contact for further information and for making complaints
In addition to the Privacy Notice, individuals have the following rights with regards to PHI held by a Covered Entity:
• Access – To review and obtain a copy of their PHI in the Covered Entity’s dataset
• Ability to Amend PHI – To have Covered Entities amend their PHI when they feel the information is inaccurate or incorrect
• Disclosure Accounting – Access to an accounting of the disclosures of their PHI by a Covered Entity for a maximum of six
years.
• Restriction Request – To request that a Covered Entity restrict use or disclosure of PHI for payment, treatment, and operations. However, the Covered Entity is under no obligation to agree to requests for restrictions.
19. 18
HIPAA Privacy Rule – implementation
Action | Description | Implementation
Privacy Policies and Procedures | Covered Entity must develop and implement written privacy policies and procedures. | Develop Policies and Procedures manual
Privacy Personnel | Covered Entity must designate a privacy official responsible for developing and implementing privacy policies and procedures, and also provide a contact person for receiving complaints and inquiries. | Assign this duty to a company leader; Policies and Procedures
Workforce Training and Management | Covered Entity must train all employees on its policies and procedures, which include sanctions for policy violations. | Training program; sourced computer-based training
Mitigation | Covered Entity must mitigate any harmful effect caused by a use or disclosure of PHI in violation of its Policies and Procedures or the Privacy Rule. | Business/IT functional response as needed
Data Safeguards | Covered Entity must maintain administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of its Policies and Procedures or the Privacy Rule. | See Security Rule for implementation.
Complaints | Covered Entity must have procedures for individuals to complain about its compliance with its policies and procedures and the Privacy Rule. | Policies and Procedures; implement on the web
20. 19
HIPAA Privacy – implementation continued
Action | Description | Implementation
Documentation and Record Retention | Covered Entity must maintain for at least six years its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions that the Privacy Rule requires to be documented. | Policies and Procedures; store historical information in the Cloud
Privacy Policy | Covered Entity must establish and publish its Privacy Policy with the elements listed in the Privacy Rule. Typically, the Privacy Policy is linked from the company website. | Policy and Procedure; post Privacy Policy on the web.
Retaliation and Waiver | Covered Entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting with an investigation by HHS, or for opposing an action that the person believes in good faith violates the Privacy Rule. | Policy and Procedure
21. 20
HIPAA defines the way PHI breaches are handled.
Breach Notification Rule
Definition of PHI Breach
Unauthorized use or disclosure of unsecured protected health information, unless the HIPAA covered entity can demonstrate that the probability of the PHI having been compromised is low.
To show low probability, a risk assessment should be completed:
1. What kind of PHI was involved – identifiers and likelihood of re-identification?
2. Who was the person who had the unsecured PHI?
3. What was the PHI that was actually viewed?
4. What is the actual risk to the PHI?
Three exceptions to the definition of Breach:
1. Unintentional access to the PHI in the workplace while acting under the authority of the Covered Entity
2. Accidental disclosure of PHI by someone who is authorized to access the PHI
3. Covered Entity has a good faith belief that the unauthorized person who accessed the PHI was not able to retain it
22. 21
There are specific steps to notify those affected by a breach.
• Breach Notification should be sent to the affected individuals by first class mail, or by email if the individual has selected this method.
• Must be sent out within 60 days of discovery of the breach.
• Notification should include:
- Description of breach
- Type of information breached
- Steps individuals need to take to protect themselves
- Steps the Covered Entity is taking to investigate and prevent further breaches
• If the individual contact information is out of date for more than 10 individuals, then the Covered Entity is required to post a notice on its website for 90 days or send a media notice. A toll free number needs to be posted.
• For breaches affecting more than 500 individuals, a media notice is required in addition to individual notification.
• Media notice takes the form of a press release within 60 days to the media outlets that serve the areas that are affected.
• Notification of the breach also needs to be sent to the office of the U.S. Secretary of Health and Human Services (HHS).
• An investigation by the Office for Civil Rights under HHS may be initiated to determine cause as well as potential penalties under the Enforcement Rule.
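The breach-handling steps above turned into a checklist function, as an added example that is not part of the original slides; the Breach record and the plan layout are the editor's construction, and the two HHS reporting deadlines and the 10-or-more stale-contact threshold are taken from the regulation text rather than from the slides.

```python
"""Breach Notification Rule checklist. Added example, not part of the deck.
The 60-day and 90-day windows and the 500-individual media threshold are the
ones the slides state; the HHS reporting deadlines and the 'ten or more'
stale-contact threshold come from the regulation text."""
from dataclasses import dataclass
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60   # deck: within 60 days of discovery
MEDIA_NOTICE_DAYS = 60        # deck: press release within 60 days
SUBSTITUTE_NOTICE_DAYS = 90   # deck: website notice posted for 90 days
MEDIA_THRESHOLD = 500         # deck: media notice when more than 500 individuals
STALE_CONTACT_THRESHOLD = 10  # regulation: substitute notice at 10 or more stale addresses

NOTICE_CONTENTS = (
    "description of the breach",
    "types of information involved",
    "steps individuals should take to protect themselves",
    "what the covered entity is doing to investigate and prevent further breaches",
)


@dataclass
class Breach:
    discovered_on: date
    individuals_affected: int
    stale_contact_count: int = 0                 # individuals with out-of-date contact info
    email_elected: frozenset = frozenset()       # individual ids who chose email notice
    low_probability_of_compromise: bool = False  # outcome of the four-factor risk assessment


def notice_channel(breach, individual_id):
    """Deck: first-class mail, or email if the individual selected that method."""
    return "email" if individual_id in breach.email_elected else "first-class mail"


def notification_plan(breach):
    """Return which notices are required for `breach` and by when."""
    if breach.low_probability_of_compromise:
        # Not a reportable breach; the documented risk assessment is what proves it.
        return {"reportable": False, "retain": "documented four-factor risk assessment"}

    found = breach.discovered_on
    plan = {
        "reportable": True,
        "individual_notice_by": found + timedelta(days=INDIVIDUAL_NOTICE_DAYS),
        "notice_contents": NOTICE_CONTENTS,
        "media_notice_by": None,
        "substitute_notice": None,
        "hhs_notice_by": None,
    }
    if breach.individuals_affected > MEDIA_THRESHOLD:
        plan["media_notice_by"] = found + timedelta(days=MEDIA_NOTICE_DAYS)
        # Regulation: large breaches are reported to HHS on the same 60-day clock.
        plan["hhs_notice_by"] = found + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    else:
        # Regulation: smaller breaches are logged and reported to HHS within
        # 60 days after the end of the calendar year in which they were discovered.
        plan["hhs_notice_by"] = date(found.year, 12, 31) + timedelta(days=60)

    if breach.stale_contact_count >= STALE_CONTACT_THRESHOLD:
        plan["substitute_notice"] = (
            f"post on website for {SUBSTITUTE_NOTICE_DAYS} days or notify major media, "
            "with a toll-free number"
        )
    elif breach.stale_contact_count > 0:
        plan["substitute_notice"] = "alternative written notice, telephone, or other means"
    return plan


# Constructed scenario: a lost unencrypted laptop discovered on the workshop date.
LAPTOP_BREACH = Breach(discovered_on=date(2016, 6, 8), individuals_affected=1200,
                       stale_contact_count=25, email_elected=frozenset({"pt-42"}))

if __name__ == "__main__":
    for key, val in notification_plan(LAPTOP_BREACH).items():
        print(f"{key}: {val}")
```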
23. 22
HIPAA defines the penalties for breaches.
Enforcement Rule
Violation Category | Penalty for Each Violation | Maximum for All Violations of an Identical Provision in a Calendar Year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000
• HHS is mandated to conduct HIPAA investigations if a preliminary review indicates a potential violation is due to willful neglect. Otherwise, investigations are discretionary.
• HHS will not impose the maximum penalty in all cases but will determine the fine amount on a case by case basis depending upon the nature and extent of the violation, the nature and extent of resulting harm, the history of non-compliance of the entity, and the financial condition of the entity.
• Previous history of non-compliance is a major factor, as HHS will use the history as either a mitigating or punitive factor.
• The Enforcement Rule prohibits the imposition of a civil monetary penalty for any violation other than willful neglect if the violation is corrected within 30 days of the entity’s realization of the violation.
24. 23
The Security Rule defines requirements to protect PHI.
Security Rule
Technical Safeguards
1. Access Control
2. Audit Controls
3. Integrity
4. Authentication
5. Transmission Security
Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies and are designed to be “technology neutral.”
Physical Safeguards
1. Facility Access Control
2. Workstation Use
3. Workstation Security
4. Device and Media Controls
Physical Safeguards are a set of rules and guidelines that focus on physical access to PHI.
Administrative Safeguards
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluation of Business/Law Changes
9. BAA Contracts and Other Agreements
Administrative Safeguards are a collection of policies and procedures that govern the conduct of the workforce and the security measures put in place to protect PHI.
25. 24
HIPAA Security Rule - implementation
Safeguard | Standard | Action Description | Implementation
Access Control | Unique User Identification | Assign a unique name and/or number for identifying and tracking user identity. | User authentication
Access Control | Emergency Access Procedure | Establish procedures for obtaining necessary PHI during an emergency. | Policy and Procedure; business process set up to fulfill requests
Access Control | Automatic Logoff | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | Build timeout into technology
Access Control | Encryption and Decryption | Implement technology to encrypt and decrypt data both at rest and in transmission. | Database encryption
Audit Controls | Audit Controls | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI. | Build logging and audit capability
Integrity | Mechanism to Authenticate PHI | Implement electronic mechanisms to corroborate that PHI has not been altered or destroyed in an unauthorized manner. | Build tracking, logging, and audit into technology
Authentication | Authentication | Implement procedures to verify that a person or entity seeking access to PHI is the one claimed. | Build user authentication into technology
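An added example (not the deck's or any vendor's code) of how a startup might build three of the technical safeguards in the table above into an application: automatic logoff bound to a unique user id, a tamper-evident access log, and a record-integrity check, using only the Python standard library; the 15-minute timeout, the HMAC key and the record layout are assumptions.

```python
"""Three Technical Safeguards in one small service: unique user identification
and automatic logoff (Access Control), a tamper-evident access log (Audit
Controls), and a digest that corroborates a record has not been altered
(Integrity). Added example, not from the deck, standard library only; the
15-minute timeout, the HMAC key and the record layout are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

SESSION_TIMEOUT_SECONDS = 15 * 60  # assumed policy value


class SessionExpired(Exception):
    pass


def _canonical(obj):
    """Stable byte encoding so digests and MACs do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class SessionManager:
    """Issues session ids bound to a unique user id and terminates them after
    `timeout` seconds of inactivity. `clock` is injectable for testing."""

    def __init__(self, timeout=SESSION_TIMEOUT_SECONDS, clock=time.monotonic):
        self.timeout, self.clock = timeout, clock
        self._sessions = {}  # session_id -> (user_id, last_activity)

    def login(self, user_id):
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = (user_id, self.clock())
        return sid

    def touch(self, sid):
        """Return the user id of a live session and refresh its activity time."""
        if sid not in self._sessions:
            raise SessionExpired("unknown or already terminated session")
        user_id, last = self._sessions[sid]
        now = self.clock()
        if now - last > self.timeout:
            del self._sessions[sid]  # automatic logoff: terminate, not just reject
            raise SessionExpired("session terminated after inactivity")
        self._sessions[sid] = (user_id, now)
        return user_id


class AuditLog:
    """Append-only log; every entry carries an HMAC over its fields and the
    previous entry's MAC, so edits or deletions of earlier entries are detectable."""

    def __init__(self, key):
        self._key, self.entries, self._prev_mac = key, [], "0" * 64

    def record(self, user_id, action, record_id, ts=None):
        entry = {"ts": time.time() if ts is None else ts, "user": user_id,
                 "action": action, "record": record_id, "prev": self._prev_mac}
        mac = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append({**entry, "mac": mac})
        self._prev_mac = mac

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if body["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, None


class PhiStore:
    """Keeps a SHA-256 digest beside each record; every access is session-checked and logged."""

    def __init__(self, sessions, audit):
        self.sessions, self.audit = sessions, audit
        self._records = {}  # record_id -> (record, digest)

    def put(self, sid, record_id, record):
        user = self.sessions.touch(sid)
        self._records[record_id] = (record, hashlib.sha256(_canonical(record)).hexdigest())
        self.audit.record(user, "write", record_id)

    def get(self, sid, record_id):
        user = self.sessions.touch(sid)
        record, digest = self._records[record_id]
        if hashlib.sha256(_canonical(record)).hexdigest() != digest:
            self.audit.record(user, "integrity-failure", record_id)
            raise ValueError(f"record {record_id} was altered outside the store")
        self.audit.record(user, "read", record_id)
        return record


if __name__ == "__main__":
    sessions, audit = SessionManager(), AuditLog(b"constructed-demo-key")
    store = PhiStore(sessions, audit)
    sid = sessions.login("nurse-17")
    store.put(sid, "rec-1", {"patient": "fictional", "dx": "I10"})
    print(store.get(sid, "rec-1"), audit.verify())
```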
26. 25
HIPAA Security Rule - implementation
Safeguard | Standard | Action Description | Implementation
Transmission Security | Integrity Controls | Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until disposed of. | Build audit, logging, and tracking into technology
Transmission Security | Encryption | Implement a mechanism to encrypt PHI whenever deemed appropriate. | Encrypt data wherever needed
Facility Access Controls | Contingency Operations | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the Disaster Recovery Plan and emergency mode operations in the event of an emergency. | Develop and test DR/BC plan
Facility Access Controls | Facility Security Plan | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Alarm systems; keys policy
Facility Access Controls | Access Control and Validation Procedures | Implement procedures to control and validate a person’s access to facilities based upon their role or function, including visitor control, and control of access to software programs for testing and revision. | Policy and Procedure; role based access; business process to support
Facility Access Controls | Maintenance Records | Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g., hardware, walls, doors, and locks). | Policy and Procedure; alarm system; keys policy
27. 26
HIPAA Security Rule - implementation
Safeguard | Standard | Action Description | Implementation
Workstation Use | Workstation Use | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access PHI. | Policies and Procedures
Workstation Security | Workstation Security | Implement physical safeguards for all workstations that access PHI, to restrict access to authorized users. | Laptop encryption; no PHI on laptops; Policy and Procedure
Device and Media Controls | Disposal | Implement policies and procedures to address the final disposition of PHI and/or the hardware or electronic media on which it is stored. | Policy and Procedure; build PHI destruction into the database
Device and Media Controls | Media Re-Use | Implement procedures for removal of PHI from electronic media before the media are made available for re-use. | Flash drive/CD destruction; Policy and Procedure
Device and Media Controls | Accountability | Maintain a record of the movements of hardware and electronic media and any person responsible therefor. | Develop record database, maintain database, and store on the network
Security Management Process | Risk Analysis | Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated. | Perform Risk Analysis using Risk Analysis Tool
28. 27
HIPAA Security Rule - implementation
Safeguard | Standard | Action Description | Implementation
Security Management Process | Risk Management | Implement sufficient measures to reduce these risks to an appropriate level. | Policies and Procedures
Security Management Process | Sanction Policy | Implement sanction policies for employees who fail to comply. | Policy and Procedure
Security Management Process | Information Systems Activity Review | Regularly review system activity, logs, audit trails, etc. | Business process to review logs
Assigned Security Responsibility | Officer | Designate HIPAA Security and Privacy Officers. | Assign this role to a company leader
Workforce Security | Employee Oversight | Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment. | Policy and Procedure; business process to support
Information Access Management | Multiple Organizations | Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access. | Put BAA in place for appropriate organizations
29. 28
HIPAA Security Rule - implementation
Safeguard | Standard | Action Description | Implementation
Security Awareness and Training | Security Reminders | Periodically send updates and reminders about security and privacy policies to employees. | Annual employee training; develop ongoing HIPAA program for employees
Security Awareness and Training | Protection Against Malware | Have procedures for guarding against, detecting, and reporting malicious software. | Implementation of firewalls, anti-virus, and other security protections
Security Awareness and Training | Password Management | Ensure that there are procedures for creating, changing, and protecting passwords. | Create and implement password change policy
Security Awareness and Training | Login Monitoring | Institute monitoring of logins to systems and reporting of discrepancies. | Build logging and monitoring into technology
Security Incident Procedures | Response and Reporting | Identify, document, and respond to security incidents. | Policy and Procedure; security business process
Contingency Plan | Contingency Plan | Ensure that there are accessible backups of PHI and that there are procedures for restoration of any lost data. | Create frequent backups of the database
Contingency Plan | Contingency Plan Updates and Analysis | Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components. | Test DR/BC plans
30. 29
HIPAA Security Rule - implementation
Safeguard | Standard | Action Description | Implementation
Contingency Plan | Emergency Mode | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of PHI while operating in emergency mode. | DR/BC Plan
Evaluations | Evaluations | Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures. | HIPAA seminars and education
Business Associate Agreements | Business Associate Agreements | Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access. | BAA
31. 30
Summary - Achieving HIPAA Compliance
Key Activities
Become HIPAA compliant
• Develop HIPAA Policies and Procedures and implement
• Name Chief Compliance Officer
• Implement enterprise training for Policies and Procedures
• Mandatory annual HIPAA training for employees and onboarded new employees
• Put BAA agreements in place with both vendors and customers
• Develop security measures for laptops including encryption
• Implement ongoing HIPAA employee communication program
• Post Privacy Notice on website
• Build into technology
- Database encryption – at rest and in transit
- Role Based Access to systems
- Authentication – two factor
- Access audit records
- Documented technology configurations
- Data corroboration
• Develop Breach Notification Plan
Achieve HIPAA Compliance
• Conduct preliminary enterprise risk assessment and analysis using National Institute of Standards and Technology (NIST) Assessment Tool
• Remediate any issues flagged by the NIST Assessment Tool
• When ready, contract out for a HIPAA Compliance Audit.
• Remediate any issues flagged by the audit.
• Receive final Compliance Audit report showing documented HIPAA compliance
HIPAA Maturity
• Maintain and adhere to HIPAA Policies and Procedures
• Maintain ongoing employee HIPAA program
• Defend against PHI breaches.
• Conduct periodic Risk Assessments
• Prepare for and assist with any customer HIPAA audits
• Respond, if necessary, to any and all breaches.
• Achieve SOC 2 compliance
32. 31
When in doubt, go to the source
https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html