Preparing for an OCR Audit: What is Expected of You


Slide 1: Preparing for an OCR Audit: What is Expected of You

Slide 2: Speakers
- Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
- Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
- Kurt J. Long, Founder and CEO, FairWarning

Slide 3: Agenda
This webinar is a follow-up to our March 9th webinar, in which Nicholas Heesters from the Office for Civil Rights covered common findings associated with audit controls and access rights management.
- How to conduct an application risk analysis to create written documentation of why you monitor an application or not
- Key elements of your acceptable use policies for authorized users of your applications holding ePHI
- Key aspects of a successful awareness training program
- What generally to expect from an OCR audit
- Insights into protecting your organization from affiliated staff
- Breakdown of the recent OCR audit control resolution agreement

Slide 4: Application Risk Analysis: Understanding, Documenting and Mitigating Your Risk
- Identify where all your ePHI resides
- Complete an application inventory
- Develop criteria to evaluate the risks involved
- Prioritize the order in which applications are integrated into FairWarning based on the risk criteria
- Proactively monitor applications for inappropriate use

Slide 5: Documentation of Decisions
- Document the plan to integrate applications into FairWarning
- Document the criteria used to select applications holding ePHI
- Executive sign-off on all documentation
- You may reach out to your customer success manager to request educational materials

Slide 6: Acceptable Use of ePHI Policy: Key Elements
- Set the expectation that users have zero rights to privacy within the organization's application systems
- Who is responsible for setting use and access?
- What is considered business appropriate?
- How can users access records for personal use (i.e. the patient portal)?
- What happens if a user sees inappropriate behavior?

Slide 7: Awareness Training
- An evolving threat landscape requires evolving the human firewall
- Educate staff as new threats emerge
- Empower them on how to prevent threats from happening
- Change users' behavior with proactive training
- Reinforce the organization's expectations
- Train users to be ambassadors
- Document that all users are periodically trained

Slide 8: FairWarning Educational Materials
Reach out to your customer success manager to request educational materials.

Slide 9: OCR Enforcement
- June 2016: Iliana Peters cited that covered entities lacked appropriate auditing controls
- January 2017: OCR offers guidance on the importance of audit controls
- February 16, 2017: OCR issues a first-of-its-kind Resolution Agreement highlighting the importance of audit controls
- February 20, 2017: "We are going to continue to execute our enforcement authorities business as usual" - Deven McGraw, Deputy Director of HHS Office for Civil Rights
- To hear more on 2017 OCR enforcement from Deven McGraw

Slide 10: What to Expect - Initial Request
- Assign individuals designated to work with the OCR
- Documentation of investigative reports for all incidents, along with the response taken to mitigate them
- Copies of notification letters
- Evidence that the organization notified the media of any breach affecting more than 500 individuals
- Policies and procedures regarding security incidents
- Policies and procedures surrounding security awareness and training
- Proof that staff completed training
- Policies and procedures for reviewing system activity
- Policies and procedures regarding access controls
- Policies and procedures detailing sanctions
- Policies and procedures for proper use of workstations
- Documentation that all staff are trained: new members when they join, and everyone whenever policies and procedures change

Slide 11: OCR/HIPAA Review/Audit Timeline
- Notification receipt: timestamp or date of receipt
- Document discovery: 10 days to supply
- Review of documents: 4-8 weeks for the audit team to review materials
- Onsite visits: they will notify you of the dates (3-14 days onsite)
- Preliminary report: provided at the out-brief on the last day onsite
- Final report: days after onsite
- Management response: 14 days to provide
- Package to OCR: after the 14-day period for the management response ends

Slide 12: Don't Be One of These - Lessons Learned
- Do not recycle user IDs
- Policies were not reviewed and do not support your program
- Staff not given any training prior to the start of the monitoring program
- No plan or process to follow up on alerts for potentially unwanted behavior
- Zero-tolerance policy from day one
- No plan or process for how and where to document the follow-ups
- Turning on too many automated alerts at one time
- Leaving investigations open and active past notification deadlines

Slide 13: Security Management Process
(1)(i) Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Slide 14: Access Control
(a)(1) Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Slide 15: What You Need to Evidence
- That you are using unique user IDs for all users
- That you are reviewing system activity in systems that contain ePHI
- That you are following up on potential violations
- That you are sanctioning employees who fail to comply with the policies

Slides 16-21: The Evidence (screenshot slides; no text was transcribed)

Slide 22: Keys to Win Executive Support
- Risk is leaving the business
- Greater trust from patients
- Less likelihood of lawsuits
- Fewer patient complaints
- Less likelihood of an OCR breach

Slide 23: Breakdown of the Recent OCR Audit Control Resolution Agreement
- The protected health information (PHI) of 115,143 individuals was accessed by its employees and impermissibly disclosed to affiliated physician office staff.
- Failed to implement procedures with respect to reviewing, modifying and/or terminating users' right of access.
- Failed to regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices.
- The login credentials of a former employee of an affiliated physician's office had been used to access ePHI on a daily basis without detection, affecting 80,000 individuals.

Slide 24: Prevalent Industry Challenges
Non-employees with access: vendors, contractors, affiliate physicians.
Diagram (text recovered from the slide): FairWarning Dynamic Identity Intelligence takes identity data from Lawson + AD (the healthcare system network, including 3rd-party physicians, diagnostic clinics, etc.) and correlates it with application access logs and local user lists (AD, Cerner, others) to discover known users, unmatched users and dormant users, and to flag access after termination. This feeds access control review and dynamic identity on roles, profiles and history; data integrity is foundational to FairWarning.

Slide 25: Dynamic Identity Intelligence
- Discover unmatched/unknown users
- Report on access after termination
- Reporting on HIPAA's access rights management

Slide 26: Patient Privacy Intelligence
- Monitors access to PHI in EHRs, apps, cloud and big data
- Insider threats: OCR issued an advisory in August 2016
- HIPAA audit controls
Managed Privacy Services
- Trained and certified FairWarning staff members who review your potential incidents and guide you toward continual HIPAA compliance readiness
Dynamic Identity Intelligence
- Identify and monitor affiliated, non-employee users
- Reporting on HIPAA's access rights management
Cloud
- Highest service levels, ease of use, secure, affordable
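The review the Dynamic Identity Intelligence slides describe (slides 23 to 26) is, at its core, a correlation of application access logs against an authoritative identity roster: every user ID in the logs is either a known active account, an account whose access continued after the termination date, or an ID the roster does not know at all, and active roster accounts with no recent activity are dormant. The script below is an added example written for this page, not FairWarning's code, and makes no claim about how their product is built; the roster export, the log format and all user and patient values are constructed sample data. It covers the former-employee scenario from the resolution agreement on slide 23 (daily access from a terminated account) and the unmatched and dormant user classes from slides 24 and 25.

```python
"""Correlate application access logs with an identity roster to surface the
user classes the slides name: known, unmatched, dormant, and access after
termination. Added example; every record below is constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed identity roster in the shape of an HR/AD export (not real data).
ROSTER_CSV = """user_id,name,status,termination_date,affiliation
jdoe,Jane Doe,active,,employee
bsmith,Bob Smith,terminated,2017-01-15,employee
drlee,Dr Lee,active,,affiliate_physician
mwong,Mary Wong,active,,employee
"""

# Constructed EHR-style access log lines (not real data). bsmith was
# terminated on 2017-01-15 but keeps appearing; xtemp01 is in no roster.
ACCESS_LOG = """2017-02-01T08:12:03 app=ehr user=jdoe action=view_record patient=P1001
2017-02-01T09:40:11 app=ehr user=bsmith action=view_record patient=P2002
2017-02-02T09:41:30 app=ehr user=bsmith action=view_record patient=P2003
2017-02-02T10:05:00 app=ehr user=drlee action=view_record patient=P1002
2017-02-03T11:00:00 app=billing user=xtemp01 action=export patient=P3001
"""


@dataclass
class Identity:
    user_id: str
    name: str
    status: str
    termination_date: Optional[datetime]
    affiliation: str


@dataclass
class AccessEvent:
    ts: datetime
    app: str
    user: str
    action: str
    patient: str


def parse_roster(text: str) -> Dict[str, Identity]:
    """Parse the CSV roster into a dict keyed by user_id."""
    roster: Dict[str, Identity] = {}
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the header row
        user_id, name, status, term, affiliation = line.split(",")
        term_dt = datetime.strptime(term, "%Y-%m-%d") if term else None
        roster[user_id] = Identity(user_id, name, status, term_dt, affiliation)
    return roster


def parse_access_log(text: str) -> List[AccessEvent]:
    """Parse 'timestamp key=value ...' lines into AccessEvent records."""
    events: List[AccessEvent] = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(datetime.fromisoformat(ts_str), kv["app"],
                                  kv["user"], kv["action"], kv["patient"]))
    return events


def review_activity(events: List[AccessEvent], roster: Dict[str, Identity],
                    as_of: datetime, dormant_days: int = 90) -> Dict[str, list]:
    """Classify each event and list active accounts with no recent access."""
    findings: Dict[str, list] = {"known": [], "unmatched": [],
                                 "after_termination": [], "dormant": []}
    last_seen: Dict[str, datetime] = {}
    for e in events:
        ident = roster.get(e.user)
        if ident is None:               # ID not in any identity source
            findings["unmatched"].append(e)
            continue
        last_seen[e.user] = max(last_seen.get(e.user, e.ts), e.ts)
        if ident.termination_date is not None and e.ts > ident.termination_date:
            findings["after_termination"].append(e)
        else:
            findings["known"].append(e)
    for uid, ident in roster.items():   # dormant: active but unused lately
        if ident.status != "active":
            continue
        seen = last_seen.get(uid)
        if seen is None or as_of - seen > timedelta(days=dormant_days):
            findings["dormant"].append(uid)
    return findings


def summarize(findings: Dict[str, list]) -> Dict[str, int]:
    return {k: len(v) for k, v in findings.items()}


def run_review(log_text: str = ACCESS_LOG, roster_text: str = ROSTER_CSV,
               as_of: str = "2017-02-28") -> Dict[str, list]:
    """Convenience entry point: review the embedded sample data."""
    return review_activity(parse_access_log(log_text), parse_roster(roster_text),
                           datetime.fromisoformat(as_of))


if __name__ == "__main__":
    result = run_review()
    print(summarize(result))
    for ev in result["after_termination"]:
        print("access after termination:", ev.user, ev.ts.date(), ev.app, ev.patient)
```

Run against the sample data, the review reports two known events, one unmatched ID (`xtemp01`), two post-termination events (both `bsmith`) and one dormant account (`mwong`). The point for an audit is the evidence trail: each finding carries the log line, the roster record and the review date, which is what "reviewing system activity" and "following up on potential violations" on slide 15 ask you to show.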

Slide 27: Audit Control References
- HHS Announcement: Understanding the Importance of Audit Controls
- Review the NIST guidance on Risk Analysis
- FairWarning Executive Webinar: Director of OCR Enforcement announced there would be an upcoming emphasis on Audit Controls
- FairWarning Executive Webinar: Implications of OCR Audit Controls Enforcement and the Role of Audit Trails in Litigation

Slide 28: Questions? Contact us
- Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
- Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
- Kurt J. Long, Founder and CEO, FairWarning


More information

Enterprise Availability Management

Enterprise Availability Management Statement of Work Enterprise Availability Management This Statement of Work ( SOW ) is between the Customer (also called you and your ) and the IBM legal entity referenced below ( IBM ). This SOW is subject

More information

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services OBJECTIVES

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services OBJECTIVES Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services 1 OBJECTIVES What should be done before you sign a contract with a vendor Your responsibilities throughout the

More information

Privacy and Information Security Sanction Policy

Privacy and Information Security Sanction Policy Effective Date: November 2018 Policy Statement Privacy and Information Security Sanction Policy All workforce members, including faculty, staff, and students, are expected to comply with the organization

More information

Walter E. Johnson Director of Compliance & Ethics Kforce Government Solutions

Walter E. Johnson Director of Compliance & Ethics Kforce Government Solutions GAMING THE SYSTEM! 2016 HCCA Compliance Institute Walter E. Johnson Cindy Hart Adam Weinstein Dawn Lambert Panelists Walter E. Johnson Director of Compliance & Ethics Kforce Government Solutions Email:

More information

Effects of GDPR and NY DFS on your Third Party Risk Management Program

Effects of GDPR and NY DFS on your Third Party Risk Management Program Effects of GDPR and NY DFS on your Third Party Risk Management Program Please disable popup blocking software before viewing this webcast June 27, 2017 Grant Thornton LLP. All rights reserved. 1 CPE Reminders

More information

Interoperability & Secure, Compliant Communications in Healthcare

Interoperability & Secure, Compliant Communications in Healthcare Interoperability & Secure, Compliant Communications in Healthcare What s Inside 2 Repea t Offenders 3 HIP AA Compliance Issues 4 Business Associat e Agreement 6 Risks For Non- ompliance? 7 Abou 9 2 Risk

More information

Department of Public Health OF SAN FRANCISCO

Department of Public Health OF SAN FRANCISCO PAGE 1 of 6 1. POLICY INTENT This document establishes the policy for the disciplinary and contractual sanctions to be applied in the event of violations of San Francisco Department of Public Health (SFDPH)

More information

How to Stand Up a Privacy Program: Privacy in a Box

How to Stand Up a Privacy Program: Privacy in a Box How to Stand Up a Privacy Program: Privacy in a Box Part III of III: Maturing a Privacy Program Presented by the IT, Privacy, & ecommerce global committee of ACC Thanks to: Nick Holland, Fieldfisher (ITPEC

More information

Enterprise Compliance Management for Credit Unions

Enterprise Compliance Management for Credit Unions Enterprise Compliance for Credit Unions Streamline Regulatory Compliance with a Unified Platform to Manage Requirements and Demonstrate Compliance to Regulators Industry Challenge Credit unions are subject

More information

THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM

THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM WHITEPAPER THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM ANDREW HICKS MBA, CISA, CCM, CRISC, HCISSP, HITRUST CSF PRACTITIONER PRINCIPAL, HEALTHCARE AND LIFE SCIENCES TABLE OF CONTENTS

More information

Maintaining the Public Trust

Maintaining the Public Trust 2017 Illinois Government Auditing Conference Maintaining the Public Trust Ann Spillane, Chief of Staff Illinois Attorney General s Office October 25, 2017 About the Office of the Attorney General The Attorney

More information

Sarbanes-Oxley Compliance Kit

Sarbanes-Oxley Compliance Kit Kit February 2018 This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery

More information

PACS A WEB-BASED APPLICATION DESIGNED TO AUTOMATE YOUR WORKFLOW

PACS A WEB-BASED APPLICATION DESIGNED TO AUTOMATE YOUR WORKFLOW A WEB-BASED APPLICATION DESIGNED TO AUTOMATE YOUR WORKFLOW About us Our Company Our Mission is Simple Our company is Canadian and was established in 1994. After over 20 years, we continue to be a leading

More information

Centricity 360 Suite Case Exchange Physician Access Patient Access

Centricity 360 Suite Case Exchange Physician Access Patient Access Centricity 360 Suite Case Exchange Physician Access Patient Access Unleash the power of GE collaboration solutions to bring your distributed care teams together. Centricity 360 Suite with Case Exchange,

More information

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER ARRIVAL OF GDPR IN 2018 The European Union (EU) General Data Protection Regulation (GDPR), which takes effect in 2018, will bring changes

More information

2017 Healthcare Compliance Benchmark Study

2017 Healthcare Compliance Benchmark Study 2017 Healthcare Compliance Benchmark Study Executive Summary and Results EXECUTIVE SUMMARY This report represents SAI Global s eighth annual survey gathering insights from compliance professionals in the

More information

PII0IP PCI10PHI Addressing User Data Risks In A Distributed Data World

PII0IP PCI10PHI Addressing User Data Risks In A Distributed Data World Executive Brief Addressing User Data Risks In A Distributed Data World 1100001 111PII0IP01 11100101011 0PCI10PHI0 0111101100 11011111 Lorem ipsum ganus metronique elit quesal norit parique et salomin taren

More information

River City Medical Group ANTIFRAUD PLAN

River City Medical Group ANTIFRAUD PLAN ANTIFRAUD PLAN INTRODUCTION (RCMG) has developed an antifraud plan (the ) in compliance with Section 1348 of the California Health and Safety Code, the Centers for Medicare and Medicaid Service, and the

More information

ionmycare.com

ionmycare.com Retirement, Community, Disability & Aged Care ionmycare.com 1300 659 506 Award Winning Software 1. Strengthened Governance and Risk management. 2. Care outcomes improvement providing staff more time. 3.

More information

Privacy Assessment: Beginning the Process

Privacy Assessment: Beginning the Process Privacy Assessment: Beginning the Process Debbie Troklus, Manager (502) 585-7723 debbie.troklus@us.pwcglobal.com Chuck Self ΠωΧ HIPAA Privacy Provisions IIHI vs. PHI Uses and Disclosures Minimum Necessary

More information

Privacy Incident Response & Reporting: Pre and Post HITECH

Privacy Incident Response & Reporting: Pre and Post HITECH Privacy Incident Response & Reporting: Pre and Post HITECH Erika Riethmiller-Bol, Director, Corporate Privacy-Incident Program, Anthem, Inc. HCCA Managed Care Compliance Conference February 16, 2015 Objectives

More information

Delivering high-integrity accounting with Xero

Delivering high-integrity accounting with Xero Delivering high-integrity accounting with Xero Contents Untouched data feeds directly into Xero 4 A multi-layered approach to data integrity 5 Access controls 6 Monitoring and alerts 7 Controls and reporting

More information

Healthcare Integration. Lab data solutions with one simple connection

Healthcare Integration. Lab data solutions with one simple connection Healthcare Integration Lab data solutions with one simple connection About Lifepoint Lifepoint Informatics, founded in 1999, is the trusted leader in healthcare information technology. Our solutions advance

More information

Privacy Officer s Guide to Evaluating Cloud Vendors

Privacy Officer s Guide to Evaluating Cloud Vendors Privacy Officer s Guide to Evaluating Cloud Vendors Andrew Rodriguez, MSHI, HCISSP, CHPC, CHPS, CDP Corporate Privacy and Information Security Officer Shriners Hospitals for Children Adjunct Instructor

More information

THE MOBILE EHR SOLUTION FOR LONG-TERM/ POST-ACUTE CARE PRACTITIONERS

THE MOBILE EHR SOLUTION FOR LONG-TERM/ POST-ACUTE CARE PRACTITIONERS THE MOBILE EHR SOLUTION FOR LONG-TERM/ POST-ACUTE CARE PRACTITIONERS Save time & increase practitioner productivity. Deliver a higher quality of patient care. Capture important CMS-related requirements.

More information

Optimizing Security Practices Among Employees

Optimizing Security Practices Among Employees Optimizing Security Practices Among Employees How to manage user security practices and access to IT services during employment and after employment ends. Processes for establishing a highly secure environment

More information

Provider Directory Data Quality Compliance Program

Provider Directory Data Quality Compliance Program Provider Directory Data Quality Compliance Program Frequently Asked Questions February 2017 General Information 1. What is the Provider Directory Data Quality Compliance Program? In 2016, CMS mandated

More information

Scope Policy Statement Reason For Policy Procedure Definitions Sanctions Additional Contacts History. Scope. University Policies.

Scope Policy Statement Reason For Policy Procedure Definitions Sanctions Additional Contacts History. Scope. University Policies. Management of Human Resource Records: Personnel Records for Staff and Temporary Employees and Benefit Program Records for All Employees, Retirees, and COBRA Participants About This Policy Effective Date:

More information

11.0 FDA-Regulated Research Research Involving Investigational Drugs and Biologics

11.0 FDA-Regulated Research Research Involving Investigational Drugs and Biologics 11.0 FDA-Regulated Research The IRB evaluates the safety or efficacy of all drugs and devices used in research. Studies involving unapproved or investigational drugs or devices will be reviewed to ensure

More information