Presented to:
Pre-Conference Symposia
The Ninth National HIPAA Summit
Six+ Months to Go:
Tuning up for HIPAA Compliance – Tips of the Trade
Holt Anderson, Executive Director
North Carolina Healthcare Information & Communications Alliance, Inc.
© 2004 NCHICA, All Rights Reserved. Do Not Duplicate Without Permission
What keeps Privacy and Security Officials Awake at Night?
What keeps Privacy and Security Officials Awake at Night?
• Who is judging our effort?
  – Enforcement
• What don’t I know?
  – “Reasonably anticipated threats”
• How do we prove it?
  – Documentation
• What other Laws and Regulations apply?
  – Crosswalks
• Where do I get help?
  – Resources
• Why was I chosen?
  – ????
Compliance & Enforcement
HIPAA Enforcement
• Office for Civil Rights (Privacy)
• CMS (Transactions, Code Sets, Identifiers, Security)
• Justice Department
• FBI
• OIG (Re: lessons learned from fraud & abuse)
• Accreditation reviews
• Plaintiff’s bar & courts
• Business Continuity
HIPAA Enforcement at CMS
CMS Office of HIPAA Standards:
» Establish and operate enforcement processes
» Develop regulations
» Obtain voluntary compliance through technical assistance
» Process will be complaint driven
Summary of HIPAA Privacy Rule Compliance Activities
Received by HHS Office for Civil Rights (OCR):
7,577 complaints as of July 31, 2004.
57% have been closed, because either:
– Office for Civil Rights (OCR) lacks jurisdiction
– There was no violation of the Privacy Rule
– Complaint resolved through voluntary compliance
Summary of HIPAA Privacy Rule Compliance Activities (cont.)
Most frequent complaints:
– Impermissible use or disclosure
– Lack of adequate safeguards
– Refusal or failure to provide right of access
– Disclosures not limited to “minimum necessary” standard
– Failure to obtain individual’s authorization, when required
108 referrals to the Department of Justice (DOJ)
OCR refers to the DOJ complaints involving the knowing disclosure or obtaining of protected health information in violation of the Privacy Rule.
Business Risks
• Loose implementation may open the door to litigation for privacy violations
• Not adjusting as the scope and complexity of the current environment / technology changes
• Unquestioning reliance on vendors and “HIPAA Compliant” solutions
• Not completing a thorough analysis / compliance effort and being found negligent
Impact of Not Complying
• Possible litigation
• Loss of public confidence
• Penalties
  – Civil monetary for violations of each standard
  – Criminal for wrongful disclosure of protected health information
  – No private right of action
“Reasonably Anticipated Threats”
§ 164.306 Security standards: General rules
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
§ 164.306 Security standards: General rules (cont.)
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
Security Case - Wireless
Alleged Holly Springs Hacker Wanted To Show Flaws In Security
Clayton Dillard Accused Of Unlawfully Accessing Hospital Computer System
POSTED: 11:06 a.m. EDT September 9, 2003
RALEIGH, N.C. -- A Holly Springs man is in trouble after being accused of hacking into a medical office's wireless computer network.
Clayton Dillard is accused of hacking into a hospital computer system and accessing information of thousands of patients.
Raleigh police said Clayton Taylor Dillard, a 29-year-old information security consultant, is charged with one felony count of computer trespass, one felony count of unlawful computer access and one misdemeanor count of computer trespass. They said the charges against Dillard resulted from an intrusion that occurred to a wireless computer network at Wake Internal Medicine Consultants Inc. After Dillard accessed the information, he contacted patients and insurance companies. He also wrote WRAL a letter, stating, "These guys are a bunch of bozos." He also mailed WRAL copies of checks and insurance forms with patient names and procedures.
http://www.wral.com/news
Copyright WRAL News 2003
Security Case - Wireless (cont.)
Holly Springs Man First In Nation Convicted Of Wireless Crime
Man Pleads Guilty To Hacking Into Patient Files
POSTED: 7:42 a.m. EST November 5, 2003
RALEIGH, N.C. -- Wireless Internet is becoming more and more popular, and with it come new ways for criminals to take advantage of others.
Clayton Dillard, 29, of Holly Springs, pleaded guilty to hacking into patient records at Wake Internal Medicine Consultants. Dillard said it was an experiment, but Raleigh police call it a crime.
Dillard said he broke the law to prove a point that confidential medical records are vulnerable to computer hackers.
Police said Dillard crossed the line by hacking into more than 2,000 patient files.
Dillard was sentenced to 18 months' probation and ordered to pay $10,000 in fines.
Security Case – Identity Theft
Security Case – Patient Safety
“Reasonably Anticipated Threats”
Reprinted with permission from the Society of Human Resources Management
Documentation
Security Regulation
• Administrative Safeguards
  – 12 Required Specifications
  – 11 Addressable Specifications
• Physical Safeguards
  – 4 Required, 6 Addressable
• Technical Safeguards
  – 4 Required, 5 Addressable
• Organizational Requirements
  – 6 Required, 0 Addressable
• Policies & Procedures Documentation
  – 6 Required, 0 Addressable
Organizational Requirements
• Business Associate Contracts
  – Tracking and monitoring
  – Re-negotiate and include Security provisions
  – ENSURE agents and subcontractors agree to implement reasonable and appropriate measures
• Group Health Plans
  – Creating separation with employment function
  – Reporting of security incidents
• What to do about California law?
Policies and Procedures Documentation
• Cataloging all policies and procedures
• Establishing time limit for retention
• Methods for making available
• Publishing updates
Updating and Maintaining Compliance
• Consider updates after implementing:
  – New processes
  – Changes in:
    • Workflows
    • Responsibilities
    • Laws
    • Standards / practices
    • Technology – hard and soft
  – Suggest every 3 years as a minimum
• Constant process for most
Resources
Are there resources???
Are there credible resources???
HIPAA & HIPPA
Examples of Organizations, Tools, and Other Resources
Help in your own community?
Resources Developed by NCHICA Members
About NCHICA
• 501(c)(3) nonprofit research & education
• Established in 1994
• ~250 organization members including:
  – Providers
  – Health Plans
  – Clearinghouses
  – State & Federal Government Agencies
  – Professional Associations and Societies
  – Research Organizations
  – Vendors
• Mission: Improve healthcare in NC by accelerating the adoption of information technology
NCHICA’s HIPAA Efforts
• Task Force and Work Groups – 450+ individuals participating from members
  – Leverage efforts among organizations
  – Build consensus and best practices
  – Developed documents, training, and tools
• Gap analysis tools designed to provide an early cut at self-assessment
• Education has been a pleasant by-product
• Consultants use the tools to provide consistency and thoroughness in approach for smaller organizations
Sample Documents – Vendor Template
NCHICA Vendor RFP Template
Sample Documents – BAA w/ Security
Sample Documents – Privacy Compliance Check List w/ Security
Privacy Compliance Checklist
Privacy Compliance Checklist (cont.)
Compliance Checklist Spreadsheet
• Free tool developed by NC Division of Mental Health / Developmental Disabilities / Substance Abuse Services (MH/DD/SAS)
• Spreadsheet checklist to assist groups within the agency and others to understand and plan for HIPAA Security compliance
• Checklist is being made available free to the public through NCHICA and from them directly
• Will be published on NCHICA Web site shortly
Responsibility Matrix
ISO Crosswalk
ISO 17799 Crosswalk
NIST Crosswalk
Self-assessment / Gap Analysis Tools Developed by NCHICA Member Volunteers
Goals of EarlyView™ Tools
• Develop a clear understanding of the rule and the impact on the organization
  – Management reports highlight action items and document due diligence
• Closed-end gap questions true to the regulation
  – No “extra” questions
  – No room for “Maybe” – only “Yes”, “No” or “N/A”
• “Things to think about” provided to expand considerations of how one might approach a particular standard
  – Potential alternatives to compliance
Links to the Regulation Text
Management Reports
HIPAA EarlyView™ Tools Extenders
www.parentenet.com
www.paramoreconsulting.com
www.jasi.com
www.complyassistant.com
Coordination with Other Laws, Regulations and Standards
Other Standards to Consider
• NIST Special Pub 800-30
  – “Risk Management Guide for Information Technology Systems”
• NIST Special Pub 800-37
  – “Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems”
• NIST Special Pub 800-53
  – “Minimum Security Controls for Federal Information Technology Systems”
• NIST Special Pub 800-53A
  – “Guidelines for the Selection and Specifications of Security Controls for Federal Information Systems”
Other Standards to Consider (cont.)
• NIST Special Pub 800-14
  – “Generally Accepted Principles and Practices for Securing Information Technology Systems”
• NIST Special Pub 800-16
  – “Information Technology Security Training Requirements: A Role- and Performance-based Model”
• NIST Special Pub 800-18
  – “Security System”
• NIST Special Pub 800-34
  – “Business Contingency”
http://csrc.nist.gov/publications/nistpubs/
Other Standards to Consider (cont.)
• ISO/IEC 17799
• CMS Contractor Assessment Security Tool (CAST)
• Federal Information Processing Standards (FIPS)
  – Pub 199; Final Publication in December 2003
• Federal Information Security Management Act (FISMA)
• Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE℠), CMU
Coordination w/ Other Regulations and Standards
• Numerous Crosswalks developed
• Borrow and adapt
• Add considerations for various state statutes, regulations and case law
• Collaborate on interpretation with peers in your area
• Potential activity within a Regional SNIP Affiliate organization (RSA)
• Integrate into your compliance plans
NIST/URAC/WEDI Health Care Security Workgroup
NIST/URAC/WEDI Deliverables
NIST
NIST (cont.)
NIST 800-70 Checklist Program
NIST XP Systems Guidance
Additional Resources
• www.nchica.org
  – Sample documents, tools, links
• www.wedi.org/snip
  – White papers, listservs, regional directory
• www.urac.org
  – Self-certification for privacy and security
  – Mapping of security standards
• www.cms.hhs.gov/hipaa/hipaa2/default.asp
  – Comprehensive site with FAQs and other tools
• csrc.nist.gov/itsec/
  – NIST site with crosswalks, policies, guidelines
![Page 66](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/66.jpg)
CMS FAQs
![Page 67](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/67.jpg)
![Page 68](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/68.jpg)
![Page 69](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/69.jpg)
Free Newsletters
www.paramoreconsulting.com
![Page 70](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/70.jpg)
Getting Started White Paper
www.complyassistant.com
![Page 71](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/71.jpg)
Overview White Paper
![Page 72](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/72.jpg)
Policies & Procedures Checklist
www.theclaytongroup.com
![Page 73](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/73.jpg)
References & Resources
• www.brownstone.com – Amatayakul; Lazarus
• www.hcpro.com – Amatayakul
• https://catalog.ama-assn.org – Amatayakul; Lazarus; Walsh; Hartley
Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group
![Page 74](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/74.jpg)
How good is your security ???
![Page 75](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/75.jpg)
Why was I chosen ?
![Page 76](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/76.jpg)
I was on vacation that day!
![Page 77](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/77.jpg)
Thank you!
![Page 78](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/78.jpg)
www.nchica.org
Holt Anderson, Executive Director
[email protected]
P.O. Box 13048, Research Triangle Park, NC 27709-3048
Voice: 919.558.9258 or 800.241.4486
Fax: 919.558.2198
![Page 79](https://reader033.vdocuments.us/reader033/viewer/2022051401/5697bf9d1a28abf838c938af/html5/thumbnails/79.jpg)
End of Session 2: Tuning up for HIPAA Compliance – Tips of the Trade
Session 3: Establishing a Security Compliance Program
Angel Hoffman, RN, MSN
Director of Corporate Compliance, University of Pittsburgh Medical Center, Pittsburgh, PA