Risk Assessment
Security
Dr. Jose I. Delgado
• HIPAA Background
– Privacy
– Security
• Risk Assessment
• Risk Management
– Omnibus Rule
• Meaningful Use
Must Know
• Every Covered Entity (CE) must designate a HIPAA Security Officer
• Every CE must be in compliance with the final HIPAA Omnibus Rule
• Every CE must have a completed Risk Assessment that covers all required components
• Civil penalties for a breach of patient records are assessed per violation, tiered by culpability from $100 up to $50,000 per violation, with an annual cap of $1,500,000 for violations of an identical provision
HIPAA Audits
• Audits will be conducted by the Office for Civil Rights (OCR) itself rather than by a contractor
• The number of audits is to increase
• Monies collected are to be used to fund further audits
• Audits will cover both Covered Entities and Business Associates
• In 2014 a government entity was fined for the first time
Meaningful Use
• Ties HIPAA Security Rule compliance to the Meaningful Use attestation (the attestation requires that a security risk analysis has been conducted)
• A false attestation answer can expose the provider to fraud charges
• Security is reviewed as part of Meaningful Use audits and records review audits
HIPAA
Title II – Administrative Simplification
Security Categories
Administrative safeguards
Physical safeguards
Technical safeguards
Basic Concepts
Scalability – covered entities have the flexibility to adopt implementation measures appropriate to their size, complexity and situation.
“Required” and “Addressable” – a required implementation specification must be implemented as written; an addressable one must be implemented if reasonable and appropriate, otherwise the entity documents why it is not and implements an equivalent alternative measure where reasonable and appropriate.
• What are the audit and activity review functions of the current information systems?
• Are the information system functions adequately used and monitored to promote continual awareness of information system activity?
• What logs or reports are generated by the information systems?
• Is there a policy that establishes what reviews will be conducted?
• Is there a procedure that describes specifics of the reviews?
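The questions above ask whether logs are generated, reviewed and monitored. The following added example (not part of the original slides) shows what a documented activity review procedure can look like when written as code: it parses a constructed EHR access audit log and applies two illustrative review rules, after-hours record access by non-clinical staff and a user opening an unusually large number of distinct patient records in one day. The log format, the department list, the after-hours window and the volume threshold are all assumptions for the example; malformed lines are counted rather than dropped silently, because a logging gap is itself a finding.

```python
"""Worked information-system activity review over EHR access audit logs.

Added example, not from the original slides. Assumes a constructed log
format of the form
    <ISO timestamp> user=<id> patient=<mrn> action=<verb> dept=<name>
and two review rules that a security officer might write into the
review procedure. Departments, hours and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2014-03-03T09:12:44 user=rn_ortiz patient=100231 action=view dept=nursing
2014-03-03T09:14:02 user=rn_ortiz patient=100231 action=update dept=nursing
2014-03-03T13:05:19 user=billing_chen patient=100877 action=view dept=billing
2014-03-03T23:41:07 user=billing_chen patient=100231 action=view dept=billing
2014-03-03T23:50:30 user=rn_ortiz patient=100231 action=view dept=nursing
2014-03-03T10:00:01 user=dr_patel patient=100301 action=view dept=cardiology
2014-03-03T10:00:09 user=dr_patel patient=100302 action=view dept=cardiology
2014-03-03T10:00:17 user=dr_patel patient=100303 action=view dept=cardiology
2014-03-03T10:00:25 user=dr_patel patient=100304 action=view dept=cardiology
2014-03-03T10:00:33 user=dr_patel patient=100305 action=view dept=cardiology
2014-03-03T10:00:41 user=dr_patel patient=100306 action=view dept=cardiology
2014-03-03T11:00:00 user=sys_backup action=export
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\d+) "
    r"action=(?P<action>\S+) dept=(?P<dept>\S+)$"
)

# Assumptions for the example rules.
CLINICAL_DEPTS = {"nursing", "cardiology", "emergency"}  # shift work expected
AFTER_HOURS_START = time(20, 0)  # 20:00 to 06:00 counts as after hours
AFTER_HOURS_END = time(6, 0)
MAX_DISTINCT_PATIENTS_PER_DAY = 5


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    return rec


def is_after_hours(ts):
    """True when the timestamp falls in the after-hours window."""
    t = ts.time()
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def review(log_text):
    """Apply the review rules and return the findings.

    after_hours: (user, patient, timestamp) for non-clinical after-hours access
    high_volume: (user, day, distinct patient count) above the threshold
    malformed:   number of lines the parser could not read (a logging gap)
    """
    findings = {"after_hours": [], "high_volume": [], "malformed": 0}
    per_user_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings["malformed"] += 1
            continue
        if rec["dept"] not in CLINICAL_DEPTS and is_after_hours(rec["ts"]):
            findings["after_hours"].append(
                (rec["user"], rec["patient"], rec["ts"].isoformat()))
        per_user_day[(rec["user"], rec["ts"].date())].add(rec["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings["high_volume"].append((user, day.isoformat(), len(patients)))
    return findings


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for user, patient, ts in result["after_hours"]:
        print(f"AFTER-HOURS: {user} viewed patient {patient} at {ts}")
    for user, day, n in result["high_volume"]:
        print(f"HIGH-VOLUME: {user} opened {n} distinct patients on {day}")
    print(f"Malformed log lines: {result['malformed']}")
```

Run against the sample, the review flags the billing user's 23:41 access and the cardiologist's six distinct records in one day, leaves the nurse's night-shift access alone, and reports one unparseable line. Each finding maps back to a question on the slide: the rules are the documented review procedure, and the malformed-line count answers whether the system is actually producing the logs the policy assumes.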
Assigned Security Responsibility
The HIPAA Security Officer is responsible for:
• Understanding the HIPAA Security Rule and how it applies.
• Developing appropriate policies and procedures.
• Overseeing the security of EPHI.
• Monitoring each Covered Component for compliance.
• Identifying and evaluating threats.
• Responding to actual or suspected breaches.
AUTHORIZATION AND/OR SUPERVISION
§164.308(a)(3)(ii)(A)