Archive for HIPAA Summit
Are you searching for professional HIPAA and healthcare IT certification training? Look no further!
Professional certification training conferences to be held during the 22nd National HIPAA Summit February 5–7, 2014, in Washington, D.C., include the following:
- Certified HIPAA Professional (CHP)
- Certified HIPAA Administrator™ (CHA)
- Certified Security Compliance Specialist™ (CSCS™)
- Certified Professional in Health Information Technology (CPHIT)
- Certified Professional in Health Information Exchange (CPHIE)
- Certified Professional in Electronic Health Records (CPEHR)
- Certified Professional in Operating Rules Administration (CPORA)
The summit also includes multiple on-site and webcast breakout sessions. HCPro is a co-sponsor of the National HIPAA Summit.
HIPAA Summit nuggets from William R. Braithwaite, MD, PhD, “Doctor HIPAA”; Chief Medical Officer, Equifax; Former Senior Advisor on Health Information Policy, HHS, Washington, DC (Co-chair):
- Dr. HIPAA: “You all owe your jobs to me,” Braithwaite said (he helped craft the rules and regulations of HIPAA).
- The Privacy Rule: Don’t surprise the patient with a use or disclosure they don’t expect; “it’s that simple,” Braithwaite says.
- HIPAA says you must get your health record when you ask for it; but some providers still think they don’t have to give it to the patient on occasion.
- 50,000 comments on first proposed HIPAA rule
- If you don’t encrypt a mobile device, you are in violation because you have to put in reasonable protections; and encryption is the only protection for mobile devices.
- Take reasonable and appropriate steps to reduce risk; those terms are used throughout all pages of the privacy and security rule
- Don’t just train once, “as some of you have done,” Braithwaite said, widening his eyes at the audience. Do it at least annually and have training material reflect what you found in your risk assessment
- Username and password alone are not satisfactory protection for logging in from a home computer.
HIPAA Summit nuggets from Phyllis A. Patrick, MBA, FACHE, CHC, president, Phyllis A. Patrick & Associates LLC, Purchase, NY:
- Often, we see providers with extensive lists of “business associates,” but some of them are not actually BAs. Most organizations can shorten that list. The first thing is to look at your list to make sure you have all BAs on the list. Most lists are 20 percent too long.
- Someone has to be the focal point of managing business associate contracts and relationships. It does take time, but if you haven’t done it already, you need to step back and take a look at the BA agreement in a “new light” and see what you can do with it. It has to be on your risk profile.
- Have you prioritized your BAs? Higher risk companies might be billing services, record management, IT vendors, etc. And have you identified where your PHI resides?
- May be a good idea to survey your BAs. What kinds of privacy and security policies and procedures do they have in place?
HIPAA Summit nuggets from Sharon D. Nelson, Esq., president, Sensei Enterprises, Inc., Fairfax, VA; and John W. Simek, vice president, Sensei Enterprises, Inc., Fairfax, VA:
- You may have a great security plan, but it’s only as good as your incident response plan for breaches.
- Where did attacks on your organization originate: is it internal or external? You may have to do forensic investigation and preservation.
- Containing a breach? Just because you block a certain IP address, if they’re already in, it doesn’t matter. You have to block them out.
- No. 1 failure we see on breach response? Failure to patch things.
- If you’re running something like Windows 98, you may want to update that. Turn things on like failed log-in detection. It may not be a default feature.
- Physical security is a concern; a server is right behind a receptionist in a doctor’s office — not good
- Any eight-character password can be broken in two hours. You need 12 characters these days; it takes 17 years to hack a 12-character password. “Eight-character passwords are dead,” Nelson said.
- Have an exit/termination checklist. Did you get all keys, tokens, passwords, log-ins, disable remote access, when an employee is no longer with a company?
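Nelson and Simek’s advice to turn on failed log-in detection is easy to state and less obvious to implement, so here is an added example (not from the summit, the speakers, or HCPro) of the detection logic run over a few constructed sshd-style syslog lines. The log format, hostnames, user names, IP addresses, and the threshold of three failures in 60 seconds are all assumptions; adapt the regular expression for Windows Security event 4625 or an EHR application log.

```python
"""Failed-login detection over constructed auth log lines.

Added example, not from the HIPAA Summit page or any speaker: flags any
(source IP, username) pair with >= threshold failures inside a sliding
window. The log format below is a constructed sshd-style syslog.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: three rapid failures from one IP, two failures an
# hour apart from another, and a successful login the filter must ignore.
SAMPLE_LOG = """\
Feb  5 09:01:10 ehr01 sshd[2201]: Failed password for dr.smith from 203.0.113.7 port 51010 ssh2
Feb  5 09:01:14 ehr01 sshd[2201]: Failed password for dr.smith from 203.0.113.7 port 51010 ssh2
Feb  5 09:01:19 ehr01 sshd[2201]: Failed password for dr.smith from 203.0.113.7 port 51010 ssh2
Feb  5 09:02:00 ehr01 sshd[2203]: Accepted password for nurse.jones from 198.51.100.4 port 40222 ssh2
Feb  5 09:30:00 ehr01 sshd[2210]: Failed password for invalid user admin from 198.51.100.9 port 40300 ssh2
Feb  5 10:30:00 ehr01 sshd[2211]: Failed password for invalid user admin from 198.51.100.9 port 40301 ssh2
"""


def parse_ts(ts: str, year: int = 2014) -> datetime:
    # syslog timestamps carry no year; assume the year of the capture.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_failed_logins(log_text: str, threshold: int = 3, window_seconds: int = 60) -> dict:
    """Return {(ip, user): peak_count} for every pair that reaches `threshold`
    failures within any `window_seconds` sliding window.

    Keying on (ip, user) catches a brute force against one account; key on
    ip alone if you also want to catch password spraying across accounts.
    """
    recent = defaultdict(deque)  # (ip, user) -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        key = (m["ip"], m["user"])
        t = parse_ts(m["ts"])
        q = recent[key]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    for (ip, user), n in detect_failed_logins(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins for {user!r} from {ip} within 60s")
```

On the sample only the three rapid failures against dr.smith trip the default threshold; the two admin failures an hour apart do not, which is the point of a sliding window rather than a lifetime counter. Tune the threshold and window to your own baseline before wiring this into alerting, and review the alerts as part of the annual training and risk-assessment cycle the other speakers describe.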
HIPAA Summit nuggets from J. David Kirby, president, Kirby Information Management Consulting LLC; Former Director, Information Security Office, Duke University Health System, Durham, NC:
- 39% of privacy breach incidents on the OCR “Wall of Shame” (the website listing breaches affecting 500 or more individuals) have occurred on a laptop or mobile device
- 88% of exposed records are mobile-media related
- Ponemon study says 60% of breaches have a strong malicious component
- Business associates involved in half of breaches