3-hr Virtual Seminar - HIPAA Security Rule Compliance and Risk Analysis: Finding the best ways to reduce security risks and prevent breaches

Why Should You Attend:

This session will present the background of the regulations that call for information security risk analysis and show how it fits in to an overall information security management process. The risk analysis process will be presented within the context of the overall risk prioritization and risk mitigation process, using an example.

Areas of high risk, as identified by respected industry organizations, will be identified to ensure that the most significant risks are discovered and adequately prioritized. The risk analysis process will be applied to a simplified example in order to relate the process to a real situation and drive home the usefulness of the process.

Attendees will gain insights into the management of risks and reduction of exposure to breaches and penalties, and will be able to implement new procedures that will reduce risks immediately.

Learning Objectives:

• Learn how to conduct an information security risk analysis suitable to aid in compliance with the HIPAA Security Rule and other information security regulations relevant to health information managers.
• Find out what the rules are that health care providers must follow, why they are important, and what the penalties are for not complying, including the new penalties for willful neglect of compliance, which begin at $10,000.
• See how the risk analysis requirement for meeting the privacy and security objective of meaningful use, necessary for federal funding, fits in with HIPAA compliance.
• Learn what steps to follow in the discovery and organization of information needed for the risk analysis.
• Find out what are the most significant risks a health care organization faces and how they can be mitigated.
• Learn a methodology for working through the risk analysis information to discover security strengths and weaknesses and develop a list of priorities for improving security compliance.
• Discover that staff need not be technicians in order to perform a useful risk analysis.
• Discover that a risk analysis can be useful for guiding decision-making for appropriate policies and procedures, and security investments.
• Learn what steps should be taken first to mitigate risks, based on real experience.

Areas Covered in the Seminar:

• The requirements for Risk Analysis in the Security Rule and for Meaningful Use.
• Definitions of Risk Analysis.
• How to define the scope of a Risk Analysis?
• What goes into a Risk Management process?
• How flexibility should be used in analysis and mitigation of risks?
• Federal guidance on Risk Analysis.
• The NIST Risk Assessment process.
• A non-technical approach to Risk Analysis.
• Typical risk issues and breach causes.
• New enforcement categories and penalties.
• Risk Analysis requirements for Certified EHRs.
• Developing a risk management plan.
• The importance of documentation.
• A Risk Analysis example will be provided, examining a hospital function and one of its systems.

Free Handouts:

The speaker will supply a sample questionnaire and tools for a risk analysis.

Who Will Benefit:

• Information Security Officers
• Risk Managers
• Compliance Officers
• Privacy Officers
• Health Information Managers
• Information Technology Managers
• Medical Office Managers
• Chief Financial Officers
• Systems Managers
• Legal Counsel
• Operations Directors
• Medical offices, practice groups, hospitals, academic medical centers, insurers, business associates (shredding, data storage, systems vendors, billing services, etc.)

Instructor Profile:

Jim Sheldon-Dean, is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a variety of health care providers, businesses, universities, small and large hospitals, urban and rural mental health and social service agencies, health insurance plans, and health care business associates. He serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the 2011 WEDI Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at AHIMA national and regional conventions and WEDI national conferences, and before regional HFMA chapter meetings and state hospital associations.

Sheldon-Dean has nearly 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Topic Background:

Information security risk analysis is required for HIPAA Security Rule compliance and EHR incentive funding but is an unknown topic for many healthcare providers. Health Care entities are subject to a number of standards and regulations that require them to assess the risks to the personal and private information of their patients and take steps to reduce those risks where they can. In particular, the HIPAA Security Rule and the PCI Data Security Standard for payment card information, as well as state laws in Massachusetts and Nevada, require a thorough and complete risk analysis. In addition, if health care providers want to receive funding from the Federal government for the adoption of Electronic Health Records, one of the required standards for meaningful use is to protect the privacy and security of patient information by performing a risk analysis consistent with the requirements of the HIPAA Security Rule.

And, new enforcement regulations for HIPAA include significant penalties starting at $10,000 for willful neglect of compliance, so even if a HIPAA covered entity doesn’t want to accept funding for adopting an EHR or accept payment cards for services paid by the individual, it risks significant penalties if it hasn’t performed a proper security risk analysis. With the increased focus on breaches and HIPAA compliance, if a healthcare organization hasn't yet performed an information security risk analysis, the time is now.

Performing a HIPAA Risk Analysis can be a confusing, expensive, and time consuming process, but it doesn’t have to be. By following a defined process that finds and focuses on the most significant risks, it is possible to make risk analysis easier and more effective, while meeting the requirements of the Federal government and the Payment Card Industry. Using an organized, simple approach can yield useful, actionable results that can make compliance easier today and going forward.

Follow us :