HEALTHCARE 2013 - New HIPAA Breach Notification Standards - Tougher Rules Require Risk Assessment

Website https://compliance2go.com | Edit Freely

Category HEALTHCARE 2013

Deadline: June 11, 2013 | Date: June 11, 2013

Venue/Country: Online, U.S.A

Updated: 2013-05-03 18:02:38 (GMT+9)

Call For Papers - CFP

? The HIPAA Breach Notification Rule has been in effect since September 23, 2009 and many organizations are not prepared to respond to a breach of PHI and report and document it properly. We will discuss the origins of the rule and how it works, including interactions with other HIPAA rules and penalties for violations, and recent significant chganges to the rules.

? HIPAA Covered Entities and Business Associates need to know where and what information they have, so they can know if there has been a breach, and figure out if it meets an exception, and then determine if it has a "low probability of compromise." We’ll discuss how to know what kind of breach you have and how to decide if you need to notify. We'll also cover how the rules have been changed to eliminate the "harm standard" and replace it with the risk assessment.

? Entities can avoid notification if information has been encrypted according to Federal standards. We’ll talk about what information needs to be encrypted the most and how entities are doing it. We will cover the guidance from the US Department of Health and Human Services that shows how to encrypt so as to prevent the need for notification in the event of lost data.

? We will discuss how to create the right breach notification policy for your organization and how to follow through when an incident occurs. In addition, a policy framework to help establish good security practices is presented.

? We will cover the essentials of information security methods you can use to keep breaches from happening, and be in compliance with the HIPAA Security Rule as well. We'll also discuss the new penalties for non compliance, including mandatory penalties for "willful neglect" that begin at $10,000.

? We will help you understand what isn’t a breach and under what circumstances you don’t have to consider breach notification. You’ll find out how to report the smaller breaches (less than 500 individuals), as required, within 60 days of the end of each year and you’ll know why you want to avoid a breach involving more than 500 individuals ? media notices, Web site notices, and immediate notification of HHS, including posting on the HHS breach notification “wall of shame” on the Web.

? We will explain, based on historical analysis of reported breaches, what measures must be taken today to protect information from the most common threats, as well as discuss information security trends and explain what kinds of efforts will need to be undertaken in the future to protect the security of PHI. We will discuss the kinds of threats that exist for PHI and how they're changing as the hackers gain experience and abilities, and why you need to prepare for next-generation attacks now.

Why should you attend :

? HIPAA Breach Notification rules require notification of individuals and HHS when information security is breached, and the history and trends of breaches indicate that the threats are changing.

? The New Final HIPAA Breach Notification Rule thet becomes enforceable on September 23, 2012 requires all HIPAA covered entities and business associates to follow a number of steps to be in compliance. If there is a breach of protected health information that does not quakify for one of the reporting exceptions, the breach must be reported, unless a risk assessment shows that there is a "low probability of compromise." All reportable breaches must be reported to the Secretary of the US Department of Health and Human Services at least annually.

? There are additional steps to take if the breach affects more than 500 individuals, including media notices and immediate notification of HHS. For every potential breach of PHI, the entity will have to determine if the information breached presents a reasonable risk of harm to the individuals, and take action to notify them if there is a risk of harm. Entities should also be aware that the harm standard may be modified upon release of a final rule, and entities should be ready to adjust to changes in the rules.

? Entities must adopt a breach notification policy and procedures to ensure accurate reporting and documentation of breaches, and must take steps to protect information from breaches by using encryption and proper disposal methods meeting Federal standards. Entities must follow the standards and specifications of the HIPAA Security Rule to protect information from breaches and must negotiate new Business Associate Agreements to include liability for breach notification and requirements for timely reporting to the entity.

? Evaluation of the risk of compromise requires consideration of a number of factors and every HIPAA-covered organization will need have a process ready to perform the risk analysis and come to defensible conclusions in order to avoid violations and potential fines.

? On top of all this, the landscape of information security threats and breaches is changing dramatically, requiring new kinds of security efforts and consistent application of old safeguards to protect patient information. What used to be "good enough" is no longer sufficient to properly protect PHI.

Areas Covered in the Session:

I. Breach Notification Laws

A. State Breach Notification Laws

B. Changes to HIPAA Breach Noitification

C. Federal Breach Notification Law and Regulation

D. The Who, What, and How of Breach Notification

E. The Risk Assessment Process in Breach Notification

II. Preventing and Preparing for Breaches

A. Using an Information Security Management Process

B. Using Risk Analysis and Risk Assessment Before a Breach

C. Most Common Types of Breaches

D. Information Security, Incident, and Breach Notification Policies

E. The Importance of Documentation

III. Enforcement and Audits

A. New HIPAA Violation Categories and Penalties

B. Preparing for HIPAA Audits

C. Case Studies

IV. Future Trends and New Threats to Prepare For

A. History vs. the Future

B. Why Security Trends Are Changing

C. Implications of New Directions in Attacks and Targets

Who will benefit: (Titles)

Compliance director

CEO

CFO

Privacy Officer

Security Officer

Information Systems Manager

HIPAA Officer

Chief Information Officer

Health Information Manager

Healthcare Counsel/lawyer

Office Manager

Contracts Manager

About Speaker

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a variety of health care providers, businesses, universities, small and large hospitals, urban and rural mental health and social service agencies, health insurance plans, and health care business associates. He serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the 2011 WEDI Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at AHIMA national and regional conventions and WEDI national conferences, and before the New York Metropolitan Chapter of the Healthcare Financial Management Association, Health Information Management Associations of Virginia, New York City, New York State, and Vermont, the Connecticut Hospital Association, and the Hospital and Health System Association of Pennsylvania. Sheldon-Dean has nearly 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Speaker : Jim Sheldon-Dean

Product ID : H62324

Schedule Date :

Tuesday, June 11, 2013

duration : 01:00 to 02:30 PM EDT

https://compliance2go.com/index.php?option=com_training&speakerkey=12&productKey=245