
Culture of Compliance

Culture of Compliance. HIPAA Privacy & Security Compliance Office. OCR Calls for a “Culture of Compliance”. OCR is aggressively enforcing the HIPAA Privacy and Security Rules Covered Entities and Business Associates should have robust HIPAA Privacy and Security compliance programs.


Presentation Transcript


  1. Culture of Compliance
     HIPAA Privacy & Security Compliance Office

  2. OCR Calls for a “Culture of Compliance”
     • OCR is aggressively enforcing the HIPAA Privacy and Security Rules
     • Covered Entities and Business Associates should have robust HIPAA Privacy and Security compliance programs

  3. OCR Calls for a “Culture of Compliance”
     • A robust compliance program includes:
       • Employee training
       • Vigilant implementation of policies and procedures
       • Regular audits
       • Prompt Action Plan to respond to incidents

  4. Program Goals
     • Outline Organization’s responsibilities under the Privacy and Security Rules
       • Identified IU HIPAA Affected Areas
       • IU HIPAA Privacy and Security Compliance Plan
     • Provide strategies to build and maintain a culture of compliance
       • Leadership – Set an Example
       • Ongoing awareness

  5. Program Goals
     • Motivation for complying with the regulations?
       • Just doing the “Right Thing”
       • Leadership acts as a model that doing the “Right Thing” is what is expected
       • Out of fear of getting caught (hopefully not)
     • Gauging Success
       • Responding to incidents
       • Awareness of responsibilities
       • Questions related to HIPAA

  6. Program Goals
     • Be Proactive and not reactive
       • Auditing and monitoring
       • Education
       • Mitigate the risks
       • Not punitive
     * We would rather find areas we need to address before there is an incident or before an outside Agency identifies a problem

  7. Current Policies – University Level
     • Breach Notification
       • Information and Information System Incident Reporting, Management and Breach Notification
       • ISPP-26: http://policies.iu.edu/policies/categories/information-it/ispp/ISPP-26.shtml
     • Privacy Complaints
       • ISPP-27: http://policies.iu.edu/policies/categories/information-it/ispp/ISPP-27.shtml

  8. IU Guidance Materials & Resources
     • HIPAA Website: http://researchadmin.iu.edu/HIPAA/index.html
     • Encryption Tools: http://protect.iu.edu/tools/pgp
     • Reporting Suspected Sensitive Data Exposures: http://protect.iu.edu/cybersecurity/incident/sensitive-data
     • Reporting Security Incidents: http://protect.iu.edu/cybersecurity/incident

  9. IU Guidance Materials & Resources
     • Mobile Device Security: http://protect.iu.edu/cybersecurity/mobile
     • Handheld Device Security: http://protect.iu.edu/cybersecurity/mobile/handheld
     • Laptop Security: http://protect.iu.edu/cybersecurity/computers/laptop
     • “How can I protect data on my mobile device”: https://kb.iu.edu/data/bcnh.html

  10. Drafting Policies – HIPAA Specific
     • Minimum Necessary
     • Fundraising
     • Authorizations
     • Individuals’ Rights
     • De-identified Data & Limited Data Sets
     • HIPAA Security Risk Management
     • Disposition of Electronic Media
     • Backup and Recovery
     • Encryption

  11. Interim HIPAA Officers
     • Leslie J. Pfeffer, BS, CHP
       Interim University HIPAA Privacy Officer
       Privacy Officer – IUSM
       (317) 278-4521
       lpfeffer@iu.edu
     • Eric W. Schmidt, CISSP, CISM
       Interim University HIPAA Security Officer
       Chief Security Officer – IUSM
       (317) 278-8751
       erschmid@iu.edu
