HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule


Transcript of HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Page 1: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series

in partnership with

February 20, 2014

Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)

Page 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

About MPCA

Michigan Primary Care Association (MPCA)

MPCA has been the voice for Health Centers and other community-based providers in Michigan since 1980. It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care.

MPCA’s mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services to everyone in Michigan.

www.MPCA.net

517-381-8000

Page 3: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

About OSIS

Ohio Shared Information Services, Inc. (OSIS)

We are a 501(c)3 non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide compliance/security related, IT, EPM and EHR services to improve the quality of care delivered to the underserved population.

Our security division has professionals on staff dedicated to providing information security services to transform healthcare.

www.OSISSecurity.com

513-677-5600 x1223

Page 4: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Presented by: Jay Trinckes, CISO, OSIS
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM)
• Author:
• Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA Regional
• Upcoming: PMI National Conference, Chicago, IL – May 2014
• Experience: risk assessments, vulnerability/penetration tests, information security management, former law enforcement officer.

Page 5: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Overview of MPCA Seminar Series

Series of five Webinars to assist members with HIPAA Compliance and Meaningful Use

1. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)

2. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)

3. Meaningful Use Requirements for FQHCs

4. Preliminary Assessment Tool for FQHCs

5. Review of Preliminary Assessment for FQHCs

Page 6: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Webinar 2: Topics

• Recap of Part 1
• Importance of Security
• Administrative
• Physical
• Technical
• Business Associates
• Questions/Answers

Page 7: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

“There are only two types of companies: Those that have been hacked, and those that will be.” Former FBI Director Robert Mueller

Page 8: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Recap of Part 1

Page 9: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Overview of HIPAA/HITECH

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as Congress’s response to:
– The increasing use of technology in healthcare
– The need to protect against fraud and the compromise of sensitive information
– State regulations that contradicted federal regulations
– Regional isolation – everyone doing their own thing

Page 10: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

HITECH ACT

• Part of the American Recovery and Reinvestment Act (ARRA) of 2009

• The Health Information Technology for Economic and Clinical Health Act (The HITECH Act)
– Revised HIPAA
– Amended enforcement regulations
– Stiffer penalties
– Provided enforcement actions for State Attorneys General
– Increased Breach Notification Rules

Page 11: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Privacy Basics

• In the most basic terms, a health center (and business associate) may NOT use or disclose protected health information except as permitted or required by the HIPAA Privacy Rule.

• A health center and business associate should apply least privilege to their individual employees based upon the roles of those employees.

• These restrictions should be applied through policies and procedures to restrict access to protected health information as ‘need-to-know’ or to perform their job functions.

Page 12: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Direct Identifiers

The identifiers of the individual or of relatives, employers, or household members of the individual that must be removed under the Safe Harbor de-identification standard are defined under 45 CFR § 164.514(b)(2) and include the following eighteen (18) items:

1. Names;

2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
– The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
– The initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to ‘000’.

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older;

4. Telephone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images;
18. Any other unique identifying number, characteristic, or code.

Omnibus Rule includes Genetic Information as Protected Health Information
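The ZIP-code and age rules in the list above are mechanical enough to encode. The following Python routine is an added example, not material from the webinar: it applies the Safe Harbor rules to a structured patient record. The field names, the sample records and the ZIP-prefix population table are constructed for illustration (real use would load current Census figures for the three-digit ZIP areas and map the EHR’s actual field names). Two limits are worth noting: field-level masking only covers structured fields, so item 18 and identifiers embedded in free-text notes still need separate review, and an unknown ZIP prefix is masked to ‘000’ rather than passed through.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied to a record.

Added example, not from the webinar. Field names, the sample records and the
ZIP3 population table below are constructed for illustration.
"""
import re
from datetime import date

# Constructed stand-in for Census data: population of the area formed by all
# ZIP codes sharing the same first three digits. Real use loads current figures.
ZIP3_POPULATION = {"482": 900_000, "489": 350_000, "036": 15_000}

# Structured fields corresponding to items 1 and 4-17 of the Safe Harbor list.
# They are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

AS_OF = date(2014, 2, 20)   # reference date for age computation


def safe_harbor_zip(zip_code):
    """Item 2: keep the three-digit prefix only if its area exceeds 20,000
    people; otherwise (or if the prefix is unknown) replace it with '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    # Unknown prefixes default to '000': fail closed rather than leak.
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def safe_harbor_age(birth_date, as_of):
    """Item 3: ages over 89 are aggregated into a single '90+' category."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def deidentify(record, as_of):
    """Return a Safe Harbor copy of `record`. Dates keep only the year, and
    lose even that when the year would reveal an age over 89."""
    out = {}
    over_89 = False
    birth = record.get("birth_date")
    if isinstance(birth, date):
        out["age"] = safe_harbor_age(birth, as_of)
        over_89 = out["age"] == "90+"
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                        # items 1, 4-17: drop the field
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[field] = None if over_89 else str(value.year)
        else:
            out[field] = value              # clinical data passes through
    return out


# Constructed sample records (not real patients).
SAMPLE_RECORD = {
    "name": "Pat Example",
    "mrn": "MRN-000123",
    "zip": "48910-1234",
    "birth_date": date(1980, 3, 1),
    "admission_date": date(2014, 2, 10),
    "diagnosis": "J45.909",
}
ELDERLY_RECORD = {
    "name": "Lee Example",
    "zip": "03601",
    "birth_date": date(1920, 1, 1),
    "discharge_date": date(2014, 2, 12),
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(deidentify(ELDERLY_RECORD, AS_OF))
```

For the sample record the output keeps only age, the three-digit ZIP, the years of the two dates and the diagnosis; for the elderly record the age collapses to ‘90+’, both years are dropped and the sparsely populated prefix becomes ‘000’.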

Page 13: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Minimum Necessary

• A health center and business associate must develop policies and procedures to reasonably limit its disclosures of, and requests for, protected health information for payment and healthcare operations to the minimum necessary.

• There are several different examples to demonstrate how the minimum necessary standard can be applied, but there may be an easier example of what not to do.
– It would be a violation of the minimum necessary standard if a hospital employee is allowed routine, unimpeded access to patients’ medical records when that employee does not need this access to do his or her job.

Minimum necessary requirements do NOT apply to disclosures to or requests by a healthcare provider for treatment; uses or disclosures made to the individual; uses or disclosures made pursuant to an authorization; disclosures made to the Secretary; uses or disclosures that are required by law; and uses or disclosures that are required for compliance with the Privacy Rule.

Page 14: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Administrative Requirements

• Privacy Personnel Designations
• Privacy Training
• Administrative Safeguards
• Complaint Handling
• Workforce Member Sanctions
• Mitigation
• Retaliation
• Waiver of Rights
• Privacy Policies

Page 15: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Enforcement

• HITECH civil monetary penalty tiers (Section 1176(a)(1)):

Violation Category                         Each Violation        All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know                           $100 - $50,000        $1,500,000
(B) Reasonable Cause                       $1,000 - $50,000      $1,500,000
(C)(i) Willful Neglect – Corrected         $10,000 - $50,000     $1,500,000
(C)(ii) Willful Neglect – Not Corrected    $50,000               $1,500,000

• [Note: State Attorneys General can also bring enforcement actions.]
• OCR has collected over $50 million from enforcement
• It is more cost effective to become HIPAA compliant than to risk enforcement

Page 16: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Enforcement (cont.)

42 U.S.C. § 1320d-6 – Wrongful disclosure of individually identifiable health information
• Offense: A person who knowingly and in violation of this part –
– Uses or causes to be used a unique health identifier;
– Obtains individually identifiable health information relating to an individual; or
– Discloses individually identifiable health information to another person

A person described … shall –
• (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
• (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
• (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Page 17: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Privacy Rule vs. Security Rule

Privacy Rule
• Implement appropriate and reasonable safeguards to secure Protected Health Information (PHI):
– Administrative
– Physical
– Technical

Security Rule
• Intended to protect certain Electronic Protected Health Information (EPHI)
• Secure the confidentiality, integrity, and availability of EPHI while allowing authorized use and disclosure
– Administrative
– Physical
– Technical
• More detailed and comprehensive

Page 18: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Required vs. Addressable

• Addressable is NOT the same as optional!• Addressable means the entity must:

– Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity’s environment

– Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one

– Document the assessments and all decisions

Page 19: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Omnibus Rule
• Effective: March 26, 2013 – 180 days to comply – compliance deadline September 23, 2013
• Modifies the Privacy, Security, Enforcement, and Breach Notification Rules
• Business Associates (and subcontractors of a BA) are now directly liable for compliance – minimum necessary applies
– Limits use/disclosure for marketing/fundraising; prohibits the sale of PHI
– Individuals have the right to electronic copies of their health information
– Right to restrict disclosure to a health plan when the individual pays for the service in full out of pocket
– Modifies authorization requirements for proof of immunization to schools
– PHI of a decedent is no longer protected 50 years after death

Page 20: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Omnibus Rule (cont.)
• Enforcement Rule
– Increased tiers for Civil Monetary Penalties (CMP); ‘willful neglect’
• Breach Notification
– Removes the ‘harm’ threshold; every impermissible use or disclosure of PHI is presumed a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised
• Privacy Rule – includes protection of genetic information
• De-Identification – guidance

Page 21: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Meaningful Use
• The Centers for Medicare & Medicaid Services (CMS) provides incentives (i.e. $) for the use of Electronic Health Record (EHR) Technologies
• Since January 2011, there has been an estimated $17 billion paid out for meaningful use incentives.
• Stage 1: 15 core objectives to meet
– Core 15 – determines if a security risk analysis was conducted or reviewed as required under 45 CFR 164.308(a)(1)
– In addition, security updates must be implemented
• Stage 2
– Ensure adequate privacy and security protection for personal health information (same as Core 15 above); ALSO addresses the encryption/security of data stored within the EHR software
– Use secure electronic messaging to communicate with patients on relevant health information

Page 22: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Importance of Security

Page 23: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

“The state of technology security overall is so weak that intelligence officials see hacking as one of the largest threats to western powers.” (Menn 2011)

Page 24: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Importance of Security

• In January 2012, Former FBI Director Robert Mueller testified before the Senate Select Committee on Intelligence explaining that cyber-threats would surpass terrorism as the nation’s top concern.

• Norton AV: 141 victims of cybercrime per minute
• Total bill of cybercrime is $139 billion in the US ($388 billion globally)
• Gartner: Less than 1% of cybercriminals are arrested
• OCR – since September of 2009:
– 804 incidents affecting 29.3 million individuals
• Ponemon: The impact of medical identity theft crimes is close to $31 billion a year

Page 25: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

State of Security

– Recent Ponemon Institute Survey
• Small companies realize vulnerabilities, but few fully appreciate the ramifications
– More worried about time/productivity lost than loss of customers or business partners, damage to reputation, or the increased cost of winning new prospects
– Misconceptions of consequences prevent mitigation
• Insufficient people resources – 64%
• Lack of in-house skilled or expert personnel – 55%
• Lack of central accountability – 50%
• Top 3 Threats
– Proliferation of unstructured data – 69%
– Unsecure third parties including cloud providers – 65%
– Not knowing where all sensitive data is located – 62%
• Results indicate that companies tend to seriously underestimate potential damage and reveal a great data breach perception gap

Page 26: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Healthcare Security

• Target: healthcare information
– Insurance information: able to resell access to people who don’t have insurance
– Access to prescription drugs
• Survey: 600 healthcare executives
– 50% reported a privacy/security related issue over the last 2 years
– 75% already sharing patient data (studies, post-market drug analysis, new medical programs)
– Only 50% addressing security issues
• Hospital Management Systems (HMS) Survey
– 53% conducted mandatory risk assessment
– 58% had no dedicated staff
– 50% spend less than 3% of their resources on security

Page 27: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Data Breach Study

• Causes:
– 50% hacking
– 49% malware
– 29% physical
– 17% abuse of privileges
– 11% social engineering
• Participants: 45% of large companies had staff that leaked data (46% of these were very/extremely serious)
– 92% external
– 17% insider

Page 28: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

According to a report from PricewaterhouseCoopers, LLP (PwC), “Electronic health data breaches are increasingly carried out by ‘knowledgeable insiders’ bent on identity theft or access to prescription drugs.” (Eisenberg 2011)

Page 29: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Costs

Data security breaches cost the US healthcare industry $6.5 billion annually
– 75% lack adequate funding
– 48% of organizations spend less than 10% of their annual budget on security

• Five categories:
– Legal/Regulatory – fines/penalties, lawsuits
– Financial – business distraction, remediation, communication, insurance, changing vendors
– Operational – recruiting new hires, reorganization
– Clinical – diagnosis delays, processing fraud, research
– Reputational – loss of future patients, business partners, staff losses

Page 30: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Medical Identity Theft

• Unaware of seriousness
• Fairly easy
• Victims tend to be older
• Hard to determine when the crime occurred
• Share medical information with family

Page 31: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Larry Ponemon, Chairman and Founder of the Ponemon Institute stated, “Our study shows that the risk and high cost of medical identity theft are not resonating with the public, revealing a serious need for greater education and awareness.”

Page 32: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Breach Notification Rule

• Breach is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [45 CFR Subpart E – Privacy of Individually Identifiable Health Information] of this part which compromises the security or privacy of the protected health information.” The interim rule’s added qualifier, “[or poses a significant risk of financial, reputational, or other harm to the individual],” is the ‘harm’ threshold that the Omnibus Rule removed.

• Ponemon Survey:
– Overall cost $188 per record (2012)
• Healthcare $233 per record (2012)
• Pharmaceutical $207 per record (2012)
– Full cost of a data breach averages $5.4 million (includes detection, notification, post-response and loss of business)

Page 33: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Lessons Learned from Breach

• Determine security posture
• Assume ALL portable devices contain sensitive information
• Set expectations of contractors
• Security incident handling
• Don’t underestimate the burden of an incident
• Keep logs
• Take responsibility for your actions (both individually and as an organization)

Page 34: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Important Requirements
• Administrative
– Security Management Process
• Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review
– Security Awareness Training
– Security Incident Procedures
– Contingency Planning
• Physical
– Workstation, Device, Remote Access
• Technical
– Access Control, Integrity, Transmission

Page 35: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Administrative Safeguards

Page 36: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Administrative Safeguards

• Over ½ of the HIPAA Security requirements are covered under the Administrative Safeguards

• Administrative Safeguards are:
– Administrative actions
– Policies/Procedures

• They manage security through the:
– Selection of mitigating controls
– Development of those controls accordingly
– Implementation of controls
– Maintenance of controls

Page 37: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Security Management

• Must “implement policies and procedures to prevent, detect, contain, and correct security violations.”
– Conduct a Risk Assessment

• Risk Analysis – “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center.”

• Risk Management – “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Page 38: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Sanction Policy

• “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

• Sign a statement of adherence to security policy/procedures

Page 39: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Information System Activity Review

• “regularly review records of information system activities.”
– Audit logs
– Access reports
– Security incident tracking reports

• Identify audit/activity review functionality
• Can they be adequately used to monitor?
• Policy to establish review – procedures to follow

Page 40: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Assigned Security Responsibility

• Security Official required
• The Security Official is “responsible for the development and implementation of the [security] policies and procedures required by [the Security Rule].”

Page 41: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Workforce Security

• Covered entities and business associates must “implement [adequate] policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information.”

Page 42: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Authorization and/or Supervision

• There should be adequate implementation of “procedures for the authorization and/or supervision of workforce members who work with electronic protected health information.”
– Identify Roles
– Based on roles, provide appropriate access levels

• Workforce Clearance
• Termination Procedures

Page 43: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Information Access Management

• “implement [adequate] policies and procedures for access authorization to electronic protected health information that are consistent with the applicable [Privacy Rule requirements].”

• Develop classification of information
– Protected Health Information
– Confidential Information – Business Sensitive
– Public Information

Page 44: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Security Awareness Training

• A health center should provide adequate security awareness training to all members of its workforce, including management or executive level personnel.
– Security Reminders – “periodic security updates”
– Protection from Malicious Software – there should be adequate procedures in place for “guarding against” malicious software.

Page 45: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Log-in Monitoring

• To verify that appropriate access is being maintained, the covered entity/business associate should have adequate procedures in place to monitor any log-in attempts.

No Expectation of Privacy
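The activity review slide (audit logs, access reports, incident tracking) and the log-in monitoring slide say what to review but not how. The Python script below is an added example, not material from the webinar: it parses a small constructed application audit log and flags a failed-login burst, a successful login immediately after that burst, an after-hours login, and a user paging through an unusual number of charts in one day. The log format, user names, addresses and thresholds are all constructed assumptions; an EHR’s real audit export has its own format, and thresholds belong in the risk analysis, not in code.

```python
"""Information system activity review and log-in monitoring.

Added example, not from the webinar. The log format, user names, addresses
and thresholds are constructed for illustration; adapt the parser to the
EHR's real audit export and take the thresholds from the risk analysis.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str      # LOGIN_OK, LOGIN_FAIL or RECORD_VIEW
    src: str       # source address
    detail: str


def build_sample_log():
    """Constructed audit log: a password-guessing burst that then succeeds,
    a nurse paging through thirty charts, and a contractor logging in at
    night from outside the network."""
    lines = [f"2014-02-20T08:02:{11 + 7 * i:02d} jsmith LOGIN_FAIL 10.1.4.22 bad_password"
             for i in range(5)]
    lines.append("2014-02-20T08:02:48 jsmith LOGIN_OK 10.1.4.22 -")
    lines.append("2014-02-20T09:15:02 rnurse LOGIN_OK 10.1.7.31 -")
    lines += [f"2014-02-20T09:16:{i:02d} rnurse RECORD_VIEW 10.1.7.31 MRN={10000 + i}"
              for i in range(30)]
    lines.append("2014-02-20T23:41:05 btemp LOGIN_OK 203.0.113.9 -")
    lines.append("2014-02-20T23:42:30 btemp RECORD_VIEW 203.0.113.9 MRN=10077")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse(log_text):
    """Whitespace-separated: timestamp user kind source detail."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, src, detail = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), user, kind, src, detail))
    return events


def review(events, fail_threshold=5, fail_window=timedelta(minutes=5),
           view_threshold=25, business_hours=(6, 20)):
    """Return (user, rule, detail) findings for the reviewer's queue."""
    findings = []
    fails = defaultdict(deque)      # user -> timestamps of recent failures
    burst_users = set()             # users whose burst has not resolved yet
    views = defaultdict(int)        # (user, day) -> chart views that day
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "LOGIN_FAIL":
            q = fails[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > fail_window:
                q.popleft()         # forget failures outside the window
            if len(q) >= fail_threshold:
                findings.append((ev.user, "FAILED_LOGIN_BURST",
                                 f"{len(q)} failures within {fail_window} from {ev.src}"))
                burst_users.add(ev.user)
                q.clear()
        elif ev.kind == "LOGIN_OK":
            if ev.user in burst_users:
                # A success right after a burst is the case worth a phone call.
                findings.append((ev.user, "SUCCESS_AFTER_BURST",
                                 f"from {ev.src} at {ev.ts.time()}"))
                burst_users.discard(ev.user)
            fails[ev.user].clear()
            if not business_hours[0] <= ev.ts.hour < business_hours[1]:
                findings.append((ev.user, "AFTER_HOURS_LOGIN",
                                 f"from {ev.src} at {ev.ts.time()}"))
        elif ev.kind == "RECORD_VIEW":
            key = (ev.user, ev.ts.date())
            views[key] += 1
            if views[key] == view_threshold:   # fire once per user per day
                findings.append((ev.user, "HIGH_VOLUME_RECORD_ACCESS",
                                 f"{view_threshold} charts on {ev.ts.date()}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in review(parse(SAMPLE_LOG)):
        print(f"{rule:28} {user:8} {detail}")
```

The findings list is the reviewer’s work queue; the policy the slide calls for decides who reads it and how often, and the sanction policy decides what happens when a finding turns out to be snooping rather than care.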

Page 46: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Password Management

• Procedures in place for “creating, changing, and safeguarding passwords”.
– Use unique, complex passwords
– Commit passwords to memory
– Do NOT write passwords down in unsecured locations
– Do NOT share passwords with anyone
– Authenticate users

Page 47: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Security Incident

• The Security Rule defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” In practice these are situations where it is believed that protected health information has been used or disclosed in an unauthorized fashion.
– Actual unauthorized access, use, or disclosure
– Interference with system operations (Denial of Service)

• According to a report by Solutionary, a security service provider, companies pay $6,500 an hour from a DDoS attack and up to $3,000 a day to mitigate/recover from malware infections.

Page 48: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Contingency Plan

• Need to be able to sustain or resume business during or after an emergency.

• Implement adequate policies and procedures, as needed, to respond to emergency or other situations that could cause damage to systems that contain electronic protected health information.
– Fire
– Vandalism
– System Failures
– Natural Disasters

Page 49: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Physical Safeguards

Page 50: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Physical Safeguards – First Layer of Defense

• Physical Layer
– Controls over physical access
– Procedures and maintenance of documents/hardware

• Two Areas:
– Facility Access Control
– Device/Media Controls

• Physical security requires a total commitment to a CULTURE of security and an adherence to the principles of physical security.
– Proper Identification
– Proper Authorization
– Need to Know; Minimum Use

“60% of all theft is committed by internal staff”

Page 51: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Facility Access Control

• Policies/Procedures
– Cover all staff members, visitors, business associates, contractors, sub-contractors (anyone entering the facility)

The goal of physical and environmental protection is to secure protected health information along with the security of the facility and the workforce members working within the facility.

Page 52: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Workstation Use

• Asset Inventory – can’t protect what you don’t know you have
– Includes workstations, laptops, PDAs, tablets, smart phones, printers, typewriters, etc.

• Minimum Necessary Rule applies
– Physical controls to lock down mobile devices
– Technical controls to restrict devices/users
– Restricted access to the Internet

Page 53: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Device and Media Controls

• Hardware and electronic media includes:
– Hard drives;
– Magnetic tapes or disks;
– Optical disks;
– Digital memory cards;
– Removable thumb drives; or
– Any other items that may contain electronic protected health information.

Page 54: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Controls

• Wiping/Degaussing
• Encryption
• Password protection
• Tracking
• USB Controls/Data Loss Prevention (DLP)

Page 55: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Remote Use and Mobile Device

“There have been a number of security incidents related to the use of laptops, other portable and/or mobile devices and external hardware that store, contain or are used to access Electronic Protected Health Information (EPHI) under the responsibility of a HIPAA covered entity. All covered entities are required to be in compliance with the HIPAA Security Rule, which includes, among its requirements, reviewing and modifying, where necessary, security policies and procedures on a regular basis. This is particularly relevant for organizations that allow remote access to EPHI through portable devices or on external systems or hardware not owned or managed by the covered entity.” (The Department of Health and Human Services 2006)

Page 56: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Social Engineering

“any act that influences a person to take an action that may or may not be against their best interest.”

Examples

Page 57: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Tips to Avoid SE

1. Learn to Identify Social Engineering Attacks
2. Security Awareness Should Be Personal and Interactive
3. Understand the Value of the Information They Possess
4. Updates Are Essential
5. Develop Scripts
6. Have and Learn from Social Engineering Assessments

Credit – Chris Hadnagy, Social Engineering: The Art of Human Hacking

Page 58: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Personnel Security

• Be Aware of Surroundings
• Attempt to travel in groups and not alone
• Stay in lighted areas
• Take different routes; change up routine
• Out of Town Travel
– Stay at reputable hotels
– Take special care and control over equipment/information
– Key cards (magnetic swipes)
– Door stops
– Talking on phone

Page 59: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Laws of Security

• Law #1: If a malicious individual persuades a user to run his/her program on their computer, it is no longer their computer.

• Law #2: If a malicious individual can alter the operating system of a user's computer, it is no longer their computer.

• Law #3: If a malicious individual has physical access to a user's computer, it is no longer their computer.

• Law #4: If a user allows a malicious individual to upload programs to their website, it isn't their website anymore.

• Law #5: Strong security is always undermined by weak passwords.

Page 60: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Laws of Security (cont.)

• Law #6: Treat your system administrators well and make sure they can be trusted, since a computer is only as secure as the administrator makes it.

• Law #7: The decryption key determines how securely your data is encrypted. (If you use a weak encryption algorithm or don't secure the keys, encryption is worthless.)

• Law #8: Keep your virus scanners up to date since an old .dat file is just slightly better than having no virus scanner installed at all.

• Law #9: It is very difficult to be anonymous in the real world and on the web. (Your behaviors will determine the level of privacy you will have.)

Page 61: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Law #10: “Security is a process… NOT a product.” (– phrase coined by Bruce Schneier.)

Page 62: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Technical Safeguards

Page 63: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Technical Safeguards

• The objective of these safeguards is to mitigate the risk of electronic protected health information being used or disclosed in an unauthorized manner.

• CIA Triad– Confidentiality– Integrity– Availability

Page 64: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Risk Assessment

• The covered entity (and business associate) are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Will discuss more in webinar 3

Page 65: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Access Control

• Allow access to only those that are authorized
– Includes software programs
– Data in databases

• Controls on:
– Workstations
– Laptops
– Servers
– Network (through firewalls/routers)

Page 66: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Unique User Identification

• Every workforce member must have a unique user identifier (i.e. username) when accessing information

• Account Management Includes:
– Account Establishment
– Account Activation
– Account Modification
– Account Termination
– Account Removal

Page 67: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Emergency Access Procedure

• Emergency procedures should contain methods of supporting continued operations in situations that affect normal operations.

• It should be determined whether the information systems can fail over automatically to emergency configurations or whether a workforce member will have to invoke these failover procedures manually.
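Access control, the minimum necessary standard and the emergency access procedure interact: a role must not see more than its job needs, a clinician must still be able to reach a chart in an emergency, and every such override has to be logged and reviewed rather than silently allowed. The Python below is an added example, not material from the webinar, of one way to enforce that combination. The roles, users, care-team table, resource names and log layout are constructed for illustration; a real policy comes from the job-function review the Security Rule requires.

```python
"""Role-based, need-to-know access check with a logged break-glass path.

Added example, not from the webinar. Roles, users, the care-team table and
the log structure are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Role -> permitted (resource, action) pairs. Minimum necessary: billing gets
# demographics and claims, never the clinical chart; administering the
# system is not a clinical permission at all.
ROLE_PERMISSIONS = {
    "physician": {("chart", "read"), ("chart", "write"), ("orders", "write")},
    "nurse": {("chart", "read"), ("chart", "write")},
    "billing": {("claims", "read"), ("claims", "write"), ("demographics", "read")},
    "it_admin": set(),
}
CLINICAL_ROLES = {"physician", "nurse"}
PATIENT_SCOPED = {"chart", "orders"}      # need a treatment relationship

# Constructed care-team assignments: patient id -> users treating them.
CARE_TEAM = {"P-1001": {"dr_lee", "rn_ortiz"}, "P-1002": {"dr_lee"}}


@dataclass
class User:
    name: str
    role: str


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, patient, resource, action, decision, reason, now):
        self.entries.append({
            "ts": now.isoformat(), "user": user.name, "role": user.role,
            "patient": patient, "resource": resource, "action": action,
            "decision": decision, "reason": reason,
        })

    def break_glass_for_review(self):
        """Every emergency override goes to the activity-review queue."""
        return [e for e in self.entries if e["decision"] == "ALLOW_BREAK_GLASS"]


def authorize(user, patient, resource, action, log, now, break_glass_reason=None):
    """Allow only what the role permits and, for patient-scoped resources,
    only for patients the user is treating. Clinicians may override the
    relationship check in an emergency by stating a reason; the override is
    logged and flagged. Break-glass never grants a permission the role lacks."""
    if (resource, action) not in ROLE_PERMISSIONS.get(user.role, set()):
        log.record(user, patient, resource, action, "DENY", "role lacks permission", now)
        return False
    if resource not in PATIENT_SCOPED:
        log.record(user, patient, resource, action, "ALLOW", "role permission", now)
        return True
    if user.name in CARE_TEAM.get(patient, set()):
        log.record(user, patient, resource, action, "ALLOW", "care team", now)
        return True
    if break_glass_reason and user.role in CLINICAL_ROLES:
        log.record(user, patient, resource, action, "ALLOW_BREAK_GLASS", break_glass_reason, now)
        return True
    log.record(user, patient, resource, action, "DENY", "no treatment relationship", now)
    return False


def run_scenario():
    """Constructed requests; returns (decisions, log) for inspection."""
    log = AccessLog()
    now = datetime(2014, 2, 20, 14, 30)
    nurse = User("rn_ortiz", "nurse")
    admin = User("sysop", "it_admin")
    biller = User("clerk", "billing")
    decisions = {
        "nurse_own_patient": authorize(nurse, "P-1001", "chart", "read", log, now),
        "nurse_other_patient": authorize(nurse, "P-1002", "chart", "read", log, now),
        "nurse_break_glass": authorize(nurse, "P-1002", "chart", "read", log, now,
                                       break_glass_reason="code blue, covering ED"),
        "admin_chart": authorize(admin, "P-1001", "chart", "read", log, now),
        "billing_claims": authorize(biller, "P-1001", "claims", "read", log, now),
        "billing_chart": authorize(biller, "P-1001", "chart", "read", log, now,
                                   break_glass_reason="curious"),
    }
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_scenario()
    print(decisions)
    for entry in log.break_glass_for_review():
        print("REVIEW:", entry)
```

The order of the checks is the point: role permission first, so that break-glass can widen which patients a clinician may reach but never what a non-clinical role may do; every decision, including denials, lands in the log that the activity review reads.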

Page 68: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Automatic Logoff

• Health centers should implement an automatic logoff of information systems after a period of workforce member inactivity.
– Generally, 10 minutes (the Rule itself specifies only “a predetermined time of inactivity”; set the interval from the risk analysis)

• The automatic logoff feature should be activated on all workstations (and software) with access to electronic protected health information.

Page 69: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Encryption/Decryption

• A covered entity (and business associate) needs to identify or address all electronic protected health information that requires encryption so that it is restricted from access by individuals or other software programs that may not be granted access rights to this information.

• Reasonable/Appropriate
• State of Data
– Stored (at rest)
– Processed (in use)
– In transit

Page 70: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Audit Controls

• A health center is required to implement audit control mechanisms that are reasonably implemented to record and examine activity in information systems that contain or use electronic protected health information.
– Established by risk assessment
– Can take up a lot of hard drive space
– Need to be flexible, but account for important items
– Need to be reviewed
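The "need to be reviewed" point is the one most often left undone, so here is an added example (not from the webinar) of what a first-pass review of audit records can look like in code. The log format, the account roster and the thresholds are all assumptions constructed for illustration; the roster check ties the review back to the account termination/removal steps on the Unique User Identification slide.

```python
"""Audit-log review over constructed EHR access records (added example,
not from the webinar). Log format, user roster and thresholds are all
assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one access event per line.
SAMPLE_LOG = """\
2014-02-20T08:05:10 user=nurse.a action=VIEW record=PT-1001 ws=ws-exam-1
2014-02-20T08:07:42 user=nurse.a action=VIEW record=PT-1002 ws=ws-exam-1
2014-02-20T02:15:00 user=dr.b action=VIEW record=PT-2001 ws=ws-admin-3
2014-02-20T13:40:01 user=billing.c action=EXPORT record=PT-1001 ws=ws-bill-1
2014-02-20T13:41:15 user=billing.c action=EXPORT record=PT-1002 ws=ws-bill-1
2014-02-20T13:41:30 user=billing.c action=EXPORT record=PT-1003 ws=ws-bill-1
2014-02-20T13:41:47 user=billing.c action=EXPORT record=PT-1004 ws=ws-bill-1
2014-02-20T09:00:00 user=former.d action=VIEW record=PT-3001 ws=ws-exam-2
"""

# Constructed roster: account status as maintained by account management.
# A terminated account that can still produce log entries is itself a finding.
ROSTER = {"nurse.a": "active", "dr.b": "active",
          "billing.c": "active", "former.d": "terminated"}

BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local time (assumed policy)
RECORD_VOLUME_THRESHOLD = 3        # distinct records per user in the sample


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed time."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def review(log_text, roster=ROSTER):
    """Return (rule, user, detail) findings for a reviewer to follow up."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    records_by_user = defaultdict(set)
    for e in events:
        user = e["user"]
        records_by_user[user].add(e["record"])
        # Rule 1: activity from an account that is not active in the roster.
        if roster.get(user) != "active":
            findings.append(("inactive-account", user, e["record"]))
        # Rule 2: access outside the assumed business hours.
        if e["time"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours", user, e["time"].isoformat()))
    # Rule 3: one user touching an unusually large number of distinct records.
    for user, recs in sorted(records_by_user.items()):
        if len(recs) > RECORD_VOLUME_THRESHOLD:
            findings.append(("high-volume", user, len(recs)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Each finding is a lead for a human reviewer, not a verdict: the after-hours access may be legitimate on-call work, and the export volume may be normal for billing. The value of the control is that someone looks, and that the review itself is documented.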

Page 71: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Integrity

• Deals with alteration or modification of data

• Awareness
– Training
– Audit Trails
– Sanctions

• Risk Assessment identifies possible unauthorized modification areas

• Backups
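An audit trail only supports integrity if the trail itself cannot be quietly edited. As an added example (not from the webinar), the following hash-chains audit entries so that any alteration of a stored entry, or removal of one from the middle, is detectable on review. The record layout is an assumption chosen for illustration.

```python
"""Tamper-evident (hash-chained) audit trail, added to illustrate the
integrity slide; not code from the webinar. Record layout is assumed."""
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry


def _digest(prev_hash, record):
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain, record):
    """Append a record; its hash covers the record and the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": dict(record), "prev": prev,
                  "hash": _digest(prev, record)})
    return chain


def verify(chain):
    """Return (ok, index_of_first_bad_entry_or_None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def demo():
    chain = []
    for rec in ({"user": "nurse.a", "action": "VIEW", "record": "PT-1001"},
                {"user": "billing.c", "action": "EXPORT", "record": "PT-1002"},
                {"user": "dr.b", "action": "UPDATE", "record": "PT-2001"}):
        append(chain, rec)
    intact = verify(chain)
    # Simulate a stored entry being altered after the fact; review catches it.
    chain[1]["record"]["action"] = "VIEW"
    tampered = verify(chain)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The chain tells a reviewer that something changed and where; it does not by itself prevent someone with write access from recomputing every hash. That is why the last hash should be copied periodically to a place the log writer cannot change (the backup set the slide mentions, or a separately controlled store) and compared at review time.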

Page 72: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Authentication

• An authorized individual is required to present something that only they would know prior to gaining access;

• An authorized individual is required to present something that only they would have prior to gaining access; or

• An authorized individual is required to present something unique to only that individual prior to gaining access.

Page 73: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Transmission Security

• A health center needs to implement adequate technical security measures to guard against unauthorized access to electronic protected health information being transmitted over an electronic communications network.

• Restrict certain protocols (SNMP, Finger, TFTP)

Page 74: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

“Results require action, not excuses!” – Amy Cotta

Page 75: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Business Associates

Page 76: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Business Associates

• Omnibus Rule:
– Directly liable
– Implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability (CIA) of EPHI
– A BA is any organization that creates, receives, maintains, or transmits PHI on the health center’s behalf

• Any agent or subcontractor of a BA is also considered a BA
– The agent must enter into a BAA with the subcontractor to comply with the HIPAA Security Rule and applicable Privacy Rules

Page 77: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Examples of Business Associates

• Companies that provide certain types of functions, activities, and services to covered entities:
– Claims Processing;
– Data Analysis;
– Utilization Review;
– Billing;
– Legal Services;
– Accounting/Financial Services;
– Consulting;
– Administrative;
– Accreditation; or
– Other related services

• Omnibus Rule added:
– Patient Safety Organizations
– Health Information Organizations, E-Prescribing Gateways, and other data transmission services that require routine access
– Persons that offer personal health records to one or more individuals on behalf of the health center

Page 78: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Business Associate

• As required by 45 CFR § 164.308(b)(1), a covered entity should obtain “satisfactory assurance” that their business associates will “appropriately safeguard the electronic protected health information created, received, maintained, or transmitted on the covered entity’s behalf.”

• Although ‘satisfactory assurance’ is met through a ‘written contract or other arrangement’, it is recommended that the business associate meet the same level of due diligence the covered entity applies to secure electronic protected health information. – Omnibus Rule

Page 79: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Business Associate Contracts

• BA agrees not to use/disclose PHI other than as permitted (explain what is permitted)

• Use appropriate safeguards

• Ensure subcontractors agree to the same restrictions/safeguards

• Availability to health center

• Additional amendments

• Accounting of disclosures

• Make practices available to the Secretary of HHS for purposes of determining compliance

Page 80: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Business Associate Contracts (cont.)

• Report any security incident
– Omnibus Rule: reporting of breaches of unsecured protected health information

• Termination Clause
– Omnibus Rule: BA is obligated to follow standards under the HIPAA Security Rule and must also follow applicable HIPAA Privacy Rules

• Consider costs of a breach

• Consider right to audit

Page 81: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Summary

• Assume Audit will happen
• Conduct Risk Assessment
• Update Policies/Procedures
• Revise BAAs and conduct Due Diligence
• Train and Educate
• Evaluate
• Document, Document, Document

Page 82: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Service Offerings

• HIPAA Compliance Program
• HIPAA/HITECH Information Systems Security Risk Assessment
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Internal/External Vulnerability/Penetration Test
• Organizational Requirements
• Policies, Procedures, & Documentation Requirements
• Policies/Procedures
• Security Awareness Training
• Mitigation Management
• Vendor Due Diligence
• Security Incident Response Handling
• Business Continuity/Disaster Recovery Planning
• Subject Matter Expertise

Page 83: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Questions

[email protected]

513-707-1623 (direct)

Page 84: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series

in partnership with

Thursday, March 6, 2014

2pm – 3pm EST

Webinar 3

Meaningful Use Requirements for FQHCs from the Security Risk Aspect