Best IT Documents.com Blog


Healthcare HIPAA, HITRUST, HITECH Resources

 

IT Security / Technology Risk / Control Frameworks

HITRUST (Risk Framework)

http://www.hitrustalliance.net/about/

 

Assessment Areas – HIPAA

  • Expert background in technical controls assessment, compliance, risk, and security control requirements.
  • HIPAA Security Rule (3 safeguards – Administrative, Physical, Technical) and its Required vs. Addressable implementation specifications. HIPAA gap assessments, HIPAA IT auditing, HIPAA IT controls design, integration and testing; privacy gap assessments and pre-audits.
  • Understanding of risk and control frameworks such as HITRUST, COBIT, UCF, ITIL, and ISO.

 

Preparatory Research

  • Electronic Medical Records: Success Requires an Information Security Culture:

http://www.sans.org/reading_room/whitepapers/hipaa/electronic-medical-records-success-requires-information-security-culture_34242

  • Aligning Application Security and Compliance: (good info)

http://www.corporatecomplianceinsights.com/wp-content/uploads/gravity_forms/14-f3c6012ed7b64af70e209c6db8553b08/2012/02/Aligning+Application+Security+and+Compliance1.pdf

  • SANS – MOACL – Mother of All Control Lists: (dated info but good)

http://www.sans.org/reading_room/whitepapers/compliance/meeting-compliance-efforts-mother-control-lists-moacl_33299

 

HIPAA Terminology

Covered Entity, Business Associate, Conduit, Meaningful Use / MU Phase I/II/III, Breach Notification Rule, OCR, ePHI / PHI, BNR, PNR, 45 CFR 164.x (9/2013 – 3/2014), Final HIPAA Omnibus Rule, BA Contracts.

 

IT Governance / Regulations – HIPAA

HIPAA / Omnibus HIPAA Privacy, Security, Governance, And Compliance.

 

HIPAA

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

 

HIPAA Survival Guide (good info)

http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php

Terminology

Covered Entity, Business Associate, BAA / Contracts, Conduit, Meaningful Use / MU Phase I/II/III, Breach Notification Rule, OCR, ePHI / PHI, BNR, PNR, 45 CFR 164.x (9/2013 – 3/2014), Final HIPAA Omnibus Rule, BA Contracts. HIPAA / HITRUST: HIPAA and HITRUST – What's the Difference?

 

Overview of HIPAA/HITECH Omnibus Final Rule

Omnibus / HealthIT

http://www.darkreading.com/privacy/new-hipaa-omnibus-rule-changes-health-it/240148673

 

ePHI Identifiers / De-Identification

HHS: Guidance on Methods for De-Identification

HIPAA PHI: List of 18 Identifiers and Definition of PHI

EPHI Computer Systems Inventory:

https://community.pepperdine.edu/it/security/ric/invephi.htm

 

Yale: Break Glass Procedure: Granting Emergency Access to Critical EPHI Systems

Meaningful Use: What Is Meaningful Use?

http://www.healthit.gov/policy-researchers-implementers/meaningful-use

 

Breach Notification Rule: HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414

Covered Entities & Business Associates: § 160.103 Definitions.

  • De-Identification of PHI: methods in accordance with the HIPAA Privacy Rule.
  • Summary of the HIPAA Security Rule (HHS).
  • HIPAA Security Risk Analysis Tips – 9 Essential Elements.
  • Complete a Privacy Rule Compliance Assessment (45 CFR §164.530).
  • MU – HIPAA Security Risk Analysis: How to Conduct a Meaningful Use / HIPAA Security Risk Analysis.
  • eCFR: Electronic Code of Federal Regulations.
  • Cornell Law School – 45 CFR 164 – Summaries: http://www.law.cornell.edu/cfr/text/45/part-164

Are You Ready For A HIPAA Audit? 5 Insights for Executives

HIPAA Audit Tips – Prepare For Audits Using Omnibus Final Rule

White Paper: The HIPAA Final Omnibus Rule: New Changes Impacting Business Associates

Deloitte Brief: Update: Privacy and Security Of Protected Health Information Omnibus Final Rule and Stakeholder Considerations

 

OCR HIPAA Audits: Findings/Recommendations: Notification of Findings And Recommendations Report From OCR HIPAA Audits

HHS/OCR: HIPAA Lessons – UCLA: Specific Lessons from HIPAA Privacy and Security Case At

 

OCR HIPAA Audits: What To Expect When OCR Audits Come

HIPAA Interview and Document Request: HIPAA Security Onsite Investigations and Compliance Reviews: – Great Sample

OCR HIPAA Audit Briefings:  OCR Data On First 20 HIPAA Compliance Audits

HIPAA Enforcement: Case Examples Organized By Covered Entity:

 

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyentity.html#2healthcareprovider

 

HIPAA Settlements / Resolution Agreements

HIPAA-Hitech Compliance: Proven HIPAA Audit Tips – Actions You Should Take Now To Prepare For OCR HIPAA Audits

  1. Set a privacy and security risk management & governance program in place (45 CFR §164.308(a)(1))
  2. Develop & implement comprehensive HIPAA privacy, security and breach notification policies & procedures (45 CFR §164.530 and 45 CFR §164.316)
  3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
  4. Complete a HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))
  5. Complete a HIPAA security evaluation (= compliance assessment) (45 CFR §164.308(a)(8))
  6. Complete technical testing of your environment (45 CFR §164.308(a)(8))
  7. Implement a strong, proactive business associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))
  8. Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR §164.500 and 45 CFR §164.400)
  9. Document and act upon a remediation plan

 

HHS.GOV – HIPAA: Security Series

  1. Security 101 for Covered Entities
  2. Security Standards Administrative Safeguards
  3. Security Standards – Physical Safeguards
  4. Security Standards – Technical Safeguards
  5. Security Standards – Organizational, Policies & Procedures, and Documentation Requirements
  6. Basics of Risk Analysis & Risk Management

Sample – Healthcare (HIPAA, HiTRust, HiTech) Tiered Application and System Support Services

Tiered Application and System Support Services

Measures include:

  • Time to Respond (Priority 1-4)
  • Time to Resolve (Priority 1-4)
  • % of Open Break Fix Issues that Exceed the SLA
  • Tier 1 Applications / System Availability (system uptime) for:
      • Cerner
      • Meditech
      • PACs
      • PPP
      • McKesson Star
      • Lawson
      • Core Network Systems
      • EICU

 

Tiered Application and System Support Services

  • Time to Respond – Amount of time required for an incident (ticket) to be assigned for work.

Monthly Goals:

Name of SLA                              Proposed Goal
Time to Respond – Priority 1 (Urgent)    90% within 15 Minutes
Time to Respond – Priority 2 (High)      90% within 4 Business Hours
Time to Respond – Priority 3 (Medium)    90% within 1 Business Day
Time to Respond – Priority 4 (Low)       90% within 3 Business Days

 

Tiered Application and System Support Services

  • Time to Resolve – Amount of time required for an incident (service) to be restored.

Monthly Goals:

Name of SLA                              Proposed Goal
Time to Resolve – Priority 1 (Urgent)    90% within 4 Hours
Time to Resolve – Priority 2 (High)      90% within 8 Business Hours
Time to Resolve – Priority 3 (Medium)    90% within 3 Business Days
Time to Resolve – Priority 4 (Low)       90% within 10 Business Days

 

  • % of Open Break Fix Issues that Exceed SLA – percentage of open incidents (tickets) that exceed the SLA for all Priority levels in a given month.

Monthly Goal: < 35%

Name of SLA                                      Proposed Goal
% of Open Break Fix Issues that Exceed SLA       < 35% of Open Break Fix Issues


  • Tier 1 Applications / System Availability

Monthly Goal: >99.9%

Name of SLA                                                        Proposed Goal
Tier 1 Applications / System Availability (Cerner)                 >99.9% Availability
Tier 1 Applications / System Availability (Meditech)               >99.9% Availability
Tier 1 Applications / System Availability (PACs)                   >99.9% Availability
Tier 1 Applications / System Availability (PPP)                    >99.9% Availability
Tier 1 Applications / System Availability (McKesson Star)          >99.9% Availability
Tier 1 Applications / System Availability (Lawson)                 >99.9% Availability
Tier 1 Applications / System Availability (Core Network Systems)   >99.9% Availability
Tier 1 Applications / System Availability (EICU)                   >99.9% Availability

 

Customer Support Services

  • Measures include:
      • Total Call Volume
      • Average Speed to Answer
      • Call Abandonment Rate
      • First Call Resolution Rate

  • Total Call Volume – number of calls into each of the Help Desks in a given month.

Help Desk                 Proposed Goal
Denver Administration     xxxxxx
Houston HD                xxxxxx
California Server         xxxxxx

  • Average Speed to Answer / per Queue (Seconds) – average length of time required (in seconds) to answer calls into the Help Desk in a given month.

Monthly Goal: < 55 seconds

Help Desk                 Proposed Goal
Denver Administration     < 55 seconds
Houston HD                < 55 seconds
California Server         < 55 seconds

  • Call Abandonment Rate / per Queue – rate of calls where the caller hung up while phoning the Help Desk in a given month.

Monthly Goal: < 15%

Help Desk                 Proposed Goal
Denver Administration     < 15%
Houston HD                < 15%
California Server         < 15%

  • First Call Resolution Rate – rate of incidents resolved during the first call to the Help Desk.

Monthly Goal: > 50%

Help Desk                 Proposed Goal
Denver Administration     > 50%
Houston HD                > 50%

Business Continuity Management Services

  • Measures currently include:
      • Tier 1 Application and System Back-Ups

Monthly Goal: >75% successfully backed up within window

Name of SLA                                  Proposed Goal
Tier 1 Application and System Back-Ups       >75% Successfully backed up within window

 

Security Services

  • Measures include:
      • Virus Protection Currency on Servers within 7 days
      • Virus Protection Currency on Desktops within 7 days

Monthly Goal: > 90%

Name of SLA                                              Proposed Goal
Virus Protection Currency – Servers (within 7 days)      > 90% Virus Protection Compliance
Virus Protection Currency – Desktops (within 7 days)     > 90% Virus Protection Compliance

 

Change Management Services

  • Measures include:
      • Change Timeliness of Non-Routine Changes (Urgent, High, and Medium)
      • Change Accuracy of Non-Routine Changes (Urgent, High, and Medium)
      • % of Urgent and High Unplanned Emergency Changes

Name of SLA                                                              Proposed Goal
Change Timeliness of Non-Routine Changes (Urgent, High, and Medium)      > 95% of changes completed within the change window
Change Accuracy of Non-Routine Changes (Urgent, High, and Medium)        > 95% change success
% of Urgent and High Unplanned Emergency Changes                         < 20% of High and Urgent changes submitted as Emergency

 


Report and Review Services

Measures include:

  • Customer Satisfaction (LITED) Reports Published to the OCIO and Service Delivery Sub-Committee on Time
  • LITED: percent overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD METRIC)
  • LITED: percent of Action Plans completed on time (SCORECARD METRIC)
  • SLA Review Reports Published to OCIO and Service Delivery Sub-Committee on Time
  • Percentage of SLAs that meet or exceed targets (SCORECARD METRIC)
  • Scorecard Published to OCIO and Service Delivery Sub-Committee on Time
  • Scorecard Data Received on Time
  • Percentage of Scorecard measures that meet or exceed targets

 

Customer Satisfaction (LITED) Reports Published to the OCIO and Service Delivery Sub-Committee on Time

  • Published on the last business day of the reporting month

Name of SLA                                                                                          Proposed Goal
Customer Satisfaction (LITED) Reports Published to OCIO and Service Delivery Sub-Committee on Time    > 95% Reported on Time

 

LITED: Percent overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD Performance Review and National Scorecard METRIC)

  • Did IT meet the overall expectations of Service Delivery in the following Focus Areas:
      • Operations Service Delivery (OSD) – includes Help Desk, Desktop Support and Direct Customer Support
      • Program & Project Delivery (PPD) – includes EPMO, Legal, Contract & Vendor Management
      • Service Quality (SVC)
      • Value Creation (VAL)
      • Relationships (REL)

Name of SLA                                                                                       Proposed Goal
LITED: % overall that meets overall expectations of IT Delivery in 5 focus areas (SCORECARD METRIC)   > 75% Reported Meets Expectations

LITED: Percent of Action Plans completed on time (SCORECARD Performance Review and National Scorecard METRIC)

Name of SLA                                                             Proposed Goal
LITED: % of Action Plans completed on Time (SCORECARD METRIC)           > 95% Completed

 

SLA Review Reports published to the OCIO and Service Delivery Sub-Committee on time

  • Percentage of SLAs that meet or exceed targets (Scorecard Metric)
  • Scorecard published to the OCIO and Service Delivery Sub-Committee on time
  • Scorecard data received on time
  • Percentage of Scorecard measures that meet or exceed targets

  • SLA Dashboard and IT Balanced Scorecard are published on the last business day of each reporting month

Name of SLA                                                                              Proposed Goal
SLA Review Reports Published to OCIO and Service Delivery Sub-Committee on Time          > 95% Reported on Time
Percentage of SLAs that meet or exceed targets (SCORECARD METRIC)                        > 80% Reported Green (18 month goal)
Scorecard Published to OCIO and Service Delivery Sub-Committee on Time                   > 95% (15th of the Month)
Scorecard Data Received on Time                                                          > 95% (Received prior to the 26th of the Month)
Percentage of Scorecard measures that meet or exceed targets                             > 80% Reported Green

 

Service areas:

  • Tiered Applications and System Support Services
  • Customer Support Services
  • Business Continuity Management Services
  • Security Services
  • Change Management Services
  • IT Release and Project Management Services
  • Report and Review Services
  • Contracting and Vendor Management Support Services

 

  • In relation to the clinical needs of the patient
  • In anticipation of Medicare and insurer changes
  • These are not the only influencers of cost & revenue (i.e. Case Managers, Physicians, OR Staff, Service Line Leadership)
  • Tier 1 applications:
      1. Cerner
      2. Meditech
      3. PACs
      4. PPP
      5. McKesson Star
      6. Lawson
      7. Core Network Systems
      8. EICU

 

Corporate future growth strategy involves a significant influx of new physicians, staff, and clinical facilities.

  • Align newly acquired operations with Corporate security standards quickly and efficiently – without impact to acquisition/integration timelines.

 

Address security gaps at time of acquisition.

  • Avoid inheriting non-compliant systems or processes
  • Synergy with tech-refresh activities associated with the acquisition

 

Due Diligence

  • Identify any security issues that are material to the acquisition.
  • Assess amount of security investment needed to bring acquired operation into compliance with Corporate standards.

 

 

Pre-Integration

  • Risk assessment to identify gaps in infrastructure and processes.
  • Remediation to stop-gap any critical items.
  • Establish roles and provision access for new staff.
  • Overlay Corporate standard security technologies.

 

Post-Integration

  • Bring systems and processes into alignment with Corporate standards.
  • Ensure and maintain compliance.

 

Internal Scans

  • A vendor is being used for the initial scans so that staff can implement the program in parallel.
  • The internal team will lead the vendor initiative and implement the program simultaneously.

 

External Scans

  • All Corporate external addresses
  • Denver address space represented here
  • Remaining results to be reviewed with groups next week

 

Acquisition Scans

  • Qualys acquisition represented
  • Rescan April 2019
  • Remediation results reported after rescan
  • Chattanooga Heart scan report to be completed next week.

 

Divestiture Scans

  • No active divestitures

 

Future State Vision

  • Consistent, holistic enterprise-wide approach.
  • Cover all information assets.
  • Coordinate security and business resilience.
  • Enable access to accommodate physician growth and workforce mobility.
  • Establish a control structure framework to meet and manage HIPAA and PCI compliance.

 

Program Maturity Objectives

  • Meet defined customer service objectives.
  • Predictable cost for sustainable compliance.
  • Active management and significant reduction of risk.
  • Adoption across entire enterprise.
  • Business decisions influenced by trends and metrics.
  • Program covers new and emerging risks (mobile, virtualization etc.).

 

www.bestitdocuments.com

 


Healthcare IT Technology Issues to consider


Sample – HIPAA Access Components – Identity Management Visio


PCI DSS, SOX (CobiT) and HIPAA & HITECH simplified

Posted in Health Care HIPAA - HITECH - HITECH (98), Visio Samples - Stencils (457) by Guest on October 22nd, 2017

The three-column crosswalk (PCI DSS | SOX (CobiT) | HIPAA & HITECH), one row per control area:

Penalties

PCI DSS: Fines, loss of credit card processing and Level 1 merchant requirements
SOX (CobiT): Fines up to $5M and up to 10 years in prison
HIPAA & HITECH: Penalties and fees up to $1.5M for neglect

Vulnerability and malware controls

PCI DSS:
  • 5.1.1 Monitor zero-day attacks not covered by anti-virus
  • 6.2 Identify newly discovered security vulnerabilities
  • 11.2 Perform network vulnerability scans quarterly by an ASV
  • 11.4 Maintain edge IDS and IPSs to monitor and alert personnel; keep engines up to date
SOX (CobiT):
  • DS 5.9 Malicious Software Prevention, Detection and Correction – "Put preventive, detection and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam)."
  • DS 5.6 Security Incident Definition – "Clearly define and communicate the characteristics of potential security incidents so that they can be properly classified and treated by the incident and problem management process."
  • DS 5.10 Network Security – "Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks."
HIPAA & HITECH:
  • 164.308(a)(1)(ii)(A) Risk Analysis – Conduct vulnerability assessment
  • 164.308(a)(1)(ii)(B) Risk Management – Implement security measures to reduce the risk of security breaches
  • 164.308(a)(5)(ii)(B) Protection from Malicious Software – Procedures to guard against malicious software (host/network IPS)
  • 164.308(a)(6)(iii) Response & Reporting – Mitigate and document security incidents

Audit logging and monitoring

PCI DSS:
  • 10.2 Automated audit trails
  • 10.3 Capture audit trails
  • 10.5 Secure logs
  • 10.6 Review logs at least daily
  • 10.7 Retain audit trail for at least one year; maintain logs online for three months
SOX (CobiT):
  • DS 5.5 Security Testing, Surveillance and Monitoring – "… a logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed."
HIPAA & HITECH:
  • 164.308(a)(1)(ii)(D) Information System Activity Review – Procedures to review system activity
  • 164.308(a)(6)(i) Login Monitoring – Procedures and monitoring for login attempts (host IDS)
  • 164.312(b) Audit Controls – Procedures and mechanisms for monitoring system activity

Network and web application protection

PCI DSS:
  • 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications
SOX (CobiT):
  • DS 5.10 Network Security – "Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks."
  • AI3.2 Infrastructure resource protection and availability
HIPAA & HITECH:
  • 164.308(a)(1) Security Management Process – Implement policies and procedures to prevent, detect, contain and correct security violations
  • 164.308(a)(6) Security Incident Procedures – Implement policies and procedures to address security incidents

Clinical – Clinical Revenue Cycle Definition – PowerPoint Slide

Posted in Health Care HIPAA - HITECH - HITECH (98) by Guest on January 14th, 2016

Clinical Revenue Cycle Definition – PowerPoint Slide

Clinical_Revenue_Cycle_Definition


Sample – Word – Meditech RAC Tracking Tool Set-Up Sample

Posted in Health Care HIPAA - HITECH - HITECH (98) by Guest on November 14th, 2015

Word – Meditech RAC Tracking Tool Set-Up Sample

Meditech_RAC_Tracking_Tool_Set-Up.doc


Sample Word – POC Imprivata Hardware – Software Resources


Sample Word – POC Clinical Application VDI Desktop Integration

Free Word Document Download

POC Clinical Application VDI Desktop Integration


Sample Word – Clinical Access SSO Test Cases

Free Word document download

Clinical Access SSO Test Cases


Sample Word – POC Clinical Application VDI Use Cases

Free Word document download

POC Clinical Application VDI Use Cases


Sample Word – Clinical Radiology Provisioning Architecture (PACs)

Free Word document download

HIPAA, HITECH / HITRUST

Clinical PACS System Detailed Information for Provisioning

IT Security Guideline – Emergency Access Controls and Password Use

This procedure is to ensure that access controls do not interfere with critical and timely access to patient information.

This is to be accomplished by the following:

  • Prepare 2 packets of sealed envelopes with full access information and store them in a secure area. The accesses included in each packet are Network, Meditech, ChartMaxx and Dictaphone.
  • Passwords are to be set so that the user must change them the first time they access the system(s).
  • Provide doctors and nurses with full access, including username and password.
  • After this emergency access process is activated, IT management must be notified as soon as reasonably possible.
  • After these emergency access capabilities are used, a full audit must be conducted.
  • After emergency access is no longer needed, the accounts will be deactivated and new emergency accounts are to be created for use in the next emergency situation.

Admission / Registrations Applications – IT Security Applications Group Manager Roles

Posted in Compliances (1300), Health Care HIPAA - HITECH - HITECH (98) by Guest on August 1st, 2015

Revenue Cycle – Admission/Registrations Applications

This position will manage implementation and support of admissions/registration applications. This will include, but not be limited to, applications from Meditech and McKesson. Other applications which are used in the admissions processes and facilitate the revenue cycle, such as insurance verification, scheduling, authorization and referral management, will fall in this area. In addition, this manager will oversee general financial applications implementation and support (GL, AP, MM, PP) at Meditech sites which have not gone live with Corporate Connect.

Revenue Cycle – Meditech Technical Support

This position will manage Meditech technical support, including NPR report writing / data extracts, custom programming, system performance, coordination of downtimes and systems architecture. This position will have a dotted-line reporting relationship to the Director of Meditech Clinical Applications.

Revenue Cycle – McKesson Technical Support

This position will manage McKesson technical support, including report writing / data extracts, custom programming, system performance, coordination of downtimes and systems architecture. This position will coordinate heavily with clinical areas using McKesson applications.

Revenue Cycle – Billing Applications

This position will manage implementation and support of billing-related applications. This will include, but not be limited to, applications from Meditech and McKesson. Other applications which are used in the billing processes and facilitate claims submission and revenue cycle processes, such as ePremis, will fall in this area.

Revenue Cycle – Abstracting / Coding / Medical Records Applications

This position will manage implementation and support of coding, abstracting and medical records applications. This will include, but not be limited to, applications from Meditech and McKesson. Other applications which are used in the coding processes and facilitate the revenue cycle, such as 3M encoder and grouper software, will be supported in this area.

CERNER – IT Security Applications Group Manager Roles

Posted in Compliances (1300), Health Care HIPAA - HITECH - HITECH (98) by Guest on July 31st, 2015

CERNER Clinical

CERNER Clinical – LIS

Manage team responsible for the development, implementation and support of the Cerner Millennium PathNet applications used in the laboratory environment, which includes Anatomic Pathology, Blood Bank, General Laboratory, Outreach Services, Specimen Management and the integration with Medical Device Interfaces (MDIs).

CERNER Clinical – Pharmacy and Medication Management

Manage team responsible for the development, implementation and support of the applications supporting pharmacy and medications management, which include Cerner Millennium PharmNet, BCMA (CareMobile), ePrescribing, and Medication integration within Cerner Millennium PowerChart.

CERNER Clinical – Clinical Documentation

Manage team responsible for the development, implementation and support of applications supporting Clinical Documentation and HIM within Cerner Millennium, which includes Nursing and Physician Documentation and Nursing and Physician Order Entry in Millennium applications such as PowerChart, FirstNet, INet, SurgiNet, HIM, etc.

CERNER Clinical – Ancillary

Manage team responsible for the development, implementation and support of applications supporting Ancillary Departments, which includes Cerner Millennium Enterprise Scheduling, SurgiNet, FirstNet, and RadNet.

CERNER Clinical – Application Administration

Manage team responsible for the development and coordination of application technical activities to support application implementation and support objectives in the areas of Cerner System Architecture, Cerner Millennium CORE, Charge Services, Foreign System Interfaces, and CCL Programming. Ensures that technical strategy decisions, implementation activities, and production support are in agreement with vendor specifications and overall system architecture.


MEDITECH – IT Security Applications Group Manager Roles

Posted in Compliances (1300), Health Care HIPAA - HITECH - HITECH (98) by Guest on July 30th, 2015

MEDITECH Clinical Applications

MEDITECH Clinical – LIS

Manage team responsible for the development, implementation and support of the Meditech LIS applications used in the laboratory environment, which include General Laboratory, Microbiology, Anatomical Pathology, BloodBanking and outreach services. Must have strong understanding of laboratory workflow processes.

MEDITECH Clinical – Pharmacy and Medication Management

Manage team responsible for the development, implementation and support of the applications supporting pharmacy and medications management, which include Pharmacy, EDM RXM, BMV (BCMA), e-prescribing and formulary services such as First Databank. Must have strong understanding of pharmacy workflow processes.

MEDITECH Clinical – Clinical Documentation

Manage team responsible for the development, implementation and support of applications supporting Clinical Documentation, which include Nursing and Physician Documentation, Order Entry, PCI, Departmental and Iatrics. Must have strong understanding of nursing, clinical documentation and CPOE.

MEDITECH Clinical – Ancillary

Manage team responsible for the development, implementation and support of applications supporting Ancillary Departments, which includes Community Wide Scheduling, Staffing & Scheduling, Radiology, Imaging Services, Mammography, OR and ED. Must have strong understanding of the processes supporting the Radiology, ED and OR environments.


Ambulatory Physician Services – IT Security Applications Group Manager Roles

Posted in Compliances (1300), Health Care HIPAA - HITECH - HITECH (98) by Guest on July 29th, 2015

Ambulatory Physician Services – Ambulatory EMR

Manages team responsible for the development, implementation and support of the ambulatory electronic medical record across Corporate facilities, including Allscripts and eClinical Works as the Corporate standards as well as the legacy ambulatory systems currently in place. Experience in support of an ambulatory clinical environment and its process flows is required.

Ambulatory Physician Services – Physician Remote Access

Manages team responsible for assisting in support of affiliated physician sites and data sharing needs as they relate to Corporate's ambulatory electronic medical record. Proven experience with direct physician communication and relationship building is desired. Understanding of the ambulatory clinical environment and its process flows is required.



Ancillary Services – IT Security Applications Group Manager Roles

Posted in Compliances (1300), Health Care HIPAA - HITECH - HITECH (98) by Guest on July 28th, 2015

Ancillary Services – Diagnostic Imaging (PACS/CVPACS)

Manage team responsible for the development, implementation and support of diagnostic imaging applications. This includes General PACS as well as Cardiac PACS applications. Assist director in the design and implementation of the Corp standard application migration path. Manage migration teams. Must have a strong understanding of the workflow processes supporting medical imaging (radiology) and cardiac catheterization laboratory environments.

Ancillary Services – Home Health/Hospice/Telemedicine

Manage team responsible for the development, implementation and support of applications supporting home health care, hospice and emerging telemedicine and virtual care environments. Assist director in the design and implementation of the Corp standard application migration path. Manage migration teams. Must have a strong understanding of the workflow processes supporting one or more of these environments.


Ancillary Services – Advanced Clinicals

Manage team responsible for the development, implementation and support of current applications supporting advanced clinicals. This includes electronic ICU applications, patient monitoring applications (with Biomedical Engineering), and specialty clinical applications such as Oncology, OB and Surgical Management. Assist director in the design and implementation of the Corp standard application migration path. Manage migration teams. Must have a strong working knowledge of the processes supporting advanced clinicals.

Ancillary Services – Ancillary Legacy

Manage team responsible for the development, implementation and support of current clinical applications that support Ancillary departments. This includes legacy products such as, but not limited to, behavioral health, sleep lab functions, respiratory and physical medicine applications, long term care applications, and dietary solutions. Assist director in the design and implementation of the Corp standard application migration path. Manage migration teams. Must have an understanding / working knowledge of the workflow processes involving one or more of these environments.


McKesson Information Solutions

McKesson produces many Healthcare applications including Series 2000, STAR, Care Manager and Image Manager. There are many more applications in their portfolio, but these are the prime applications that we find at healthcare facilities when we present eTrust Single Sign-on and Admin.

Each of these applications incorporates its own user and group management paradigm and its own authorization and authentication tables.

This document addresses the Series 2000 application with regards to building a custom option for provisioning users from eTrust Admin. Ken Lee and Mark Wettlaufer traveled to Lake Mary, FL to meet with the Series 2000 Development Group on 10 May 2004 and came away with a positive feeling about the chance of success in developing a custom option.

Key findings for Series 2000

  • Runs on the iSeries AS/400 hardware from IBM
  • Utilizes the iSeries DB2 UDB database
  • User tables address authorization (ACLs) while authentication is handled by OS/400 security
  • Application is heavily customizable and dynamic based on client needs
  • Security Code is another name for the password string of the Series 2000 account; it is currently stored in clear text, with future plans for some form of encryption
  • Password refers to the OS/400 account password
  • A user within Series 2000 is uniquely identified by:
    • library name for database instance
    • hospital code
    • 4 character “printed code”
  • All user information is primarily stored in three (3) tables and has a very simple structure
  • Client customizations (the dynamic nature of the application) are stored in fixed, known table names and/or “flat” files
  • Database tables are accessible from Win32 applications through an ODBC connector (a JDBC connector also exists)
  • A user is defined to belong to a group code AND can have additional individual function codes authorizing additional functions

Concerns for developing a Custom Option for eTrust Admin

  • Dynamic / customizable nature of Series 2000 – every Series 2000 environment will be different, so our option needs to read the tables / flat files where these customizations are stored and be dynamic / flexible
  • Sanity edits – our option will need to emulate the input edits performed by the user management interface of Series 2000. For example, individual users can be assigned certain rights based on the nursing station or clinic codes being used. Series 2000 performs a “sanity” check to ensure that a nursing station or clinic code is already defined in the system before it is assigned to a user. Since we will be accessing the tables via ODBC, we could store anything in any field, but that “garbage data” could have adverse effects on the system
  • Security Code storage – currently in clear text, so this is not a concern today, but we will require commitment from McKesson to either disclose the encryption algorithm / key or provide a trusted connection or API mechanism once they implement encryption of the Security Code
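As an added illustration of the sanity-edit concern above (this is not code from the page, from CA or from McKesson), the following Python emulates those checks before a provisioning write: the composite user key (library, hospital code, 4-character printed code) must be unique, and every group code, function code and nursing station code must already be defined for that hospital, otherwise nothing is written. Table and column names are hypothetical stand-ins for the Series 2000 user tables, and an in-memory sqlite3 database stands in for the ODBC connection.

```python
import sqlite3

# Hypothetical stand-in for the Series 2000 user tables (the real DB2 schema is not
# on the page); an in-memory sqlite3 database replaces the ODBC connection.
SCHEMA = """
CREATE TABLE group_codes      (hospital TEXT, code TEXT, PRIMARY KEY (hospital, code));
CREATE TABLE function_codes   (hospital TEXT, code TEXT, PRIMARY KEY (hospital, code));
CREATE TABLE nursing_stations (hospital TEXT, code TEXT, PRIMARY KEY (hospital, code));
CREATE TABLE users (library TEXT, hospital TEXT, printed_code TEXT, group_code TEXT,
                    PRIMARY KEY (library, hospital, printed_code));
CREATE TABLE user_functions (library TEXT, hospital TEXT, printed_code TEXT, code TEXT);
CREATE TABLE user_stations  (library TEXT, hospital TEXT, printed_code TEXT, code TEXT);
"""

def seed(conn):
    """Constructed sample reference data for one hospital code."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO group_codes VALUES (?, ?)", [("H01", "NURSE"), ("H01", "CLERK")])
    conn.executemany("INSERT INTO function_codes VALUES (?, ?)", [("H01", "ORDERS"), ("H01", "RESULTS")])
    conn.executemany("INSERT INTO nursing_stations VALUES (?, ?)", [("H01", "3W"), ("H01", "ICU")])

def _defined(conn, table, hospital, code):
    # table is always one of our own constants above, never caller-supplied input
    row = conn.execute(f"SELECT 1 FROM {table} WHERE hospital=? AND code=?", (hospital, code)).fetchone()
    return row is not None

def provision_user(conn, library, hospital, printed_code, group_code, functions=(), stations=()):
    """Emulate the Series 2000 sanity edits; returns the list of violations, writing only if empty."""
    problems = []
    if len(printed_code) != 4:
        problems.append(f"printed code {printed_code!r} must be 4 characters")
    key = (library, hospital, printed_code)
    if conn.execute("SELECT 1 FROM users WHERE library=? AND hospital=? AND printed_code=?", key).fetchone():
        problems.append(f"user {key} already exists")
    if not _defined(conn, "group_codes", hospital, group_code):
        problems.append(f"group code {group_code!r} not defined for {hospital}")
    for code in functions:
        if not _defined(conn, "function_codes", hospital, code):
            problems.append(f"function code {code!r} not defined for {hospital}")
    for code in stations:
        if not _defined(conn, "nursing_stations", hospital, code):
            problems.append(f"nursing station {code!r} not defined for {hospital}")
    if problems:
        return problems
    with conn:  # one transaction: the user row and its assignment rows land together, or not at all
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", key + (group_code,))
        conn.executemany("INSERT INTO user_functions VALUES (?, ?, ?, ?)", [key + (c,) for c in functions])
        conn.executemany("INSERT INTO user_stations VALUES (?, ?, ?, ?)", [key + (c,) for c in stations])
    return []
```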

Where do we go next? Recommendations

Series 2000 looks like a very good candidate for developing a custom option for eTrust Admin. CA has many common customers with McKesson that have Series 2000 and therefore, have the pain of user management within this application. A custom option would allow our common customers to achieve all the values that eTrust Admin can provide.

The interface appears to be simple. We can get to the tables via ODBC and from McKesson’s own admission, the user tables are an extremely simple format.

To proceed, we should:

  • Secure the source for the one custom option being developed for Cingular Wireless (if legally possible). The CARE option at Cingular seems like it could be a very good model for the Series 2000 option because CARE is also table driven (the dynamic, customizable nature of Series 2000)
  • Arrange another meeting with the Development Group at McKesson to arrange transfer of user table schemas and source code fragments of the “sanity” edits
  • Arrange a contact point at McKesson for questions as we proceed
  • Arrange for testing at McKesson
  • Develop a prototype of the management screens within the Admin Win32 GUI to demonstrate to McKesson and two or three prime customers for comment
  • Target two or three prime customers for beta testing this option
  • Secure agreement from McKesson to be ready to provide an API or disclose the encryption algorithm / key once they institute Security Code encryption

Sample Word – Sample HIPAA Application Software Systems

Posted in Health Care HIPAA - HITECH - HITECH (98), Policies - Standards (600) by Guest on July 15th, 2015

Free Word document

Sample Application Software Systems



IT Security Guideline Maintenance of Record of Access Authorizations (Access Controls and Password Use)

Procedure

User Access Requests will be tracked as follows:

  • IT-administered systems / applications: requests are tracked in the ISM Management System.
  • Non-IT-administered applications: emails are sent to the application administrators, who are then responsible for retaining the requests. These applications include:

  1. HealthStream
  2. ChartMaxx
  3. Radiology PACS
  4. Cardiology PACS
  5. Medical Necessity
  6. Omnicell

Sample – Clinical Vendor Proof of Concept Criteria

Posted in Health Care HIPAA - HITECH - HITECH (98), Security (1500) by Guest on December 8th, 2014

  1. Understand clinical workflows
  2. Understand the emphasis on security
    • User enrollment, provisioning / de-provisioning (integration with Active Directory)
    • Password management (self service)
    • Auditing / reporting
    • Flexible and strong two factor authentication
  3. Vendor
    • Capacities
    • Viability (longevity, experience, financials, market standing)
  4. Product
    • Ease of use
    • Ease of maintenance / customer support (help desk, customer support / vendor support required)
    • Co-location scalability
    • Operational overhead
    • Application extensibility
    • Developer resources required
    • Enterprise deployment
    • Extent of training required
  5. Vendor Scorecard format
  6. Vendor Scorecard ranking
  7. Vendor Selection

http://bestitdocuments.com/Services.html



HIPAA Healthcare Vendor Contract Analysis Review Example

Review of your IT Systems

  • Contracts
  • Scope
  • Service Level Agreements
  • Business Associate Agreements
  • The defined SLAs, Business Associate Agreements and deliverables
  • Review of the current processes and procedures that support compliance

The core fundamentals will be to identify ownership and performance to include:

  • Security patch management
  • Event logging
  • Event escalation
  • End-point security
  • Incident scoring and handling
  • Incident investigation process
  • Security investigations
  • Breach report metrics
  • Breach reporting process
  • Alert process handling
  • Alert notification

Review the implemented technology solutions to assess their effectiveness in supporting the preferred corporate security posture and compliance, covering the design, implementation and effectiveness of:

  • Firewall architecture
  • Network architecture
  • IDS/IPS
  • SIEM
  • Event Log centralization and analysis
  • Service desk solution
  • Data Loss Prevention solution
  • Effective integration of these solutions 

Secure collaboration

  • Secure email process and/or procedure
  • Secure device use and control enforcement to manage corporate data
  • BYOD posture and Acceptable Device Use agreement
  • User privacy communications and executable agreement 

Management review of current program

Identify the documented contractual commitment to the solution processes currently in place to include:

  • Vendor provided organizational effectiveness
  • Established processes, core values, and attributes to accomplish security goals and objectives
  • Clear definition of the roles and responsibilities of the vendor partners and corporate team
  • Administrative and functional structure to determine resource assignments and coverage of the processes required of the corporate security program
  • Knowledge of the processes necessary for the vendor partners to accomplish their tasks
  • Analysis and mapping of who, what and where to the overall corporate security program design, fulfilled with a GAP report as appropriate

http://bestitdocuments.com/Services.html


Program Analysis and recommendations phase

Provide a spreadsheet mapping the outcomes to gaps, risks and recommendations. Compare and contrast the corporate security posture to:

  • Corporate policy
  • NIST
  • MARS-E and
  • FedRAMP (FIPS 199)

Sample Word – Imprivata Deployment Guide

Posted in Health Care HIPAA - HITECH - HITECH (98), Projects (400) by Guest on November 4th, 2014

Sample Visio – HIPAA – Health Fair
