CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT

Transcription

1 CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT Class Date: January 29, 2016 Webinar Questions/Follow-Up Answers Question Please expand on the Treatment portion of TPO Is there a resource to use to help develop policies, procedures and plans? Do BA s need to create separate trainings? Should the training be the same for the County and the BA s? For those not in the presentation, how can we get the PowerPoints? I m very interested in commonly-used methods (similar to your example of Citrix ShareFile). Can you please have others explain what they are using for secure data repository/file sharing? Include in follow up documents if needed. If only a fax number is shared, is it a breach? Is there a difference Answer From HHS.gov: Treatment generally means the provision, coordination, or management of health care related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. Yes, the resource you might select to help you complete your Security Risk Analysis (SRA) should help with your Policies, Procedures and plans. See below for a list of some possible vendors that could help. Yes, BA s are responsible to meet the 45 CFR regulations that pertain to training. It is OK if the county wants to include the BA s in their trainings for compliance. Trainings do not need to be the same, but a BAs training must include the requisite content relevant to HIPAA. The PowerPoints will be posted on the CIBHS website early the week of 2/1 Citrix ShareFile is a web-based, secured large file sharing and storage system. San Joaquin uses Box Enterprise for secure file sharing, Sophos and Checkpoint for endpoint encryption. Someone posted they use PGP As we discussed in class, a fax number on its own is considered PHI. If the fax number shared in a public environment where someone not involved with the treatment of the patient could obtain it, that would be a breach, and an investigation would be needed and all of the facts would be reviewed. If the fax number was shared in the office and no other info was included, the possibility of exposure would be very low. All possibly breaches require the privacy investigation to make sure all of the details are uncovered. Yes, there is a difference between the number and documents. See above answer 1

2 between Fax Number and Fax Documents in terms of PHI and breach? If in the hallway, I only talk about a fax number, is that a breach of PHI. On the exams, is the results screen the last screen? Is there a description of the Security Roles somewhere? regarding the breach investigation. Yes, the results slide is the last one on both exams. Close out using the X in the upper right corner and return to your Dashboard. Yes, below are the Security Role responsibilities from the Xpio/HHE policy for your review: Security Compliance Officer (SCO) will be responsible for developing and implementing the security policies and procedures for the organization. The SCO will be responsible for establishing and maintaining an official repository of all security documentation including policies, procedures, plans, inventory, staff assignments, implementation data, test results and data required by regulation. Privacy Officer is responsible for ensuring the organization s compliance with the HIPAA privacy rule and other applicable privacy regulations. The Privacy Officer works in collaboration with Legal to ensure that the policies and procedures of the organization meet both privacy and security requirements. The Privacy Officer: 1. Ensures the accuracy of the PHI and ephi inventory. 2. Works with the Security Compliance Officer to create and implement the Incident Response Plan. 3. Reviews all plans, policies and procedures. 4. Works with the Security Compliance Officer to develop any organization privacy awareness training and announcements. 5. Has responsibility for reporting privacy breaches and responding to official and public requests for information pursuant to the HIPAA Privacy Rule. 6. Coordinates any customer and business partner privacy awareness initiatives. To assist where security or privacy implementation falls across functional areas, the following roles are defined and can be assigned to others as necessary: Workforce Security Manager has overall responsibility for workforce security and training. Duties include: 1. Background checks. 2. Security and access roles assignment. 3. Security training. 4. Sanctions process. IT Security Manager has overall responsibility for implementing and operating technical IT security. Duties include: 1. Acquiring and maintaining the security technology. 2. Creating an inventory of all IT equipment and applications. 3. Creating an inventory of PHI and other sensitive data. 4. Application and infrastructure change/configuration control. 2

3 5. Managing the security of IT access accounts. 6. Backup and recovery. Incident/Breach Manager is responsible for creating and implementing the security incident / privacy breach response plan. This includes: 1. Preparing for incidents and breaches by creating an incident response plan. 2. Working with all other managers and staff to quickly move through the containment, eradication and recovery phases of security incidents. 3. Coordinating with legal counsel to meet privacy breach reporting requirements and execute breach communications. Physical Security Manager is responsible for ensuring that the facility is secured from unauthorized access to restricted areas, devices, files and sensitive information 24/7/365. This includes: 1. Preparing the physical security plan and contingency plan. 2. Responsibility for the physical placement of devices to prevent unauthorized viewing, tampering or theft while in operation and securing networking infrastructure unauthorized access. 3. Maintaining records maintenance on all physical security infrastructure including locks and any surveillance equipment. 4. Maintaining documentation of all keys and the persons to whom they have been entrusted. I did the Executive Exam this morning and it still doesn t show the course and exam with green checkmarks plus I can t find my certificate. Is there a different call in for the afternoon? How would you define a small provider? So far, none of the links on the agenda have worked If we passed the test, how do we get the certificate? I m not seeing the print certificate and the course status says in progress. Discussion about what to share with Return to your dashboard and open up the Exec Leadership class. You will see both the course and the exam. Your exam should have the green check mark. Open the exam and the Certificate link is now located under the exam name. No, it was the same The term was used in explaining that all Covered Entities, regardless of their size, needs to meet the HIPAA regulations. In class, we defined a small size as a single provider office, a small practice with several licensed clinicians. Select the CTRL key when you click on the link. You can copy the links out and paste into your browser if they are not working from the document. Return to your dashboard and open up the Exec Leadership class. You will see both the course and the exam. Your exam should have the green check mark. Open the exam and the Certificate link is now located under the exam name. Return to your dashboard and open up the Exec Leadership class. You will see both the course and the exam. Your exam should have the green check mark. Open the exam and the Certificate link is now located under the exam name. We only share the diagnosis if it might pose a risk to the officer (or client), otherwise we don t share. We consider Officer safety paramount. We make the assumption the 3

4 Police who respond to assist with a client in an emergency Will you send out the training and the other documents for reference? Will the recorded session be available for listening again? Do you have a sample of the Risk Assessment Questions available to share, or where can we review a sample? Can anyone recommend any encryption software? Has anyone heard about the new DMH regulations in regards to having to encrypt all data at a Department of Defense level? Any enterprise solution software vendor recommendations? Are there any recommendations to encrypt mobile devices? Is it enough to know that my ephi is located on specific share drives and MY Documents folders on the servers? We don t allow storing ephi on a local hard drive. I don t know every Excel spreadsheet, but I am certain they client doesn t want to be harmed. Yes, all will be posted on the CIBHS website early in the week of 2/1 Yes, the recorded sessions will be posted on the CIBHS website early in the week of 2/1 CMS has just published a tool for agencies to use to complete their own SRA. Checkpoint, EndPoint Security, BitLocker (make sure you turn off the ability for the users to turn off BitLocker). Shasta County uses BitLocker. Ernie Ruoff, Information Protection Unit, responded and reported he was not aware of any new encryption regulations. DMH is now under DHCS and they report no new regs either. The DOD security is FIPS 140 and equivalent to AES 256, and that is the recommended level of encryption at this time. Mimecast for encrypted s is one solution in the county community. One tool used in the CiBHS community is MaaS 360, Cost is $8/device/month but many nice features. You will be asked to complete a PHI inventory where you document all of the software used that includes PHI, the locations and the devices (servers, desktops and mobile) that may contain ephi. It is great that you only allow saving of ephi to a shared, secure drive. That will be included in your documentation as proof you have control. I would say the next step is to make sure your servers are encrypted. It will be part of your PHI inventory to make sure you have them all documented. 4

5 are protected on the Share Drive Would anyone be willing to share their SRA questions that were used and the format or the analysis? What are the actual physical requirements for data media transfer; back up tapes, etc? No participant shared any data, refer to the CMS site for their questions/format: The standard is that it be inaccessible except to authorized personnel (for the purpose of operations, in this case). If when the transport company accepts that PHI, it is encrypted or locked up with appropriate documented custody, then physical transportation is no different than encrypted electronic transport. That means that the transport company is not a business associate. On the other hand, if you hand them a bunch of papers or drives and it is up to them to keep it safe without adequate safeguards to ensure privacy from the transportation personnel (think of them as a medium), then they would be a BA. Below is from an Audit document about what the auditor will be asking about device and media control/back up data. Address the policies and procedures related to protecting back up data as well as reducing risks (d)(1): Develop Inquire of Addressable Security Device and Data management Media Controls - Backup as to the (d)(2)(iv) and procedures Create a Storage established retrievable exact Procedures over the copy of ephi, backup and when needed, restoration of before movement ephi data. of equipment. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine whether procedures cover the 5

6 backup and restoration of ephi data. Obtain and review formal or informal documentation and evaluate the content to identify where ephi data are stored. If data is stored onsite, observe the facility to determine if the location is secure and protected from the elements, e.g., the location is equipped with a fire suppression system, a fireproof safe, etc. If data is stored off-site, obtain and review documentation and evaluate the content relative to the criteria specified to determine if the data is stored in a secure 6

7 location, e.g., a contract with a service provider such as Iron Mountain, a SSAE16 report over the controls in place if the service is a third-party provider, etc. If the off-site location is run by the entity, observations similar to the ones listed above may need to be performed. For a selection of days, obtain and review evidence that backups over ephi data were performed successfully. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine how 7

8 Is the lockbox required? Can we get a sample of the BAA Subagreement? How can we critique the class? Please post a 42 CFR Part 2 consent sample Post some SRA vendor options often restoration tests are to be completed. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable. As noted above, I see no mention of a lockbox being required, but you should determine what is the most secure way to transfer your tapes/hard drives off to a redundant site or secure storage. Reduce risks. The language of the agreement is basically the same, except it is between a BAA and a sub-contractor. THIS HIPAA BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into effective [date] (the Effective Date ), by and between [Business Associate] ("Business Associate") and [Subcontractor] ( Subcontractor ). Evaluations were sent out to all on the webinar and in class. If you need one, please contact Kelly Bitz at kbitz@cibhs.org Several good 42 CFR Part 2 form samples here: A list of several vendors that can complete SRA s is noted below. Xpio Health is recommended, the others are additional resources that have not been contacted or are recommended by Xpio at this time. 1. Xpio Health, LLC 2. HIPAA One 8

9 What is a good tool to build survey s or to engage clinical staff? 3. ClearDATA 4. Sunera 5. Clearwater Compliance, LLC Kahoot! 9