Assessing Your HIPAA Compliance Risk

Transcription

1 Assessing Your HIPAA Compliance Risk Jennifer Kennedy, MA, BSN, RN, CHC National Hospice and Palliative Care Organization HIPAA Security Rule All electronic protected health information (PHI and EPHI) created, received, maintained or transmitted by a covered entity is subject to the Security Rule. Covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of PHI and EPHI. 1

2 First HIPAA breach settlement involving less than 500 patients Hospice of North Idaho settles HIPAA security case for $50,000 in 2013 This is the first settlement involving a breach of unsecured electronic protected health information (PHI) affecting fewer than 500 individuals The risk assessment requirement The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization to ensure it is compliant with HIPAA s administrative, physical, and technical safeguards A risk assessment also helps reveal areas where your organization s protected health information (PHI and EPHI) could be at risk 2

3 RISK ASSESSMENT PRINCIPLES Identify the Scope of the Analysis The risk analysis scope that the Security Rule requires is the potential risks and vulnerabilities to the confidentiality, availability and integrity of all PHI that a covered entity creates, receives, maintains, or transmits This includes PHI in all forms Electronic Hard copy 3

4 Gather data Gather relevant data on PHI You must identify where your PHI and EPHI is stored, received, maintained or transmitted Hard copy files Desktop computers Laptop computers Mobile devices Servers Identify and Document Potential Threats and Vulnerabilities Identify potential threats and vulnerabilities to the confidentiality, availability and integrity of the PHI and EPHI The potential for a threat to trigger a specific vulnerability creates risk identification of threats and vulnerabilities are central to determining the level of risk 4

5 Identify and document threats Identify and document reasonably anticipated threats to PHI and EPHI Compile a categorized list of threats Natural, human, environmental Identify different threats unique to the circumstances of their environment Determine likelihood of threats Determine the potential impact of threat occurrence Identify and document vulnerabilities Create a list of vulnerabilities, both technical and non technical, associated with existing information systems and operations that involve PHI and EPHI Non technical vulnerabilities may include previous risk analysis documentation, audit reports or security review reports Technical vulnerabilities may include assessments of information systems, information system security testing, or publicly available vulnerability lists and advisories 5

6 Assess Current Security Measures Goal: to analyze current security measures implemented to minimize or eliminate risks to PHI and EPHI Technical measures Access controls, identification, authentication, encryption methods, automatic logoff Non technical measures management and operational controls, such as policies, procedures, standards, guidelines, accountability and responsibility, and physical and environmental security measures TIME TO MANAGE YOUR RISK 6

7 Risk Management Steps 1. Develop and implement a risk management plan Purpose of a risk management plan is to provide structure for your evaluation, prioritization, and implementation of risk reducing security measures 2. Implement security measures Actual implementation of security measures (both technical and non technical) within the covered entity Risk Management Steps 3. Evaluate and maintain security measures Continue evaluating and monitoring the risk mitigation measures implemented Risk analysis and risk management are ongoing, dynamic processes that must be periodically reviewed and updated in response to changes in the environment 7

8 Coming soon! HIPAA security best practices New webpage Tools and resources Education videos Watch the NHPCO webpage and NewsBriefs for updates Questions NHPCO members enjoy unlimited access to Regulatory Assistance Feel free to questions to 1 6 8

9 Regulatory and Compliance Team at NHPCO Jennifer Kennedy, MA, BSN, RN,CHC Director, Regulatory and Compliance Judi Lund Person, MPH Vice President, Compliance and Regulatory Leadership us at: 1 7 Resources CMS Basics of Risk Analysis and Risk Management e/securityrule/riskassessment.pdf HHS/ OCR Final Guidance on Risk Analysis e/securityrule/rafinalintro.html 1 8 9