Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Transcription

1 Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

2 Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics Understand the impact of HITECH

3 About the Speaker Trish Lugtu BS, CPHIMS, CHP, CHSS Health IT Consultant

4 I am not an attorney. Recommendations offered during this engagement are intended to be advisory only. MMIC Health IT does not undertake to establish any standards of medical practice. MMIC Health IT recommendations are not legal advice. Specific legal advice should be obtained from a qualified attorney when necessary.

5 Assumption: You generally know what HIPAA is. HIPAA Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Security

6 HIPAA Security Deep Dive Series Diving Deeper into HIPAA Security Administrative Safeguards Technical Safeguards Physical Safeguards Risk Analysis Auditing for HIPAA Security Incident Response Breach Notification And more

7 Security Compliance Vision I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. Excerpt from Hippocratic Oath (modern version)

8 Security Compliance Vision I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. Excerpt from Hippocratic Oath (modern version)

9 Security Compliance Vision I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. Excerpt from Hippocratic Oath (modern version)

10 Sociotechnical System

11 Security as the System

12 Vision: Culture of Security Envision a culture where security is - empowered by the organization - embraced within the culture - strengthened by technology all to reach the end goal of respecting the privacy of our patients, for their problems are not disclosed to any of us that the world may know.

13 How is security defined within the context of HIPAA?

14 Objectives of Security Confidentiality Protection of ephi from unauthorized disclosure Loss results in lost public confidence, embarrassment, or legal action Integrity Protection from improper modification Loss may lead to a contaminated system or corrupted data resulting in inaccuracy, fraud, or erroneous decisions. Availability Accessibility and usability of data or information upon demand by an authorized person Loss of system functionality and operational effectiveness

15 If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. - Bruce Schneier, Chief Security Officer, British Telecom

16 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

17 Overview of Security Compliance Documentation Develop and distribute written standards of conduct, policies and procedures that promote organization s commitment to compliance. Responsibility Assign security responsibility officer, committee Training Develop and implement regular and effective training for workforce Communication Develop and maintain communication processes Enforcement Develop response system of allegations and enforce violations with appropriate disciplinary actions. Monitoring Remediation Use of audits and other evaluation techniques to monitor compliance and assist in reduction of identified problems. The investigate and remediate systemic problems and the develop policies to address the non-employment or retention of sanctioned individuals. Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

18 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

19 Security as the System

20 HIPAA Security Rule Overview Security Standards: General Requirements Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies and proceduresand documentation requirements

21 Security Standards: General Requirements for Covered Entities (CEs) Flexibility Reasonable and appropriate Capabilities and costs Probability and criticality Standards Must comply with standards with respect to ephi Ensure and Protect Implementation Specifications Maintenance Required/Addressable Must comply if adopted, and document if not reasonable Implement an alternative measure If reasonable Review and modify Continued provision of reasonable and appropriate protection of ephi

22 Administrative Safeguards These are the administrative actions, and policies and procedures for managing the selection, development, implementation, and maintenance of security measures to protect electronic Patient Health Information (ephi). These policies manage the conduct of the workforce in relation to the protection of that information. Implementation Specifications 1. Security Management Process 2. Assigned Security Responsibility 3. Workforce Security 4. Information Access Management 5. Security Awareness Training 6. Security Incident Procedures 7. Contingency Plan 8. Evaluation 9. Business Associate Contract and Other Arrangements

23 Physical Safeguards Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Implementation Specifications 1. Facility Access Controls 2. Workstation Use 3. Workstation Security 4. Device and Media Controls

24 Technical Safeguards Technical safeguards refer to the technology and the policy and procedures for its use that protect ephi and control access to it. Implementation Specifications 1. Access Control 2. Audit Controls 3. Integrity 4. Person or Entity Authentication 5. Transmission Security

25 Organizational Requirements Business associate contracts or other arrangements Impacted by HITECH BAs are now covered by HIPAA Security and breach notification requirements

26 Policies and Procedures and Documentation Requirements Implement reasonable and appropriate policies and procedures Maintain the policies and procedures Keep written records Retain documentation for 6 years Available to persons implementing Update and review

27 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

28 Assigning Security Responsibility Security Officer + Committee to set policies Officer has oversight of activities - operationally responsible for driving compliance activities of organization Document security official s responsibilities Example Security Official Responsibilities Member of Compliance Committee Oversight of compliance activities Work with vendors, consultants, 3 rd party resources to improve security Implement, manage, enforce information security directives Ensure security policies meet organization needs Facilitates ongoing audits and risk assessments Leads incident response activities

29 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

30 I am concerned for the security of our great Nation; not so much because of any threat from without, but because of the insidious forces working from within. - Douglas MacArthur

31 Insidious Behaviors Cell phones provide a perfect example of insidious behavior.

32 Workforce Training Different Levels of Training Policy Makers and Compliance Team People Managers Workforce Regular periodic training Training when substantial changes occur Technology, processes, regulatory change Security awareness and best practices Security reminders, posters, intranet Document Trainings

33 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

34 Open lines of communication Create systems for compliance program Allow workforce to ask questions Include confidentiality and non-retaliation language Provide access to security official Examples) hotline, , suggestion box Allow anonymous reporting under condition and understanding that it may be necessary at some point for identity to be revealed Security incidents to be documented, investigated, and recorded into a log

35 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

36 Enforcement of standards Appropriate and consistent sanctions for failure to comply with the security policies and procedures Range from warning to employee termination Based on severity of the action, intent, and patterns of behavior Include in security awareness and training program Conduct internal audits and monitoring to ensure policies are met

37 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

38 Internal audits and monitoring Focus on areas of vulnerability identified in risk analysis Ongoing checklists for monitoring Self evaluation assessments In response to reports and feedback Corrective measures Report significant findings to organization

39 Building a Culture of Security Documentation Remediation Responsibility Monitoring Security Compliance is a Strategy Training Enforcement Communication Adapted from the HHS OIG: Publication of the OIG Compliance Program for Hospitals, Federal Register 63 (35):8987, February 23, 1998

40 Only in growth, reform, and change, paradoxically enough, is true security to be found. - Anne Morrow Lindbergh

41 NIST Risk Management Framework

42 We will bankrupt ourselves in the vain search for absolute security. - Dwight D. Eisenhower

43 Impact of HITECH Increased Fines Breach Notification EHR Incentive Program Stage 1 Meaningful Use Stage 2 Meaningful Use Audit Program

44 HITECH Act Enforcement Interim Final Rule, Effective 2/18/2009 HIGH DUE DILIGENCE LOW HIPAA Violation Minimum Maximum Violation occurred even with Reasonable Due Diligence Violation resulted from Reasonable Cause $100 $50,000 $1,000 $50,000 Willful Neglect $10,000 $50,000 Corrected within 30 days Willful neglect Not corrected $50,000 $50,000 LOW HARM HIGH Notes: Maximum penalty of $1.5 Million for all violations of an identical provision. Maximum can be imposed by State Attorneys General regardless of the type of violation. Prohibition provided for imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect

45 Breach Notification Rule Notifications required Individual Notice Media Notice (> 500 individuals) Notice to the Secretary Notification by Business Associate to CE Individual notice Media notice Notice to the Secretary Notification by business associate

46 Risk Analysis for Meaningful Use Core Set Objective 15 - Required Resource intensive Don t wait last minute! Understand what is required Objective Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Measure or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security MeasureConduct deficiencies as part of its risk management process. Attestation Eligible Professionals must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.

47 HIPAA Privacy & Security Audit Program Effective Nov 2011 HHS must audit for HIPAA compliance OCR running pilot program; 150 audits

48 What to Expect in an Audit

49 Questions? Trish Lugtu Health IT Consultant CPHIMS, CHP, CHSS Direct: Web: