HIPAA HITECH ACT Compliance, Review and Training Services

Transcription

1 Cmpliance, Review and Training Services Risk Assessment and Risk Mitigatin: The first and mst imprtant step is t undertake a hlistic risk assessment that examines the risks and cntrls related t fur critical areas: prcesses, peple, technlgy and gvernance. When cnsidering the rganizatin s prcesses, clsely examine business and IT prcesses. Fr example: Determine hw PHI is used in each business prcess bth paper and electrnic. When assessing issues related t peple, cnsider the fllwing: Is staff trained in the secure handling f paper and electrnic health recrds? D the plicies and prcedures prvide emplyees with adequate and up-t-date guidance? Next, examine the technlgy side. Cnduct a vulnerability assessment f the netwrk. Pair the vulnerabilities t relevant threats fr a cmplete picture. If encryptin is present, is it the mst up-t-date encryptin algrithm? Is the patch management prgram perating effectively? Inventry and review all utsurced service prvider agreements. Ensure a right t audit clause is defined in the cntract. Finally, lk at gvernance issues: Identify the individuals wh are respnsible fr the prgram. In the event f a breach, wh will prmptly ntify management? Wh is respnsible fr making sure timely infrmatin security reviews are dne? Security Cmpliance Deadline: 2/17/2010: Appint a security fficial Implement all HIPAA security administrative, technical and physical safeguards Cnduct a security risk analysis Amend business assciate agreements t include new security rules (as early as 9/15/2009 since that is the latest date the new breach ntificatin rules will apply) Enter int business assciate agreement with security safeguards with any rganizatin that prvides data transmissin services t yu Develp and maintain written security plicies & prcedures Cnduct privacy and security wrkfrce training Wait fr HHS guidance (expected by 1/1/2010 and t be updated annually) regarding the mst effective and apprpriate technical safeguards and cnsider implementing Page 1 f 7

2 Cmpliance, Review and Training Services Implement technlgies r methdlgies t secure (frm April 2009 these are "encryptin r destructin") Privacy Cmpliance Deadline: 2/17/2010 Appint a privacy fficial. Amend business assciate agreements with grup health plans t include additinal required prvisins Cure yur breaches f business assciate agreements Enter int business assciate agreements with privacy safeguards by 2/17/2010 with any rganizatin that prvides data transmissin services t yu Cmply with new HITECH minimum necessary requirements effective 2/17/2010 (further HHS guidance expected by 8/17/2009) Cmply with changes t request fr restrictin rules Cmply with new marketing restrictins Seek authrizatin prir t selling PHI fr certain purpses (beginning n later than 2/17/2010, depending n when regulatins are issued) Cmply with new ntificatin rules fr breach f unsecured PHI Page 2 f 7

3 Sample Detailed Review and Plicies HIPAA HITECH ACT Cmpliance, Review and Training Services Intrductin T give yu an idea in mre f what the HIPAA regulatins we shwed n the prir page require fr plicies and prcedures we have put tgether this sectin as an example f what yu wuld need t at least assess, then cdify, in writing t be available fr audit by bth yur CE s and HHS. Risk Assessment and Risk Mitigatin: The first and mst imprtant step is t undertake a hlistic risk assessment that examines the risks and cntrls related t fur critical areas: prcesses, peple, technlgy and gvernance. When cnsidering the rganizatin s prcesses, clsely examine business and IT prcesses. Fr example: Determine hw PHI is used in each business prcess bth paper and electrnic. When assessing issues related t peple, cnsider the fllwing: Is staff trained in the secure handling f paper and electrnic health recrds? D the plicies and prcedures prvide emplyees with adequate and up-t-date guidance? Next, examine the technlgy side. Cnduct a vulnerability assessment f the netwrk. Pair the vulnerabilities t relevant threats fr a cmplete picture. If encryptin is present, is it the mst up-t-date encryptin algrithm? Is the patch management prgram perating effectively? Inventry and review all utsurced service prvider agreements. Ensure a right t audit clause is defined in the cntract. Finally, lk at gvernance issues: Identify the individuals wh are respnsible fr the prgram. In the event f a breach, wh will prmptly ntify management? Wh is respnsible fr making sure timely infrmatin security reviews are dne? Page 3 f 7

4 Cmpliance, Review and Training Services Physical Safeguards (45 C.F.R ) must be enacted and mnitred: Hw is PHI stred within the rganizatin (i.e. fixed server databases/hard drives versus remvable media such as backup tapes)? Des yur cmpany f a physical security plan? What types f cntrls exists t limit access int buildings cntaining servers that hst PHI? What types f cntrls exists t limit access within buildings t rms husing servers cntaining PHI? Wh has access t facilities cntaining PHI, and what prcess exists t grant these individuals access? What envirnmental cntrls exist t prtect PHI frm destructin? T the extent PHI is physically maintained, des the rganizatin emply shredders r ther destrying devices fr cnfidential PHI cntaining dcuments? D yu train and dcument the training f emplyees n the use f shredders? Administrative Safeguards (45 C.F.R ): Plicies/Dcumentatin (45 C.F.R ) What plicies (and prcedures) are available specifically addressing HIPAA privacy and security rules and cmpliance including the fllwing: Risk Management Risk Assessment and Applicatin Criticality Analysis (FIPS 200) Physical Security Encryptin Remte Access Media and Dcument Destructin Change Cntrl/ Patch Management Acceptable Use ( , Prtable Media, Sftware, Cmpany Resurces) Training and Security Reminders Antivirus and Wrkstatin Security Unique User Identificatin Audit and Lg Mnitring Security Incident Cntingency and Emergency Access and Wrkfrce Clearance, Sanctin, and Access Management. Page 4 f 7

5 Cmpliance, Review and Training Services Wh r what grup within the rganizatin is respnsible fr creating and updating these plicies? When the rganizatin s plicies were last updated? Hw ften have any f these plicies been updated? Are new emplyees trained t fllw these plicies and prcedures? Hw frequently are existing emplyees re-trained n existing plicies and prcedures? Hw frequently are existing emplyees trained regarding updates in HIPAA rules? Hw are persnnel screened in rder t grant certain levels f access t PHI? Des the rganizatin have a frmal security incident respnse plan t address ptential breaches f security that include at a minimum: Rles and respnsibilities Islate affected system Preserve evidence Restre cmprmised system frm knwn safe backups and Pst incident respnse reprt including identificatin f lessns learned and ther mitigating cntrls may be indicated based n the incident? Des the rganizatin require business partners t cmply with its privacy and security plicies? Des rganizatin ever send PHI via r ftp (file transfer prtcl)? Des the rganizatin have plicy r prcedures related t de-identifying PHI fr use in advertising, marketing, educatinal prgrams? What plicies and prcedures exist regarding ntificatin in the event f a breach? Technical Safeguards (45 C.F.R ) are critical t all yur security: What types f security exists t prtect PHI as it flws t/is accessed at remte wrkstatins? Describe the data flw life-cycle f PHI thrugh the rganizatin s infrmatin systems. Page 5 f 7

6 Cmpliance, Review and Training Services This shuld cver hsting services, TPA, wellness, claims audit, actuarial and ther partners including sub agents. Des the rganizatin prevent brwsers with un-patched security vulnerabilities frm accessing the cmpany s infrmatin system? What types f security and encryptin prtect prtable media cntaining PHI? (Prtable media shuld always be encrypted.) Equipment Encryptin Inventry & Checklist Plicy and Audits Regularly verify r audit that encryptin plicies are in place and being fllwed. Passwrds Use a strng passwrd AND make it different than yur cmputer lgin Never write a passwrd dwn. D nt share passwrds Prtable Devices Inventry Knw what PHI is stred n all prtable devices. Minimize the amunt f PHI n prtable devices (nne in identifiable frm). Delete PHI frm all prtable devices as sn finished wrking with it. Only use prtable strage devices like USB keys, with encryptin installed, r install encryptin n them befre use them t stre PHI. PC/Laptp/PDA/Server Enable perating system encryptin. Purchase systems with whle disk encryptin OR Purchase sftware fr whle disk r virtual disk encryptin n laptps/ PDA. Only stre PHI n an encrypted disk. Des the rganizatin have rutine maintenance prtcls that backup, delete, relcate, r therwise impact data cntaining PHI? What types f audit mechanisms exist t track access and transmissin f PHI by internal r external users? Typically audit lgs include a timestamp, a unique user accunt, data accessed/mdified/created, and the lcatin f the user. Hw ften are these audit mechanisms used t detect abnrmal use? D autmatic triggers exist t ntify the rganizatin f abnrmal PHI use? Page 6 f 7

7 Cmpliance, Review and Training Services Unsecured PHI - Sectin f the HITECH Act defined unsecured PHI as infrmatin that was nt secured thrugh the use f technlgy rendering the infrmatin unusable, unreadable r indecipherable.. i.e encrypted r destryed. Safe Harbr - Use f encryptin fr PHI is a Safe Harbr under the HITECH law and 47 state privacy laws Page 7 f 7