Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Transcription

1 Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire

2 Housekeeping You may submit questions throughout the webinar using the question area in the control panel on the right side of your screen. We will address as many questions as possible during the Q&A portion of the webinar until the top of the hour. All remaining questions will be responded to via after the webinar. Attendees will receive a PDF of the slide presentation and a link to the recorded webinar.

3 Speaker Introduction Jim Sandford, Vice President Coalfire Mr. Sandford has more than 20 years of compliance and risk management experience working in the financial services and healthcare industries.

4 Agenda HIPAA compliance drivers OCR Audit Program Business associate data breaches Deadlines & penalties Problems & Solutions How to get started Am I a BA?

5 What is driving HIPAA compliance? Business associates must validate HIPAA compliance. we re going to find that there were a lot of covered entities that didn t realize they have BAs and BAs that didn t know they were BAs Leon Rodriguez - Director, Office for Civil Rights Department of Health and Human Services Sept 23, 2013 IT GRC is moving from the data center to the board room. The OCR audit program is back in the business again, and healthcare organizations should expect to see OCR issue more and larger monetary penalties for HIPAA non-compliance Leon Rodriguez - Director, Office for Civil Rights, Healthcare IT News, September 24, 2013

6 Looking ahead OCR Audit Program Permanent audit program begins October 1, 2014 Scope will be expanded to include BAs, not just CEs (350 CEs and 50 BAs is the current plan). Audits will focus on risk analysis, risk management and other issues in 2015 and Audits to be conducted by OCR staff and they WILL ask CEs for their list of BAs; CEs need to have their house in order.

7 The OCR is serious OCR in Enforcement Spotlight OCR must investigate all breaches impacting 500+ people will start selectively investigating breaches impacting fewer than 500 people OCR reported a total of 256 breaches by covered entities 10,202,051 people impacted from September 22, 2010 to February 8, 2011 July OCR awards KPMG $9.2M contract to conduct 150 random audits in 2012

8 Data breaches caused by BAs

9 Deadlines and penalties Timing Covered Entities (CEs) and Business Associates (BAs) HAD until September 23, 2013 to become compliant with the HIPAA Omnibus Rule. Penalties VIOLATION TYPE EACH VIOLATION REPEAT VIOLATIONS/YR Did Not Know $100 $50,000 $1,500,000 Reasonable Cause $1,000 $50,000 $1,500,000 Willful Neglect Corrected $10,000 $50,000 $1,500,000 Willful Neglect Not Corrected $50,000 $1,500,000

10 Who exactly is on the hook? Compliance Responsibility (e)(1) Standard: Business Associate Contracts (ii) A covered entity is not in compliance with the standards in (e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

11 Is it a requirement or a responsibility? Are monitoring, auditing, oversight, or review activities required for the covered entity to perform for their business associates; or a business associate to perform these activities for their subcontractors? So what about the responsibility? Reasonable diligence Business care and prudence

12 The problem a complex eco-system

13 How do I get started? Screen and track your business associate status (questionnaires, spreadsheets, automated solutions). Collaborate on business associate management across the enterprise (contracts, procurement, IT, legal, privacy, etc.). Build better partnerships with BAs to create a culture of compliance at their organization. Be prepared for an OCR audit with documentation to demonstrate business associate oversight. By turning your business associate policies into procedures, you can efficiently and effectively track your BAs compliance.

14 How to get started (con t) Get organizational support and alignment across departments to meet the requirements Determine which vendors are business associates help them map data flow and ephi Continue to provide effective business associate oversight to defend against any allegation of willful neglect

15 Are all vendors BAs?

16 Balance risk with satisfactory assurance 1 - What functions will BAs perform on a CE s behalf? 2 - What level of exposure to PHI would there be? 3 - What risks are associated to the exposure of PHI? 3 - What compliance commitment rec d from the vendor?

17 BA responsibilities/risk/recommendations BA responsibilities (Network Administrator Example) Possible Risk Recommended Satisfactory Assurances Access to data Transmission of data Malicious software Hacking Unauthorized access to the data Security Risk Assessment Compliance Calendar Patching Policy and Schedule Server Maintenance Access to data Storage of data Compromised data Security Incidents Business Continuity / Disaster Recovery Troubleshooting Help Desk Access to data Unauthorized Access Access and Audit Controls Security Incident Policy Data Storage and Maintenance Unauthorized Access Compromised Data Security Incidents Access and Audit Controls Security Maintenance Encryption for data in motion, data at rest and data in use Business Continuity / Disaster Recovery Security Incident Policy

18 Satisfactory Assurances in detail Satisfactory Assurance (A few examples) Security risk assessment Documentation Summary of the risk assessment Scan results Vulnerabilities What to look for? Consistent assessments have been completed High level risks and potential threat or vulnerability identified - remediation has been planned or completed Quarterly scan results on network activity A compliance calendar Schedule of compliance events Training plan Dates assigned for table top testing of disaster recovery Planned security assessments Scheduled scans or updates Annual training Patching policy and schedule Patching policy Is it appropriate to have them perform certain activities on your behalf? Business continuity/disaster Recovery Contents of the BC/DR plan Testing format & results Framework for the BC/DR plan Escalation Process Recovery Process Assessment and Assignment

19 A Standard BA Oversight Program

20 Covered entity compliance management process Assess Validate Monitor Screen BAs for compliance BAs to remediate gaps Monitor BA remediation progress - Set baseline standard for compliance through online testing tools Consistently monitor BA compliance by repeating the process on a regular basis or as changes permit AUDIT READY Validate BA governance and oversight to internal or external auditors When the OCR audit team asks How do you manage BA Compliance?

21 Business associate compliance management process Assess Conduct risk assessment and establish a remediation plan Remediate Update compliance gap closure progress Test and Promote Perform testing on a regular basis and use compliance as a marketing tool COMPLIANT Enter compliance validation and notify CEs to review the compliance registry Business associates now have direct responsibility for protecting electronic ephi and reporting compliance to covered entities.

22 Questions Jim Sandford ext. 7526