HIPAA Security & Compliance

Transcription

1 Creative Mind. Creative Heart. Creative Care WALA Spring Conference HIPAA Security & Compliance Jeff Grady Thursday, March 27 10:30 am

2 HIPAA Security & Compliance A TIME FOR ACTION Jeff Grady, Senior Director of Operations Three Pillars Technology Solutions LLC THURSDAY, MARCH 27, :30 11:45 p.m. Breakout session Introduction Presenter background and information on Three Pillars Technology Benefits of WALA membership and their HIPAA Resource Guide Goals for this presentation Audience survey What has changed with HIPAA and why is it important? HIPAA (Health Insurance Portability and Accountability Act) a brief history and overview of it s evolution HIPAA was enacted by Congress in 1996 Privacy Rule and Security Rule ~ HIPAA Enforcement Rule 2006 HIPAA/HITECH enacted in 2009 HIPAA/HITECH Final Omnibus Rule published in 1/2013 with a compliance deadline, for most of its provisions, of September 23,

3 The Business Case for Compliance or Why Should I Care? HIPAA Rules Are Assisted Living Game Changer What are the potential risks and impact of non compliance? Risk of OCR Audit and Fines Willful Neglect Finding Costs of a PHI breach Loss of Goodwill and Reputation as a result of breach Protection of sensitive data has become an expectation of both your customers and business partners Then there s the ticking time bomb of HIPAA compliance RIN: 0945 AA04 Fines $1.7 Million to Alaska Department of Health and Human Services for Unencrypted USB Drive Stolen $1.5 million fine to Massachusetts Eye and Ear Infirmary for a data compromise involving a lost laptop $400,000 fine to Idaho State University for failing to maintain strong firewall configuration $50,000 to hospice in Idaho for lost unencrypted laptop $1.7 Million to WellPoint for not properly authorizing access to an online application database 2

4 Challenges to achieving best practice HIPAA compliance Attitudes of: HIPAA denial Complacent compliance or taking a Let s just wait and see approach The main objective is achieving regulatory compliance with your Policies and Procedure (a/k/a 3 Ring Binder Style Compliance) and neglecting your Security Practices o Creates very real danger of taking false comfort in what may be an illusion of compliance o Caveat: The best and most expensive and updated policies and procedures in the world, if not matched by practice implementation, will not prevent a PHI breach Typical Assessment Findings Risk Assessments are not complete, improperly conducted or up to date Organizations are mistaking Gap Analysis and/or Vulnerability Assessments for Risk Assessments Policies, Standards and Procedures on critical practices are not complete or none exist at all Goal # 1 Avoid Willful Neglect Seven (7) Basic HIPAA Compliance Health Check Questions Every Healthcare Covered Entity and Business Associate Needs to Ask Themselves 1. Have you conducted a legitimate HIPAA Risk Assessment which has been documented and is not outdated? 2. Do you have written and appropriately updated HIPAA Privacy and Security policies in place? 3. Have you designated an individual trained to function in the role of your HIPAA Privacy and Security Officer? 4. Do you have an ongoing, documented Risk Management program? 5. Does your organization have a documented HIPAA education, awareness and training program in operation? 6. Have you reviewed, revised and updated your Business Associate Agreements, as necessary? 7. Do you have a PHI (Protected Health Information) Breach occurrence and notification policy and process in place, and have you updated it to reflect changes made by the new HIPAA / HITECH rules? 3

5 Importance of the HIPAA Security Risk Assessment Wake Up!! it s no longer a Three Ring Binder Policy and Procedure compliance world DIY or Get Some Help Recommended Action Steps to Take 4

6 Compliance Assessment vs. Risk Assessment A Compliance Assessment is a gap analysis that identifies gaps in the organization on HIPAA Administrative, Physical and Technical specifications A Risk Assessment is more in depth and includes these elements in the report and work papers: o Threat Source List o Inventory Asset List o Risk Level of High, Medium and Low for each risk based on Likelihood and Impact scores o Likelihood determination for each risk o Impact determination for each risk Necessary Documents and Practices Access, Authorization and Authentication Controls Anti Malware Practices Application Development Practices Asset Classification and Sensitivity Practices Asset Management Practices Acquisition of New Company Practices Change Management Practices Configuration Management Practices Communications and Operations Management Computer System Acceptable Use Practices Data Backup Practices Data Retention Practices Disaster Recovery & Business Continuity Practices Encryption and Digital Signature Practices Incident Handling Practices Logging and Auditing Practices Organizational Security Policy Password Protection Practices Patch Management Practices Personnel Security Controls Practices Physical and Environmental Controls Remote Access and VPN Practices Risk Assessment Practices Security Awareness Practices Software Licensing Practices Data Leakage Protection Practices Develop an action plan and commence action Problem: Where to start? Solution: Management defines the policy Create the policy Conduct risk assessment based on policy Determine gaps and deficiencies Prioritize risks (i.e. per risk assessment) Approve projects to remediate and implement Commence ongoing review of policy, procedure and practices recognize that threats and risks change best practice security practice is dynamic not static 5

7 Recommended Next Steps Perform a Compliance Gap Assessment and check to ensure that your Risk Assessment is adequate and up to date Conduct a true and thorough Security Risk Assessment if you have not done so Budget for and implement controls based on findings in the Risk Assessment Thank You Three Pillars Technology Solutions LLC 2701 International Lane, Suite 201 Madison, WI