Sustainable Compliance: A System for Ongoing Audit Readiness

Transcription

1 View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013

2 Agenda Sustainable Compliance at St. Charles Health System Centralized Documentation Risk Analysis & Testing High Risk Areas Ongoing Compliance Activities Maximizing Your Compliance Coverage

3 Sustainable Compliance Judi Hofman BCRT, CHPS, CAP, CHP, CHSS St Charles Health System Bend, Oregon

4 Sustainable Compliance Overall sustainability of compliance Centralized documentation Policies and Procedures Current Risk Analysis Disaster recovery/emergency mode of operations plan Incident response investigation documentation Control testing and documentations of Risk Analysis Application Layer Infrastructure Layer Enterprise Controls

5

6

7

8 ID Control Description Ap 1 Ap 2 Ap 3 Ap 4 HIPAA 1 Strong password controls are enforced to safeguard against unauthorized access. FAIL PASS PASS PASS HIPAA 2 User Accounts are disabled or deleted on the key applications upon termination of an employee. HIPAA 3 Administrator access within key applications is restricted to a defined set of system administration personnel. HIPAA 4 A review of user accounts and their associated access levels is performed and adequately documented to ensure appropriate access to the system. HIPAA 5 Change requests are formally documented and authorized by management before performing the work. HIPAA 6 Monitoring procedures are designed to provide reasonable assurance around completeness and timeliness of system and data processing. HIPAA 7 Backups are scheduled and monitored for successful completion.

9

10

11 Sustainable Compliance Develop a Compliance Plan Engage impacted departments *IT *HR *Business *Internal Audit Combine other compliance assessment activities *PCI *Financial *HR Evidence of Compliance Design effectiveness Operational effectiveness

12 Sustainable Compliance Top of the list compliance focus includes: Policies and Procedures Workforce training (new and on-going) Audit program Incident response (including breach response) Risk analysis & risk mitigation

13 Sustainable Compliance High risk areas: On-going risk management Current disaster recovery and emergency mode of operations plan Encryption of any transmitted or transported electronic PHI Access control Risk assessment

14 HIPAA Security Series /securityrule/securityruleguidance.html Guidance of Risk Analysis Required under the HIPAA Security Rule

15 Sustainable Compliance High risk areas (continued): Compliant data backup and recovery Remote access management Wireless access Audit control Person or entity authentications Documentation plan to address OCR or state investigation and audits

16 Sustainable Compliance What you need to do! Current Risk Assessment Prioritize high to low risk compliance gaps Assign resources to eliminate privacy and security compliance gaps Track and document compliance project status Document mitigation activity Store all centrally

17 Sustainable Compliance This amounts to more than adopting required policies and procedures compliance is an on-going process Need to demonstrate continued compliance activities (not a one time event) CE bear the burden of demonstrating compliance The time is now to address compliance gaps

18 CHRIS ARNOLD VP OF PRODUCT MANAGEMENT

19 Regulatory Framework for HIPAA Compliance HIPAA Audit Protocol User Activity Monitoring 2014 OCR HIPAA Enforcement #1 Security Gap from Pilot Audits Patient Privacy Monitoring ARRA HITECH Meaningful-Use Electronic Health Records Audit Logs Required Security Risk Analysis / Correct Deficiencies Protect Your Reputation Position Yourself for HIPAA Compliance

20 Maximize HIPAA Audit Protocol Coverage for Investment FairWarning 3.1 Maps Directly to OCR HIPAA Audit Protocol Requirements Patient privacy monitoring: 25 of the HIPAA audit protocols HIPAA Protocol sections Audit Controls Security Incident Procedures Security Management Process Breach Assessment & Notification Security Awareness and Training Access Control Administrative Requirements

21 Compliance Dashboard

22 (b): Audit Controls

23 (a)(6): Security Incident Procedures & (a)(1): Security Management Process

24 : Breach Risk Assessment

25 & 406: Breach Notification

26 (a)(5): Security Awareness & Training

27 (a): Access Control

28 & 530: Administrative Requirements - Burden of Proof & Training Documentation

29 : Administrative Requirements - Complaints, Sanctions & Mitigation

30 More Information A full mapping of FairWarning to the HIPAA Audit Protocols is available online: WP-OCR-PROTOCOL-MAPPING.pdf

31 CMS Meaningful Use Audits 5-10% of Eligible Providers audited Failing an audit means a complete return of all funds Biggest shortfalls include failure to have a well-documented Security Risk Assessment and to address areas of risk FairWarning addresses one of the most common risk areas identified user activity monitoring For more information:

32 PPM Business Case Available after today s webinar: The Business Case for Patient Privacy Monitoring OCR HIPAA Audit Protocol Mapping Benefits of FairWarning Patient Privacy Monitoring CMS Meaningful Use Audit Exposure Privacy Incident Risk Estimator HIPAA Omnibus Implications FairWarning Return on Investment Available by ing [email protected]

33 Questions? Additional Questions?