HIPAA Risk Assessments for Physician Practices

Transcription

1 HIPAA Risk Assessments for Physician Practices Eric Sandhusen Corporate Compliance Director and Privacy Officer Lloyd Torres Director of Ambulatory HIM

2 DISCLAIMER The statements and opinions presented are those of the presenters only and do not represent or reflect that of North Shore LIJ Health System or any of its affiliates.

3 Risk Assessment vs. Risk Analysis Often used interchangeably! Risk Assessment: Evaluation of the probability that protected health information has been compromised. Risk Analysis: An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ephi). Risk Management: Physical, technical and administrative controls established to prevent incidents identified as risks.

4 OCR HIPAA Audits Phase 1 Pilot Program (2012) - Included cross-section of Covered Entities - Opportunity for corrective action/management response - Able to separate Privacy and Security - Audit Program is available online at ment/audit/protocol.html

5 OCR HIPAA Audits Phase 1 identified areas of heightened risk : Absent or outdated risk analysis Individuals right to access their PHI Minimum necessary use and disclosure Notice of privacy practices Breach notification and incident response Technical controls

6 OCR HIPAA Audits Phase 2 (2015) will include: Desk Audits with on site as needed HITECH requirements Business Associates Breach Risk Assessments

7 Meaningful Use Requirement Pre- and Post-Payment Audits At least 5% of MU attesters MU Audit Findings Eligible providers 10,000 audits on 265,075 attestations 22.7% of EPs failed to meet MU standards nonexistent or shoddy self-assessments of how well doctors and healthcare organizations are protecting patient health information are the main reasons for a notably audit high failure rate among eligible practitioners (EPs).

8 HIPAA Security Rule Security vs. Privacy Risk Management Administrative Safeguards Physical Safeguards Technical Safeguards

9 Administrative Safeguards Establishes standards and specifications for health information security program that include the following: Identify and analyze risks to ephi and implementing security measures Formal risk analysis Reviewed frequently Information access management: Process to provision user IDs/passwords Termination procedures Policies and procedures Staff training Contingency plan

10 Physical Safeguards Control physical access to office and computer systems Facility access controls Door locks Alarms Workstation security measures Anti-theft devices Workstation proper access and use Privacy screens Desk dividers Printer and copier security measures Disposal Leased equipment

11 Technical Safeguards Hardware, software or other technology that limits access to ephi Access to ephi Auto-logoff Passwords Encryption (data at rest) Audit controls to monitor activity EHRs, financial systems, etc. Integrity controls to prevents alteration or destruction Transmission security measures Encryption Contingency plan to respond to emergencies or restore lost data Living document

12 Conducting Risk Assessment Who should be involved Process to maintain Define what you look at

13 Risk Assessment Audit Tools FACILIT NAME: DATE: ADDRESS: REVIEWER: PHONE: HIPAA - CRITERIA es No N/A 1. Does the staff discuss confidential patient information among themselves in public areas? 2. Does the patient receive and acknowledge receipt of the Notice of Privacy Practices as required? 3. Is the Notice of Privacy Practices posted in an appropriate area? 4. Are computer monitors positioned away from public areas to avoid observation by unauthorized individuals? 5. Is the screen saver activated when the computer is not in use? 6. Are paper records stored or filed so as to avoid observation by patients, visitors or unauthorized staff? 7. Is confidential patient information left unattended in a printer, photocopier or fax machine and are these devices in a secure area? 8. Is physical access to fax machines and printers limited to authorized staff? 9. Are patient lists, with information beyond date/address readily visible by visitors? 10. Is paper PHI or any item containing PHI (e.g. IV Bags, Labels, etc.) disposed of in appropriate dedicated secure containers or shredded, where applicable? 11. Are computer passwords visibly posted? 12. Is staff aware it is not permissible to share their password with anyone? 13. Are unattended computer systems (including computers on carts) appropriately logged off when not in use? 14. Is the staff aware of whom to contact about a privacy or security complaint? (e.g. unauthorized release or access of patient information) 15. Is the staff aware of how to encrypt an when sending PHI? HIPAA -CRITERIA es No N/A 16. Is EPHI stored locally on unencrypted workstation hard drives? (random check of desktops) 17. Are there unattended portable media devices (e.g. jump drives (flash drive) in unsecured areas? 18. Is the staff observed inappropriately requesting Social Security numbers and/or making copies of any type of photo identification? 19. Is the staff aware of the process for the release of patient information? (obtaining a HIPAA Authorization for the Release of PHI form) 20. Is the staff aware of the HIPAA policies and procedures and do they know where to find them?

14 Risk Assessment Audit Tools Sessional Sites Physician Name: Sessional Location: Scheduled sessions: Laptop ID: Physician maintains custody of device? Password protected? Automatic logout? Laptop is encrypted? Any other users of device? Network access via VPN (virtual private network)? Any note-taking on paper? Is there a process for secure paper-handling? All notes and information entered into laptop? Is there any other PHI residing on device? Prescriptions sent electronically? Any documents given to patient at site? All documents sent to patients via FMH portal? Non-portal patients receive documents from premises via AEHR task list? Patient arrival: list of patient names/appointment times given to non-employed receptionist? Patient arrival: list of patient names/appointment times collected/destroyed at end of session? How are arrived appointments handled in the EHR: Notes created without patient arrival in registration; Personnel elsewhere arrive patients in registration; notes are linked later to the appointment Doctor sends task to arrive patients in registration by personnel elsewhere upon notice by site staff Are charges entered in the EHR? Any Time of Service payments collected? Any financial transactions in the sessional office? Are NEW patients identified & given Privacy Notice? Do patients sign Privacy Notice acknowledgement: Prior to visit? At time of visit? Correct: N N N N N N N Audit:

15 Attorney-Client Privilege Rationale: Communications made (or information developed) as part of legal advice Managed by attorney (internal/external counsel) Risk analysis is work product May help define what gets released for review by OCR Able to identify existing issues Care is required to maintain confidentiality

16 Third-party Vendor vs. In-house Decision to do it internally vs. externally How complex is the organization? Do you have an IT department? Does it have capacity? How many physicians? Patients? Revenue? Do you have an EMR and other systems? NIST Tool scalable assessment

17 Other Relationships Sessional space Joint ventures Hospital work Business Associates

18 QUESTIONS? Contact: Lloyd Torres Eric Sandhusen