Covered En**es Should Periodically Audit Third Party Vendors/Business Associates Why, What, & How?

Transcription

1 Covered En**es Should Periodically Audit Third Party Vendors/Business Associates Why, What, & How? March 27 th 12 pm EDT Moderator: Gerry Blass Panelists: Mac McMillan, Francois Bodhuin, Lou Dignam

2 Webinar Objec*ves Provide an overview of what has changed for BAs with respect to the Omnibus Describe how to develop and sustain effec*ve vendor management prac*ces to ensure compliance Present a five step life cycle approach with suppor*ng ac*ons for managing vendor security requirements Provide useful resources and tools to use in a vendor management program Share proven best prac*ce strategies for provider organiza*ons seeking to improve vendor selec*on and management to ensure compliance

3 Housekeeping All awendees will be on mute for the dura*on of the presenta*on. We ask that any and all ques*ons be directed to the host in the Q&A Panel and we will try to answer as many as we can at the end of the presenta*on. This webinar is scheduled to last 1 hour but we can stay on longer for Q&A at the end and all of you are welcomed to do the same. If we do not have a chance to answer your ques*on please feel free to us. Our addresses are included in the presenta*on.

4 Housekeeping This webinar as well as a PDF of the presenta*on will be archived and available on the NJ HIMSS website shortly a]er the event. Everyone who has registered will receive an with the link. We have included Bios (with addresses) slides at the end of this presenta*on.

5 Introduc*ons Gerry Blass, President & CEO, ComplyAssistant Mac McMillan, CEO - CynergisTek Francois Bodhuin, IS Technology Director - Informa*on Security Officer, Inspira Lou Dignam, Director of Informa*on Security and Server Pladorms, Virtua Health

6 Seek Professional Help The Phases of BA Nego*a*ons Denial Anger Bargaining Depression Acceptance (Just need to get here by September 2014)

7 A New Paradigm Leon Rodriguez, Office for Civil Rights Director, had this to say about Omnibus: This final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented, These changes not only greatly enhance a pajent s privacy rights and protecjons, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protecjons, regardless of whether the informajon is being held by a health plan, a health care provider, or one of their business associates.

8 HIPAA Defines Business Associate 45 C.F.R : A Business Associate (BA) is a person/en2ty who/that: (i) on behalf of such CE or of an organized health care arrangement ( OHCA ) in which the CE par*cipates, but other than in the capacity of a member of the workforce of such CE or arrangement, performs, or assists in the performance of: A. a func9on or ac9vity involving the use or disclosure of PHI, including claims processing or administra*on, data analysis, processing or administra*on, u*liza*on review, quality assurance, billing, benefit management, prac*ce management, and re- pricing; or B. any other func*on or ac*vity regulated by this subchapter; OR (ii) Provides, other than in the capacity of a member of the workforce of such CE, legal, actuarial, accoun2ng, consul2ng, data aggrega2on (as defined in of this subchapter), management, administra2ve, accredita2on, or financial services to or for such CE, or to or for an OHCA in which the CE par*cipates, where the provision of the service involves the disclosure of PHI from such CE or arrangement.

9 HITECH Expands Defini*on Any person or en*ty that creates, receives, maintains or transmits PHI on behalf of a Covered En*ty or Business Associate. 45 CFR (3)(iii) Now specifically includes: Health Informa*on Organiza*ons Regional Health Informa*on Organiza*ons E- prescribing gateways, and Any person or en*ty that transmits PHI or requires access to PHI on a rou*ne basis. Conduits for data transmission are NOT BAs (e.g., retains PHI for only that period of *me necessary to support the transmission process)

10 Subcontractors Incorporated Any person or en*ty that creates, receives, maintains or transmits PHI on behalf of a HIPAA Business Associate. 45 CFR (3)(iii) This applies even if Sub and BA don t enter into BAA The HIPAA/BAA obliga*ons awach to downstream subcontractors TOO! OCR can directly enforce requirements against Subcontractors

11 Can Vendors Avoid HIPAA? The absence of a BA Agreement does NOT mean that a BA can avoid HIPAA compliance. A BA is determined by HIPAA s defini*ons and the ac*vi*es of the BA (or Sub), and direct compliance and enforcement by OCR cannot be avoided by simply not having in place a HIPAA- compliant BA Agreement in place between the CE and the BA, or the BA and its Subcontractor. Just because you are not a BA, does NOT mean HIPAA is not relevant.

12 Breach No*fica*on The Interim Rule: Defined a breach to mean generally: the acquisi*on, access, use, or disclosure of protected health informa*on in a manner not permiwed [by the Privacy Rule] which compromises the security or privacy of the protected health informa*on. It further elaborated that compromises the security or privacy of the PHI meant poses a significant risk of financial, reputa*onal, or other harm to the individual. FYI: HHS originally included harm test in order to align the rule with many state breach no*fica*on laws as well as exis*ng obliga*ons on federal agencies that have a similar risk of harm standard for triggering breach no*fica*on.

13 Breach No*fica*on The Final Rule Removes the significant risk of harm test, and replaces it with a presump*on that any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised. CE or BA has the burden of proof to demonstrate that there is a low probability that the PHI is compromised. The CE and BA must also maintain wriden documenta2on sufficient to demonstrate why it concluded that there is a low probability that the PHI was compromised and did not issue no*ces.

14 HITECH Revisions to BAAs BAA must state BA must comply with HIPAA Security Rule regarding e- PHI Must state that minimum necessary rule applies to use & disclosures of PHI BA must report breaches of unsecured PHI to CE (this is in addi*on to any uses/disclosures that violate the BAA) Contract must obligate BA to ensure that Subcontractors agree in wri2ng to same restric*ons If BA is going to carry out CEs obliga2ons (i.e., providing access to individuals), then contract must state BA is obligated to perform these obliga*ons in a compliant manner

15 Upda*ng BAAs BA Agreements that were entered into and in effect as of or before January 25, 2013 will be considered compliant for up to 1 year a]er the September 23, 2013 effec*ve date for final HITECH Rule compliance. So you have un2l September 23, 2014 before you must amend for technical compliance with HITECH. NEW BA Agreements entered into any 2me arer January 25, 2013 should have been updated by September 23, 2013, the effec*ve compliance deadline. If a BA Agreement is up for renewal or is modified any 2me arer March 26, 2013, then an updated and HITECH compliant BAA must be put in place.

16 BA Considera*ons & Issues I m not a BA or We don t need a BAA Defining permitted BA Services and Functions An agent, or not Security assessments (show me) Breach notification timeframes Encryption required Use of de-identified data Foreign (non-u.s.) sub-agents Cyberinsurance Indemnification (breaches; penalties; lawsuits) State law

17 Ac*on Implement a process to evaluate who is a BA, and who is not a BA (i.e., conduit); and sub- BAs Update your BAA forms for HITECH language Include Omnibus required language Add language to protect yourself from agent issue! Use compliant form NOW if entering into new BAA Can keep old BAAs in place un*l 9/23/2014 if they were in effect by Jan 25, 2013 & don t renew a]er March 23, Manage your BA Agreements! Keep track of important dates Assign who is responsible for managing BAAs?

18 Vendor Management Expecta*ons Vendor security requirements have been expanded under the new rules, and expecta*ons for Covered En**es were further clarified during OCR s HIPAA compliance audits in 2012 Expecta*ons for Managing Business Associates Pre- Contract Due Diligence Contrac*ng Requirements Post Contract Maintenance/Administra*on Incident Management Back Up/Disaster Recovery Physical Protec*on Access Control Accoun*ng for Disclosures Media/Data Disposal/Accountability End of Contract/Termina*on

19 Vendor Security Management Requirements Defini*on Solicita*on/RFP Processes Contract & Agreements Performance Monitoring Termina*on Security Incident Management & Breach No*fica*on Documenta*on Define Terminate Select Monitor Contract

20 Administra*ve Requirements BA Inventory Research accounts payable Vendor informa*on Requirements Defini*on Classifica*on Security Minimal Necessary Solicita*on/RFP Processes Solicita*on/RFP development Pre- contract evalua*on Contracts & Agreements Security requirements BAA development

21 Opera*onal Requirements Performance Monitoring Upda*ng documenta*on as required Back up/recovery Physical Security External Requests Business changes Incident Response No*fica*on of CE Risk Analysis Clean up/remedia*on No*fica*on others Termina*ons Disposi*on of informa*on Workforce turnover

22 First Hand Experience Inspira & Virtua

23 Approach Mac already addressed the necessity. Lou and I will discuss the process. Life Cycle approach New BA Sanc*on check + Security ques*onnaire Exis*ng BA Yearly survey Get our house in order Find a Management Tool and a Methodology Remember to involve Purchasing / Materials Management they maintain the primary rela*onship with the vendors (point of contact ) *** Most Important *** - Get Execu*ve support You need a high level of collabora*on between the Privacy and Security team and the business folks.

24 Approach 1 BA Inventory 2 Program Setup 3 Func*onal Analysis 4 Send and Monitor Results 5 Analysis of Results 6 Process Review 7 Start over

25 1 BA inventory Iden*fy who maintains the BA Inventory Review BA inventory Contract management so]ware So]ware Support arrangements SFTP Survey all Directors Categorize the vendors (Triage) Good *me to check if all BA have BAAs Select 10 BAs for pilot

26 2 Program Setup Iden*fy the tool to use (GRC so]ware) Methodology SAAS or do it yourself? Create lewers LeWer of introduc*on from the organiza*on LeWer to the Vendor Set up vendor ques*onnaires 1 or 2 Different set of ques*ons depending of vendor category Have your ques*ons reviewed by Privacy and Security as well as Legal If you submit the ques*ons via the web, allow for awachments

27 3 Func*onal Analysis Push back from vendors some vendors think they already have to comply with HIPAA/HITECH, so they do not need to respond. What if answers are not what we expected? Determine Ac*ons this is where execu*ve support may be needed. Will this cost the organiza*on more money? Are we ready to terminate a contract? Consider developing a grading system, but iden*fy the show- stoppers.

28 4 Send and Monitor Results Start with a pilot 2 nd Cycle Extend the pilot or send to all BAs Iden*fy who is responsible for monitoring the responses. On- going and a lot of work

29 5 - Analysis and Process Review Analyze the results % of responses Accuracy Decisions will depend on results / answers Store informa*on in a database to compare answers from one year to another

30 6 Process Review Review the process Tweak the lewers Tweak the ques*onnaires Are we sending to the correct person? Do we give enough *me to the BA for answers? Are we trea*ng the vendors the same way within each category?

31 7 Start Over Never ending Story Life Cycle Get to every vendor every year Keep refining the process to make it easier for the vendor (Web ques*onnaire )

32 Conclusion Do it right analyze consequences Confirm the Execu*ve support Don t forget Plan B (Risk Acceptance) This is s*ll our data and we are responsible for it make BA understand that fact Doing this demonstrates our oversight (Due diligence)

33 Q & A Gerry Blass gerry@comply assistant.com Mac McMillan mac.mcmillan@ cynergistek.com Francois Bodhuin bodhuinf@ihn.org Lou Dignam ldignam@virtua. org

34 Moderator Bio Gerry Blass - gerry@complyassistant.com Gerry is President & CEO of Blass Consul*ng and Compliance. Gerry has over 35 years of experience in healthcare IT and compliance. Gerry provides healthcare IT and consul*ng services and so]ware called ComplyAssistant that automates the management and documenta*on of healthcare compliance ac*vi*es. Gerry co- authors quarterly columns for JHIM, the na*onal HIMSS magazine, and is a co- founder of HIPAA 411, a linked in group.

35 Panelist Bio Mac McMillan - mac.mcmillan@cynergistek.com Mac McMillan is CEO of CynergisTek, Inc., a firm specializing in informa*on security and regulatory compliance in healthcare. He is Chair of the HIMSS Privacy & Security Policy Task Force and brings over 30 years of experience from Government and private sector posi*ons. He has worked in the healthcare industry since his re*rement from the government and contributes regularly to the thought leadership around compliance, security and privacy in healthcare.

36 Panelist Bio Francois Bodhuin - bodhuinf@ihn.org Francois is the Technology Director and Informa*on Security Officer at Inspira. Francois manages servers/worksta*ons, the Networks, TV services and the telephony. Francois has 20 years of healthcare IT experience and teaches Informa*on Technology at Cumberland County College as an adjunct professor. Francois has obtained the CISSP cer*fica*on from ISC2 as well as the MCSE Sec+ cer*fica*on from Microso]. He is a member of DVHIMSS and NJHIMSS.

37 Panelist Bio Lou Dignam - ldignam@virtua.org Lou has 28 years of technical Healthcare IT experience, 12 of which were specialized in Informa*on Security. Lou joined Virtua in July 2008 as the Director of Informa*on Security and Server Pladorms/HIPAA Security Officer to oversee all informa*on security efforts around Regulatory & Audit Compliance, Policy Development, Technology Risk Mi*ga*on, and Vulnerability Management and to develop and deliver a comprehensive informa*on security program for Virtua. Lou obtained his CISSP in 2006 and has extensive technical knowledge in informa*on security, informa*on security management, IT risk management and assessment, network technology, server technology, and desktop technology.