HIPAA Security Risk Analysis for Meaningful Use
NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives. We will begin shortly after 12:30 PM (Pacific Time).
Conducting a HIPAA Security Risk Analysis for Meaningful Use
April 23, 2012
Presented for ACCMA by David A. Ginsberg
2008 1
Agenda
- The Meaningful Use criteria: a quick reminder
- HIPAA background
- Deep dive into the 15th Core Objective
- Conducting a risk analysis
- Remediation: gaps and deficiencies
Meaningful Use
- A new concept with the HITECH Act
Meaningful Use and ARRA redux
- Part of the American Recovery and Reinvestment Act (ARRA), which included the HITECH Act
- The HITECH Act provides incentive funding for physicians, hospitals and other health providers to implement electronic health records
- It also provides funding for the creation of health data exchanges that ultimately will foster interoperability and bring patients and their health data together
Meaningful Use
- The rule introduces the concept of three stages of meaningful use achievement
- The stage or phase in the program is a way to harmonize the meaningful use criteria with the incentive funding program
- Stage 1 begins in 2011
- Stage 2 begins in 2014 (proposed)
- Stage 3 begins in 2015
MU (slides 4 to 7: image-only slides, content not recoverable from the extraction)
Deep Dive into the 15th Core Objective
- Conduct or review a security risk analysis per 45 CFR 164.308(a)(1)
- What does the Security Rule say? "Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
Deep Dive
- This is a component of a broader regulatory standard known as risk management
- The concept of CIA (confidentiality, integrity, availability) is well established in the information security world
- In developing the HIPAA Security Rule, and specifically the risk analysis requirement, HHS relied upon guidance from organizations well versed in information security, such as NIST
HIPAA Security Risk Analysis
- It is NOT a checklist!
- How do you conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the covered entity?
- There are steps that are defined by CMS, NIST and others
- These have been incorporated and made simple in PrivaPlan, and evaluated by CMA legal counsel!
Details of a Risk Analysis
It entails a formal review of risks to ePHI and your information security:
- ePHI inventory and network or system characterization
- Review of controls or safeguards
- Review of threats and vulnerabilities, including prior incidents
- Criticality analysis
- Review of policies and procedures
- Review of the likelihood of threat exploitation
- Risk analysis
Details continued
Your control analysis or review spans administrative, physical and technical areas and the other components in the HIPAA Security Rule:
- Workforce clearance
- Access authorization
- Termination procedures
- Contingency planning and disaster recovery
- Training
- Sanctions
- Incident reporting and response
Details continued
- Facility security
- Visitor access
- Emergency operations
- Maintenance
- Media and ePHI life cycle
- Paper disposal
- Business associate agreements
- Policies and procedures
Details continued
- Review of prior incidents
- Review of technical controls
- Encryption controls
- Integrity controls (malware, use of secure portals)
- How to establish impact? First by defining ePHI criticality, then review threats and vulnerabilities
EHR-specific focus
- Roles and permissions: security settings
- Audit logs
- Server location (even if you use a remote data center)
- Contingency and disaster recovery
- Periodic testing
- Specific MU areas like providing an electronic copy, patient summaries, patient reminders, patient access (portals), exchange of data
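As an added example (not code from the presentation or from PrivaPlan), the following Python shows how the steps above combine into a scored risk analysis: each ePHI asset is rated for criticality across confidentiality, integrity and availability, each threat is paired with the control that mitigates it, and impact times likelihood ranks the deficiencies, so an unencrypted device holding ePHI lands at the top of the remediation list. Asset names, threats, control names and ratings are constructed values.

```python
# Added example, not from the presentation or PrivaPlan: a minimal NIST-style
# risk analysis over a constructed ePHI inventory, walking the slide's steps:
# inventory, criticality, controls, threat/vulnerability pairs, likelihood, impact.
from dataclasses import dataclass, field
LEVELS = {"low": 1, "moderate": 2, "high": 3}
@dataclass
class Asset:
    name: str
    holds_ephi: bool
    criticality: dict                      # CIA ratings, e.g. {"C": "high", "I": "moderate", "A": "low"}
    controls: set = field(default_factory=set)
@dataclass
class Threat:
    description: str
    affects: str                           # CIA property the threat acts on: "C", "I" or "A"
    mitigated_by: str                      # control that lowers the likelihood if present
    likelihood_uncontrolled: str           # likelihood when that control is absent

def risk_score(asset: Asset, threat: Threat) -> int:
    """Impact = asset criticality for the threatened property; likelihood falls
    to low when the mitigating control is present. Score = impact * likelihood."""
    if not asset.holds_ephi:               # no ePHI, no HIPAA risk to score here
        return 0
    impact = LEVELS[asset.criticality[threat.affects]]
    controlled = threat.mitigated_by in asset.controls
    likelihood = LEVELS["low"] if controlled else LEVELS[threat.likelihood_uncontrolled]
    return impact * likelihood

def analyze(assets, threats, threshold=4):
    """Deficiencies at or above threshold as (asset, threat, score, missing control), highest first."""
    findings = [(a.name, t.description, risk_score(a, t), t.mitigated_by)
                for a in assets for t in threats if risk_score(a, t) >= threshold]
    return sorted(findings, key=lambda f: -f[2])

# Constructed sample inventory and threat list (illustrative values only)
ASSETS = [
    Asset("EHR database server", True, {"C": "high", "I": "high", "A": "high"},
          {"encryption_at_rest", "audit_logging", "backups"}),
    Asset("Billing laptop", True, {"C": "high", "I": "moderate", "A": "low"}, {"audit_logging"}),
    Asset("Front-desk scheduling PC", False, {"C": "low", "I": "low", "A": "moderate"}),
]
THREATS = [
    Threat("Theft or loss of a device holding unencrypted ePHI", "C", "encryption_at_rest", "high"),
    Threat("Malware altering patient records", "I", "malware_protection", "moderate"),
    Threat("Hardware failure with no recoverable copy", "A", "backups", "moderate"),
]

if __name__ == "__main__":
    for name, desc, score, control in analyze(ASSETS, THREATS):
        print(f"risk {score}: {name}: {desc} (missing control: {control})")
```

The ranked output is the list of identified deficiencies that the measure expects you to carry into the risk management process and correct; the encrypted server scores low on the theft threat because the control is in place, not because the data is less sensitive.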
More on MU and the HIPAA SRA
- The measure also states: "implement updates as necessary and correct identified security deficiencies as part of the risk management process"
- What are updates? The results of a review of a prior HIPAA SRA, or an update to an SRA and/or updating the analysis
More on MU and the HIPAA SRA
- Correcting identified security deficiencies as part of a risk management plan:
- Remember some of these may be privacy/security, such as posting the Notice of Privacy Practices or using an up-to-date Business Associate agreement
- Of course, emphasis is on correcting those deficiencies that the use of an EHR exposes your organization to
- But it also refers to other security deficiencies that are gaps in compliance with the Security Rule
More on MU
What has to occur prior to attestation:
- Certainly, conducting or reviewing a HIPAA SRA
- Identifying security deficiencies
- Correcting those deficiencies can be done as part of a risk management plan, based on your assessment of risk and incorporating flexibility of approach
HIPAA Security Risk Analysis
- A follow-up audit would expect a formal report to be on hand to prove you have done the risk analysis, and to show that you are remediating or managing gaps and deficiencies
- If you attest without doing the work, you will be risking fraud: being untruthful on your attestation documents and receiving federal funds
Stage 2 Proposed Changes
- ONC and CMS mean business when it comes to safeguarding ePHI!!!!
- The preamble to the Stage 2 HIPAA changes states: "Protecting electronic health information is essential to all other aspects of meaningful use. Unintended and/or unlawful disclosures of personal health information could diminish consumers' confidence in EHRs and electronic health information exchange. Ensuring that health information is adequately protected and secured will assist in addressing the unique risks and challenges that may be presented by electronic health records."
Stage 2 Proposed Changes
- The language for the HIPAA Core Objective measure stays the same but adds a key new concept: "Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process."
Stage 2 Proposed Changes
- The preamble to the proposed rule notes the need for addressing encryption and security of data at rest, in part because of the many reported breaches of devices containing ePHI
- Later we discuss the need to report breaches and the concept of unsecured PHI (non-encrypted)
- Encryption and data-at-rest review is a normal part of a good HIPAA Security risk analysis, but many organizations fail to review or act on this area, and in some cases vendors are not supportive!
Stage 2 Proposed Rule
- Encryption may not always be reasonable, but an alternative mechanism must be identified
- The preamble goes on to state: "We propose this measure because the implementation of Certified EHR Technology has privacy and security implications under 45 CFR 164.308(a)(1). A review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider's risk management process and implemented or corrected as dictated by that process."
Other HIPAA concerns
- Privacy laws are changing
- The final rule is expected shortly
- Key areas we have time to discuss today:
- Accounting of disclosures
- Access restriction (for health plans)
- Business Associates (you should already use an updated form)
- Increased enforcement and penalties
- The recent huge penalties!
Breach Notification
- Already in place via the Interim Final Rule
- Key concepts: unsecured PHI, the concept of significant financial, reputational or other harm, 60-day notification to the individual, HHS notification
- Did you comply last year? Did you complete your filings with HHS within 60 days of the end of last year?
- How does this relate to HITECH? Implementing and using an EHR increases both the risk and the probability of a breach
Some interesting non-ePHI risks
PrivaPlan has helped physicians with the following breaches of non-ePHI:
- Waste bins with PHI meant for the shredder
- Statements mis-mailed (and OCR's position on this)
Enforcement and risks are real
- Recent Office for Civil Rights settlement with Blue Cross Blue Shield of Tennessee for $1.5 million
- Over the theft of unencrypted hard drives, even though the drives were kept in a locked room secured by a swipe card and a secondary key card lock!
- The value of this physical security didn't outweigh the risk of unencrypted data being stolen because the building was no longer occupied full time by BCBS.
Enforcement is real
The OCR press release about the settlement says: "This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.... The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients' right to private and secure health information."
Enforcement
- This settlement settles once and for all the risk associated with unencrypted data at rest
- And it reinforces the need for risk analysis activities!
- And just this month, a cardiology practice in Phoenix had a $100,000 fine
- For the first time the fine included failure to conduct a risk analysis!
HIPAA Security Risk Analysis Solutions?
- If you are or have been a PrivaPlan user, you have a do-it-yourself guide; be sure to update your subscription!
- Or purchase the ToolKit
- We can also do the risk analysis for a low fee
To Purchase PrivaPlan
- PrivaPlan Online HIPAA Compliance Toolkit: $325 special price for CMA members ($495 retail). Upon checkout at PrivaPlan.com use Coupon Code: cmatool170
- PrivaPlan Online HIPAA Training: $129 special price for CMA members ($169 retail). Upon checkout at PrivaPlan.com use Coupon Code: cmatrain40
Contact information
David Ginsberg
dginsberg@privaplan.com
1-877-218-7707
Have you updated your PrivaPlan subscription?
Q & A
Individual questions?