Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use



Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013

Table of Contents

Abstract
The Carrot and the Stick: Incentives and Penalties for Securing Web-based Patient Portals
  Meaningful Use Incentives
  Increased Penalties
  Government Audit & Oversight
Sharing the Risk: Business Associate and Subcontractor Obligations
Securing Patient Portals
  Patient Portal Security Requirements
  Trend Micro Web App Security
Conclusion

Abstract

Information security has evolved into a mission-critical function for healthcare organizations amid the tumult of industry reform, innovation, and regulatory upheaval. A nationwide move towards Electronic Health Record (EHR) systems, web-based platforms for patient and provider access to information, increased regulation, provider consolidation, and the increasing need to share health information between patients, providers, and payers all point toward the need for robust information security protections. At the same time, changes in federal legislation are offering lucrative incentives for implementing EHRs and patient portals, and those who do not vigilantly protect patient information stored in EHRs and web-based portals face increasingly stiff penalties.

With the emergence of e-health networks offering web-based services, the future success of healthcare is likely to depend on how effectively patients can obtain and manage their health-related information over the web in a secure manner. This challenge is further amplified by the growing complexity of patient data management practices, including outsourcing the development and implementation of web-based platforms to third party Business Associates and their subcontractors.

The Carrot and the Stick: Incentives and Penalties for Securing Web-based Patient Portals

Meaningful Use Incentives

The Health Information Technology for Economic and Clinical Health (HITECH) Act and the recently released HIPAA Omnibus Rule seek to improve health care delivery and patient care by encouraging electronic access to personal health information across the continuum of care, including via web-based patient portals. HITECH takes a carrot-and-stick approach to promote the mandated conversion to EHRs and implementation of web-based patient portals.

The act provides a healthy carrot of $19.2 billion in incentive payments to promote EHR adoption, primarily funneled through Medicare and Medicaid reimbursement as incentive payments for the Meaningful Use of certified EHR technology. Each physician can qualify for a total of up to $44,000 over five years through Medicare or up to $63,750 over six years from Medicaid, dependent upon satisfying annual qualification criteria. At the same time, the Meaningful Use requirements call for increased security and privacy controls to bolster patient confidence and adoption of EHR technology in order to qualify for incentives. Stage 2 of Meaningful Use specifically requires the implementation and adoption of a secure web-based patient portal to facilitate patient access to health information.

Increased Penalties

The HITECH Act and HIPAA Omnibus Rule have acknowledged the increased risk associated with storing and transmitting electronic Protected Health Information (PHI) by introducing strong penalties (a heavy "stick") for healthcare providers and their Business Associates and subcontractors who fail to meet the HIPAA Security and Privacy Rule mandates. Prior to the enactment of the HITECH Act, the imposition of civil penalties under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of an identical requirement or prohibition occurring within the same calendar year. Enacted in February 2009, HITECH raised the range to a minimum of $100 and a maximum of $50,000 per violation, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year. Additionally, criminal penalties of up to $250,000 and up to 10 years in prison for HIPAA violations apply not only to healthcare covered entities but also to employees and other individuals. The Omnibus Rule, effective in 2013, ups the ante even further by allowing for fines of up to $1.5 million per violation, regardless of how many violations occur concurrently within a given calendar year. As if the regulatory non-compliance penalties did not already supply sufficient motivation for compliance with security requirements, the Meaningful Use incentive provisions also threaten reduced reimbursement, starting in 2015, for entities that have not met the requirements for securing EHRs and patient portals.

Government Audit & Oversight

In addition to more proactive oversight underway via the new regulations, both federal and state governments have also been actively investigating possible violations and filing suit for breaches that have been reported to the Department of Health and Human Services (HHS) under HITECH. Several entities are empowered to investigate and audit security compliance, including the Office for Civil Rights (OCR), the Centers for Medicare & Medicaid Services (CMS), and State Attorneys General. Under HITECH, money collected in civil penalties is funneled back into OCR's enforcement budget. The act also permits state attorneys general to bring civil actions for HIPAA violations, making wider oversight and enforcement far more likely than in prior years under HIPAA.

Sharing the Risk: Business Associate and Subcontractor Obligations

The risk of incurring penalties associated with patient data breaches is further exacerbated by the growing trend of healthcare organizations outsourcing EHR and patient portal solutions to third party Business Associates. According to a recent HITRUST Alliance report, 21% of healthcare security breaches in 2012 implicated a third party Business Associate. Healthcare organizations are also challenged with a lack of the resources needed to effectively manage, evaluate, and continuously monitor Business Associate security compliance, including patient portal web applications, while maintaining focus on delivering quality patient care.

HITECH and the Omnibus Rule widened the net of compliance obligations by expanding the definition of a Business Associate to include organizations that transmit and routinely access PHI, such as health information exchange organizations, web application providers, and IT hosting vendors. Previously, Business Associates were liable only under the terms of their contracts, but under HITECH, Business Associates are subject to direct government oversight and civil and criminal penalties for HIPAA violations. Additionally, the HIPAA Omnibus Rule expands many of these requirements to the subcontractors of Business Associates, resulting in the rollout of modified Business Associate Agreements to reflect these new obligations.

Securing Patient Portals

Patient Portal Security Requirements

The Meaningful Use Stage 2 criteria focus on patient engagement to provide better care. The aim of this requirement is to make health information more accessible to individuals, and to provide patients with the means to communicate electronically with health care providers via patient portals. However, this also makes the web application the direct link to sensitive enterprise information, including PHI. Patient portals, combined with EHRs, allow clinicians to communicate directly with their patients, also extending to them capabilities to schedule appointments, refill prescriptions, access lab results, and pay bills.

Stage 2 of MU requires that a secure web-based patient portal be established and sets out specific standards to demonstrate that the portal is being used by both providers and a substantial number of patients to meet the following measures:

1. Provide secure messaging between patients and providers
2. Allow patients the ability to access and download their electronic information in a secure manner
3. Deliver reminders for preventive and follow-up care
4. Provide patients with specific educational materials
5. Conduct a risk assessment of the patient portal to ensure that appropriate security controls are in place to protect patient information in alignment with HIPAA / HITECH / Omnibus requirements

For healthcare professionals participating in the Centers for Medicare & Medicaid Services (CMS) EHR incentive programs, the deadline for meeting Stage 2 criteria is right around the corner. A technical solution for assessing and remediating security risks specific to web-based platforms and portals is an essential component to achieving these compliance objectives. Security scanning and remediation tools allow healthcare organizations and Business Associates to demonstrate continual risk assessment of their web-based platforms and avoid jeopardizing incentive payments or incurring significant financial penalties.

Trend Micro Web App Security

Trend Micro Web App Security was developed to address today's complex threat environment, providing a complete suite of security capabilities designed to detect threats and vulnerabilities, and protect web applications and patient portals in a single integrated solution without the cost and effort of traditional approaches. Trend Micro Web App Security as a Service delivers:

Complete Intelligent Application Testing
- Provides organizations a complete suite of scanning products to identify and quickly remediate vulnerabilities for both in-house hosted and third party / Business Associate web applications and portals
- Offers comprehensive testing of patient portal platforms (operating system, server, network) with over 50,000 checks
- Allows scanning to be done on-demand or run continuously to assess third party Business Associate web applications

Integrated Detection and Protection
- Provides continuous monitoring of security controls for patient portals and other third party web applications, ensures vulnerabilities are quickly identified (industry average is 231 days to find) and minimizes the time to respond to security threats with the ability to quickly block new attacks

Unlimited SSL
- Allows customers to deploy SSL for patient and provider portals and other online applications to improve security and patient trust while significantly reducing infrastructure costs related to managing multiple SSL certificates
- Integrates SSL health checking into the detection capabilities of the solution, allowing for time-saving checks for configuration errors and certificate expiration for third party / Business Associate web applications including EHRs and patient/provider portals

Integrated Management Console
- Unlike other security offerings, platform and application vulnerability detection and protection is accomplished via a single integrated console, including logging and reporting for internal and third party applications, to substantially simplify operation and reduce resource requirements
- Monitors web application reputation for third party Business Associate web applications to ensure reputation and categorization issues are identified and resolved
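The "SSL health checking" bullet above describes checks for configuration errors and certificate expiration on a portal endpoint. The following is an added example of what such a check looks like in practice; it is not Trend Micro code or part of the white paper. The 30-day warning window and the TLS 1.2 floor are assumptions chosen for illustration.

```python
"""Added example: a minimal TLS health check for a patient portal endpoint.
Flags an expired or soon-to-expire certificate and a negotiated protocol
version below an assumed floor. Not the paper's or Trend Micro's code."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

EXPIRY_WARNING_DAYS = 30      # assumption: warn a month before expiry
MIN_PROTOCOL = "TLSv1.2"      # assumption: anything older is a configuration error
_PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_not_after(cert_not_after):
    """Convert the 'notAfter' string from ssl.getpeercert() (e.g.
    'Sep 01 00:00:00 2013 GMT') into a timezone-aware datetime."""
    seconds = ssl.cert_time_to_seconds(cert_not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess_tls(not_after, protocol, now=None):
    """Return a list of human-readable findings for one observed endpoint.

    not_after: certificate expiry as an aware datetime
    protocol:  negotiated protocol name as reported by SSLSocket.version()
    now:       evaluation time; defaults to the current UTC time
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.append("certificate expired")
    elif remaining <= timedelta(days=EXPIRY_WARNING_DAYS):
        findings.append(f"certificate expires in {remaining.days} days")
    # Unknown or None protocol names rank below the floor and are flagged too.
    if _PROTOCOL_RANK.get(protocol, -1) < _PROTOCOL_RANK[MIN_PROTOCOL]:
        findings.append(f"negotiated {protocol}, below {MIN_PROTOCOL}")
    return findings


def inspect_portal(host, port=443, timeout=5.0):
    """Connect to a live portal, verify its chain and hostname against the
    system trust store, and assess expiry and protocol version."""
    ctx = ssl.create_default_context()  # chain + hostname verification on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return assess_tls(parse_not_after(cert["notAfter"]), tls.version())


if __name__ == "__main__":
    import sys
    # Usage: python tls_check.py portal.example.org  (hostname is yours to supply)
    print(inspect_portal(sys.argv[1]) or ["no findings"])
```

A verification failure (untrusted chain, hostname mismatch) raises `ssl.SSLCertVerificationError` from `wrap_socket`, which is itself a finding worth logging rather than suppressing.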

Conclusion

Healthcare organizations are becoming increasingly dependent on web-based technologies such as patient portals to improve patient engagement and address government incentive and regulatory requirements. Organizations are also beginning to understand that HITECH/HIPAA compliance and information security risk assessments are not one-time events and must be implemented as part of a continual security monitoring and remediation program. The impact of lapses in security can be staggering and can cause significant financial harm, reputational damage, and loss of consumer confidence. As such, healthcare organizations must continuously work to identify web application weaknesses for EHRs and patient portals to defend against increasingly sophisticated external threats. The complexity of managing security requirements for third party hosted applications on web and mobile platforms further compounds the security compliance conundrum for healthcare entities.

Automated web application security solutions such as Trend Micro Web App Security serve a critical role in supporting the development of robust information security programs to protect patient information for both in-house and third party hosted web applications. Trend Micro Web App Security provides a flexible and repeatable way to perform continual security risk assessments of patient portals and web-based healthcare platforms to demonstrate compliance with federal regulations and incentive programs and protect patients from the harm associated with health information exposure.

About Meditology

Meditology Services LLC is a healthcare-focused advisory services firm with core principles of quality, integrity, loyalty and value. Our executive team has an average of 15 years of consulting and operational experience in healthcare with provider and payer clients nationally of varying size and complexity. We understand the importance of relationships and derive much of our business from a long list of satisfied clients who value the quality of our work products combined with the professionalism, approach, and innovative solutions we bring to our engagements.

About Trend Micro

As a global leader in cloud security, Trend Micro develops security solutions that make the world safe for businesses and consumers to exchange digital information. With more than 20 years of experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments.

For More Information Contact:
Meditology Services LLC
5256 Peachtree Road, Suite 190
Atlanta, GA 30341
info@meditologyservices.com
Tel. (404) 382-7591
www.meditologyservices.com