HIPAA Security Compliance Reviews



Similar documents
HIPAA Compliance Review Analysis and Summary of Results

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security Rule Compliance

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Overview of the HIPAA Security Rule

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA security rules of engagement

HIPAA Compliance: Are you prepared for the new regulatory changes?

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

HIPAA Security Alert

Joe Dylewski President, ATMP Solutions

HIPAA Compliance Guide

C.T. Hellmuth & Associates, Inc.

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Information Security Overview

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

SECURITY RISK ASSESSMENT SUMMARY

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA and Mental Health Privacy:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Procedure Title: TennDent HIPAA Security Awareness and Training

The HIPAA Audit Program

OCR/HHS HIPAA/HITECH Audit Preparation

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

Security Is Everyone s Concern:

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Sustainable Compliance: A System for Ongoing Audit Readiness

HIPAA Security Series

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010

OCR UPDATE Breach Notification Rule & Business Associates (BA)

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

CHIS, Inc. Privacy General Guidelines

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

What s New with HIPAA? Policy and Enforcement Update

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA PRIVACY AND SECURITY AWARENESS

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

HIPAA Compliance Guide

Datto Compliance 101 1

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

The Basics of HIPAA Privacy and Security and HITECH

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

How To Write A Health Care Security Rule For A University

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

State HIPAA Security Policy State of Connecticut

HIPAA Audit Risk Assessment - Risk Factors

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

PHI- Protected Health Information

HIPAA Security Matrix

Healthcare Compliance Solutions

Security Compliance, Vendor Questions, a Word on Encryption

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

Joseph Suchocki HIPAA Compliance 2015

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

General HIPAA Implementation FAQ

A Technical Template for HIPAA Security Compliance

HIPAA Security Checklist

HIPAA Privacy & Security Rules

Transcription:

HIPAA Security Compliance Reviews Elizabeth S. Holland, MPA Office of E-Health Standards and Services Centers for Medicare & Medicaid Services U.S. Department of Health and Human Services 1 2

What is HIPAA? Administrative Simplification Transactions and Codes Sets Unique Identifiers Security Privacy 2

Covered Entities under HIPAA The Administrative Simplification standards adopted by HHS under HIPAA apply to any entity that is: a health care provider that conducts certain transactions in electronic form a health care clearinghouse, or a health plan 2

Role of CMS/OESS OESS is responsible for E-Health including e-prescribing, personal health records, Recovery Act coordination re: electronic health record incentives HIPAA: Regulatory/Policy Interpretation (5010 and ICD-10) Outreach and Education Enforcement 4

HIPAA Security Rule Security Standards for the protection of Electronic Protected Health Information (ephi) Applies to ephi that a covered entity creates, receives, maintains, or transmits Published February 20, 2003 Compliance Date April 20, 2005 (April 20, 2006 for small health plans) 5

HIPAA Security Rule Security Standards Three categories of safeguards: Administrative Physical Technical 6

HIPAA Enforcement Secretary of HHS delegated to the Administrator of CMS the authority to investigate complaints of non-compliance with HIPAA regulations Office for Civil Rights (OCR), HHS has responsibility for privacy Enforcement efforts are complaint based 2

CMS Enforcement Statistics Report Open and Closed Cases by Type As of April 30, 2009 43 415 614 8 Complaint Type Total Open Closed Transactions and Code Sets (TCS) 614 43 571 Security 415 74 341 National Provider Identifier (NPI) 43 4 39 Total 1,072 121 951 Open Outstanding issues remain. Entity may be under a corrective action plan or additional information from either the complainant, the filed against entity, or both is being sought. Closed No further action required. All issues have been sufficiently resolved. Please note that 47 of the 341 security cases have been closed via corrective action plans.

Most Common Complaints Security Rule Section 164.308(a)(4)(i) Security Type Description Information Access Management Number of complaints 159 164.312(a)(1) Access Control 158 164.308(a)(5)(i) 164.308(a)(6)(i) 164.310(d)(1) Security Awareness and Training Security Incident Procedures Device and Media Control 127 103 73 9

Expanded our work to build voluntary HIPAA compliance Began to conduct compliance reviews on covered entities Contracted with Price Waterhouse Coopers (PWC) for 10 reviews in 2008 10

Selection of entities: Entities against whom a complaint has been filed Media reports of potential security violations Reviews focused: on the allegations in the complaint or Information in the media report how the covered entity resolved the issues 11

Issues included: Risk analysis and management Security training; Physical security of facilities and mobile devices; Off-site access and use of ephi from remote locations; Storage of ephi on portable devices and media; Disposal of equipment containing ephi; Business associate agreements and contracts; Data encryption; Virus protection; Technical safeguards in place to protect ephi; and Monitoring of access to ephi. 12

Reviews-2008 Reviews were conducted in New York, Florida, California, Oregon, New Hampshire, North Carolina, Pennsylvania, Maryland Nine were of providers and one was a health plan Seven were hospitals, one pharmacy, and one home care/hospice provider 13

Reviews-2008 Compliance reviews revealed areas where covered entities appeared to struggle: Risk assessment Currency of Policies and Procedures Security Training Workforce Clearance Workstation Security Encryption 14

Reviews-2008 Prepared Report: HIPAA Compliance Review Analysis and Summary of Results-2008 Reviews Outlines the six overarching compliance issues and provides recommended solutions as a guide to help improve compliance 15

Reviews-2008 Posted Compliance Review Examples Related to Loss of Portable Device Related to Theft of Backup Tapes Related to Theft of Workstation and Backup Hard Drive Related to Theft of Laptop Related to a Computer Virus Infection Related to Theft of Workstation and Backup Hard Drive 16

Reviews Reviews have resulted in Corrective Action Plans (CAPs) that include: Policies and procedures for remote use/access Designation of internal security audit personnel CAPs are monitored by CMS Compliance review cases are generally closed when CMS verifies completion of CAP. 17

Reviews-2009 Contracted with Quality Software Services, Inc (QSSI) to do compliance reviews in 2009 Six have been conducted or scheduled Not complaint based reviews Selected by covered entity type and location 18

Reviews-2009 Reviews in Florida, California, New York, Illinois, Minnesota, and Washington Three health plans, one clearinghouse, two providers (one federally qualified health center and one skilled nursing facility) 19

Reviews-2009 Reviews are not meant to be punitive Improve compliance Determine things that the entity is doing well (possible best practices that can be shared) Determine areas where the covered entity can improve their compliance 20

Reviews-2009 Contact covered entity via letter sent by certified mail Propose review dates Propose date for pre-entrance conference call with CMS, QSSI and covered entity Request working space with electricity, phone with outside access and internet connectivity for at least five business days 21

Reviews-2009 Request documents Receive documents on a flow-basis Assess documents for compliance with the HIPAA regulations Periodic pre-review conference calls Formulate questions based on review of policies and procedures 22

Reviews-2009 On-site review: Interview staff Review additional documentation Review technical controls Review results of past reviews and audits Draft report Final report of findings Creation of corrective action plans, if needed 23

Reviews-2009-Interviews Director of Covered Entity (CE) organization under review. VP IT Security and Compliance SVP, Chief Compliance Officer VP Infrastructure IT Security Manager Direct Line Supervisor of individual or area where breach/incident occurred. Developer Executing the File Transfer During the Security Incident 24

Reviews-2009-Interviews Lead systems manager or director. Systems security officer Computer Hardware specialist. Disaster recovery specialist or person in charge of backup tapes. Facility access control coordinator (physical security). 25

Reviews-2009-Interviews Lead network engineer. Individuals responsible for administration of platforms that store, transmit, or process ephi. Individuals responsible for administration of the site network (wired and wireless). Individuals responsible for monitoring of platforms that store, transmit, or process ephi. Individuals responsible for monitoring the network (if different from above). 26

Reviews-2009-Interviews Human resources representative. Director of training. Individual responsible for policy and procedure management Incident response team leader. Access to all members of workforce. 27

Reviews-2009-Sample Request All policies and procedures designed to demonstrate compliance with the HIPAA Security Rule Administrative Safeguards mapped to the specific HIPAA Security Administrative Safeguard. Policies and procedures to prevent, detect, contain, and correct security violations. Policies and procedures address setting up a user s access profile. Policies and procedures that address detecting, reporting, and responding to security incidents (if not in the security plan). Physical security policies. 28

Reviews-2009-Sample Request Policies and procedures that address encryption and decryption of electronic PHI. Policies and procedures that address mechanisms to ensure integrity of data during transmission - including portable media transmission (i.e. laptops, cell phones, blackberries, thumb drives). Policies outlining the entity's monitoring of system usage - authorized and unauthorized attempts. Policies regarding the use of wireless networks in the environment.. 29

Reviews-2009-Sample Request Templates and/or documents used to record the acknowledgement of use of wireless networks, mobile computing, as well as remote access to systems. Periodic vulnerability scanning policy and procedure. Periodic network penetration testing policy and procedure. Access to security violation monitoring reports. Security violation monitoring reports templates. 30

Reviews-2009-Sample Request Access to reports developed related to follow up action taken from violations that have occurred. Security violation follow-up action log/report templates. Policies and procedures that address granting, approving, and monitoring emergency access IDs during an emergency situation. Policies and procedures that outline hiring and termination procedures. Policies related to employee background checks and confidentiality agreements. 31

Reviews-2009-Sample Request Templates and/or documents used to record the processing of background checks and confidentiality agreements. Policies related to periodic reviews of appropriateness for personnel with access to PHI. Policies for granting system access (for example, by level, role, and job function. Polices and procedures that address creating, changing, and safeguarding passwords. Templates and/or documents used to record the creating, changing, and safeguarding passwords. 32

Reviews-2009-Sample Request Policies related to the timely removal of personnel from the system environment. Policies and procedures regarding secure workstation use are documented and address specific guidelines for each class of workstation (i.e., on site, laptop, and home system usage). Policies and procedures that address the secure disposal of hardware, software, and the electronic PHI data. 33

Reviews-2009-Sample Request Templates and/or documentation used to record the secure disposal of hardware, software, and the electronic PHI data. Most recent high-level risk assessment. Review risk assessment policies. Risk assessment template documentation Other documents: http://www.cms.hhs.gov/enforcement/09_hip AAComplianceReviewInformationandExampl es.asp 34

Reviews-2009 Vulnerabilities identified: HIPAA Security Policies and Procedures Business Associate Agreements Encryption of ephi on mobile devices HIPAA Security Training 35

HIPAA Compliance Looking to the future continuation a three-pronged approach: Complaint management Compliance reviews Outreach and Education 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information