HIPAA: Compliance Essentials
Presented by: Health Security Solutions
August 15, 2014
What is HIPAA?
HIPAA is a law that:
- governs a person's ability to qualify immediately for health coverage when they change employment (dependent on the employer's program)
- sets rules for electronic data interchange
- includes regulations protecting the security and privacy of Protected Health Information (PHI)
Privacy vs Security
- Privacy Rule: establishes the rights of patients to control the use of personal information in all its forms: verbal, written, electronic
- Security Rule: administrative, physical and technical safeguards for PHI in digital form (ePHI)
CIA: Confidentiality, Integrity, Availability
- Confidentiality: the property that data or information is not made available or disclosed to an unauthorized person
- Integrity: the property that data or information has not been altered or destroyed in an unauthorized manner
- Availability: the property that data or information is accessible and usable upon demand by an authorized person
Structure of the Security Rule
- Standards: the broad security requirements. The standards are required.
- Implementation Specifications: the more detailed instructions contained within each Standard
  - Some are required (R)
  - Some are addressable (A): flexibility and latitude in how they are met, based on what's reasonable and appropriate
Defining Reasonable and Appropriate
- The size, complexity and capabilities of the covered entity
- The covered entity's technical infrastructure, hardware, and software security capabilities
- The costs of security measures
- The probability and criticality of potential risks to ePHI
Options for Addressable Specifications
- Implement the specification
- Implement one or more alternative security measures
- Do not implement either the addressable implementation specification or an alternative
DOCUMENT YOUR DECISION!
Three Types of Safeguards
1. ADMINISTRATIVE: organizational rules and procedures (9 Standards, 23 Implementation Specifications)
2. PHYSICAL: physical protections and rules (4 Standards, 10 Implementation Specifications)
3. TECHNICAL: technology protections and rules (5 Standards, 9 Implementation Specifications)
Administrative Safeguards are defined as: actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures, and to manage the conduct of the covered entity's workforce.
Administrative Safeguards
- Security Management Process
- Assigned Security Responsibility (no spec) (R)
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation (no spec) (R)
- Business Associate Contracts (R)
Physical Safeguards are defined as: physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Physical Safeguards
- Facility Access Controls
- Workstation Use (no spec) (R)
- Workstation Security (no spec) (R)
- Device and Media Controls
Technical Safeguards are defined as: the technology and the policies and procedures for its use that protect electronic protected health information and control access to it.
Technical Safeguards
- Access Controls
- Audit Controls (no spec) (R)
- Integrity (R)
- Person or Entity Authentication (no spec) (R)
- Transmission Security
Options for Risk Management
- Avoid: do not participate in the risk
- Reduce: mitigate the causes of the risk
- Transfer: insure against the risk
- Accept: assume and budget for the risk
Elements of an Effective Compliance Program
1. Leadership
2. Policies and Procedures
3. Risk Analysis
4. Education and Training
5. Monitoring and Auditing
6. Response and Reporting
7. Enforcement
Levels of Compliance
1. Non-compliant
2. Compliant on paper
3. Compliant in practice
4. Compliant in practice, documented, and able to be verified and proven
Documentation Requirement
- Implement reasonable and appropriate policies and procedures to comply with the standards
- Maintain the policies in written form (not verbal)
- Maintain a written record of the action, activity or assessment
- Records must be kept for 6 years
- Records must be made available to those to whom the document pertains
- Periodically review the documentation
In a Nutshell: Compliance is
1. Having written policies and procedures
2. That are mapped to the regulations
3. That reflect the findings of your risk analysis
4. That are followed
5. And can be proven via a paper trail of forms, reports, logs, etc.
Example #1: Employee Termination Policy Checklist Document
Two BIG Gray Areas
1. Addressable safeguards, based on the Reasonable and Appropriate standard
2. Risk Analysis findings and results
The First Step: Risk Analysis
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information."
Meaningful Use and Risk Analysis
Meaningful Use criteria:
- #12 Provide patients with an electronic copy of their health information upon request
- #13 Provide clinical summaries for patients for each offic
- #14 Perform at least one test of certified EHR technology
- #15 Conduct or review a Security Risk Analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary
Security Risk Analysis and Meaningful Use
- Meaningful Use Core Requirement #15: Conduct or review a Security Risk Analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary
- 45 CFR 164 directly references the HIPAA Administrative Standards
In Other Words: HIPAA Risk Analysis = MU Risk Analysis
Stage 1 vs Stage 2
- Stage 1 (CR #14 or #15): Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
- Stage 2 (CR #9 or #7): Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for eligible hospitals.
Stage 2 Thoughts
- 45 CFR 164.312(a)(2)(iv) is the Encryption and Decryption safeguard of the Access Control standard
- Does not change the HIPAA Standards: 164.306(d)(3) regards implementation specifications and addressable safeguards, so the reasonable and appropriate standard still applies
- Biggest burden is on EHR vendors
  - EHR vendors are required to deliver software in an encrypted state
  - Software must require administrative-level privileges to disable encryption
- New language regarding Risk Management: reference to the Security Management Process standard
HIPAA Verbiage
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information."
Why Security Risk Analysis?
- Improves awareness
- Justification for "reasonable and appropriate" decisions on addressable implementation specifications
- Identifies assets, vulnerabilities and controls
- Improved basis for decision making
- Justifies expenditures for security
- Helps determine personnel access levels
- Otherwise you are just guessing!
A Risk Analysis Should
- Identify IT assets that touch ePHI
- Clarify ePHI flows: into, within, and out of the organization
- Determine policy compliance (regulatory map)
- Identify and categorize risks to the CIA of ePHI
- Recommend and rank standards and controls for remediating, mitigating and managing risks
#1 How to Conduct a Security Risk Analysis?
- NIST SP 800-30: Guidance on Risk Assessment
- NIST SP 800-66: Resource Guide for Implementing HIPAA
- HHS Audit Protocol, June 2012
- ONC Guide to Privacy and Security of HIT: Myths and Facts (p. 11)
ONC Guide to Privacy and Security: Security Risk Analysis Myths and Facts
- Myth: Optional for small providers. Fact: No. It applies to all eligible providers (EPs).
- Myth: Installing a certified EHR is enough. Fact: No. The risk analysis must look at all systems with ePHI.
- Myth: My EHR vendor is handling this. Fact: No. EPs are solely responsible for the risk analysis.
- Myth: A checklist will suffice. Fact: No. While useful, checklists are inadequate.
- Myth: It only needs to look at the EHR. Fact: No. It covers all IT assets processing, storing or accessing ePHI.
- Myth: I must outsource the risk analysis. Fact: No. You can conduct this yourself.
ONC on Outsourcing (p. 17)
"Select a qualified professional to assist you with the security risk analysis. If you need to, outsource this to a professional; a qualified professional's expertise and focused attention will yield quicker and more reliable results than if your staff does it piecemeal over several months."
NIST Process Diagram
NIST: Preparation
Identify:
- Purpose
- Scope
- Assumptions and constraints
- Sources of information
- Risk model and analytic approach
NIST: Conducting
- Identify threat sources
- Identify threat events
- Identify vulnerabilities
- Determine likelihood
- Determine impacts
- Determine ranking (pairing)
Step by Step Guide - Determine the Level of Risk
19. Rank overall risk based on the vulnerability pairings
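As an added illustration (not material from the presentation), the NIST "conducting" steps above carried through in Python: each asset that touches ePHI is paired with a threat source, threat event and vulnerability, scored for likelihood and impact, and ranked. The 1 to 5 scales, the likelihood × impact rule, the High/Medium/Low cut-offs and the sample inventory are all constructed assumptions.

```python
"""Toy risk ranking in the style of the NIST SP 800-30 steps on the slides.

Added example; the assets, threat events, vulnerabilities and the 1..5
scales are constructed, and risk = likelihood x impact is one common way
to realise the "determine ranking (pairing)" step, not a HIPAA requirement.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pairing:
    asset: str          # IT asset from the ePHI inventory
    cia: str            # Confidentiality, Integrity or Availability at stake
    threat_source: str
    threat_event: str
    vulnerability: str
    likelihood: int     # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int         # 1 (negligible) .. 5 (severe), constructed scale

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def level(score: int) -> str:
    """Bucket a 1..25 score into a rating an auditor can read at a glance."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank(pairings):
    """Step 19 on the slide: order the pairings by overall risk, highest first."""
    return sorted(pairings, key=lambda p: (-p.risk, p.asset))


# Constructed sample inventory; not from any real covered entity.
SAMPLE = [
    Pairing("Clinic laptop (fat client)", "Confidentiality", "Thief",
            "Laptop lost off-site", "Disk not encrypted", 4, 5),
    Pairing("EHR database server", "Availability", "Ransomware operator",
            "Server data encrypted by malware", "Backups never restore-tested", 2, 5),
    Pairing("Front-desk workstation (thin client)", "Confidentiality", "Visitor",
            "Screen viewed by passer-by", "No screen-lock timeout", 3, 2),
    Pairing("Windows XP PC", "Integrity", "Malware",
            "Unpatched flaw alters records", "OS past end of life", 4, 4),
]


def report(pairings=SAMPLE):
    """Return (asset, score, rating) rows, ranked; this is what goes in the RA report."""
    return [(p.asset, p.risk, level(p.risk)) for p in rank(pairings)]


if __name__ == "__main__":
    for asset, score, rating in report():
        print(f"{rating:6} {score:2}  {asset}")
```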
Common Errors
- Checklists only
- No inventory
- Compliance focused only
- No listing or ranking of risks
- No recommended controls or mitigation actions
- Not dated within the reporting period for MU
Key Auditor Considerations
- References ONC and HHS guidance and adequately covers risk associated with the use of certified EHR technology
- Conducted by either the audited entity or a consultant (not EHR vendor affirmations)
- Is it just a compliance checklist, or an actual assessment of risks?
- Needs to be dated, but can reference a previous risk assessment that shows continued improvement
Self-Assessment Tools
Problems:
- Not intended for enterprises
- Hard to use
- Aren't very good at identifying risks
- Require expert knowledge to use well
- Compliance rather than risk focused
- NIST is not required for non-federal entities
Available tools:
- Not recommended: HHS Toolkit, NIST Toolkit
- Use with caution: National Learning Consortium, HIMSS
RA Mini Project Plan
- Identify team
- Inventory and asset list
- Information flows
- Network diagram and system boundary; risk categorization
- Interfaces inventory
- Policy review and mapping
- Security incidents review
- Training materials review
- Vulnerability scan and penetration testing
- Wireless security assessment
- Firewall/gateway settings
- Physical security assessment
- Contingency plan and backup analysis
- Leadership analysis
- Authentication and access controls
- Encryption determination
- Transmission security
- Mobile device security
- Risk identification and ranking
- Report: mitigation and controls
Risk Assessment Review
- Only if there are no significant changes in the system or operating environment
- A full risk analysis should be conducted every 2 to 3 years
- Iterative (changes since the last risk assessment):
  - Document changes
  - Update inventory
  - Review incidents and do root cause analysis
  - Workflow analysis
  - New vulnerability scans, including external
  - Review of prior technical assessments (wireless security, authentication and access controls, audit controls and processes, etc.)
  - Progress implementing controls
  - Update risk matrix
  - Recommend and advise on additional security controls
  - Update the security management plan
Example: Addressable Safeguard - Encryption
- Class of device: laptop, workstation, etc.
- Laptops: portable, battery powered
- Mobility and physical security
- Data storage
- Performance
- Alternatives
Ranking of Devices
1. Server in a data center
2. Server not in a data center
3. Workstations with thin client
4. Non-mobile laptops with thin client
5. Workstations with fat client
6. Mobile laptops with thin client
7. Mobile laptops with fat client
Example: Non-regulatory High Risk from Risk Analysis - Windows XP EOL
- April 8th: support being discontinued
- Devices increasingly vulnerable
- Regulatory compliance impact?
Windows XP EOL Mitigation Options
- Use XP machines only for essential applications
- Repurpose assets to non-sensitive data
- Ensure and update software for use with XP
- Discontinue use of applications that open files from the internet
- Discontinue use of Internet Explorer
- Disconnect XP machines from the network
- Increase frequency of vulnerability scans
- Use web-content filtering to block access to known malicious sites
- Re-architect assets to thin client
- Improve network gateway security
- Replace hardware or upgrade to a new OS
http://www.healthsecuritysolutions.com/2014/03/time-to-update-are-you-ready-to-leavewindows-xp-behind/
Closing Thoughts: Pulling It All Together
- Integrate into your business practices
- Automate as much as possible
  - Application: use Active Directory and other network tools
- Define and understand vendors' roles
- Create and use checklists
  - Period based: monthly, quarterly, annually
  - Event based: new hires, new software, etc.
- Consider outsourcing
Your HIPAA Compliance Partner
Contact Information: Steve Spearman sspearman@healthsecuritysolutions.com 864-643-2579