HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help



Similar documents
Best Practices for DLP Implementation in Healthcare Organizations

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

Somansa Data Security and Regulatory Compliance for Healthcare

COMPLIANCE ALERT 10-12

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

New HIPAA regulations require action. Are you in compliance?

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Data Loss Prevention Best Practices to comply with PCI-DSS An Executive Guide

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

The Impact of HIPAA and HITECH

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

Department of Health and Human Services. No. 17 January 25, Part II

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA: AN OVERVIEW September 2013

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Lessons Learned from HIPAA Audits

Protecting Regulated Information in Cloud Storage with DLP

HIPAA Security Rule Compliance

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

The Basics of HIPAA Privacy and Security and HITECH

HIPAA BUSINESS ASSOCIATE AGREEMENT

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA in an Omnibus World. Presented by

Business Associate Management Methodology

Bridging the HIPAA/HITECH Compliance Gap

Business Associates, HITECH & the Omnibus HIPAA Final Rule

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance Guide

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

HIPAA and HITECH Compliance for Cloud Applications

Data Breach, Electronic Health Records and Healthcare Reform

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

Business Associate Liability Under HIPAA/HITECH

BUSINESS ASSOCIATE AGREEMENT

HIPAA Compliance Guide

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

The HIPAA Audit Program

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

M E M O R A N D U M. Definitions

Legislative & Regulatory Information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR Court Reporters and HIPAA

HIPAA Compliance Calendar

Overview of the HIPAA Security Rule

University Healthcare Physicians Compliance and Privacy Policy

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Dissecting New HIPAA Rules and What Compliance Means For You

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

Document Imaging Solutions. The secure exchange of protected health information.

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

BUSINESS ASSOCIATE AGREEMENT ( BAA )

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

BUSINESS ASSOCIATE AGREEMENT

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Business Associate Agreement Involving the Access to Protected Health Information

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

Transcription:

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013, requires immediate attention by any organization handling Personal Health Information. This paper reviews highlights of this Rule and describes how an appropriate Data Loss Prevention technology may significantly help address compliance requirements. What is the Omnibus Rule? On January 25 the U.S. Department of Health & Human Services' Office for Civil Rights published its 563-page final Omnibus Rule with the objective of clarifying, data privacy and security enforcement objectives for the Health Information Portability and Accountability Act (HIPAA). These objectives have, in particular, been updated to address electronic health record requirements as mandated by the HITECH Act. The Omnibus Rule is in effect as of March 26, and Covered Entities have until Sept. 22, 2013 to become compliant. The new rule will help protect patient privacy and safeguard patients health information in an ever expanding digital age. What is the HITECH Act? The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law by President Obama on February 17, 2009, to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States as part of the American Recovery and Reinvestment Act of 2009 (ARRA) economic stimulus bill. Financial incentives to healthcare providers for demonstrating meaningful uses of EHR will be offered until 2015, after which time penalties may be levied for failing to demonstrate such use. U.S. Health & Human Services' Secretary, Kathleen Sebelius Who Must Comply with the Rules? As required by Congress in HIPAA, the Privacy Rule covers: Health plans Health care clearinghouses Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These entities, collectively called Covered Entities, are bound by the standards even if they contract with others, called Business Associates, to perform some of their essential functions. HIPAA Omnibus Compliance 1 of 8

The Omnibus Rule clarifies that a Covered Entity is any organization or individual that directly handles Personal Health Information (PHI), generally referring to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care. How Are Business Associates Treated? HIPAA defines a Business Associate as any organization or person working in association with or providing services to a Covered Entity handling or disclosing Personal Health Information (PHI). Examples of Business Associates may include accounting or consulting firms that work with covered entities, or any number of other contractors or subcontractors that have or could have access to such protected information. Extensions made to the HIPAA regulation by the HITECH Act require Business Associates to comply with HIPAA mandates regarding the handling and use of PHI. Since February, 2010, the Department of Health and Human Services has been able to audit Business Associates for HIPAA compliance. The Omnibus Rule clarifies the definition of a Business Associate as one that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity What is Important in Establishing PHI Policies? Health and Human Services explains that the Omnibus Rule encompasses modifications and clarifications to four previously existing rules: 1. HIPAA Privacy, Security, and Enforcement Rules to include HITECH requirements 2. Breach Notification Rule 3. HIPAA Privacy Rule regarding GINA, the Genetic Information Nondiscrimination Act of 2008 4. Additional modifications to HIPAA Rules Penalties for noncompliance increase based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. "This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their Business Associates." HHS Office for Civil Rights Director Leon Rodriguez Individual rights are expanded. Patients can ask for a copy of their electronic medical record in an electronic form and may in certain conditions instruct their provider not to share information about their treatment with their health plan. New limits are set on how information is used and disclosed for marketing and fundraising purposes and the sale of an individuals health information without their permission is prohibited. HIPAA Omnibus Compliance 2 of 8

The individuals ability to authorize the use of their health information for research purposes is streamlined. And, the new rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school. The Omnibus Rule clarifies statutory changes under the HITECH Act and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes. What is the HIPPA Security Rule? "The HIPAA Security Rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a Covered Entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information." The Security and Privacy Rule both share the common goal of safeguarding PHI, the Privacy Rule applies to all media types including paper, oral, or electronic The HIPAA Security Rule s requirements are organized into three categories: Administrative, Physical, and Technical Within these categories are 18 standards and 36 implementation specifications. Implementation specifications are further categorized into Required and Addressable. Required specifications are critical and must be implemented. Addressable specifications are based on the individual needs and practices of a Covered Entity. What is the HIPPA Privacy Rule? "The HIPAA Privacy Rule establishes national standards and requires appropriate safeguards to protect the privacy of personal health information by setting limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patient s rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections." While the Security and Privacy Rule both share the common goal of safeguarding PHI, the Privacy Rule applies to all media types including paper, oral, or electronic. The Privacy Rule requires organization to consider the confidentiality, integrity, and availability of PHI. Procedures need to be in place to address the use and disclosure of PHI and notice of privacy practices HIPAA Omnibus Compliance 3 of 8

What is the HIPAA Breach Notification rule? Interim final breach notification regulations, issued in August 2009, implemented section 13402 of the HITECH Act by requiring HIPAA Covered Entities and their Business Associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act. What Technology is Available to Help? To assist in managing compliance with these regulations an appropriate Data Loss Prevention, DLP, technology may be deployed. The DLP acronym can mean different things to different people. This may be partly due to a desire on the part of vendors to promote simple solutions for what are complex problems and partly due to a lack of standard industry terminology surrounding the topic. However, useful definitions are provided by several industry consultants. To be considered Content Aware DLP, products must support sophisticated detection techniques that extend beyond simple matching to keywords and regular expressions. Gartner Inc. defines content-aware Data Loss Prevention technologies as those that, as a core function, perform content inspection of data at rest or in motion, and can execute responses ranging from simple notification to active blocking based on policy settings. To be considered Content Aware DLP, products must support sophisticated detection techniques that extend beyond simple matching to keywords and regular expressions. To be of value to the tasks of managing the Protected Health Information discussed here requires an appropriate Content Aware DLP capable of preventing as well as reporting on improper access to protected information. This will be required in order to identify sensitive information within the context of the information and in the form that it may be digital represented. For example, a string of 9 digits in a spreadsheet attached to an email on a medical topic may or may not represent a Social Security identity. To do this effectively and efficiently an appropriate Content Aware DLP will apply advanced fingerprinting techniques which have been developed in the industry specifically for this type of deep content analysis required when the stakes are high. HIPAA Omnibus Compliance 4 of 8

What are Examples of how DLP can Address Specific Statute Requirements? Statute 164-306, Security standards Requires a Covered Entity to ensure the confidentiality, integrity, and availability of all electronic protected health information the Covered Entity creates, receives, maintains, or transmits. An appropriate Data Loss Prevention Solution will help with the confidentiality portion of this safeguard in ways such as: Detect and Prevent Email containing PHI from being transmitted to the internet Detect and Prevent Network transmissions containing PHI from leaving the Covered Entitie's network (including email or access to webmail providers such as Gmail) Detect and secure any unencrypted PHI found on workstations, laptops or network file shares with inadequate controls Detect and Prevent PHI from being copied to USB devices (or burned to DVD/CD) A Covered Entity must ensure the confidentiality, integrity, and availability of all electronic protected health information the Covered Entity creates, receives, maintains, or transmits. Statute 164-308, Administrative safeguards, section A, Risk Analysis Requires a Covered Entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the Covered Entity. An appropriate Data Loss Prevention will further provide a mechanism to continuously assess potential confidentiality risks to PHI held by a Covered Entity by providing the following capabilities: Continuously scan all network traffic (including email, webmail and other traffic) destined for the internet to identify and block potential external transmission of unencrypted PHI Periodically asses unencrypted PHI on workstations, laptops, and file systems to determine if any data is being stored in locations without proper controls Monitor all data copied to USB and prevent any PHI from being copied without adequate encryption controls HIPAA Omnibus Compliance 5 of 8

Statute 164.312, Technical Safeguards Requires a Covered Entity, in accordance with 164.306, implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). A Data Loss prevention solution addresses this safeguard by providing mechanisms: To discover unencrypted PHI on systems with inadequate controls (this is called Discovery DLP). The discovery process will scan File Shares, Workstations, SharePoint Servers and Databases for confidential information To detecting PHI about to be written to USB, CD or DVD. A DLP solution has specific mechanisms to detect, block or encrypt PHI about to be written to USB, CD or DVD. Statute 164-312 (e)(1), Technical safeguards: Transmission Security Requires a Covered Entity to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. A Covered Entity must implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. An appropriate DLP addresses this safeguard with a comprehensive mechanism, called Network DLP, to detect unencrypted PHI leaving an organizations network destined for the internet. This capability has specific mechanisms: for the detection and prevention of PHI sent via email, for the detection and prevention of PHI over HTTP/HTTPS perhaps resulting from using Gmail or other webmail provider to audit that patient data is not being sent via any other protocol HIPAA Omnibus Compliance 6 of 8

What are some of the Major Points Worth Remembering? Breaches are often perceived as occasional disasters. In fact, they are actually daily incidents that can be prevented through implementation of proper policies and appropriate technology to support them. Business Associates and their subcontractors are now subject to HIPAA compliance audits. Those contracts should be updated to include verbiage acknowledging they understand they must comply with breach notification rules. In some cases, a one-year grandfather period may be granted to revise agreements already in place. The new Omnibus Regulations place greater emphasis on prebreach prevention as well as post-breach response. Developing metrics to measure how well PHI is being protected will be essential in achieving and demonstrating compliance when requested. Technology exists to support data risk assessments as new health applications are brought online and new Business Associates for IT are becoming a key part of a healthcare organization's infrastructure. DLP technology may be used to conduct internal HIPAA compliance audits. This practice will assist healthcare organizations in demonstrating compliance should they be audited. The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule... will begin to be enforced September 23, 2013 Conclusion The changes brought by the long awaited HIPAA Omnibus Rule have been delivered and enforcement will begin in September 2013. These changes were created to provide more clarity to the HIPAA/HITECH regulations previously announced. In addition, non-compliance on the part of all health information handlers will be vigorously pursued and penalties will be applied to Covered Entities as well as their Business Associates. Utilizing innovative technology such as Data Loss Prevention Solutions can go a long way to toward protecting Healthcare Organizations and ensuring they are in compliance with the latest Omnibus Regulations. HIPAA Omnibus Compliance 7 of 8

About Code Green Networks Code Green Networks delivers data loss prevention solutions that protect private employee and customer information and safeguard intellectual property across all electronic communications channels. The company s easyto-deploy, easy-to-manage content inspection appliances rapidly detect and prevent potential data leaks, helping organizations automate compliance and mitigate risks from internal breaches that can result in loss of revenue, financial penalties and irreparable damage to a corporation s image, brand and customer loyalty. Code Green Networks, Inc. 385 Moffett Park Drive Suite 105 Sunnyvale, CA 94089 Phone: +1 (408) 716-4200 E-mail: info@codegreennetworks.com HIPAA Omnibus Compliance 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information