Sustainable Compliance: A System for Ongoing Audit Readiness
FairWarning Executive Webinar Series, November 14, 2013

Agenda
- Sustainable Compliance at St. Charles Health System
- Centralized Documentation
- Risk Analysis & Testing
- High Risk Areas
- Ongoing Compliance Activities
- Maximizing Your Compliance Coverage

Sustainable Compliance
Judi Hofman, BCRT, CHPS, CAP, CHP, CHSS
St. Charles Health System, Bend, Oregon

Sustainable Compliance
Overall sustainability of compliance
- Centralized documentation
  - Policies and procedures
  - Current risk analysis
  - Disaster recovery / emergency mode of operations plan
  - Incident response and investigation documentation
- Control testing and documentation of the risk analysis
  - Application layer
  - Infrastructure layer
  - Enterprise controls
Control testing matrix (one row per control, one column per key application; the first control is the only row with recorded results on the slide):

ID       Control Description                                                                                                   Ap 1   Ap 2   Ap 3   Ap 4
HIPAA 1  Strong password controls are enforced to safeguard against unauthorized access.                                      FAIL   PASS   PASS   PASS
HIPAA 2  User accounts are disabled or deleted on the key applications upon termination of an employee.
HIPAA 3  Administrator access within key applications is restricted to a defined set of system administration personnel.
HIPAA 4  A review of user accounts and their associated access levels is performed and adequately documented to ensure appropriate access to the system.
HIPAA 5  Change requests are formally documented and authorized by management before performing the work.
HIPAA 6  Monitoring procedures are designed to provide reasonable assurance around completeness and timeliness of system and data processing.
HIPAA 7  Backups are scheduled and monitored for successful completion.
Sustainable Compliance
Develop a compliance plan
- Engage impacted departments: IT, HR, Business, Internal Audit
- Combine with other compliance assessment activities: PCI, Financial, HR
- Evidence of compliance
  - Design effectiveness
  - Operational effectiveness

Sustainable Compliance
Top of the list compliance focus includes:
- Policies and procedures
- Workforce training (new and ongoing)
- Audit program
- Incident response (including breach response)
- Risk analysis & risk mitigation

Sustainable Compliance
High risk areas:
- Ongoing risk management
- Current disaster recovery and emergency mode of operations plan
- Encryption of any transmitted or transported electronic PHI
- Access control
- Risk assessment
HIPAA Security Series: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
Guidance on Risk Analysis Required under the HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Sustainable Compliance
High risk areas (continued):
- Compliant data backup and recovery
- Remote access management
- Wireless access
- Audit control
- Person or entity authentication
- Documentation plan to address OCR or state investigations and audits

Sustainable Compliance
What you need to do!
- Current risk assessment
- Prioritize compliance gaps from high to low risk
- Assign resources to eliminate privacy and security compliance gaps
- Track and document compliance project status
- Document mitigation activity
- Store all of it centrally

Sustainable Compliance
- This amounts to more than adopting the required policies and procedures: compliance is an ongoing process
- You need to demonstrate continued compliance activities (not a one-time event)
- Covered entities (CEs) bear the burden of demonstrating compliance
- The time is now to address compliance gaps

Chris Arnold, VP of Product Management
Regulatory Framework for HIPAA Compliance
- HIPAA Audit Protocol: user activity monitoring; 2014 OCR HIPAA enforcement; #1 security gap from pilot audits; patient privacy monitoring
- ARRA HITECH Meaningful Use: electronic health records; audit logs required; security risk analysis / correct deficiencies
- Protect your reputation; position yourself for HIPAA compliance

Maximize HIPAA Audit Protocol Coverage for Investment
FairWarning 3.1 maps directly to OCR HIPAA Audit Protocol requirements.
Patient privacy monitoring covers 25 of the HIPAA audit protocols, in the following HIPAA protocol sections:
- Audit Controls
- Security Incident Procedures
- Security Management Process
- Breach Assessment & Notification
- Security Awareness and Training
- Access Control
- Administrative Requirements
Compliance Dashboard
- 164.312(b): Audit Controls
- 164.308(a)(6): Security Incident Procedures & 164.308(a)(1): Security Management Process
- 164.402: Breach Risk Assessment
- 164.404 & 406: Breach Notification
- 164.308(a)(5): Security Awareness & Training
- 164.312(a): Access Control
- 164.414 & 530: Administrative Requirements - Burden of Proof & Training Documentation
- 164.530: Administrative Requirements - Complaints, Sanctions & Mitigation
More Information
A full mapping of FairWarning to the HIPAA Audit Protocols is available online: http://www.fairwarning.com/whitepapers/2012-07-WP-OCR-PROTOCOL-MAPPING.pdf

CMS Meaningful Use Audits
- 5-10% of eligible providers are audited
- Failing an audit means a complete return of all funds
- The biggest shortfalls include failure to have a well-documented security risk assessment and failure to address the areas of risk it identifies
- FairWarning addresses one of the most common risk areas identified: user activity monitoring
- For more information: http://journal.ahima.org/2013/10/30/prepare-now-for-possible-meaningful-use-audits/

PPM Business Case
Available after today's webinar: The Business Case for Patient Privacy Monitoring
- OCR HIPAA Audit Protocol mapping
- Benefits of FairWarning Patient Privacy Monitoring
- CMS Meaningful Use audit exposure
- Privacy incident risk estimator
- HIPAA Omnibus implications
- FairWarning return on investment
Available by emailing Solutions@Fairwarning.com

Questions?
Additional questions? Contact Solutions@FairWarning.com or @FairWarningInc