Meaningful Use and Security Risk Analysis: Meeting the Measure, Security in Transition

Executive Summary

Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties? You're not alone. A majority of healthcare providers plan to either implement electronic health records, or take a closer look at existing systems to apply for compliance in the immediate future. A key part of meeting the Meaningful Use compliance requirement is conducting a risk assessment. There is considerable confusion in the market regarding how this should be conducted, but at the core it is a revival of the original HIPAA rules regarding security. By conducting an analysis that covers several core areas, and gaining a comprehensive understanding of how and where your electronic health information is used and stored, you can begin to build a stronger risk posture and avoid fines and penalties.

"Only 20 percent of doctors and 10 percent of hospitals use even basic electronic health records." Kathleen Sebelius, Secretary of Health and Human Services, July 2010

Introduction

In the evolutionary race of patient data, electronic medical records are winning; not only because of the efficiencies gained from these technologies, but also due to mounting pressure from the increased prevalence of breaches, audits, and government incentives. Despite this rapid natural selection of the computing landscape, though, many healthcare providers have yet to adopt an electronic data reporting or electronic health records (EHR) system, although there are many EHR options in the marketplace. This will likely change, since the Meaningful Use guidelines provide incentives in the near term, followed by penalties for late adoption of EHR.
As an incentive to secure these systems, Stage 1 of the Meaningful Use guidelines includes a measure for protecting electronic health information under requirement 45 CFR 164.308(a)(1), including conducting a risk analysis, implementing security measures as appropriate, and correcting identified security deficiencies as part of an overall risk management process. Approximately 90 percent of hospitals have expressed intent to meet the Stage 1 requirements by 2012. However, only 2 percent of providers had met Stage 1 of the Meaningful Use requirement by 2009. And according to a survey by PricewaterhouseCoopers, as of September 2011, only 19 percent of healthcare providers said they have completed the prerequisite security assessment, which includes criteria for access control, identity management, and encryption. [1] As HHS Secretary Kathleen Sebelius proclaimed in 2010, only 10 percent of hospitals are using electronic health records in any capacity. [2] This glaring reality illustrates that, even though HIPAA regulations have been defined since 1996, and electronic medical records software has been in the market for decades, the United States is still very slow to adopt these technologies.

With incentives through HITECH and the Meaningful Use guidelines, large amounts of data are expected to come online in the near future, creating significant exposure to unprecedented risks. Since healthcare is already under attack from cybercriminals and insiders, the current trends could be only the tip of the iceberg in terms of the number and types of breaches and cyber-attacks that we may see in the future.

To put this potential risk in further perspective, HIMSS Analytics awards the Stage 7 designation to health care organizations that have the highest level of EHR implementation, with patient encounters that are completely paperless and integrated. According to HIMSS, this allows the health organization to support the true sharing and use of health and wellness information. However, only 61 US hospitals have achieved this award as of October 2011. [3] And already, a breach of personal health information occurred, on average, every other day in the past year and a half. [4]

[1] PwC whitepaper, "Old Data Learns New Tricks"
[2] http://www.dailynorthwestern.com/city/sebelius-talks-healthcare-reform-at-uic-1.2647199
[3] http://www.himssanalytics.org/hc_providers/stage7hospitals.asp, accessed October 25, 2011
[4] US Department of Health and Human Services Office for Civil Rights, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html, accessed June 27, 2011

Meaningful Use Incentives and Disincentives

Government incentives are in place to quickly meet the Meaningful Use requirements, including security. The HITECH Act earmarks up to $27 billion for healthcare IT (HIT) over the next several years, with stimulus payments to adopt the core and menu sets of the Meaningful Use requirements. [5] Therefore, providers have a strong rationale to begin immediate adoption of EHR.

Under the Medicare EHR Incentive Program, Medicare eligible professionals who demonstrate meaningful use of certified EHR technology can receive up to $44,000 individually over 5 years. But to receive the maximum incentive payment, the eligible professionals must begin participation by 2012. For 2015 and later, Medicare eligible professionals who do not successfully demonstrate Meaningful Use will have a payment adjustment to their Medicare reimbursement. The payment reduction starts at 1 percent and increases each year that a Medicare eligible professional does not demonstrate meaningful use, to a maximum of 5 percent (see Figure 1). This is a strong indicator that hospitals will eventually be required to meet the Meaningful Use requirements. The incentives that are in place require providers to act quickly to buffer enough time to implement the strategies, hardware, processes, and controls that will be required. The incentives and penalties also indicate that information technology and security may consume more of a provider's capital budget in the near future, and that culture change and workflow change management will need to take place prior to implementing a new electronic health records system in order for the strategy to be sustainable.

[5] http://www.healthdatamanagement.com/blogs/privacy-security-meaningful-use-ehr-electronic-health-record-42118-1.html

Figure 1: Meaningful Use Incentives (figure not reproduced in this transcription)

Strong incentives are in place to conduct a comprehensive risk assessment.

Figure 2: Meaningful Use as it Relates to HIPAA (figure not reproduced in this transcription)

Meaningful Use is a Throwback to HIPAA

The security requirements for Meaningful Use are nothing new. Meaningful Use references the Security Rule established in 1996 in the original form of HIPAA. When the HITECH Act was developed as part of the American Recovery and Reinvestment Act, it applied some new extensions to the already existing rule. [6] For instance, with HITECH, new breach notification rules were extended, mandating reporting of breach incidents to HHS for breaches that affect more than 500 people, and extending the rules to health care business associates. HITECH also implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorneys general to file civil actions for HIPAA violations on behalf of a community's constituents.

The specific carryover of the Meaningful Use guidelines, set out by CMS, is measure 45 CFR 164.308, which sets out the requirement to conduct a risk assessment. This measure, in turn, is part of a series of measures that encompass the full Security Rule from HIPAA (see Figure 2). Meaningful Use can be thought of as HHS finally starting to get some sizzle to their steak in terms of enforcing and incenting providers not only to adopt EHR, but also to make sure that it is implemented in a way that supports the original HIPAA guidelines. One of the core requirements for meeting Meaningful Use is having a risk mitigation and security plan in place for protecting electronic Personal Health Information (ePHI). The large cohort of providers that are planning to meet the Stage 1 requirements by 2012 have the onus to pay particular attention to the implementation of a clear security and risk mitigation and management plan.

How the risk assessments are conducted still has some flexibility built in, which adds some confusion to the environment. Federal guidelines such as NIST SP 800-66 are often referred to. There are several core questions that this guideline and others recommend providers consider in implementing the Security Rule, such as:

- Have you identified what the specific ePHI is within your organization, including that which is created or transmitted?
- Have you identified all external sources of ePHI, including what business associates create, receive, or transfer?
- Have you identified all internal and external threats to your information systems that could compromise ePHI?

While risk analysis is a necessary component to reach and achieve the Meaningful Use requirements, it is also a necessary tool to reach any sort of substantial compliance with many other standards and implementation specifications. So, although it is a starting point, the risk assessment is really just a step toward the goal of complete compliance that will be required and continually enforced in the near future.

The HIPAA Security Rule specifically focuses on the safeguarding of ePHI and is the most comprehensive guideline regarding protected health information. All HIPAA covered entities, which includes some federal agencies, must comply with the rule, which focuses on protecting the confidentiality, integrity, and availability of ePHI. The ePHI that a covered entity creates, utilizes, archives, or transmits must be protected against reasonably anticipated threats, hazards, and unauthorized disclosure. Specifically, the Security Rule applies to all covered entities including covered healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors; although the HITECH Act has extended this liability to third parties that interface with the organization's ePHI. [7]

[6] http://www.hipaasurvivalguide.com/hitech-actsummary.php
[7] http://www.hipaasurvivalguide.com/hitech-actsummary.php
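The three questions above amount to an inventory: where ePHI lives and flows, which business associates handle it, and which threats could compromise it. The following Python is an added example, not code from the whitepaper or from Dell SecureWorks, showing how such an inventory can be kept as a scored risk register from which the open high-scoring items and an overdue re-analysis date fall out of the data rather than being tracked by memory. The 1-5 likelihood and impact scale, the threshold of 12, and the three threat-derivation rules are assumptions made for illustration; neither the paper nor NIST SP 800-66 prescribes them.

```python
"""ePHI risk register built around the Security Rule inventory questions:
where ePHI is created, stored and transmitted, which business associates
handle it, and which threats could compromise it.

Added example; not the whitepaper's or Dell SecureWorks' code. The 1-5
likelihood/impact scale, the HIGH threshold and the threat-derivation
rules are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Asset:
    """One place ePHI lives or flows through (inventory questions 1 and 2)."""
    name: str
    location: str                      # "internal" or "business_associate"
    encrypted_at_rest: bool
    mobile: bool = False
    baa_signed: Optional[bool] = None  # only meaningful for business associates


@dataclass
class Risk:
    """One threat against one asset (inventory question 3)."""
    asset: Asset
    threat: str
    likelihood: int      # assumed scale: 1 (rare) .. 5 (expected)
    impact: int          # assumed scale: 1 (negligible) .. 5 (large breach)
    mitigation: str = ""
    corrected: bool = False

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


HIGH = 12  # assumed threshold: a score of 12 or more needs a documented correction plan


def build_register(assets: List[Asset]) -> List[Risk]:
    """Derive a starting set of risks from asset attributes, highest score first.

    Constructed rules for this example:
      * every asset carries an unauthorized-access risk;
      * an unencrypted mobile device adds a loss/theft risk;
      * a business associate without a signed BAA adds a disclosure risk.
    """
    risks: List[Risk] = []
    for a in assets:
        risks.append(Risk(a, "unauthorized access by a workforce member", 2, 4))
        if a.mobile and not a.encrypted_at_rest:
            risks.append(Risk(a, "loss or theft of an unencrypted device", 4, 5,
                              mitigation="full-disk encryption and remote wipe"))
        if a.location == "business_associate" and not a.baa_signed:
            risks.append(Risk(a, "disclosure by a business associate without a BAA", 3, 5,
                              mitigation="execute a business associate agreement"))
    return sorted(risks, key=lambda r: r.score, reverse=True)


def open_high_risks(risks: List[Risk]) -> List[Risk]:
    """High-scoring risks whose deficiency has not yet been corrected."""
    return [r for r in risks if r.score >= HIGH and not r.corrected]


def analysis_overdue(last_analysis: str, today: str, max_age_days: int = 365) -> bool:
    """True when the benchmark analysis (ISO dates) is older than the assumed annual cycle."""
    last = date.fromisoformat(last_analysis)
    now = date.fromisoformat(today)
    return now - last > timedelta(days=max_age_days)


# Constructed sample inventory for a small practice.
SAMPLE_ASSETS = [
    Asset("EHR database server", "internal", encrypted_at_rest=True),
    Asset("physician tablets", "internal", encrypted_at_rest=False, mobile=True),
    Asset("billing clearinghouse", "business_associate", encrypted_at_rest=True,
          baa_signed=False),
]


if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS)
    for r in register:
        flag = "HIGH" if r.score >= HIGH else "    "
        print(f"{flag} {r.score:>2}  {r.asset.name:<22} {r.threat}")
    print("open high risks:", len(open_high_risks(register)))
    print("analysis overdue:", analysis_overdue("2010-09-01", "2011-10-25"))
```

Marking a risk as corrected is the only way an item leaves the high-risk list, which keeps the register honest about the third imperative (correcting deficiencies) rather than letting a score be edited downward.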
Three Major Imperatives of the Security Rule

The one measure related to security in the Meaningful Use guidelines is Core Measure 15 for Eligible Providers (EPs). The measure stipulates that healthcare providers must conduct a risk assessment; but in its totality, there are three basic areas that comprise the Meaningful Use Security Rule as part of rule 164.308.

The first, conducting a security risk analysis, is already required by HIPAA. Some of the key questions to ask regarding this requirement are:

- How thorough was the initial risk analysis, if any?
- What methodology was used?
- Did it just cover your organization, or were third parties also examined?

This is important to note since the HITECH Act added rules mandating that the Security Rule apply not only to the covered entity, but also to business associates who interact with your ePHI.

Secondly, the risk analysis should be updated annually. As the media has sensationalized almost daily, constant threats are emerging of an always-increasing scale and sophistication, so having a process in place to proactively monitor these threats regularly is essential. Each year, the original benchmark analysis should be revisited, and a vulnerability management program should be implemented to find, test, and deploy the necessary fixes and security interventions that arise. Mobile devices present a special concern since more than 85 percent of physicians have expressed a desire to be able to access ePHI anytime, anywhere, and on any device. [8] And since a significant portion of these devices are not currently encrypted or tracked on most networks, it is sometimes difficult to fully comprehend what the level of risk is without understanding the demands these disparate devices place on having layered security, policies, controls and procedures in place.

The third requirement is correcting security deficiencies. This is already a familiar concept in the world of healthcare since patient safety, financial risk, and occupational hazards are all tracked and measured. This same strategy needs to be applied to security risk management. And not all of these measures are necessarily technical. Process oversight, training, and accountability management are just as necessary to keep a streamlined risk management program in place.

Overall, the 164.308 measure also encompasses 164.306, which dictates that covered entities must also apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures, and implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. The Security Rule is not just a one-time event that can be used to apply for federal incentives or examine the system; it really must be a repeatable and sustainable process that allows for regular updates and mitigation at any point in the cycle.

[8] http://mobihealthnews.com/8889/survey-86-percentof-mds-want-mobile-emr-access/

Audits are Underway

Historically, audits have been limited in healthcare; and because the healthcare industry doesn't have examiners as in the financial industry, the risks have been limited to those of an actual breach, not of failing an examination as in the banking industry. But the increasing objectivity of the requirements of Meaningful Use and audit plans for the future are changing this dynamic to create a more urgent need to implement a security strategy.
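The 164.306 procedure described under the three imperatives above, regular review of audit logs and access reports, is easy to state and easy to let slide. The following Python is an added example, not code from the whitepaper or from Dell SecureWorks: it runs three review rules over a constructed EHR access log (an account missing from the HR roster, access outside business hours, and one user opening far more patient records than peers) and produces the counts a periodic access report would carry. The CSV format, the field names, the roster and the rules are assumptions made for illustration; real EHR products log in their own formats.

```python
"""Periodic review of EHR audit-log records, as 164.306 calls for
(audit logs, access reports, incident tracking).

Added example, not the whitepaper's or Dell SecureWorks' code. The CSV
log format, field names, HR roster and the three review rules are
assumptions constructed for illustration.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample audit log: one patient-record access per line.
SAMPLE_LOG = "timestamp,user,role,patient_id,action\n" + "\n".join(
    [
        "2011-10-03T08:12:00,jdoe,nurse,P1001,view",
        "2011-10-03T08:15:00,jdoe,nurse,P1002,view",
        "2011-10-03T23:40:00,jdoe,nurse,P1003,view",        # after hours
        "2011-10-03T10:00:00,tgone,physician,P1010,view",   # account should be disabled
        "2011-10-03T11:00:00,kwu,physician,P1020,view",
        "2011-10-03T11:05:00,kwu,physician,P1021,update",
    ]
    # twelve distinct patients opened by one billing user in twelve minutes
    + [f"2011-10-03T09:{m:02d}:00,bsmith,billing,P2{m:03d},view" for m in range(12)]
) + "\n"

# Constructed HR roster of accounts that should still be active; 'tgone' was terminated.
ACTIVE_USERS = {"jdoe", "bsmith", "kwu"}
BUSINESS_HOURS = (7, 19)  # assumed: 07:00 to 19:00 local time
SPIKE_FACTOR = 3          # assumed: flag a user opening > 3x the median number of patients

Finding = Tuple[str, str, str]  # (rule, user, detail)


def parse_log(text: str) -> List[dict]:
    """Parse the CSV log, converting the timestamp column to datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(rows: List[dict]) -> List[Finding]:
    """Apply the three review rules and return every finding."""
    findings: List[Finding] = []
    patients_per_user = defaultdict(set)
    for r in rows:
        ts = r["timestamp"]
        patients_per_user[r["user"]].add(r["patient_id"])
        # Rule 1: access from an account that is not on the active roster.
        if r["user"] not in ACTIVE_USERS:
            findings.append(("terminated-account-access", r["user"], ts.isoformat()))
        # Rule 2: access outside business hours.
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after-hours-access", r["user"], ts.isoformat()))
    # Rule 3: a user whose distinct-patient count is far above the median user's.
    counts = sorted(len(p) for p in patients_per_user.values())
    median = counts[len(counts) // 2] if counts else 0
    for user, patients in patients_per_user.items():
        if len(patients) > SPIKE_FACTOR * median:
            findings.append(("volume-spike", user,
                             f"{len(patients)} distinct patients vs median {median}"))
    return findings


def count_findings(findings: List[Finding]) -> Dict[str, int]:
    """Per-rule totals suitable for the periodic access report."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for rule, user, detail in found:
        print(f"{rule:<26} {user:<8} {detail}")
    print(count_findings(found))
```

The roster comparison is the rule most worth keeping: an audit log can only show that a terminated account was used if someone actually joins it against HR data, which is exactly the kind of procedure the measure asks to be written down and repeated.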
In July of 2011, the HHS Office for Civil Rights (OCR) announced that it had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012. [9] The implementation of this audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act. The KPMG contract enables OCR to "put feet on the street," while retaining an oversight role in the process. Sue McAndrew, OCR's deputy director for health information privacy, confirms that some audits could even result in OCR enforcement action. "Certainly, if we uncover in the course of the audit major violations or potential violations we will be dealing with those in the same manner we would through our formal enforcement process," she said recently. [10] Criminal and civil penalties can also be levied against organizations and/or individuals for violations of the HIPAA Privacy and Security Rules. Monetary penalties for a breach of the HIPAA Privacy and Security Rules range from $100 to $50,000 per violation. Additionally, state attorneys general are now authorized to bring civil actions against HIPAA violators on behalf of state residents. [11]

Each audit will follow a typical onsite audit process with an in-person visit and interviews with key management personnel such as the CIO, privacy officer, legal counsel, and health information management/medical records director. These audits will supposedly offer, at least initially, comprehensive assessments of compliance with the HIPAA Privacy and Security Rules rather than focus on specific, narrower issues. While the projected number of 150 audits in 2012 makes the likelihood of an audit visit to any one organization fairly low, OCR has a separate initiative underway to train State Attorneys General on the HIPAA audit process as well.

[9] http://govhealthit.com/news/hhs-taps-kpmg-performhipaa-audits
[10] http://www.healthcareinfosecurity.com/articles.php?art_id=3924&opg=1

Conclusion

Organizations participating in the EHR Meaningful Use plan already have a compelling incentive to conduct or update a security risk analysis. But simply pushing the organization to meet Meaningful Use with the singular goal of collecting incentive payouts does not prepare the organization for inevitable future audits, or to mitigate the additional risks posed by online data access, mobile devices, Health Information Exchanges, Accountable Care Organizations, the increased abilities of hackers, and the increased demands placed on organizations by macroeconomic trends such as the aging of the population. Meaningful Use has reinvigorated the discussion of what it means to have a strong security posture, but the most comprehensive security guidelines have existed in previous incarnations in the forms of HIPAA and HITECH. There are fundamental components of any assessment: understanding what controls are currently in effect, determining the impact of likely events from viruses to natural disasters, and documenting exposures and vulnerabilities, not only in systems but also in processes.
A healthcare organization's assessment program should consider questions regarding the controls that are implemented to safeguard the systems and information, and the physical facility and surrounding environment as well.

For more information about Dell SecureWorks, visit www.secureworks.com

[11] http://www.himss.org/content/files/mu_privacy_security.pdf