BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Transcript of BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...

Page 1: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...

7/28/2014

©Clearwater Compliance LLC 1

© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice


Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

For reprint permission and information, please direct your inquiry to [email protected]


Legal Disclaimer


Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 2: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Instructional Module 7: How to Assess and Monitor Your Compliance with the HIPAA Privacy and Security and HITECH Breach Notification Rules


Module 7. Overview

1. “How to Assess and Monitor Your Compliance with the HIPAA Privacy and Security and HITECH Breach Notification Rules”

2. Instructional Module Duration = 45 minutes

3. Learning Objectives Addressed In This Module

‒ Describe the Process for Conducting a Compliance Assessment

‒ Identify Practical Solutions to Close Common Compliance Gaps

‒ Use OCR’s 2012 Audit Protocols to Identify Specific Documentation Requirements

‒ Design an Assessment Compliance Dashboard for Communicating Remediation Progress

‒ Describe Additional Factors to Consider in Breach Determination

Page 3: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


9 Actions to Take Now

1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR §164.308(a)(1))

2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)

3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))

4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))

5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR §164.308(a)(8))

6. Complete Technical Testing of Your Environment (45 CFR §164.308(a)(8))

7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))

8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

9. Document and act upon a remediation plan

Demonstrate Good Faith Effort!


Four Critical Dimensions of a Balanced Compliance Program (Clearwater Compliance Compass™)

Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.

People must include talented privacy & security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.

Procedures or processes – documented – provide the actions required to deliver on the organization’s values.

Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti‐malware, intrusion detection, incident management tools, etc.).

Page 4: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Sample OCR Enforcement Action


Seeking Evidence of:

• Governance

• PnPs

• Assessments

• Documentation

• Etc.


Why do HIPAA Compliance Assessments?

1. Prepare for Mandatory Audits

2. Prepare for Complaint or Breach Investigations

3. Reduce the Risk of a Costly Data Breach

4. Complete Security Rule requirement 45 C.F.R. §164.308(a)(8)

5. Build Solid Educational Foundation

6. Re‐energize Overall Compliance Program

Evidence of Good Faith Effort vs. Reckless Disregard

Page 5: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Types of Assessments

1. Compliance Assessments (Security Evaluation ‐ Non‐Technical, at 45 CFR §164.308(a)(8))

– Where do we stand?

– How well are we achieving ongoing compliance?

2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))

– What are the threats and vulnerabilities of our information assets (ePHI)?

– What do we need to do to mitigate risks?

3. Technical Assessments (Security Evaluation – Technical , at 45 CFR §164.308(a)(8))

– How effective are the safeguards we have implemented? 

– Are the safeguards working?

4. Risk‐of‐Harm Breach Risk Assessment (Breach‐related, in HITECH parlance)

– Consideration of at least 4 factors to gauge the potential of compromise?

– Is there low probability of compromise of PHI?

Each Assessment Has Its Role and Proper Time

Pause & Quick Poll

HIPAA Compliance Assessments?

• Has Your Organization Completed HIPAA Privacy, Security or Breach Notification Rule Assessments?

YES / NO / DON’T KNOW

Page 6: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


How To Conduct a HIPAA Compliance Assessment

1. Crosswalk Policies and Procedures against the Rules

2. Identify, Document and Prioritize Gaps

3. Recommend and Implement a Remediation Plan to Close Gaps

4. Update and Train on New and Revised Policies and Procedures

5. Monitor Progress, Audit and Report on Results


Policies and Procedures Cross‐Walk to the Regulations

Page 7: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Reference NIST SP 800‐66


http://clearwatercompliance.com/wp-content/uploads/2013/12/NIST_SP-800-66-Revision1.pdf

• Basis of HIPAA Security Rule

• Cross‐walks HIPAA Security Rule to Compendium of NIST Security Framework Documents


3 Dimensions of HIPAA Assessment

1. Is it documented? • Policies, Procedures and Documentation

2. Are you doing it? • Using, Applying, Practicing, Enforcing

3. Is it Reasonable and Appropriate? • Comply with the implementation specification

Page 8: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


“…one of the benefits that OCR wanted out of the pilot audit program was to be able to put a protocol out there, so that when its auditors went in, it was essentially an open‐book test for covered entities and they could later do their own internal assessments and audits.”

“That protocol is for the entity’s self‐learning and self‐correction.”

HIT Policy Committee Meeting 12‐4‐13

https://ocrnotifications.hhs.gov/hipaa.html


Page 9: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Security Assessment Results

[Chart: 2.60 65% / 3.11 78%]

• Prioritize addressing those weaknesses that pose the highest risk

• Consider the most prevalent causes of security incidents or privacy violations


Privacy & Breach Assessment Results

[Chart: 2.60 65% / 2.80 70%]

Page 10: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Page 11: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Assigned Compliance Responsibility


(1) Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

(2) Implementation specification: Personnel designations. A covered entity must document the personnel designations.

Administrative Requirements §164.530 (a)

(2) A covered entity must, in accordance with § 164.306:

2. Standard: Assigned security responsibility. Identify the HIPAA Security Officer who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

Administrative Safeguards §164.308 (a)


Page 12: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Workforce Access to PHI


(1) Standard: Minimum necessary requirements.

(2)(i) A covered entity must identify: (A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and (B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.

Minimum Necessary §164.514 (d)

(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.

Administrative Safeguards §164.308 (a)


Minimum Necessary Workforce Access Worksheet

Page 13: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Minimum Necessary – Routine Requests and Disclosures

(d)(3) Implementation specification: Minimum necessary disclosures of protected health information. (i) For any type of disclosure [or requests] that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

§164.514 (e) – Routine Requests and Disclosures


Business Associate Inventory


• Name of BA

• General Services Provided

• Business Owner

• Type of PHI Provided (specific medical information? sensitive?)

• Amount of PHI (# of records, frequency of sharing)

• Business Process Supported (specific services, minimum necessary?)

• Who Do They Share It With?

• BA Contract – up-to-date?

• Criticality to your organization

Page 14: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Minimum Necessary – Non-Routine Requests and Disclosures

(d)(3) Implementation specification: Minimum necessary disclosures of protected health information. (i) For any type of disclosure [or requests] that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

(ii) For all other disclosures [or requests], a covered entity must: (A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and (B) Review requests for disclosure on an individual basis in accordance with such criteria.

§164.514 (e) – Non-Routine Requests and Disclosures


Sanctions


(1) Standard. A covered entity or business associate must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.

(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity or business associate must document the sanctions that are applied, if any.

Administrative Requirements §164.530 (e)

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

Administrative Safeguards §164.308 (a)

Page 15: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Example of Sanction Criteria (Actual sanctions will depend on organizational culture and policy ‐ Maintain sufficient flexibility in your Policy to allow for undefined situations)

| Type of Violation | Example of Unauthorized Use or Disclosure | Result | # of Occurrences | Types or Examples of Sanctions |
|---|---|---|---|---|
| Non‐Intentional or Accidental | Fax to wrong number; Mail to wrong recipient; Voice message; Wrong discharge papers; Loss of records or files | No further disclosure | 1st time | Additional training |
| | | | 2nd time | Note in personnel file and counseling |
| | | | 3rd time | Reassignment or Termination |
| | | Further disclosure | 1st time | Note in file and counseling |
| | | | 2nd time | Reassignment or termination |
| Intentional & Non‐Malicious | Snooping | No further disclosure | 1st time | Note in file, counseling or suspension |
| | | | 2nd time | Reassignment, suspension or Termination |
| | | Further disclosure | 1st time | Suspension or Termination |
| Intentional Malicious | Sharing or sale of information | Business disruption; Financial, reputational or other harm to individuals | 1st time | Termination |


Incident Reporting and Processing


(f) Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.

Administrative Requirements §164.530 (f)

(6) (i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.

(ii) Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

Administrative Safeguards §164.308 (a)

Page 16: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Complaints


(1) Standard. A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part.

(2) Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.

Administrative Requirements §164.530 (d)


Incident Response Protocol

1. Triage: Conduct initial screening; Investigate severity; Set priorities for next step; Determine timing of notifying management

2. Investigate: Collect all relevant data for use in analysis; Adhere to policy and applicable laws; Notify Law Enforcement?

3. Contain: Secure area; Maintain uncontaminated evidence; Buy time for proper investigation; Limit additional data loss

4. Analyze: In parallel with Containment, determine the source, root cause, method, motivation and timing of incident; Forensics needed?

5. Mitigate: Reduce risk of future harm of follow‐on data use or disclosure ‐ verify data return or destruction

6. Remediate: Implement solutions to avoid another incident; consider updates to procedures, technology, training & sanctions

7. Monitor: Test to ensure “solution” is working; audit periodically

8. Document: Maintain log of all aspects of response activities

Page 17: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...



Version Control and Retention

Page 18: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...



Think Program, Not Project!

Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program

Start / Year 1:

• Oversight
• Inventory PHI & ePHI
• Inventory BAs
• Assessments
• Remediation Plans
• Policies & Procedures
• Business Associate Management
• Training

Year 2:

• Re-Inventory PHI & ePHI
• Re-Inventory BAs
• Redo Assessments
• Remediation Plans
• Policies & Procedures Review
• Business Associate Management
• Training Update

Ongoing Support and Guidance

Assessments NOT Once and Done

Page 19: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Make progress on your remediation plan a standard agenda item with your Compliance Council


Questions?


Page 20: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


The Breach Notification Rule


• Burden of Proof

• Breach Notification

• Administrative

• All PHI, including ePHI


Breach Exceptions


Exception #1

• Unintentional
• Good Faith
• Within Scope of Authority
• No Further Use or Disclosure

Exception #2

• Inadvertent
• To another Authorized Person
• Same CE or BA or OHCA
• Not Further Used or Disclosed

Exception #3

• Good Faith Belief that information could not be retained

Page 21: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Breach Risk Assessment Factors


The Four Factors and Some Considerations for Analysis of “low probability of compromise”


Page 22: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


From the Preamble…..

• In addition to the statutory exceptions that have been included in both the interim final rule and this final rule, there may be other similar situations that do not warrant breach notification.

• …there are several situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification.

• We agree with commenters that providing notification in such cases may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely. 


Breach Risk Assessment Framework

Principles of the Framework

• Each individual breach case is unique

• Each investigation should follow the same process and criteria

• Assessment should guide a decision, but not be the decision itself

• Provide for consistent application

• Modify for both state and federal breach definitions and requirements

• Maintain documentation

Page 23: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Pause & Quick Poll

Breach Preparation Plan?

• Have you developed and tested a Breach Risk Assessment?

YES / NO / DON’T KNOW


Supplemental Materials

7‐1. Workforce Access to PHI Inventory template (Excel)

7‐2. Business Associates Inventory (Excel)

7‐3. Documentation Requirements in Privacy and Breach Notification Rules (Word)

7‐4. Breach Preparation Plan (PDF)

7‐5. Health IT Policy Committee_Accounting of Disclosures_FINAL_11182013 (PPT) 


Page 24: BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...


Questions?
