Redspin & Phyllis and Associates Webinar: HIPAA, HITECH, Meaningful Use, IT Security
Transcript of Redspin & Phyllis and Associates Webinar: HIPAA, HITECH, Meaningful Use, IT Security
HIPAA & HITECH Requirements, Compliance, and Meaningful Use
We know it’s confusing.
Let’s focus on what you need to know!
Information Security Assessments
“We Take Your Security Personally”
Dan Berger, Executive Vice President
Redspin, Inc.
Phyllis Patrick, MBA, FACHE, CHC
Phyllis A. Patrick and Associates LLC
Agenda
- New Era in Health IT – What it means to you
- Risk Assessment Strategies and Components
- Effective Security Process
- Meaningful Use and how to get incentive $
- Practical Example – Case Study
New Era in Health IT
– New Regulations and Initiatives
– Incentive Funding (Medicare & Medicaid)
– New Consumer and Patient Issues
New Programs
• Electronic Health Records (EHRs)
• Health Information Exchanges (HIEs)
• Regional Extension Centers (RECs)
• Achieving meaningful use of certified EHRs
Privacy and Security
Policies and Programs
• Privacy as a Patient Satisfaction Issue
• Synergy with Quality and Safety Programs
• Right of Private Action/State AG Activities
The ONC Mandate
Americans will benefit from electronic health records as
“part of a modernized, interconnected, and vastly
improved system of care delivery.”
ONC Mandate and Initiatives
• Temporary Certification Program
• Standards and Certification Criteria Final Rule
• Medicare and Medicaid EHR Incentive
Programs
• Meaningful Use of EHRs Final Rule
• Certified Health IT Product List
New Federal Regulations
– Meaningful Use of Electronic Health Records
(Final Rule) – Medicare and Medicaid Incentive
Programs
– Certification Process/Criteria
– Certification Standards
– HITECH Amendments to HIPAA
– Breach Notification Requirements
What are the Rules?
Security Laws
– Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
– Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
– Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
– Family Educational Rights and Privacy Act (FERPA)
– Payment Card Industry Data Security Standard (PCI DSS)
– State Breach Notification, Social Security Numbers, Data Protection, and other laws
– Children’s Online Privacy Protection Act
– Federal Information Security Management Act (FISMA)
– H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
– Encryption Laws (e.g., State laws)
– Sarbanes-Oxley Act (Public Companies)
– Gramm-Leach-Bliley Act (Financial Services)
– And more………
Some rules haven’t changed – Have you fully
implemented the HIPAA Security Rule?
The HIPAA Security Rule
– Compliance Date: April, 2005
– 42 Standards and Implementation Specifications
– Information Security Management Program
– Applies to Electronic Protected Health Information (ePHI) that
a Covered Entity Creates, Receives, Maintains, or Transmits
Security Rule Standards
Evaluation Standard
“Perform a periodic technical and non-technical evaluation,
based initially upon the standards and implemented under this
rule and subsequently, in response to environmental or
operational changes affecting the security of electronic
protected health information, that establishes the extent to
which an entity’s security policies and procedures meet the
requirements of this subpart.” [§164.308(a)(8)]
Related Standards
– Security Management Process §164.308(a)(1)(i)
– Risk Analysis §164.308(a)(1)(ii)(A)
– Risk Management §164.308(a)(1)(ii)(B)
– Information System Activity Review §164.308(a)(1)(ii)(D)
Consequences of Not Meeting
the Requirements
New Enforcement Efforts and
Priorities
HHS made changes to the HIPAA regulations to conform
the enforcement component of the regulations to the
statutory revisions made pursuant to the HITECH Act.
• Civil Monetary Penalties
• Violations categorized
• Tiered ranges of civil money penalty amounts
Penalties – Per Calendar Year
– Person did not know (and by exercising reasonable due diligence would not have known): $100 - $50K/violation, not to exceed $25K - $1.5MM
– Violation due to reasonable cause and not to willful neglect: $1,000 - $50K/violation, not to exceed $100K - $1.5MM
– Due to willful neglect and violation was corrected: $10K - $50K/violation, not to exceed $250K - $1.5MM
– Due to willful neglect and violation was not corrected: at least $50K/violation, not to exceed $1.5MM
GOVERNANCE
Leadership
Organizational Structures
Processes that support the security and privacy
programs while supporting and sustaining the
organization’s mission and strategic goals
Relationships with Business Associates and 3rd
parties
Effective Security Program
Governance
– Involves appropriate organizational personnel
– Defines a governance framework or methodology
– Enables uniform risk measurement across the
organization
– Produces quantifiable, meaningful deliverables
– Reflects business practices, organizational risk
appetites, and changing levels of risk
Reference: IT Compliance Institute
Business Associates
Covered Entity (CE)
A health plan, health care clearinghouse, or health
care provider who transmits any health information in
electronic form in connection with a transaction
covered under the HITECH Act
Business Associate (BA)
Party who performs a function on behalf of a Covered
Entity and has access to PHI in the performance of
that function
Business Associate Compliance
Business Associates (BAs):
- IT vendors
- coding vendors
- outsourced call center
- subcontractors
- insurance companies
- pharmacies
- hospitals
- physicians
- e-prescribing ecosystem
- CPOE
- radiology labs
- HIEs
- RHIOs
- ACOs
- lawyers
- CPAs
- housekeeping services
- etc.!!!
Covered Entity (CE)
Liability:
-BAs are contractually liable to CEs
for breach of BA agreement
-BAs are civilly and criminally liable
to Federal government for violations
Notification:
-BA notify CE of any breach
-CE has obligation to notify patients
and HHS
-If 500+ persons, notify media
serving their area
Recommendations:
-Identify BAs with highest risk
-Communicate expectations to BAs
-Automate contract and BA
agreement files
-Develop auditing and monitoring
process
-Educate executives and key players
on BAs
Assessing Your Security Program
Components of the Assessment
• Governance of the Privacy and Security Programs
• Privacy Rule and Security Rule Standards
• Policies and Procedures
• Risk Assessment and RA Management
• Program Infrastructure
– Designation of Privacy and Security Officers
– Reporting Relationships
– Staffing and Resources
• Education and Training Programs
• Security Breach Notification Policy and Procedures
• Readiness to meet HITECH/HIPAA requirements and Meaningful Use criteria
• Impacts of Business Partner/Business Associate Relationships
• Auditing and Monitoring Processes
Strategies for a Risk Assessment
• Formal and ongoing evaluation and review process
• Periodic Risk Analysis, in particular following significant changes
• Senior leader support
• Adequate and available resources
• Steering committee
Strategies for a Risk Assessment
• Governance/Reporting/Metrics
• Organization-wide Risk Analysis
• Communication of Risk Profile
• Documentation and Action Plans
• Independent Consultants?
Show Me the Money
How to Access Federal Dollars
Eligible Entities
– Eligible professionals (EPs)
– Eligible hospitals
– Critical access hospitals
– Certain Medicare Advantage Organizations whose affiliated
EPs and hospitals are meaningful users of certified EHR
technology
What is “Meaningful Use?”
• Use of a certified EHR in a meaningful manner (e.g.,
e-prescribing)
• Use of certified EHR technology for electronic
exchange of health information to improve quality of
health care
• Use of certified EHR technology to submit clinical
quality and other measures
Meaningful Use – Criteria and Standards
– Is the practice or hospital making adequate
use of EHRs?
– Has a risk analysis been conducted?
– Is there a platform for staged implementation?
To achieve meaningful use, providers must:
– Provide and monitor privacy and security
protection of confidential PHI through operating
policies, procedures, and technologies
– Comply with all applicable federal and state laws and regulations
– Provide transparency of data sharing to patients
Meaningful Incentive Program
Medicare EHR
Participation as early as FY 2011
EPs may receive up to $44,000 over 5 years, plus an additional incentive if practicing in an HPSA
Must begin by 2012 to get the maximum
Incentives for hospitals may begin in 2011 with a $2 million base payment
Medicare EPs, hospitals and CAHs who do not show meaningful use will have payment decreases beginning in 2015
Medicaid EHR
Voluntarily offered by individual states
May begin as early as FY 2011
EPs may receive up to $63,750 over 6 years
Incentives for hospitals may begin in 2011
No payment adjustment for providers who do not show meaningful use
CMS Meaningful Use Goals
Improve quality, safety, and efficiency of
health care and reduce health disparities
Engage patients and families
Improve care coordination
Improve population and public health, and
Ensure adequate privacy and security
protections for personal health
information
HIPAA/HITECH Compliance
What are the objectives of a
HIPAA Risk Analysis and
Security Assessments?
Compliance: a HIPAA Risk Analysis
verifies compliance with the standards
defined in the Security Rule of the
Administrative Provisions in Title II of
HIPAA.
Security: utilizes a risk-based
approach to minimize the risk of a
compromise of Electronic Protected
Health Information (EPHI) triggering
the breach notification requirements.
Some Types of Assessments
Controls
Data Security
Network Analysis
Physical Security
Systems Analysis
External Pen
Internal Pen
Wireless Pen
Web App
Social Engineering
Other possible assessments:
- PCI, if credit cards
- Sarbanes-Oxley
- Gramm-Leach-Bliley
Components of Risk
The assets
(what you are trying to protect is PHI)
• You need to know where it is, how it is used, and
how it is transported over the network.
The threats
(what are you afraid of happening?)
• Sophisticated cybercriminals stealing account
credentials, credit card records, or medical
history to file false claims.
• Hackers using application attacks to gain access
to database records.
• Insiders gathering inappropriate data through
misconfigured access control.
The vulnerabilities
(how could the threat occur?)
• Targeted social engineering attacks; malware
exploiting Adobe .pdf and MS office .doc
vulnerabilities
• Application vulnerabilities (e.g., SQL injection,
command injection)
• Misconfigured database access controls
Current mitigation
(what is currently reducing the risk?)
• Staff
• Technology
• Processes
PHI/PII Risk Indication
CASE STUDY
Axolotl: Health Information Exchange (HIE) Solution Provider
Axolotl Overview
Founded: 1995
Location:
San Jose, California
Industry:
Healthcare Technology Provider
Solutions For:
Hospitals & Health Systems
RHIOs
State Health Agencies
Physicians
Employees: 200
• Since 1995, Axolotl has been providing
advanced Clinical Networking solutions
• Health Information Exchange has
become a necessary foundation to
support the “meaningful use” of health
information technology
• Cloud environment – supports electronic
sharing of data among hospitals,
physicians, clinical laboratories,
pharmacies, health plans (insurers), and
public health departments
• Security and regulatory compliance are
imperative for Axolotl’s customers
Solution for Axolotl
• Comprehensive information
security assessment of
governance and operational
processes covering both
production and internal systems
• Thorough assessment of
policies, practices, and
procedures from both an internal
and external point of view
• Axolotl has been able to use
information security and
compliance as a distinct
advantage in a fiercely
competitive segment of the
healthcare market.
Areas Covered
Is Your Organization Ready?
Some Additional
Thoughts…
Common Themes and Issues
• Lack of Documentation
• Lack of Awareness of
Programs
• Insufficient Training and
Education
• Lack of adequate
Disaster and Business
Continuity Planning
• Privacy and Security less
priority than Safety or
Quality Programs
• Mobile Device Policy and
Procedures
• Managers unaware of
their role and
responsibilities in privacy
and security
• Management of Business
Associate Relationships
• Lack of or outdated
Encryption Policy and
Procedures
• Who to Contact in case of
perceived or actual
Security Breach or
Privacy Incident
EHR for the Future
• Whatever happens to the health care agenda, EHRs will
continue to evolve and regionalization will occur
• Some geographical areas will develop mature EHRs faster than
others
• Patients/consumer engagement is gaining traction
• Vendor market will consolidate and be more accountable
Appendix
Strategies for a Risk Assessment
• Establish a formal, ongoing Evaluation
and Review Process using independent
consultant/third party. Conduct the review
using project management tools and
methods.
• Perform Risk Analysis, following
established policies and procedures, at a
minimum, every three years or whenever
there is a significant change in the
environment (e.g., new system, new regs,
new service, new threats, changes in senior
management)
• Evaluation/Review Process
• Risk Analysis
• Steering Committee
• Governance
• Metrics/Scoreboard
• Risk/Threats
• Integrated Assessment
• Risk Profile
• Consultant Criteria
• Sr. Mgmt. Support
• Penalties
• Document!
• Establish an ongoing Steering Committee:
o Dedicate a multi-disciplinary team
responsible for guiding the Evaluation and
Risk Assessment Processes; utilize existing
team/committee if appropriate
• Establish governance structure/process for Security and Privacy reports to BOD, Audit & Compliance Committee, Strategic Planning Committee, etc.
• Security and Privacy Metrics/Scoreboard
Strategies for Risk Assessment
• Determine level of risk and threat to the organization, e.g.,
• Security Breach
• Identity Theft/Medical Identity Theft
• Privacy Complaints/OCR Complaints/Patient Suits
• Organization’s “Risk Appetite”
• Organizational reputation
• Financial consequences
• Integrate the risk assessment for security and privacy into the organization-wide risk assessment covering all types of risk
• Develop and communicate Risk Profile
Strategies for a risk assessment
• Retain an independent consultant that meets
specific criteria:
o Determine qualifications of individuals performing the review
o Ask questions to ascertain whether consultants possess “hands on” experience
o Do reports summarize data or provide a noted gap analysis?
o Does the consultant provide a “to do list” based upon the audit results, mapping a path for the organization to follow, or is it buried in the summary?
o Do you understand the results and have support from the organization to resolve issues identified?
Strategies for a Risk Assessment
• Elicit support from senior management to
provide adequate resources to address areas
of identified risks
• Note: Organizations that ignore findings are
subject to increased penalties!
• Documentation and retention of action plans and follow-up is key to surviving and resolving audits and investigations.
Successful information
risk management program
1. Organizing for
performance
2. Assessing risk
3. Decision analysis
4. Policy implementation
5. Measuring program
effectiveness
6. Repeat steps 2-5,
adjust the
organization defined
in step 1 to evolving
business
requirements
Risk Management Process: Detail
Step 1. Assess Risk
Identify and prioritize risks to the
business.
a. Plan data gathering.
b. Gather risk data.
c. Prioritize risks.
Step 2. Decision Analysis
Evaluate requirements, understand
possible solutions, select controls,
estimate costs, and choose the most
effective mitigation strategy.
a. Define functional requirements to
mitigate risks.
b. Outline possible control solutions.
c. Estimate risk reduction.
d. Estimate solution cost.
e. Choose mitigation strategy.
Step 3. Policy Implementation
Policy implementation. Acquisition and deployment of
controls to carry out the policy.
a. Ensure policy specifications are enforceable.
b. Integrate process automation, people, and technology in
the mitigation solution.
c. Defense in depth – coordinate application, system, data,
and network controls.
d. Communicate policies and control responsibilities
throughout the organization.
Step 4. Measure Effectiveness
Develop and disseminate reports. Provide management a
dashboard of program effectiveness.
a. Management dashboard that summarizes organization’s
risk profile.
b. Report on changes under consideration and underway.
c. Communicate effectiveness of the control solutions in
mitigating risk.
d. Report on existing environment in terms of threats,
vulnerabilities and risk profile.
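As an added illustration (not part of the webinar slides), the following Python models the "Components of Risk" slide (assets, threats, vulnerabilities, current mitigation) together with steps 1c and 2c-2e of the risk management process above: prioritize risks, estimate each candidate control's risk reduction and cost, and choose a mitigation strategy within a budget. Every likelihood/impact score, cost, control name and register entry is a constructed assumption.

```python
"""Risk register and control selection (added example, not from the webinar).
Risk = asset + threat + vulnerability + current mitigation ("Components of Risk");
choose_controls() walks the decision-analysis step. All numbers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (expected); constructed scale
    impact: int            # 1 (minor) .. 5 (breach notification, 500+ patients)
    current_mitigation: List[str] = field(default_factory=list)

    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    cost: int              # constructed budget units
    reduces: Dict[str, int]  # threat -> likelihood points removed

def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 1c: highest likelihood x impact first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def risk_reduction(control: Control, risks: List[Risk]) -> int:
    """Step 2c: score points removed across the register (likelihood stays >= 1)."""
    return sum(min(control.reduces.get(r.threat, 0), r.likelihood - 1) * r.impact
               for r in risks)

def choose_controls(controls: List[Control], risks: List[Risk], budget: int):
    """Step 2e: greedy by reduction per unit cost until the budget is spent."""
    ranked = sorted(controls, key=lambda c: risk_reduction(c, risks) / c.cost, reverse=True)
    chosen, spent = [], 0
    for c in ranked:
        if risk_reduction(c, risks) > 0 and spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
    return chosen, spent

# Constructed register using the threat/vulnerability pairs named on the slide.
RISKS = [
    Risk("ePHI in clinical database", "application attack", "SQL injection", 4, 5, ["firewall"]),
    Risk("ePHI on staff workstations", "phishing malware", "unpatched PDF/Office", 5, 3, ["antivirus"]),
    Risk("ePHI in clinical database", "insider access", "misconfigured access control", 3, 3),
]
CONTROLS = [
    Control("Web application test and input validation fixes", 30, {"application attack": 3}),
    Control("Patch management and awareness training", 20, {"phishing malware": 2}),
    Control("Database access control review", 10, {"insider access": 2}),
]
```

With a budget of 45 units the greedy pass picks the access control review first (best reduction per cost) and then the web application work, leaving the training control unfunded for this cycle.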
HIPAA Audit Scope Attributions