How to Conduct a HIPAA Security Rule Compliance Self Audit (webinar slide transcript, 2014-10-30; posted 13-Mar-2020)
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to bob.chaput@clearwatercompliance.com
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Clearwater HIPAA Business Risk Management Life Cycle™ (diagram): Frame, Assess, Respond, Monitor

Today's Topics: Privacy Assessment | Security Assessment | ePHI Discovery | Risk Response | Remediation | Risk Strategy | Governance | Auditing | Technical Testing | Workforce Training | Risk Analysis
Welcome to today’s Live Event… we will begin shortly…
Please feel free to use “Chat” or “Q&A” to pose any ‘burning’ questions you may have in advance…
How to Conduct A HIPAA Security Rule Compliance Self Audit
October 30, 2014
Wes Morris, CHPS, CIPM | Clearwater Compliance LLC | 615-823-3084 | Wes.Morris@ClearwaterCompliance.com
Some Ground Rules
1. Slide materials will be provided
2. Questions in "Question Area" on GTW Control Panel
3. In case of technical issues, check "Chat Area"
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave the session
6. Recorded version and final slides within 48 hours
Poll #1 – What type of organization?
Wes Morris, CHPS, CIPM, HIPAA Consultant
• 20 years in Clinical Care / Social Services
• 11 years in HIPAA Privacy and Security
• Experienced Hospital Privacy and Security Officer, Team Lead and Subject Matter Expert
• Certified in Healthcare Privacy and Security (CHPS)
• Examination Development Committee Member for AHIMA CHPS Exam
• Certified Information Privacy Manager (CIPM)
• Mentor to HIM students and new Privacy Officers
Wes.morris@clearwatercompliance.com
Our Passion
We're excited about what we do because we're helping organizations provide better care by safeguarding the very personal and intimate healthcare information of millions of fellow Americans… and keeping those same organizations off the Wall of Shame!
Here's What We Do For a Living…
• Since 2010
• 350+ Customers
• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps
• 20 OCR or CMS Audits & Investigations to date
• Raving Fan customers!
Key Differentiator: SaaS Platforms for Operationalizing Your Compliance Programs
Mega Session Objective
Help You Understand and Address Two Very Specific HIPAA Security Rule Compliance Evaluation Requirements… and perform a self-audit!
Big Points about Compliance Self-Audit
• Must cover entire Regulation
• First Time – Lots of Work
• Not Once and Done
• Often Requested in OCR Investigation Data Request
• Risk Analysis ≠ Security Assessment (Evaluation) = Compliance Self-Audit
• Addresses TWO (2) Dimensions of HIPAA Security Risk Management
• Consider Doing Same for Privacy and Breach Notification
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance – 45 CFR 164.308(a)(8)
2. Security – 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit – 45 CFR 164.308(a)(8) & OCR Audit Protocol
Related Webinars to View
• The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
• How To Conduct a Bona Fide HIPAA Security Risk Analysis
Blog Post
• HIPAA Audit Tips – Don't Confuse HIPAA Security Evaluation and Risk Analysis
Session Objectives
1. Understand Evaluation Requirements
2. Learn How to Evaluate Your Compliance
3. View a Demonstration of Our Evaluation Process / SaaS Solution
Three Pillars of HIPAA-HITECH Compliance… Privacy | Security | Breach Notification (HIPAA, HITECH, OMNIBUS FINAL RULE)
• Privacy Final Rule: 75 pages / 27K words / 56 Standards / ~54 "dense" Implementation Specs
• Security Final Rule: 18 pages / 4.5K words / 22 Standards / ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words / 4 Standards / 9 Implementation Specs
Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

≠

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
OCR Investigation Data Request
HIPAA Phase 2 Audits: A Revised Game Plan
• "Very Targeted Audits"
  o CEs: specific compliance areas, such as security risk assessments, privacy and breach notification, copies of periodic risk analysis and other evidence
  o BAs: security risk assessment and providing breach notification to CEs
  o Will not include CEs or BAs under a current OCR investigation
• Audit Change: From 400 remote desk to <200 more comprehensive
• Prescreening surveys to be sent "in near future" to CEs and BAs
  o Surveys will determine "in or out" - not "are you compliant?"
  o CEs will be asked "for a list and contacts for all your business associates"
  o BAs will be selected from the lists provided by CEs
• Delayed to finish roll-out of Web portal for document submission; no date given for completion
Executive Summary

Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

MUST DO:
1. Have comprehensive documented policies and procedures
2. If using external resources, ensure they are qualified
3. Cover ALL standards and implementation specs
4. Ensure criteria are established (standards and measures)
5. Gather all necessary documentation to evaluate
6. Complete both technical and nontechnical evaluations
7. Document findings, observations and remediation plan
8. Demonstrate evaluation is completed periodically
Three Terms to Memorize (45 CFR 160.401 Definitions)
1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!
3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
Give Your CEO and Outside Counsel Something to Work With!
Enforcement: Amount of CMP - 45 CFR § 160.404

Violation Category (Section 1176(a)(1))    | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know)    | $100 - $50,000                   | $1,500,000
(B) Reasonable Cause                       | $1,000 - $50,000                 | $1,500,000
(C)(i) Willful Neglect – Corrected         | $10,000 - $50,000                | $1,500,000
(C)(ii) Willful Neglect – Not Corrected    | $50,000                          | $1,500,000

Discretion to Use $50K at Any Level | CEs & BAs Act Swiftly in Case of Breach
10 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR §164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan
10. Assess current insurance coverage
Demonstrate Good Faith Effort!
Clearwater Compliance Compass™ – Four Critical Dimensions of a Balanced Compliance Program
• Policy defines an organization's values & expected behaviors; establishes "good faith" intent.
• Procedures or processes – documented – provide the actions required to deliver on the organization's values.
• People must include talented privacy, security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
• Safeguards include the various families of administrative, physical or technical security controls (including "guards, guns, and gates", encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).
Session Objectives
1. Understand Evaluation Requirements
2. Learn How to Evaluate Your Compliance
3. View a Demonstration of Our Evaluation Process / SaaS Solution
How to Do It Right
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program. Think Program, Not Project!
• Start / Year 1: Oversight | Assessments | Corrective Action Plans | Policies & Procedures | Training | Technical Testing
• Year 2: Re-Assessments | Corrective Action Plans | Policies & Procedures Review | Training | Technical Testing
• Ongoing Support and Guidance: Re-Assessments | Corrective Action Plans | Policies & Procedures Review | Training | Technical Testing
Steps to Complete A Security Compliance Assessment
1. Form a Cross-Functional Task Force
2. Set Business Risk Management Goals
3. Use as an Opportunity to Get Educated – Learn the Requirements and the Consequences
4. Create an Assessment Checklist or Software Tool Based on the Regulations and OCR Audit Protocol
5. Set a Scoring Methodology
6. Assess Your HIPAA Security Compliance
7. Document Gaps
8. Develop a Preliminary Remediation Plan
HIPAA Security Nontechnical Evaluation
1. Is it documented? • Policies, Procedures and Documentation
2. Are you doing it? • Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? • Comply with the implementation specification
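One way to turn steps 4 through 8 of the assessment procedure (checklist, scoring methodology, assessment, gap list, preliminary remediation plan) and the three nontechnical evaluation questions into something you can run is sketched below. This is an added example, not Clearwater's SaaS tool or its scoring methodology: the weights, the severity rules and the sample answers are assumptions; the 45 CFR 164 citations are real, and the handling of Addressable specifications follows 45 CFR 164.306(d)(3), which lets a covered entity document why an addressable spec is not reasonable and appropriate and implement an equivalent alternative.

```python
"""Self-audit scoring for a HIPAA Security Rule compliance checklist.

Added example (not Clearwater's tool or scoring methodology). Each
implementation specification is answered on the three nontechnical
evaluation questions (documented? doing it? reasonable and appropriate?),
scored, rolled up per standard, and turned into a gap list for the
preliminary remediation plan.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights: a policy that exists on paper but is not practiced is
# worth little to an investigator, so practice and appropriateness count more.
WEIGHTS = {"documented": 1, "practiced": 2, "appropriate": 2}
MAX_SCORE = sum(WEIGHTS.values())


@dataclass
class SpecResult:
    standard: str        # parent standard, e.g. "164.308(a)(1) Security management process"
    spec: str            # implementation spec, e.g. "164.308(a)(1)(ii)(A) Risk analysis"
    required: bool       # True = Required, False = Addressable (45 CFR 164.306(d))
    documented: bool     # 1. Is it documented?
    practiced: bool      # 2. Are you doing it?
    appropriate: bool    # 3. Is it reasonable and appropriate?
    alt_documented: bool = False  # Addressable only: rationale for not implementing
                                  # plus an equivalent alternative measure is documented


def spec_score(r: SpecResult) -> float:
    """Score one specification from 0.0 (nothing in place) to 1.0 (compliant)."""
    if not r.required and not r.practiced and r.alt_documented:
        # 164.306(d)(3): an addressable spec is satisfied by documenting why it
        # is not reasonable and appropriate and implementing an equivalent
        # alternative, so this is not a gap.
        return 1.0
    earned = sum(w for k, w in WEIGHTS.items() if getattr(r, k))
    return earned / MAX_SCORE


def missing(r: SpecResult) -> list:
    """Which of the three questions were answered 'no'."""
    return [k for k in WEIGHTS if not getattr(r, k)]


def severity(r: SpecResult) -> str:
    """Gap severity used to order the remediation plan (assumed rules)."""
    if spec_score(r) == 1.0:
        return "none"
    if not r.practiced:
        return "high" if r.required else "medium"   # not doing it at all
    return "low" if r.documented else "medium"       # doing it; paperwork or fit lacking


def standard_scores(results) -> dict:
    """Average spec score per standard, rounded, as a baseline/benchmark score."""
    by_std = defaultdict(list)
    for r in results:
        by_std[r.standard].append(spec_score(r))
    return {std: round(sum(v) / len(v), 2) for std, v in by_std.items()}


def remediation_plan(results) -> list:
    """(severity, spec, missing items) for every gap, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    gaps = [r for r in results if severity(r) != "none"]
    gaps.sort(key=lambda r: (rank[severity(r)], r.spec))
    return [(severity(r), r.spec, missing(r)) for r in gaps]


# Constructed sample answers: the citations are real, the answers are made up.
SAMPLE = [
    SpecResult("164.308(a)(1) Security management process",
               "164.308(a)(1)(ii)(A) Risk analysis", True,
               documented=True, practiced=False, appropriate=False),
    SpecResult("164.308(a)(1) Security management process",
               "164.308(a)(1)(ii)(D) Information system activity review", True,
               documented=True, practiced=True, appropriate=False),
    SpecResult("164.308(a)(5) Security awareness and training",
               "164.308(a)(5)(ii)(D) Password management", False,
               documented=True, practiced=True, appropriate=True),
    SpecResult("164.312(a)(1) Access control",
               "164.312(a)(2)(iv) Encryption and decryption", False,
               documented=True, practiced=False, appropriate=True, alt_documented=True),
    SpecResult("164.312(b) Audit controls",
               "164.312(b) Audit controls", True,
               documented=False, practiced=True, appropriate=True),
]

if __name__ == "__main__":
    for std, score in standard_scores(SAMPLE).items():
        print(f"{score:4.2f}  {std}")
    for sev, spec, gaps in remediation_plan(SAMPLE):
        print(f"{sev:6}  {spec}: missing {', '.join(gaps)}")
```

The point of the per-standard roll-up is the baseline score an evaluation is expected to produce; the point of the severity ordering is that a Required specification you are not practicing at all (here, the risk analysis) lands at the top of the remediation plan, while a control that is practiced but undocumented is a documentation gap, not a control gap. Keep the answers and the evidence behind each one with the checklist, since that is what an OCR data request asks for.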
Poll #2 ‐ Security Non‐Technical Evaluation
HIPAA Security Technical Evaluation
ALL IMPORTANT - AIMED AT DETERMINING EFFICACY AND EFFECTIVENESS OF CONTROLS
• External Network Vulnerability Assessment
• Internal Network Vulnerability Assessment
• External Penetration Testing
• Internal Penetration Testing
• Web Application Assessment
• Wireless Security Assessment
• Security Awareness Assessment
• Sensitive Data Discovery Scans
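The last item, a sensitive data discovery scan, is the one technical evaluation that a small team can start on its own. The following is an added example, not Clearwater's or any vendor's discovery tool: it scans constructed sample files for SSN-like and MRN-like values, discards SSN candidates the Social Security Administration never issues (area 000, 666 or 900-999; group 00; serial 0000) to cut false positives, and reports masked values so the scan report does not itself become a copy of ePHI. The file paths, the "MRN" label convention and every identifier in the sample data are made up.

```python
"""Sensitive data discovery scan over text files, looking for ePHI identifiers.

Added example, not Clearwater's discovery tool. Scans constructed sample
files for SSN-like and MRN-like values, drops SSN candidates that cannot be
issued, and reports masked matches only.
"""
import re
from dataclasses import dataclass

# 3-2-4 digits with optional separators, bounded by non-word characters.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Assumed MRN convention: a literal "MRN" label followed by 6-10 digits.
MRN_RE = re.compile(r"\bMRN[:#]?\s*(\d{6,10})\b")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str     # "SSN" or "MRN"
    masked: str   # value with all but the trailing digits hidden


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from invoice and asset numbers."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def scan_text(path: str, text: str) -> list:
    """Return masked findings for every plausible SSN or MRN in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(path, line_no, "SSN", f"***-**-{serial}"))
        for m in MRN_RE.finditer(line):
            mrn = m.group(1)
            findings.append(Finding(path, line_no, "MRN", "*" * (len(mrn) - 3) + mrn[-3:]))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping (stand-in for walking a file share)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summary(findings: list) -> dict:
    """Count of findings per file, the view a remediation plan needs."""
    counts = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


# Constructed sample content; every identifier here is made up.
SAMPLE_FILES = {
    "share/hr/benefits.txt": "Employee John Q. Public, SSN 123-45-6789, enrolled 2014-03-01.\n",
    "share/billing/export.csv": "MRN,Name,Amount\nMRN 00482913,Jane Doe,250.00\n",
    "share/it/inventory.txt": "Asset tag 987-65-4321 is a printer; help desk 615-823-3084.\n",
    "share/finance/q3.txt": "Invoice 000-12-3456 voided; 666-12-3456 is a test value.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.kind}  {f.masked}")
    print(summary(scan_files(SAMPLE_FILES)))
```

Two practitioner caveats the sample data is built to show: a bare 3-2-4 pattern fires on asset tags, invoice numbers and test values, so an issuance check (or a validator specific to the identifier) belongs in every discovery scan; and the scan's own output is evidence you will hand to auditors and store for years, so mask at capture time rather than in the report template. A real scan walks the file share, database exports and mailbox archives, and its results feed the ePHI inventory that the risk analysis is scoped against.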
Reference NIST SP 800‐53A
http://clearwatercompliance.com/wp-content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf
“Security control assessments are not about checklists, simple pass‐fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800‐53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework.”
Resource
"The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control testing ensures that the process runs smoothly."
Reference NIST SP 800‐115
http://clearwatercompliance.com/wp-content/uploads/2013/12/SP800-115-Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf
• Basis of Technical Evaluations
  – Pen Testing
  – Vulnerability Scans
  – Post Testing Activities
Poll #3 – Security Technical Evaluation
Clearwater HIPAA Security Assessment™
Methodology and Software is… • Proactive • Adaptable • Consistent • Predictable • Measurable • Controlled • CPI-based • Standards-based
(Diagram: Monitoring and Auditing Maturity, from "Arts & Crafts" to "Science & Engineering")
Major Benefits of Clearwater Process
1. Deep Experience – Millions of Lives Under Our Processes, Safeguards and Protection
2. Market Feedback – Invaluable Insights from Executives, Staff and Regulators
3. Proven Model – Thought-, Methodology- and Software-Leadership
Become Self-Sufficient | Operationalize Risk Management
Essential Information at Your Fingertips
"Yes, it's time for a change."
High Value - High Impact Assessment WorkShop™ Process
I. PREPARATION (t-4 weeks)
   A. Plan / Gather / Schedule
   B. Read Ahead / Review Materials
   C. Provide SaaS Subscription / Train
   D. Administer Surveys
II. ONSITE ASSESSMENT (t=0)
   A. Facilitate
   B. Educate & Equip
   C. Evaluate
   D. Populate SaaS
III. WRITTEN REPORT (t+2 weeks)
   A. Findings
   B. Observations
   C. Recommendations
   D. Presentation and Sign Off
Key WorkShop™ Deliverables
1. Preparation for Mandatory Audits
2. Objective, Independent 3rd Party Review
3. Solid Educational Foundation
4. Completion of 45 CFR 164.308(a)(8) - Evaluation
5. Revitalize Security Compliance Program
6. Baseline/Benchmark Score
7. Preliminary Remediation Plan
8. Findings, Observations & Recommendations Report
Demonstrate Good Faith Effort
Summary and Next Steps
1. Consider Assessing the Forest First, Then Get Into the Trees/Weeds (Risk Analysis)
2. Stay Business Risk Management-Focused
3. Operationalize Compliance (Think: Plan-Do-Check-Act)
4. Large or Small: Consider Help (Tools, Experts, etc)
Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/
View pre-recorded Webinars at: http://abouthipaa.com/webinars/on-demand-webinars/
Two Specific Helpful Documents
Clearwater CE Omnibus ReadinessCheck™: http://clearwatercompliance.com/covered-entity-omnibus-readinesscheck/
Clearwater BA Omnibus ReadinessCheck™: http://clearwatercompliance.com/business-associate-omnibus-readinesscheck/
Upcoming Clearwater Events
• November 4, 2014 – Complimentary Webinar: HIPAA-HITECH 101
• November 5, 12, 19 – Virtual Session: Information Risk Management BootCamp™
• November 13, 2014 – Complimentary Webinar: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA-HITECH Compliance Program
• November 20, 2014 – Complimentary Webinar: How to Develop Your HIPAA-HITECH Policies and Procedures
• December 5 – In Person Classroom Session: Information Risk Management BootCamp™, Tampa, FL
Take Your HIPAA Privacy and Security Program to a Better Place, Faster … Earn CPE Credits!
Expert Instructors
• Bob Chaput, CISSP, CIPP/US, CHP, CHSS – CEO | Clearwater Compliance
• Mary Chaput, MBA, CIPP/US, CHPC – CFO & Chief Compliance Officer, Clearwater Compliance
• Michelle Caswell, JD – Senior Director, Legal and Compliance, Clearwater Compliance
• David Finn, CISA, CISM, CRISC – Health IT Officer, Symantec Corporation
• Meredith Phillips, MHSA, CHC, CHPC – Chief Information Privacy & Security Officer, Henry Ford Health System
• Gregory J. Ehardt, JD, LL.M. – HIPAA/Assistant Compliance Officer - HCA; Adjunct Professor, Office of General Counsel | Idaho State University
Clearwater Designated (ISC)2 Official Training Partner
Upcoming Training Courses• Dec 1 - 3, 2014 HCISPP CBK Training, Nashville• Feb 9-11, 2015 – Miami• Apr 6-8, 2015 – Nashville
HCISPP Description
• HCISPP is a foundational credential – confirming a foundational level of performance tasks, knowledge, and abilities relating to the security and privacy of healthcare
• As a foundational credential, the experience requirement is two (2) years, as follows:
  – Minimum two years of experience in one knowledge area of the credential that includes security, compliance & privacy:
  – Legal experience may be substituted for compliance
  – Information management experience may be substituted for privacy
  – At least one year of the two-year experience must be in the healthcare industry
• The HCISPP certification takes a universal approach to how regulations work internationally, so it will be applicable globally
Contact
Wes Morris, CHPS, CIPM, HIPAA Consultant
Clearwater Compliance LLC | http://www.ClearwaterCompliance.com | wes.morris@ClearwaterCompliance.com | Phone: 615-823-3084
Exit Survey, Please