first hipaa privacy-security...
TRANSCRIPT
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets."
- Hippocratic Oath, 4th Century, B.C.E.
Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance
First HIPAA Privacy-Security Officer
…Welcome to…
Understanding the Difference: HIPAA Security Assessment vs. Risk Analysis
WEBINAR
Bob Chaput, 615-656-4299 or [email protected]
Clearwater Compliance LLC
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!
Get Smart!
“On Demand” HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/on-demand-webinars/
Session Objectives
1. Learn the two specific assessment requirements
2. Review how to conduct each one
3. Help you get started with practical, actionable next steps
Who’s this guy talking?
Bob Chaput, MA, CHP, CHSS, MCSE
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: HCCA, ACHE, AHIMA, NTC, Chambers, Boards
Our Passion
We’re excited about what we do because…
…we’re helping organizations safeguard the very intimate, personal and private healthcare information of millions of fellow Americans…
Why Should You Care?
1. It’s the law…both assessments!
2. Your stakeholders trust you to do this
3. You want to stay in business
Meet the ‘Wall of Shame’
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
As of 05/31/2011:
• 278 CEs
• 56 Named BAs
• 10.9 MM Individuals
[Map figure: states named on the map are Wyoming, District of Columbia, Vermont, North Dakota, Alaska, South Dakota, Delaware, Montana, Rhode Island, Hawaii, Maine, New Hampshire; figure total shown: 10.78 MIL]
Three Pillars of HIPAA-HITECH Compliance…
• Privacy
• Security
• Data Breach Notification
(HIPAA and HITECH)
Health Information Technology for Economic and Clinical Health Act
HITECH = Hey It’s Time to End your Compliance Holiday
The HITECH Act
THREE absolute “game changers”:
1) More Enforcement
2) Bigger Penalties
3) Wider Net Cast
NIST – OCR HIPAA Security event
OCR Compliance Expectations…
Drums Beating Louder and Louder…
Assessments Are Central to Compliance
• Establishing good policy and procedures is not enough…
• Comprehensive business processes are not enough…
• Deploying leading technology solutions and systems controls is not enough…
Regular assessments are crucial in establishing and maintaining effective compliance
Security Evaluation v. Risk Analysis
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
NOT SUFFICIENT TO CALL THE ‘GEEK SQUAD’ TO RUN A VULNERABILITY SCAN OR PENETRATION TEST…
Security Evaluation vs. Risk Analysis
• Security Evaluation: compliance-focused, “Forest” level. Where do you stand?
• Risk Analysis: exposure-focused, “Trees/Weeds” level
Both Are Important and Necessary
Compliance Roadmap: HIPAA Security Final Rule “taxonomy”
• 5 major areas
• 22 Standards
• 53 Implementation Specifications
3 Dimensions of HIPAA Security Evaluation
1. Is it documented? • Policies, Procedures and Documentation
2. Are you doing it? • Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? • Comply with the implementation specification
2 Dimensions of HIPAA Security Risk Analysis
1. What is the exposure of our information assets (e.g., ePHI)?
2. What do we need to do to mitigate risks?
A Risk Analysis Addresses Both
HIPAA-HITECH Security Compliance Roadmap
Components shown on the roadmap diagram:
• HIPAA Security Evaluation (HSE)
• HIPAA Risk Analysis (HRA)
• Preliminary Remediation Plan (PRP)
• HIPAA Remediation Plan (HRP)
• HIPAA Security Strategy (HSS)
• HIPAA Security Policies (HSP)
• HIPAA Compliance Manual (HCM)
• HIPAA Security Training (HST)
• HIPAA BA Contracts (HBC)
• Data Breach Notification Plan (DBP)
• HIPAA Security Operations (HSO): Govern, Implement, Monitor
Regulatory citations shown on the diagram: 45 CFR 164.308(a)(8); 45 CFR 164.308(a)(1)(ii)(A); 45 CFR 164.308(a)(1)(ii)(B); 45 CFR 164.308(a)(5)(i); 45 CFR 164.316(a); 45 CFR 164.316(b); 45 CFR Parts 160, 164 Subpart D
Clearwater Security Assessment
Educate | Assess | Plan Remediate | Document
Clearwater Security Assessment delivers clear value …
1. Assessment Wizard
2. Educational Tool
3. Advisory Guide
4. Remediation Management Tool
5. Executive Dashboard
6. Living Compliance Manual
7. Roadmap to Compliance
http://HIPAASecurityAssessment.com
Risk Analysis Methodology
What is Risk?
Risk = Impact * Likelihood
Goal = Understand What Risks Exist and Into What Category They Fall
… to determine Risk, one must consider threats and vulnerabilities
Threats Trigger Vulnerabilities…
Threat:
• Laptop with ePHI can be stolen
Vulnerabilities:
• No strong password
• ePHI is not encrypted
• No ability to destroy data
• Laptop is not backed up
Risks:
• Financial
• Political
• Legal
• Regulatory
• Operational impact
• Reputational
Regardless of the risk analysis methodology employed… (from HHS/OCR Final Guidance)
1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a)).
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
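The slides state the formula (Risk = Impact * Likelihood), the stolen-laptop threat with its four vulnerabilities, and steps 5 through 8 of the OCR guidance, but do not show the arithmetic of a risk register or how a residual risk is re-rated after a control is added. The following is an added example written for this transcript; it is not Clearwater's ToolKit™ or Excel Workbook and not part of the OCR guidance. The 1-5 likelihood and impact scales, the Low/Medium/High thresholds, the specific ratings given to each vulnerability, and the "Full-disk encryption" control are all assumptions chosen for illustration; the guidance leaves the scale and format to the organization.

```python
from dataclasses import dataclass, field, replace
from typing import List

# Constructed 1-5 rating scales. The HHS/OCR guidance requires that likelihood
# and impact be considered and documented but prescribes no scale, so these
# labels and numbers are an assumption for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskItem:
    """One threat/vulnerability pair against one ePHI asset (guidance steps 3-6)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                                   # 1-5, from LIKELIHOOD
    impact: int                                       # 1-5, from IMPACT
    controls: List[str] = field(default_factory=list)  # current measures (step 4)

    @property
    def score(self) -> int:
        # Risk = Impact * Likelihood (step 7): a value from 1 to 25 on these scales
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return categorize(self.score)


def categorize(score: int) -> str:
    """Bucket a 1-25 score into the category it falls in; thresholds are assumed."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def apply_control(item: RiskItem, control: str,
                  likelihood_drop: int = 0, impact_drop: int = 0) -> RiskItem:
    """Residual risk: re-rate the pair with one more control, never below 1.

    Returns a new RiskItem so the pre-mitigation rating stays in the record.
    """
    return replace(
        item,
        likelihood=max(1, item.likelihood - likelihood_drop),
        impact=max(1, item.impact - impact_drop),
        controls=item.controls + [control],
    )


def build_sample_register() -> List[RiskItem]:
    """Constructed register using the stolen-laptop example from the slides."""
    asset, threat = "Clinician laptop", "Laptop with ePHI can be stolen"
    items = [
        RiskItem(asset, threat, "ePHI is not encrypted",
                 LIKELIHOOD["likely"], IMPACT["severe"]),
        RiskItem(asset, threat, "No strong password",
                 LIKELIHOOD["likely"], IMPACT["major"]),
        RiskItem(asset, threat, "No ability to destroy data",
                 LIKELIHOOD["likely"], IMPACT["moderate"]),
        RiskItem(asset, threat, "Laptop is not backed up",
                 LIKELIHOOD["likely"], IMPACT["moderate"]),
    ]
    # Highest score first: this is the order in which remediation is prioritised
    return sorted(items, key=lambda i: i.score, reverse=True)


def residual_after_encryption(item: RiskItem) -> RiskItem:
    """Assumed control: the laptop is just as likely to be stolen, but the
    confidentiality impact of a stolen encrypted disk is rated four levels lower."""
    return apply_control(item, "Full-disk encryption with key escrow", impact_drop=4)


def summarize(items: List[RiskItem]) -> List[str]:
    """Step 8: one documented line per pair, ready for the written risk analysis."""
    return [f"{i.asset} | {i.threat} | {i.vulnerability} | "
            f"L={i.likelihood} I={i.impact} risk={i.score} ({i.level}) | "
            f"controls={', '.join(i.controls) or 'none'}" for i in items]


if __name__ == "__main__":
    register = build_sample_register()
    for line in summarize(register):
        print(line)
    print("\nResidual risk after mitigating the top item:")
    print(summarize([residual_after_encryption(register[0])])[0])
```

Because `apply_control` returns a new record rather than overwriting the old one, the register keeps both the inherent and the residual rating, which is what step 9 (periodic review) and an OCR reviewer will want to see side by side; the sorted order is what turns the analysis into a remediation work plan.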
EH & CAH Meaningful Use: EHs and CAHs 14 Core Objectives
1. Use CPOE for medication orders directly entered by any licensed healthcare professional who can enter orders into the medical record per State, local, and professional guidelines.
2. Implement drug-drug and drug-allergy interaction checks.
3. Maintain an up-to-date problem list of current and active diagnoses.
4. Maintain active medication list.
5. Maintain active medication allergy list.
6. Record specific set of demographics.
7. Record and chart specific changes in the certain vital
8. Record smoking for patients 13 years old or older.
9. Report hospital clinical quality measures to CMS or, in the case of Medicaid eligible hospitals, the States.
10. Implement one clinical decision support rule related to a high priority hospital condition along with the ability to track compliance with that rule.
11. Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, discharge summary, procedures), upon request.
12. Provide patients with an electronic copy of their discharge instructions at time of discharge, upon request.
13. Capability to exchange key clinical information (for example, problem list, medication list, medication allergies, and diagnostic test results), among providers of care and patient authorized entities electronically.
14. Protect electronic health information
Step-by-Step: Determine Residual Risk
HIPAA Security Risk Analysis
Inventory | Assess | Plan Remediate | Document
What You Receive – HIPAA Security Risk Analysis ToolKit™
• HIPAA Security Risk Analysis and Risk Management Methodology with Detailed Step-by-Step Instructions
• Comprehensive HIPAA Security Risk Analysis Excel Workbook Tool™, HIPAA Compliance Software
• HIPAA-HITECH Security Compliance Roadmap™
• Comprehensive HIPAA Security Glossary of Terms, included with Excel Tool™
• Executive Summary – Risk Analysis template
• HHS/OCR Final Guidance on Risk Analysis
• NIST Special Publications
• 60 minutes of complimentary email, telephone or web-meeting support
• Very Latest Updates on HITECH Act and NPRM Changes
HIPAA Security Risk Analysis ToolKit™ – More Information at: http://clearwatercompliance.com/hipaa-compliance-software/hipaa-it-security-risk-analysis-toolkit/
Comprehensive digital download navigation tool…
Steps to Complete A Security Compliance Assessment
1. Form a Cross-Functional Task Force
2. Set Business Risk Management Goals
3. Get Educated – Learn the Requirements and the Consequences
4. Build / Buy an Assessment Checklist or Software Tool Based on the Law
5. Set a Scoring Methodology
6. Assess Your HIPAA Security Compliance
7. Document Gaps
8. Develop a Preliminary Remediation Plan
Steps to Complete A HIPAA Meaningful Use Risk Analysis
1. Form a Cross-Functional Task Force
2. Set Business Risk Management Goals
3. Get Educated – Learn the Requirements and the Consequences
4. Build / Buy a Risk Analysis Software Tool Based on the HHS/OCR Final Guidance
5. Set a Scoring Methodology
6. Complete the HIPAA Risk Analysis Methodology
7. Document Control Gaps
8. Make Risk Mitigation Decisions
9. Prioritize Work Plans based on Risks
10. Execute Risk Mitigation Plan
Resources
HIPAA Security Resources
1. Health and Human Services – Office of Civil Rights, “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (http://abouthipaa.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf)
2. National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk Management Guide for Information Technology Systems” (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)
3. National Institute of Standards and Technology (NIST) Special Publication 800-33, “Underlying Technical Models for Information Technology Security” (http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf)
4. National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1, “A Resource Guide for Implementing The HIPAA Security Rule” (http://csrc.nist.gov/publications/PubsSPs.html)
5. National Institute of Standards and Technology (NIST) Special Publication 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems” (http://csrc.nist.gov/publications/nistpubs/800-14/Planguide.PDF)
6. National Institute of Standards and Technology (NIST) Special Publication 800-26, “Security Self-Assessment Guide for Information Technology Systems” (http://csrc.nist.gov/publications/nistpubs/800-26/Planguide.PDF)
7. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3 Final, “Recommended controls for Federal Information Systems and Organizations” (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf)
8. Notice of Public Rulemaking (NPRM) – “Modifications to HIPAA Privacy, Security and Enforcement Rules under The Health Information Technology for Economic and Clinical Health Act (HITECH)” (http://hipaasecurityassessment.com/wp-content/uploads/2010/07/Modifications-to-the-HIPAA-Privacy-Security-and-Enforcement-Rules-under-HITECH.pdf)
9. “HIPAA Security Final Rule” (http://abouthipaa.com/wp-content/uploads/HIPAA_Security_Final_Rule1.pdf)
http://AboutHIPAA.com/about-hipaa/resources/
High Value – High Impact HIPAA-HITECH WorkShop™
I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete QuickScreen™
II. ONSITE ASSESSMENT: A. Facilitate; B. Educate; C. Evaluate
III. WRITTEN REPORT: A. Findings; B. Observations; C. Recommendations
Durations shown on the slide: ½ Day, ½ Day, 1 Day
Summary: Security Evaluation vs. Risk Analysis
What’s similar:
• Both required by HIPAA Security Final Rule
• Both have been required since April 2005
• Both need “periodic” updates
• Both are somewhat complex
• Both help determine gaps
• Both help you become compliant with HIPAA Security
• Both are important and necessary
What’s Different:
• One is compliance-focused; one is exposure-focused
• One is “macro” level; the other more “micro”
• One is an overall compliance assessment; one is a risk assessment
• One is Forest-level; one is Trees/Weeds-level
• One is “named” in Meaningful Use Stage I Objectives
• One has specific ‘Final Guidance’ from OCR on how to perform
Upcoming HIPAA HITECH Webinars
Register Now! … at: http://AboutHIPAA.com/webinars/
Sign Up Today! – COMPLIMENTARY 30-DAY TRIAL
https://www.hipaasecurityassessment.com/signup#free-trial
Contact
Bob Chaput
http://[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
Why Now? – What We’re Hearing
“Our business partners (health plans) are demanding we become compliant…” – large national care management company (BA)
“We did work on Privacy, but have no idea where to begin with Security” – 6-Physician Pediatric Practice (CE)
“We want to proactively market our services by leveraging our HIPAA compliance status …” – large regional fulfillment house (BA)
“With all the recent changes and meaningful use requirements, we need to make sure we meet all The HITECH Act requirements …” – large family medicine group practice (CE)
“We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress…” – national research consortium (BA)
“We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently…” – seniors care management company (BA)
What Our Customers Say…
“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium
“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm
“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” – Director, Quality Assurance & Regulatory Affairs