
OCR’s Privacy, Security, and Breach Notification Compliance Audits are Underway: Is Your Organization Prepared?

by

Edward D. Jones III

CEO, Cornichon Healthcare Select, LLC

May 4, 2016

Presented In HIPAA Integrity Webinar sponsored by WEDI

May 4, 2016 www.HIPAAIntegrity.com 1


Introduction (1/4)

– On March 21, 2016, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Resources (HHS) initiated its long-awaited HIPAA Privacy and Security and HITECH Act Breach Notification Rule compliance audits, authorized under the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act on February 17, 2009.

– Compliance desk audits follow an earlier compliance audit program in 2012 that found only 11% compliance from covered entities audited.

– In the current audit round, all covered entities and business associates not currently being investigated for a complaint or breach are subject to selection for a compliance desk audit.

– Following several initial information inquiries, the compliance desk audits are expected to begin early this summer, with electronic responses to OCR due within 10 days after the date on the notice of audit.


Introduction (2/4)

• On April 1, 2016, OCR published on its Website the long-awaited Audit Protocol-Current, an update of OCR’s earlier audit protocols released in June 2012.

• The 2012 audit protocols were more tailored to guiding design and implementation of policies and procedures, whereas the 2016 audit protocols are more suited to OCR’s desk audit sample design.
  – Example: Breach Notification

• That being said, the 2016 audit protocols provide more detail in some instances for guiding design and implementation of policies and procedures, as examples in the Webinar will illustrate.

• HIPAA Integrity has built an easy-to-understand comparative table of 2012 and 2016 audit protocols and has linked each protocol set to the pertinent policies and procedures in HIPAA Integrity’s Compliance Tool Package.


Introduction (3/4)

• Two Key Definitions (Merriam-Webster’s Collegiate Dictionary, Eleventh Edition, 2003)

– Policy
  • “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.”
  • “a high level overall plan embracing the general goals and acceptable procedures especially of a government body.”

– Procedure
  • “a series of steps followed in a regular definite order.”

– Note. HIPAA and HITECH Act Safeguard Rules require policies and procedures to be in writing, which can be in electronic form, and be accessible to all covered entity and business associate workforce members, including management.


Introduction (4/4)

• This Webinar will:
  – Explain the 2016 compliance desk audit process.
  – Show examples of how the 2016 OCR audit protocols differ from OCR’s 2012 audit protocols.
  – Explain how audit protocols are just one of several guides needed to establish robust safeguard policies and procedures.
  – Describe how you can achieve and demonstrate timely compliance using the HIPAA Integrity Compliance Tool Package.
    • Valuable tools for covered entities and business associates to validate existing compliance efforts.
    • Valuable tools for covered entities and business associates just starting their compliance efforts.
    • Think of compliance as an investment in your business future, not an expense.
  – Provide a special HIPAA Integrity offer at the end of the Webinar for today’s Webinar participants.


Let’s Get Started–Current Compliance Audit Process

• Scope of the Current Compliance Audits
  – Provisions of the HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act Breach Notification Rule
  – Covered Entities and Business Associates

• “OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the efficacy of desk audits in evaluating the compliance efforts of the HIPAA regulated industry.”

• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.


Compliance Audit Process

• Objective of the Current Compliance Audits
  – “The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”


Compliance Audit Process

• Timeline of the Current Compliance Audits (1/3)

– “OCR’s HIPAA audit program is currently underway.”
  • Obtain and verify via email request covered entity contact information.
  • Obtain via email audit pre-screening questionnaire of organization characteristics (“size, type, and operations”) from health care providers, health plans, healthcare clearinghouses, and business associates.
    – http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html.

– Covered entities will be asked to identify their business associates.

» http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html.

– Data will be used to “develop pools of potential auditees” for random sampling of the audit pool(s): initially auditees covered entities, then business associates.


Compliance Audit Process

• Timeline of the Current Compliance Audits (2/3)

– “OCR’s HIPAA audit program is currently underway.”
  • Selected auditees will be notified by email of their selection and “asked to provide documents and other data in response to a document request letter, online via a new secure audit portal on OCR’s Website” within 10 business days of the information request. [emphasis added]

• OCR auditors will “review documentation and then develop and share draft findings with the entity.”

– If necessary, a site visit of three to five days could ensue “when OCR deems it appropriate”.

• Auditees will have an opportunity to review draft findings and provide written response(s) for inclusion in final audit report, completed 30 days after auditee’s response.

• OCR expects to conclude these compliance audits by end of 2016.


Compliance Audit Process

• Timeline of the Current Compliance Audits (3/3)

– “OCR’s HIPAA audit program is currently underway.”

• Note. “An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.”

– In this event, OCR will rely on publicly available sources to identify the potential auditee.

– “Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules.”


• OCR Compliance Enforcement
  – Covered entities and business associates retain the burden of proof under HHS compliance enforcement actions and must submit written records to HHS in an audit or investigation.

– Cooperation. HHS will seek cooperation of covered entities and business associates in obtaining compliance with Administrative Simplification provisions.

– Assistance. HHS, as part of its enforcement activities, may provide technical assistance to covered entities and business associates to help them comply voluntarily.

– Resolution Agreement and Corrective Action Plan if there is a determination of willful neglect, not corrected, as a result of a compliance audit or an investigation related to a complaint or a breach. Examples at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.


Compliance Audit Process

• From Compliance Audit -> Compliance Review (1/2)

– “Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public. In the event OCR receives such a request, we will abide by the FOIA regulations.”


Compliance Audit Process

• From Compliance Audit -> Compliance Review (2/2)

• What are Compliance Reviews?
  – HHS will conduct a compliance review to determine if a covered entity or business associate is complying with Administrative Simplification provisions if there is preliminary evidence indicating a potential violation due to willful neglect.

» HHS Office for Civil Rights (OCR) has enforcement authority for HIPAA Privacy and Security Rules, and HITECH Act Breach Notification Rule.

– HHS may conduct a compliance review to determine if a covered entity or business associate is complying with Administrative Simplification provisions in any other circumstance.

– A covered entity or business associate must permit access to HHS during normal business hours to review records pertaining to compliance, or at any time and without notice if there is evidence of exigent circumstances.


Compliance Audit Process

• How OCR will use compliance audit results
  – “Audits are primarily a compliance improvement activity. OCR will review and analyze information from the final reports. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”


• Breach
  – From September 23, 2009, HITECH Act Breach Reporting Date, to December 31, 2015:
    • 1,437 “large” breaches (affecting 500 or more individuals) impacting 154,368,781 individuals’ patient health records.
  – From January 1 to December 31, 2015:
    • 258 large breaches impacting 113,208,516 individuals’ patient health records.
    • In 2015, 258 large breaches represented 18% of total large breaches since the September 2009 reporting date, but 73% of patient records breached since that date.

Redspin, Breach Report 2015: Protected Health Information (PHI), February 2016. www.redspin.com.


• Breach
  – From September 23, 2009, HITECH Act Breach Reporting Date, to December 31, 2015:
    – Breached Organization
      • Covered Entity—79.8%
      • Business Associate—20.2%
    – Breached Record Type
      • Electronic—73.7%
      • Hard Copy (Paper and Film)—26.3%

Redspin, Breach Report 2015: Protected Health Information (PHI), February 2016. www.redspin.com.


• Breach

– “From 2009-2013, the primary cause of PHI breach was the loss or theft of unencrypted portable computing devices.”

– In 2015, “[nine] of the top 10 incidents and 98.1% of records breached were the result of hacking attacks/IT incidents.”

– “Because phishing attacks exploit human vulnerabilities rather than technical, healthcare organizations must step up their security awareness education efforts for all employees. They need to be better trained to recognize phishing schemes through social engineering testing and security awareness training. Policies may also need to be tightened.”

www.Redspin.com


• Breach
  – Costs
    • “The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.”
    • “If a healthcare organization has a breach, the average cost could be as high as $363.”
    • Costs include remediating the harm, notification of breach to affected individuals, and lost business.
  – Ponemon Institute 2015 Annual Survey (sponsored by IBM), available at: http://www.ponemon.org/blog/cost-of-data-breach-grows-as-does-frequency-of-attacks.


• “The threat level of cyber attacks on virtually every organization continues to increase, with more than half of companies reporting the loss of customer data as a result of distributed denial of service (DDoS) attacks, and three-quarters of organizations suffering a breach in 2015.”

--David Weldon, “Most organizations hit by data breaches in 2015,” Health Data Management, May 3, 2016.

• “The most difficult part of implementing information protection is people. Security is ultimately a ‘people problem,’ not a technology issue…. People do not always understand the value of the healthcare data they access, but healthcare organizations can remedy this issue by educating and training the people who collect, use, store, and share that information. In doing this, healthcare IT can ensure that employees are aware of the value of their data, and therefore more inclined to take the extra steps to protect that data and ensure adversaries are not able to intercept it…. Training is crucial.” [emphasis added]

--David Finn, Health IT Officer, Symantec, “Cybersecurity: Playing by the rules and defending your network,” Health Management Technology, March 2016.


• Three fundamental safeguard principles:
  – Confidentiality. Data or information are not made available or disclosed to unauthorized persons or processes.
  – Integrity. Data or information have not been altered or destroyed in an unauthorized manner.
  – Availability. Data or information are accessible and useable upon demand by an authorized person.

• These principles also are the foundation for rules and responsibilities of workforce members under the HIPAA Privacy Rule and HITECH Act Breach Notification Rule for safeguarding protected health information (PHI) when we broaden the definition of PHI and its identifiers to include information in hard copy and conveyed orally.

• These principles are achieved primarily through six implementations for demonstrating compliance.


• Six Key Compliance Implementations

1. Designating Privacy and Security Officials to manage safeguard efforts and ensure ongoing vigilance.

2. Conducting and periodically reviewing and updating an analysis of risks (threats and vulnerabilities) pertaining to creation, receipt, maintenance, and transmission of PHI to ensure that it is not impermissibly accessed, disclosed, or used by unauthorized persons or processes.

3. Identifying risk mitigation strategies and shaping safeguard policies and procedures based on risk analysis findings.

4. Training workforce members on “awareness and understanding” of safeguard policies and procedures.

5. Having in place and applying sanctions for safeguard violations.

6. Documenting all safeguard activities, actions, and assessments.


April 2016 Audit Protocols

• “The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These analyses are conducted using a comprehensive audit protocol that has been updated to reflect the Omnibus Final Rule. The audit protocol is organized by Rule and regulatory provision and addresses separately the elements of privacy, security, and breach notification. The audits performed assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review.”

• There are 365 pages of April 2016 Audit Protocols.


Enabling Rules (1/3)

• Privacy

– Standards for Privacy of Individually Identifiable Health Information: Final Rule. 67 FR 53182-53273, August 14, 2002. Compliance for covered entities: August 14, 2003.

• Security

– Security Standards: Final Rule. 68 FR 8334-8381, February 20, 2003. Compliance for covered entities: April 20, 2005.

• Breach Notification

– Breach Notification for Unsecured Protected Health Information: Interim Final Rule. 74 FR 42740-42770, August 24, 2009. Compliance for covered entities and business associates: September 23, 2009 (effective date for reporting breaches of PHI occurring on or after that date, with enforcement commencing for breaches occurring on or after February 22, 2010).

• Modifications Final Rule

– Modifications to HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and Genetic Information Nondiscrimination Act (GINA); Other Modifications to the HIPAA Rules: Final Rule. 78 FR 5566-5702, January 25, 2013. Compliance for covered entities and business associates: September 23, 2013.


Enabling Rules (2/3)

• Privacy

– Compliance for covered entities: August 14, 2003.

• Security

– Compliance for covered entities: April 20, 2005.

• Breach Notification

– Compliance for covered entities and business associates: September 23, 2009 (effective date for reporting breaches of PHI occurring on or after that date, with enforcement commencing for breaches occurring on or after February 22, 2010).

• Modifications Final Rule

– Compliance for covered entities and business associates: September 23, 2013.

– Note. If your organization has been in business since the compliance dates above, you may need to demonstrate that you have archived policies and procedures for the six years from creation or last action according to the Documentation Standard.


Enabling Rules (3/3)

• Each of these enabling regulations is accessible at: http://www.hhs.gov/hipaa/for-professionals/index.html or http://www.ecfr.gov/cgi-bin/text-idx?SID=d7016c224c7c49489e98a2394c19b404&mc=true&tpl=/ecfrbrowse/Title45/45CsubchapC.tpl.


OCR’s 2012 Audit Protocol: 45 CFR 164.530(j) PR, AR.10.1 Documentation

164.520 Notice of Privacy practices for protected health information. Inquire of management as to whether the documentation of privacy practices must be maintained in electronic or written form and retained for a period of six years.

Obtain and review documentation to determine if (1) the notice of privacy practices, and (2) acknowledgements for health care providers with direct patient relationships are maintained in electronic or written form and retained for a period of six years.

OCR’s April 2016 Audit Protocol: 45 CFR 164.530(j) PR, AR.10.1 Documentation

Does the entity maintain all required policies and procedures, written communication, and documentation in written or electronic form?

Are such documentations retained for the required time period?


OCR’s 2012 Audit Protocol: 45 CFR 164.312(a)(2)(i) SR, TS.1.1 Access Control – Unique User Identification

System Users Have Been Assigned a Unique Identifier.

Inquire of management as to how users are assigned unique user IDs. Obtain and review policies and/or procedures and evaluate the content in relation to the specified criteria to determine how user IDs are to be established and assigned and evaluate the content in relation to the specified criteria. Obtain and review user access lists for each in-scope application to determine if users are assigned a unique ID and evaluate the content in relation to the specified criteria for attributing IDs. For selected days, obtain and review user access logs to determine if user activity is tracked and reviewed on a periodic basis, and evaluate the content of the logs in relation to the specified criteria for access reviews.

OCR’s April 2016 Audit Protocol: 45 CFR 164.312(a)(2)(i) SR, TS.1.1 Access Control – Unique User Identification

Does the entity have policies and procedures regarding the assignment of unique user IDs to track user identity?

Does the entity assign unique user IDs to track user identity?

Obtain and review policies and procedures regarding the assignment of unique user IDs. Evaluate the content of the policies and procedures in relation to the specified performance criteria to determine how user IDs are to be established and assigned.

Obtain and review documentation demonstrating the assignment, creation, and use of unique user IDs in electronic information systems for users. Evaluate and determine if users are assigned a unique ID in accordance with the entity's policies and procedures for attributing new user IDs.


OCR’s 2012 Audit Protocol: 45 CFR 164.410 BN, N.4.1 BN, N.4.2 BN, N.4.3 Notification by a Business Associate

Notification by a Business Associate. Timeliness of Notification. Content of Notification.

Inquire of management as to whether there have been any breaches of unsecured PHI for a business associate and verify that the covered entity was notified. Obtain the standard business associate agreement to verify that the breach and notification elements are included in the agreement.

OCR’s April 2016 Audit Protocol: 45 CFR 164.410 BN, N.4.1 BN, N.4.2 BN, N.4.3 Notification by a Business Associate

164.410 - Notification by a Business Associate. Did the business associate or subcontractor determine that there were any breaches of unsecured PHI within the specified period?

If yes, obtain copies of the notification(s) sent by the business associate (or subcontractor) to the covered entity (or business associate for breaches by subcontractors). Evaluate whether the business associate or subcontractor sent the notifications consistent with the requirements at 164.410. Use sampling methodologies to select notifications to be reviewed and verify that the notices include the elements required by 164.410.


OCR’s 2012 Audit Protocol: 45 CFR 164.316(b)(1) SR, CP.2.0 Documentation

OCR’s April 2016 Audit Protocol: 45 CFR 164.316(b)(1) SR, CP.2.0 Documentation

Does the entity have policies and procedures to maintain written policies and procedures related to the security rule and written documents of (if any) actions, activities, or assessments required of the security rule?

Obtain and review policies and procedures regarding the maintenance of policies and procedures.

Obtain and review documentation demonstrating that policies and procedures are being maintained.

Obtain and review written documentation demonstrating the entity's action, activity or assessment that is required by the Security Rule. Evaluate and determine if such implementation is in accordance with related policies and procedures.


OCR’s 2012 Audit Protocol: 45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit

OCR’s April 2016 Audit Protocol: 45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit

Does the entity have policies and procedures in place regarding the retention of required documentation for six (6) years from the date of its creation or the date when it last was in effect?

Obtain and review documentation of policies and procedures for compliance with retention requirements.

Obtain and review documentation demonstrating that policies and procedures are being maintained for six (6) years from the date of its creation or the date when it last was in effect.

Obtain and review documentation demonstrating that an action, activity, or assessment is being maintained for six (6) years from the date of its creation or the date when it last was in effect. Evaluate and determine if such implementation is in accordance with related policies and procedures.


Sample Policy Related to OCR’s April 2016 Audit Protocol (1/2)

45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit

Sample Policy: Cornichon HC Select has implemented the required Time Limit implementation specification of the Documentation standard. Our organization retains all documentation pertaining to administrative, physical, and technical safeguard policies and procedures, and any related records of action, activity, or assessment related thereto, for 6 years from its creation or last record action, activity, or assessment. Our workforce members are required to be trained on and to comply with our Time Limit implementation specification of the Documentation standard, and are subject to sanctions for noncompliance. Our Security Official is responsible for documenting these policies and procedures and for evaluating their effectiveness as part of our ongoing risk analysis process.


Sample Procedures Related to OCR’s April 2016 Audit Protocol (2/2)

45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit

Sample Procedures: Cornichon HC Select has implemented the required Time Limit implementation specification of the Documentation standard. Our organization retains all current and archived documentation pertaining to administrative, physical, and technical safeguard policies and procedures, and any related records of action, activity, or assessment related thereto, for 6 years from its creation or last record action, activity, or assessment. Our organization uses online storage of and backs up all current and archived documentation. The Security Official is responsible for training all workforce members on accessing current read-only policy and procedure documentation based on Security Official assigned username/password authentication and permissions to each workforce member. Our Security Official is responsible for managing the Documentation standard and its Time Limit implementation specification.


OCR’s April 2016 Audit Protocol (1/4)

45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (1/4)

Does the entity have policies and procedures in place to document repairs and modifications to the physical components of a facility which are related to security?

Does the entity document repairs and modifications to the physical components of a facility which are related to security?

Obtain and review such policies and procedures related to maintaining maintenance records. Evaluate the content in relation to the specified performance criteria for documenting repairs and modifications to the physical components of a facility related to security.

Elements to review include but are not limited to:
• Workforce members’ roles and responsibilities in repairs and modification to the physical components
• Record keeping process of repairs and modification to the physical components
• Specification of when repairs or modification of physical security components are required
• Authorization process of repairs or modification of physical security components.

Obtain and review documentation demonstrating records of repairs and modifications to physical security components. Evaluate and determine if records of repairs and modifications are being tracked and reviewed on a periodic basis by authorized personnel.

Has the entity chosen to implement an alternative measure? If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.

Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.


OCR’s April 2016 Audit Protocol (2/4)

45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (2/4)

Does the entity have policies and procedures in place to document repairs and modifications to the physical components of a facility which are related to security?

Does the entity document repairs and modifications to the physical components of a facility which are related to security?


OCR’s April 2016 Audit Protocol (3/4)

45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (3/4)

Obtain and review such policies and procedures related to maintaining maintenance records. Evaluate the content in relation to the specified performance criteria for documenting repairs and modifications to the physical components of a facility related to security.

Elements to review include but are not limited to:
• Workforce members’ roles and responsibilities in repairs and modification to the physical components
• Record keeping process of repairs and modification to the physical components
• Specification of when repairs or modification of physical security components are required
• Authorization process of repairs or modification of physical security components.

Obtain and review documentation demonstrating records of repairs and modifications to physical security components. Evaluate and determine if records of repairs and modifications are being tracked and reviewed on periodic basis by authorized personnel.


April 2016 OCR Audit Protocol (4/4)

45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (4/4)

Has the entity chosen to implement an alternative measure?

If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.

Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.


OCR’s 2012 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis

Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.


OCR’s April 2016 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis (1/3)

Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?

Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?

Determine how the entity has implemented the requirements.

Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in the risk analysis, and how frequently the risk analysis will be reviewed and updated.


OCR’s April 2016 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis (2/3)

Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted. Evaluate and determine whether the risk analysis or other documentation contains:

• A defined scope that identifies all of its systems that create, receive, maintain, or transmit ePHI

• Details of identified threats and vulnerabilities

• Assessment of current security measures

• Impact and likelihood analysis

• Risk rating


OCR’s April 2016 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis (3/3)

Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any. Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.

If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any. If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why.


HIPAA Integrity Privacy Rule Codes | Privacy Rule Administrative Requirements Standards | Privacy Rule Administrative Requirements Implementation Specifications | Exhibits: HIPAA Integrity Privacy Rule Administrative Requirements Forms

Privacy Rule (PR) Administrative Requirements (AR)

PR AR 0 | Introduction to Administrative Requirements | |
PR AR 1.1 | Personnel Designations | Personnel Designations |
PR AR 2.1 | Training | Training | Privacy Safeguard Training for Workforce Members Log
PR AR 3.1 | Safeguards | Safeguards |
PR AR 4.1 | Complaints to the Covered Entity | Documentation of Complaints | Privacy Safeguard Complaint Log
PR AR 5.1 | Sanctions | Documentation |
PR AR 6.1 | Mitigation | |
PR AR 7.1 | Refraining from Intimidating or Retaliatory Acts | |
PR AR 8.1 | Waiver of Rights | |
PR AR 9.1 | Policies and Procedures | |
PR AR 9.2.1 | Changes to Policies and Procedures | Changes in Law |
PR AR 9.2.2 | | Changes to Privacy Practices Stated in the Notice |
PR AR 9.2.3 | | Changes to Other Policies or Procedures |
PR AR 10.1 | Documentation | Retention Period |
PR AR 11.1 | Group Health Plans | |


HIPAA Safeguard Security Rule Codes | Security Rule Safeguard Standards and Requirements | Security Rule Safeguard Implementation Specifications | Exhibits: HIPAA Safeguard Security Rule Forms

Security Rule (SR) Administrative Safeguards (AS) 45 CFR 164.308(a)

SR AS 0 | Introduction to Administrative Safeguard Standards | |
SR AS 1.0 | Security Management Process | |
SR AS 1.1 | | Risk Analysis (R) | HIPAA Safeguard Risk Analysis Template
SR AS 1.2 | | Risk Management (R) | Risk Analysis Report Log
SR AS 1.3 | | Sanction Policy (R) | Workforce Member Sanctions Policy Acknowledgement
SR AS 1.4 | | Information System Activity Review (R) |
SR AS 2.0 | Assigned Security Responsibility | | Security Safeguard Complaint Log
SR AS 3.0 | Workforce Security | |
SR AS 3.1 | | Authorization and/or Supervision (A) | 1. Workforce Member Authorization Acknowledgement; 2. Stationary Hardware Assignment and Encryption Log
SR AS 3.2 | | Workforce Clearance Procedure (A) | Workforce Member Background Check Log
SR AS 3.3 | | Termination Procedures (A) | 1. Workforce Member Exit Checklist; 2. Workforce Member Exit Interview Acknowledgement
SR AS 4.0 | Information Access Management | |
SR AS 4.1 | | Isolating Health Care Clearinghouse Functions (R) |
SR AS 4.2 | | Access Authorization (A) |
SR AS 4.3 | | Access Establishment and Modification (A) | 1. Workforce Member Right of Access Authorization Modification Acknowledgement; 2. Workforce Member Right of Access Authorization Modification Log



SR AS 5.0 | Security Awareness and Training | | Security Safeguard Training for Workforce Members Log
SR AS 5.1 | | Security Reminders (A) |
SR AS 5.2 | | Protection from Malicious Software (A) |
SR AS 5.3 | | Log-in Monitoring (A) |
SR AS 5.4 | | Password Management (A) |
SR AS 6.0 | Security Incident Procedures | |
SR AS 6.1 | | Response and Reporting (R) | Security Incident Report Log
SR AS 7.0 | Contingency Plan | |
SR AS 7.1 | | Data Backup Plan (R) |
SR AS 7.2 | | Disaster Recovery Plan (R) |
SR AS 7.3 | | Emergency Mode Operation Plan (R) |
SR AS 7.4 | | Testing and Revision Procedures (A) |
SR AS 7.5 | | Applications and Data Criticality Analysis (A) |
SR AS 8.0 | Evaluation | |

Security Rule (SR) Business Associate (BA) 45 CFR 164.308(b)

SR BA 0 | Introduction to Requirements for Business Associate Contracts or Other Arrangements for Contractors and Subcontractors | |
SR BA 1.0 | Written Contract or Other Arrangement | | Business Associate Agreement Status Tracking Log

Security Rule (SR) Physical Safeguards (PS) 45 CFR 164.310

SR PS 0 | Introduction to Physical Safeguard Standards | |
SR PS 1.0 | Facility Access Controls | |
SR PS 1.1 | | Contingency Operations (A) |
SR PS 1.2 | | Facility Security Plan (A) |
SR PS 1.3 | | Access Control and Validation Procedures (A) |
SR PS 1.4 | | Maintenance Records (A) | Maintenance Records Log



SR PS 2.0 | Workstation Use | |
SR PS 3.0 | Workstation Security | |
SR PS 4.0 | Device and Media Controls | |
SR PS 4.1 | | Disposal (R) | Log for Disposal of Hard Copy and Electronic Media Containing Protected Health Information (PHI)
SR PS 4.2 | | Media Re-use (R) | Log for Removal of Electronic Protected Health Information on Electronic Media Before Re-use
SR PS 4.3 | | Accountability (A) | 1. Log of Movements of Stationary Information Systems and Electronic Media; 2. Log of Use of Portable Electronic Media Outside of the Facility: Assignment and Encryption
SR PS 4.4 | | Data Backup and Storage (A) |

Security Rule (SR) Technical Safeguards (TS) 45 CFR 164.312

SR TS 0 | Introduction to Technical Safeguard Standards | |
SR TS 1.0 | Access Control | |
SR TS 1.1 | | Unique User Identification (R) |
SR TS 1.2 | | Emergency Access Procedure (R) | Emergency Access Log
SR TS 1.3 | | Automatic Log-off (A) |
SR TS 1.4 | | Encryption and Decryption (Data at Rest) (A) | Data at Rest Encryption Log
SR TS 2.0 | Audit Controls | |
SR TS 3.0 | Integrity | |
SR TS 3.1 | | Mechanism to Authenticate Electronic Protected Health Information (A) |
SR TS 4.0 | Person or Entity Authentication | |
SR TS 5.0 | Transmission Security | |
SR TS 5.1 | | Integrity Controls (A) |
SR TS 5.2 | | Encryption (Data in Motion) (A) | Data in Motion Encryption Log



Security Rule (SR) Compliance Protocols (CP) 45 CFR 164.316

SR CP 0 | Introduction to Policies and Procedures, and Documentation Standards | |
SR CP 1.0 | Policies and Procedures | |
SR CP 2.0 | Documentation | |
SR CP 2.1 | | Time Limit (R) |
SR CP 2.2 | | Availability (R) |
SR CP 2.3 | | Updates (R) |


• HIPAA Integrity … (1/2)

– Each HIPAA Integrity Compliance Tool Package is designed to facilitate compliance by a single physical facility of a covered entity or business associate that creates, receives, maintains, or transmits protected health information.

– HIPAA Integrity embeds a single physical facility purchaser’s designated corporate name in each safeguard compliance tool as part of the purchase fulfillment process. If you have multiple physical facilities, purchase additional HIPAA Integrity packages; when doing so, it is important to differentiate corporate facility names so that one physical facility’s risk analysis and physical safeguards are distinguished from those of another physical facility within the organization.

– HIPAA Integrity in Version 3.1 includes implementation guidance, a comparison of the 2012 and April 2016 OCR Audit Protocols—with links to pertinent policies and procedures—and online access to the latest versions of authoritative reference material from the National Institute of Standards and Technology (NIST); HHS, including OCR, the Centers for Medicare & Medicaid Services (CMS), and the Office of the National Coordinator for Health Information Technology (ONC); and other sources.


• HIPAA Integrity … (2/2)

– The HIPAA Integrity Compliance Tool Package includes access via an app for smart technology devices after download at no additional cost. Just log in on a smart device with your username and password and download the Package to the device.

– HIPAA Integrity also includes online practicums to help clients use the tools for implementing safeguard policies and procedures.

– HIPAA Integrity provides download regeneration for updates and version changes during the initial purchase year for $499 and annually thereafter at the purchaser’s option for an annual renewal fee of $99 per facility. HIPAA Integrity notifies your organization via email at renewal time.

– Today’s Webinar participants who purchase HIPAA Integrity initial year membership by 11:59 PM Friday, May 6, 2016, will receive the second year free.


• Just to Recap before QUESTIONS…

– HIPAA Integrity includes:

» Risk Analysis Template

» 92 Policies and Procedures for Privacy Rule Administrative Requirements, Security Rule, and Breach Notification Rule

» 22 Authorization and Maintenance Forms

» Concordance Linking Meaningful Use Stage 1 and 2 Security Measures with Pertinent HIPAA Security Rule standards

» Safeguard Training Curriculum in 5 Lessons and Test Questions for Administration by Privacy and Security Officials.

– This Summer, HIPAA Integrity Version 3.1 will launch, providing additional Privacy Rule policies and procedures pertaining to use and disclosure, PHI minimum use, and patient right of access to PHI, and integration of the April 2016 OCR Audit Protocols with their pertinent policies and procedures.

– HIPAA Integrity has been designed for self-assessment, but Cornichon Healthcare also conducts, on a consulting basis for healthcare clients, HIPAA/HITECH Act compliance gap analysis, risk assessment, and preparation for an ISO/IEC 27001:2013 information security management system (ISMS) control audit.


• For further information on HIPAA Integrity, please contact Craig D. Maynard at [email protected].

• For further information on Cornichon consulting on HIPAA/HITECH or ISO/IEC 27001:2013, please contact Ed Jones at [email protected] or at 843-412-0425.