The Must Have Tools to Address Your HIPAA Compliance Challenge

The Must Have Tools To Address Your Compliance Challenge

Upload: compliancy-group

Post on 24-Dec-2014


Category: Healthcare



DESCRIPTION

A panel of experts from the companies that were chosen as “5 Key tools to help your organization achieve HIPAA compliance”. In this webinar we will highlight ways for you and your organization to use tools to help make the task of HIPAA compliance easier and more effective.

Panelists:

•  Bob Grant, ex-HIPAA auditor and CCO of Compliancy Group LLC

•  Andy Nieto, Health IT Strategist at DataMotion

•  April Sage, Director of Healthcare IT at Online Tech

•  Asaf Cidon, CEO and co-founder of Sookasa

•  Daryl Glover, Exec VP Strategic Initiatives of qliqSOFT

TRANSCRIPT

Page 1: The must have tools to address your HIPAA compliance challenge

The Must Have Tools To Address Your Compliance Challenge

Page 2

855.85HIPAA  www.compliancygroup.com  

Industry leading Education

Certified Partner Program For Today

•  Please ask questions! (We are going to)

•  Today’s Slides http://compliancy-group.com/slides023/

•  Upcoming & past webinars: http://compliancy-group.com/webinar/

Get Involved

#cgwebinar

•  October 21 - Top 5 tools to help you achieve HIPAA compliance

•  November 11 - Saving time and money through web-based benefits administration and consolidated billing

Page 3

Question: What best describes your organization’s view of HIPAA compliance?

Page 4

The Must Have Tools to Address Your HIPAA Compliance Challenge - Email Encryption

Andy Nieto, Health IT Strategist

Page 5

Agenda

■  Introductions?

■  Has anybody not heard of HIPAA?

■  Three keys for successful email encryption

Page 6

First…

■  Utilize existing workflow

»  Easier for sender and receiver

»  Increased user acceptance

»  Often more efficient

Page 7

It’s not just technology

■  Cultivate a culture of compliance

»  Endorsed and practiced from the top down

»  Becomes a way of working

Page 8

Go beyond your own walls

■  Develop security risk awareness

»  Business Associates

»  Patients

»  Providers

Page 9

Thanks

Andy Nieto

Healthcare IT Strategist

[email protected]

973-455-1245 x240

Page 10

Question: Do you think Meaningful Use attestation makes you HIPAA compliant?

Page 11

Why a Risk Assessment is NOT enough!

Page 12

Step 1. Assess where you are against the regulation (GAP)

•  The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA

•  A risk analysis will help you attest to Meaningful Use Stage 1 Core Requirement 15

Step 2. Remediation Plan

•  Prove that you remediated the deficiencies identified in the risk analysis

•  For example, lack of Policies & Procedures, Training, Attestation, and IT deficiencies

What Do All Compliance Regulations Have In Common?

Page 13

Step 3. How do you illustrate your compliance plan?

•  Administrative

–  Policies & Procedures

•  Technical

–  IT security, including servers, routers, firewalls and devices with PHI on them

•  Physical

–  Security within physical locations of your practice(s)

Step 4. Creating a culture of compliance

•  Maintaining your compliance

•  Auditing your sites regularly

•  Refreshing your staff's training

Beyond a Risk Analysis

Page 14

***Only 11% of Covered Entities passed the audit, 70% of Covered Entities are not compliant***

“OCR determined that the most common cause of findings or observations was that the CE was entirely unaware of the requirement.”

“Pleading ignorance will not be a defense when OCR comes to call.”*

* http://www.govhealthit.com/news/steps-prep-phase-2-ocr-audits

What CMS, HHS & OCR is Saying

Page 15

Question: Have your Business Associates signed a BAA and provided the necessary documentation?

Page 16

www.onlinetech.com  Copyright 2014 Online Tech. All rights reserved.  CONFIDENTIAL  734.213.2020

HIPAA COMPLIANT CLOUDS

Should be:

•  Independently HIPAA audited to the OCR Audit Protocol Guidelines

•  Include encryption out of the box

–  FIPS 140-2 requires AES 256 bit encryption

–  End-to-end: All the way to the backup

•  Within high-availability data center with rigorous physical and network security safeguards

•  Give you options:

–  Not all private clouds can scale

–  Not all clouds provide compliant offsite backup & recovery

Page 17

CLOUD BACKUP & RECOVERY

•  Get offsite

•  Ask yourself, would Mr. FIPS approve?

•  What are your recovery options?

•  Can you fly/drive/walk/point to where your offsite backup data lives?

Page 18

CULTURE OF COMPLIANCE

•  “HIPAA Certified” = Healthcare’s unicorn

•  Ask for and read the independent audit report

•  Experience the culture for yourself

•  Partner or liability?

– Ask yourself, “will I sleep better here?”

Page 19

Question: When it comes to HIPAA non-compliance, what do you think is worse?

Page 20

[Chart] HIPAA Breaches Affecting 500+ Records 2006-2013 [Source: HHS]

Values shown: 46.01%, 13.04%, 12.96%, 12.31%, 9.43%, 4.92%, 1.31%

Categories shown: Portable Media, Network Server, Computer, Laptop, EMR, Paper, E-mail

Most breaches: lost/stolen devices

Page 21

Top HIPAA File Sharing Risks

1.  Device Loss with Unencrypted PHI

2.  Accidental Sharing of PHI

3.  Unencrypted PHI on Cloud?

Solved by BAA

Not Solved by BAA

Page 22

Products compared: Dropbox, Box, Google Drive, Sookasa + Dropbox

Criteria compared:

•  Signed BAA

•  On-device Encryption

•  Prevent Accidental Sharing

•  Access Control for On-device Data

•  End User Experience and Sync

•  Popularity (Network Effect)

Sookasa: Top 5 Tools

Page 23

Question: Generally speaking, how expensive do you think it is to encrypt?

Page 24

qliqSOFT, Inc.  www.qliqsoft.com

qliqCONNECT Secure, HIPAA-Compliant Mobile Messaging Solutions

Page 25

Risks to Healthcare CIO

•  Smartphones & BYOD - More healthcare providers are using their own smartphones.

•  SMS Texting - Physicians and nurses have discovered the effectiveness of texting.

•  HIPAA Violations - Increasing audits and financial penalties for HIPAA violations.

Page 26

Must haves for HIPAA compliant messaging

•  Full HIPAA-compliance

•  No PHI Stored on 3rd Party Vendor System

•  Public/Private Key Encryption

•  Increase in productivity and happiness of healthcare providers

Page 27

Security and Compliance

•  User authentication (Supports active directory)

•  Remote lock and data wipe

•  Configure message retention

•  Ability to audit user activity

•  Configurable password settings

Page 28

855.85HIPAA  www.compliancygroup.com  

Certified Partner Program

Q&A

•  Please ask questions! (We are going to)

•  Today’s Slides: http://compliancy-group.com/slides023/

•  Upcoming & Past webinars: http://compliancy-group.com/webinar/

•  October 21 - Top 5 Compliance Tools

•  November 11 - Saving time and money through Web-based Benefits administration and consolidated billing

Page 29

Our Panelists

•  Daryl Glover, Executive VP Strategic Initiatives, [email protected], 866-295-0451 Ext 103

•  Marc Haskelson, President/CEO of Compliancy Group, [email protected], 855-854-4722 Ext 507

•  April Sage, Director Healthcare IT, [email protected], 734-213-2020 Ext 113

•  Andy Nieto, Healthcare IT Strategist, [email protected], 973-455-1245 Ext 240

•  Asaf Cidon, CEO and Co-founder of Sookasa, [email protected], 888-675-4998
