9/9/2014
HCCA Boston Conference
Managing HIPAA Compliance
September 12, 2014
Private and Confidential
PwC
Current State Update
Threats, Breaches and Enforcement Actions
(oh my!)
Why are we discussing?
o $50 billion estimated annual losses to business from data and identity theft
o Audits of security / privacy requirements are coming... in fact, they have been here
o In 2013, the average cost per one lost or stolen record was $188; the average cost of data breaches for healthcare organizations over the past two years was approximately $2 million [1].
o Ninety percent of healthcare organizations have had at least one data breach in the past two years [1].
o 669 large breaches of over 500 affected individuals were reported to HHS over the past 3 years [2].
o 41% of healthcare data breaches are due to business associates/3rd parties [1].
Breaches and non-compliance can lead to significant impacts: brand, reputation, fines, lost revenue and/or regulatory sanctions
Companies often face direct financial impacts: investigations, legal fees, credit monitoring services for victims, reissuance of credit cards, government fines, and regulatory sanctions
[1] Source: Ponemon Institute Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014
[2] Source: U.S. Department of Health & Human Services, HHS.gov, March 2014
Causes of large* breaches (by # of breaches), January 2013 – March 2014
- Theft: 47%
- Unauthorized Access/Disclosure: 16%
- Other/Unknown: 15%
- Loss: 11%
- Hacking/IT Incident: 6%
- Improper Disposal: 5%
* Breaches involving 500 records or greater
Source of large* breach (by # of breaches), January 2013 – March 2014
- Laptop: 29%
- Paper: 20%
- Other: 19%
- Desktop Computer: 14%
- Email: 10%
- Network Server: 6%
- Electronic Medical Record: 2%
* Breaches involving 500 records or greater
2013 Enforcement Spotlight
Continued Activity Around Security Rule Compliance
Affinity Health Plan – over $1.2 million
- ePHI left on photocopier drives
Wellpoint – $1.7 million
- Faulty testing of programming updates left information accessible on web portal
Idaho State University – $400,000
- Disabled firewall exposed ePHI to breach
Adult & Pediatric Dermatology – $150,000
- Stolen unencrypted thumb drive; lacked risk analysis, and policies/procedures for breach notification
Privacy Was Also a Focus
Shasta Regional Medical Center – $275,000
- Patient medical records shared with media
Enforcement Action Lessons Learned
• Covered entities and their business associates must undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.
• Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.
• Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy, security and breach notification requirements to ensure patients’ rights, as well as the confidentiality of their health data, are fully protected.
Enforcement Action Lessons Learned
• Evaluate the risk to e-PHI when at rest on removable media, mobile devices and computer hard drives (and printers!)
• Take reasonable & appropriate measures to safeguard e-PHI
- Store e-PHI to a network versus on laptops, desktops or mobile devices
- Encrypt data on portable/movable devices & media
- Employ a remote device wipe solution to remove data when device is lost or stolen
- Train workforce members on how to effectively safeguard data and timely report security incidents
• Choose and implement an appropriate control framework to ensure compliance
Developments with the Final Rule Changes
• Business Associates - Now directly liable for compliance with requirements of HIPAA Privacy and Security Rules.
◦ Business Associate Agreements (BAAs) must be updated by September 22, 2014
• Increased Civil Penalties - HIPAA Enforcement Rule changes increase and tier civil money penalties provided under HITECH.
• HITECH established tiers of increasing penalty amounts, based on levels of culpability.
• NOW, Categories include:

Violation (Sect. 11769(a)(1))             Each Violation            Cap per Calendar Year
a) Did not know                           $100 - $50,000            $1.5 million
b) Reasonable Cause                       $1,000 - $50,000          $1.5 million
c) (i) Willful Neglect - corrected        $10,000 - $50,000         $1.5 million
d) (ii) Willful Neglect - not corrected   $50,000 - $1.5 million    $1.5 million
Looking Forward to 2015 and Beyond
Preparing for the Next Phases of OCR Audits
OCR Audit Program – Phase 1 and 2
• Given the large number of breaches of Protected Health Information (PHI) and the requirements for auditing within the HIPAA/HITECH legislation, the U.S. Department of Health & Human Services’ Office of Civil Rights (OCR) has increased its focus on conducting audits and investigations of Healthcare organizations.
• The OCR piloted its first Phase of audits in 2012 and used the information gained from that first phase to enhance the focus areas for Phase 2, which will include audits of 350 organizations in 2014.
• The following slides offer a recap of key data from Phase 1 findings as well as a preview of the upcoming Phase 2 program.
OCR Audit: Phase 1 Audit Protocol consisted of 11 Modules
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
OCR Audit: Phase 1 Privacy: Percentage of Findings by Areas of Focus
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
OCR Audit: Phase 1 Security: Percentage of Findings by Area of Focus
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
OCR Audit Phase 1: Cause Analysis – Top Elements
Privacy
• Notice of Privacy Practices
• Access of Individuals
• Minimum Necessary
• Authorizations
Security
• Risk Analysis
• Media Movement and Disposal
• Audit Controls Monitoring
• Access Control
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
OCR Audit: Phase 2 Set to Begin
• Federal auditors this summer are set to expand the number of privacy and security audits that were previously part of a HIPAA pilot program that wrapped up last year.
• The OCR plans to audit hundreds of providers, insurers and data warehouses, including business associates, to ensure they comply with new risk assessment and notification requirements.
• While the first phase focused primarily on the implementation of security and privacy protocols, the second phase focuses on enforcement of those measures.
• The OCR will conduct “desk audits” rather than on-site ones
• The audits will also focus on regulatory provisions that were the source of a high number of compliance failures during the pilot program, such as:
- the lack of a complete and accurate risk assessment
- access to protected health information
- authorizations for the disclosure of protected health information
- privacy notices and breach notification protocols.
OCR Audit: Phase 2 Timing
Period                      Activity
Spring 2014                 Covered Entity Address Verification
Summer 2014                 Pre-audit Surveys Sent to Covered Entity Pool
Fall 2014                   Notification and Data Request Letters Sent to Selected Entities
Two Weeks                   Period for Entity Response
October 2014 – June 2015    Covered Entity Audit Reviews
2015                        Business Associates
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
OCR Phase 2: Who Can Be Audited?
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
OCR Audit: Phase 2 Pre-Audit Survey
• OCR entity databases lack data for entity stratification
• Survey currently going through the Paperwork Reduction Act clearance process
• Questions address size, location, service types, contacts
• OCR will conduct address verification with entities this Spring
• Entities will receive link to on-line screening pre-survey this summer
• OCR expects to reach out to 550 - 800 entities
• OCR will use results of survey to select a projected 350 covered entities to audit
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
OCR Audit Phase 2: Approach
• Wide range (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories)
• Primarily internally staffed by OCR auditors
• Selected entities will receive notification and data requests in Fall 2014
• Entities will be asked to identify their business associates and provide their current contact information
• OCR will select business associate audit subjects for 2015 first wave from among the BAs identified by covered entities
• Comprehensive on site audits will be performed as resources allow
The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
PwC
OCR Audit Phase 2: Desk Audit Expectations
The information below is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)
• Data requests will specify content & file organization, file names, and any other document submission requirements.
• Only requested data submitted on time will be assessed.
• All documentation must be current as of the date of the request.
• Auditors will not have opportunity to contact the entity for clarifications or to ask for additional information, so it is critical that the documents accurately reflect the program.
• Submitting extraneous information may increase difficulty for auditor to find and assess the required items.
• Failure to submit response to requests may lead to referral for more detailed compliance review.
OCR Audit Phase 2: Audit Focus
2014
• Covered Entities
- Security – Risk Analysis and Risk Management
- Breach – Content and Timeliness of Notifications
2015
• Round 1 - Business Associates
- Security – Risk Analysis and Risk Management
- Breach – Breach Reporting to CE
• Round 2 - Covered Entities
- Security – Device and Media Controls, Transmission Security
- Privacy – Safeguards, Training to Policies and Procedures
2016 (Projected)
• Security: Encryption and Decryption, Facility Access Control (Physical)
• Other Areas of High Risk as Identified by 2014 Audits, Breach Reports and Complaints
Preparing for an Audit
1. Regular and thorough risk assessments
2. Refresh Policies and Procedures (and ensure process = policy)
3. Refresh and give training where needed
4. Conduct a self assessment of policy compliance
5. Conduct a risk assessment and execute risk management strategy (document decisions on risks and controls) – including vendors, BAAs, and the ‘cloud’
6. Document controls, gaps, and action plans to remediate basic HIPAA violations / inconsistencies
7. Conduct a pre-audit against HIPAA***
Advice from the OCR
Key #1: It’s always better to be telling OCR what your issues are rather than being told by OCR what they are.
Key #2: Maintain an “Audit Ready Culture and Program”
PwC’s View on 5 Key Steps to Readiness
#1. Develop HIPAA Control Framework (i.e., Based on OCR Protocol)
#2. Inventory Systems and Data Flow/Storage
#3. Conduct HIPAA Privacy/Security Risk Assessment(s)
#4. Implement Controls based on deltas
#5. Ongoing Monitoring and Control
Comparison of Third Party Reporting Options

Financial Reporting
- Relevant reporting standard: AT801 (aka SOC1, aka SSAE 16)
- What it reports on: Internal Controls over Financial Reporting; must relate to processing of financial information (e.g., revenue & receivables)
- Who uses it: Limited distribution; parties knowledgeable of the service org
- Resulting report: Attest opinion with description of systems and auditor tests/results
- Report issued by: Independent CPAs

Trust Services Principles & Criteria (SOC2)
- Relevant reporting standard: AT101 – SOC2
- What it reports on: Security, availability, processing integrity, confidentiality, and/or privacy controls
- Who uses it: Limited distribution; parties knowledgeable of the service org
- Resulting report: Attest opinion with description of systems and auditor tests/results
- Report issued by: Independent CPAs

Trust Services Principles & Criteria (SOC3)
- Relevant reporting standard: AT101 – SOC3
- What it reports on: Security, availability, processing integrity, confidentiality, and/or privacy controls
- Who uses it: Widely available; general public
- Resulting report: Branded report (e.g. SysTrust or WebTrust certificate)
- Report issued by: Independent CPAs

NIST / HIPAA
- Relevant reporting standard: AT101 – Custom
- What it reports on: NIST’s Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- Who uses it: Depends on nature of report and criteria reporting against
- Resulting report: Attest opinion with reference to relevant criteria (can include tests/results)
- Report issued by: Independent CPAs

HITRUST
- Relevant reporting standard: Proprietary – CSF Assurance Program
- What it reports on: Common Security Framework (CSF), a certifiable overarching framework incorporating security requirements at federal (HIPAA/HITECH), state, 3rd party (PCI, COBIT), and other (NIST, FTC, CMS) levels
- Who uses it: Limited distribution; specified parties
- Resulting report: Certificate, with background, mgmt rep, scope, test results, et al.
- Report issued by: HITRUST, based on approval by CSF Assessor (incl. PwC)
Presenter
Michael Parisi – Hartford, CT; Tel: (860) 241-7194
Email: [email protected]
Questions
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United States) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Privacy and Information Security: Be OCR Ready – Mass. Eye and Ear Case Study
Heather Fowles, CISSP, CISA
Director of Information Security and ISO
Mass. Eye and Ear
HCCA Boston Regional Conference
September 12, 2014
A Little Background and History….
Massachusetts Eye and Ear
• Independent 41-bed nonprofit specialty hospital located in Boston focused on treatment of eye, ear, nose and throat conditions
• Principally ambulatory – over 90% of surgical cases performed on an outpatient basis
• Close clinical affiliation with Massachusetts General Hospital
• Harvard Medical School teaching affiliate for Ophthalmology and Otolaryngology
Incident and Investigation
• Feb. 2010: unencrypted laptop stolen from Mass. Eye and Ear physician travelling overseas
– Database with Protected Health Information for >3500 patients and research subjects
• Apr. 2010: Mass. Eye and Ear reported the theft under the HITECH breach reporting rules
• Oct. 2010: US Dept. HHS OCR initiated investigation of Mass. Eye and Ear’s compliance with HIPAA Privacy, Security and Breach Notification rules
– Broad investigation, not limited to circumstances of theft
Resolution Agreement and Corrective Action Plan
• Sept. 2012: Mass. Eye and Ear and the OCR sign Resolution Agreement (RA)
– No admission / no concession
– 3-year Corrective Action Plan (CAP)
– Six areas of “Covered Conduct”
– Pay $1.5M settlement to OCR
Resolution Agreement and Corrective Action Plan (cont.)
Sept. 2012: CAP requirements
• Revise information security policies and procedures (subject to OCR approval)
– 10 minimum content requirements
• Re-train workforce
• Engage independent monitor to oversee compliance for three years
• Implement additional controls particularly around portable devices
Monitor and Monitor Plan
• Jan 2013: OCR approves Mass. Eye and Ear’s selection of PwC as its Monitor
• February-April 2013: PwC develops Monitor Plan
– Subject to OCR approval
– Validates Mass. Eye and Ear compliance with CAP
• Procedures to test specific CAP obligations regarding policies and procedures, risk analysis, training, incident management and workforce compliance
• 4 unannounced visits - main campus and 3 satellite facilities - every six months in addition to planned audit procedures
• Workforce Compliance tests based on HITRUST CSF controls - shared standard for internal risk analysis and Monitor reviews
– PwC to issue opinion to OCR every 6 months on Mass. Eye and Ear’s compliance for duration of CAP
Monitor Plan Development
Mapping exercise – CAP “Minimum Content” requirements to one or more HITRUST CSF controls
Twenty-five key CSF controls selected
Test procedures defined for each

Access Control
- 01.a Access Control Policy
- 01.e Review of User Access Rights
- 01.f Password Use
- 01.g Unattended User Equipment
- 01.j User Authentication for External Connections
- 01.n Network Connection Control
- 01.q User Identification and Authentication
- 01.t Session Time-out
- 01.x Mobile Computing and Communications
- 01.y Teleworking
Communications and Operations Management
- 09.aa Audit Logging
- 09.ab Monitoring System Use
- 09.o Management of Removable Media
- 09.s Information Exchange Policies and Procedures
- 09.u Physical Media in Transit
HR Security
- 02.f Disciplinary Process
- 02.i Removal of Access Rights
Asset Management
- 07.a Inventory of Assets
- 07.b Ownership of Assets
Information Systems Acquisition, Development, and Maintenance
- 10.f Policy on the Use of Cryptographic Controls
IS Policy
- 04.a Information Security Policy Document
- 04.b Review of the Information Security Policy
Information Security Incident Management
- 11.a Reporting Information Security Events
Organization of Information Security
- 05.b Information Security Coordination
Risk Management
- 03.b Performing Risk Assessments
Processes & Technology
• 2012-2014: Implement policies, procedures, enhanced processes and technology
– Information Security Policies and Procedures
– Information Security Training and Policy Certification
– Access Controls
• Enforce training and certification completion – disable network access for non-completion
• Automated daily checks – e.g. training completion, terminations
• Quarterly system access recertification
• Access request forms only able to be submitted for active workforce members in HR or credentialing system
Processes & Technology (cont.)
• 2012-2014: Implement policies, procedures, enhanced processes and technology
– HITRUST framework for annual risk analysis
– Outsourced IPS, log monitoring and vulnerability scanning
– Encryption
• Laptop – Bitlocker, Checkpoint, (TrueCrypt)
• Native smartphone encryption
• Encrypted USBs, external drives
– Inventory – electronic and manual
• Red/green sticker process for manual inventory
– Network Access Control – in process
Halfway through… CAP overview
[Figure: CAP timeline. Monitor Periods 1 and 2 complete, Monitor Period 3 in progress, Monitor Periods 4 through 6 future; six-month Monitor Period boundaries May 2013, November 2013, May 2014, November 2014, May 2015, November 2015; annual milestones May 2014, May 2015, May 2016. Deliverables plotted: Mass. Eye and Ear (MEE) completed and future deliverables (policy/procedure implementation, policy compliance certification and training, training updates, annual review of policies, policy update distribution, manual inventory reconciliation, risk analysis, implementation report, annual reports) and Monitor completed and future deliverables (unannounced Monitor visits, Monitor Period 1 through 6 reports).]
Lessons Learned…
Lessons Learned: Investigation and Response
• Reported breaches of over 500 records are a common trigger for OCR investigation
• Don’t expect an investigation to focus narrowly on the circumstances of a breach
• If you must report a large breach, prioritize addressing known information security/compliance weaknesses immediately
– Policies and procedures addressing HIPAA compliance requirements
– Risk analysis
– Workforce training and awareness
– Incident identification and response
– Portable device encryption
– Remediating specific weaknesses identified in risk analysis
– Clearly documenting rationale for risk acceptance decisions
Lessons Learned: Investigation and Response (cont.)
• Take the long view
– Collect documentation of HIPAA compliance from initial compliance dates forward, e.g.
• Policy and procedure adoption and review
• Risk analysis, risk remediation and risk acceptance decisions
• Implementation of physical, administrative and technical safeguards
– “If it wasn’t documented, it never happened.”
• If investigated, put best effort into initial response
– Ability to amplify responses later in process may be limited
Lessons Learned: Living with a CAP/Monitoring Arrangement
Monitor Selection:
• Better the devil you know
– Choose Monitor and team you know and can work with
• Other musts: independent, experienced with regulator, healthcare audit expertise, acceptable to OCR
• Agree up-front on standards
– Standards/risk framework-based approach (NIST, HITRUST etc.) can help identify, prevent issues
– Common language and “yardstick” for Monitor and internal risk analysis
– Not required by OCR, but various frameworks recommended/cited in guidance on risk analysis
Lessons Learned: Living with a CAP/Monitoring Arrangement (cont.)
Monitor Plan Development:
• CAP will dictate high-level Monitor Plan requirements, but negotiate the details
– Be realistic about organizational capabilities
– Align plan with organization’s policies, procedures, and information security/privacy/compliance priorities
– Align plan with current or planned technology and processes
• Monitor opinion on compliance vs. report of issues
– Consider audit rigor vs. audit process transparency trade-offs
Lessons Learned: Living with a CAP/Monitoring Arrangement (cont.)
Processes and Technology:
• Know the organization’s limits
• Save internal resources for tasks requiring knowledge of the organization and culture
• Go outside for commodity services
• Be realistic about resources needed
• Don’t underestimate effort for process changes
• Communicate
• Make lemonade!
• A CAP will focus the organization’s attention
• Opportunity to drive needed information security/compliance investments and improvements
Questions?
Privacy and Information Security:
Be OCR-Ready
Lessons Learned from the 3-year
Corrective Action Plan:
Deborah Adair
Director, Health Information Services/Privacy Officer
September 12, 2014
Questions: [email protected]
Physical Removal and Transport of Protected Health Information (PHI) & Personal Information (PI)
Official Terms of the CAP
• III. Term of CAP: “The period of compliance obligations assumed by MGH under this CAP shall begin on the Effective Date [2/14/2011] and conclude 3 years from the Monitor Plan Approval Date [7/11/2011] [i.e., CAP concludes 7/11/2014]…except that after this period MGH shall be obligated to: (a) submit the Annual Report for the final Reporting Period [2/14/2014 – 7/10/2014] and (b) comply with the document retention requirement [VII Document Retention…The office(s) responsible…shall maintain…all non-privileged documents and records relating to compliance with this CAP for 6 years from the Effective Date [i.e. retain through 2/14/2017]].”
• V. E.2.c Semi-Annual Monitor Reports: “Within 180 days of the Monitor Plan Approval Date, and once every 6 month period thereafter, the Monitor shall prepare a written report….MGH shall prepare a response to the Monitor Report…within 30 days of MGH’s receipt of the Monitor Report.”
• VI. B. Annual Reports: The one-year period after the Effective Date and each subsequent one-year period or portion thereof during the course of the period of compliance obligations shall be known as a “Reporting Period”. MGH shall submit Annual Reports to the Monitor…Such Annual Reports shall be incorporated into the Monitor Reports to HHS. MGH shall submit each Annual Report…no later than 60 days after the end of each corresponding Reporting Period.
• What does ‘conclude’ mean?
• New hires with hire date up through July 10 were expected to take CAP training.
• Weekly Policy Violations reporting continued through Aug 8.
• The Monitor’s Semi-Annual report was due July 9; our response to the Monitor report was due Aug 8.
• Our final Annual Report was due Sept 10.
• Hardcopy and electronic documents must be maintained through 2/14/2017.
Other Significant Dates - 2011
• Monitor Plan submitted March 30th with final approval by OCR on July 6th
• Three policies submitted to OCR on May 13th and approved on June 7th
• Health Stream CAP training opened up on June 20th.
• MGH had trained approximately 97% of our workforce by July 20th
Monitor Plan
• Privacy Office will report all policy violations to Monitor within 30 days of determination
• Monitor will start unannounced site visits
– Main Campus and offsite
– Will identify themselves to site management
– Will need a list of all workforce members
– May ask any workforce member about policies
– May inspect laptops, and portable USBs
Workforce Definition
• Defining and identifying > 30,000 workforce
• Non employees in PeopleSoft
• Nursing Students with new preceptor processes
• Clean up of reporting structures
• Verification of credentialing and privileges
• Accountability of Research increased
Implementation
• Privacy Office met every deadline for completion of training, reporting to the monitor and response to OCR
• No CAP violations during the three-year period
• No major HHS reportable incidents
• Policies and processes developed at MGH adopted by PHS and other sites
Training
• Negotiated HealthStream licenses for all workforce, now use consistent platform
• CAP training taken and documented in HealthStream
• More consistency in Privacy and Security training
• Sanctions applied more evenly across weekly and professional staff
• Policy violation consequences include turning off access
Questions: [email protected] (617) 726-6360
What Will be Covered in this Training:
Policy: Removal and Transport of PHI and PI
Take reasonable precautions to safeguard and secure the information at all times.
If you are not directly involved with patient care, you must have supervisor approval before removing PHI or PI.
Policy: Laptop Encryption
Encrypt laptops used for any business purposes, even personally owned laptops.
Policy: Portable USB Drive Encryption
Encrypted USB drives must be used when storing confidential data on USB drives.
Encryption and Applications
• Attestation database allows prompt identification of unencrypted use
• Changed attestation language for more clarity
• Run weekly reports and contact workforce directly
• Implemented ActiveSync for phones, BitLocker for PCs, and Syncplicity for cloud storage
Laptop Encryption Policy Violations
• MGH requires attestation signed by workforce on first day stating they will not use an unencrypted laptop for business purposes
• MGH requires electronic attestation every 90 days in conjunction with password change
• If individual attests ‘yes’ to use of laptop and ‘no’ to it being encrypted, immediate flag to Privacy and Security & individual contacted
• If attestation done in error, then corrected
• If no error, then policy violation reported to HR
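The laptop-encryption attestation flow just described (flag on a ‘yes’/‘no’ answer pair, clear it if the attestation was made in error, otherwise report a violation), together with the automated daily access checks from the Mass. Eye and Ear slides (disable network access for incomplete training or terminations; accept access requests only for active workforce members), can be written down as a small compliance check that runs over exported records. The code below is an added example written for this page; it is not code from MGH, Mass. Eye and Ear or PwC. The record fields, the use of the 90-day attestation cycle as an expiry threshold, and the sample records are assumptions.

```python
"""Added example: attestation and daily access checks over constructed records.
Not code from the presentation; field names, the expiry rule and the sample
data are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed: the 90-day re-attestation cycle from the slides is also used as the
# point after which an attestation is treated as expired.
ATTESTATION_INTERVAL = timedelta(days=90)


@dataclass
class Attestation:
    user: str
    signed_on: date
    uses_laptop: bool        # answered 'yes' to using a laptop for business
    laptop_encrypted: bool   # answered 'yes' to that laptop being encrypted
    # Outcome of the Privacy/Security follow-up contact, if it has happened:
    # None (not yet contacted), "error" (attested in error) or "confirmed".
    followup: Optional[str] = None


@dataclass
class WorkforceMember:
    user: str
    active: bool             # present and active in HR / credentialing system
    training_complete: bool  # required training and policy certification done
    network_access: bool     # currently holds a network account


def classify_attestation(att: Attestation, today: date) -> str:
    """Apply the slide's decision flow to one attestation record."""
    if today - att.signed_on > ATTESTATION_INTERVAL:
        return "expired"                      # overdue for the 90-day cycle
    if att.uses_laptop and not att.laptop_encrypted:
        if att.followup is None:
            return "flag"                     # immediate flag; contact the user
        if att.followup == "error":
            return "corrected"                # attestation done in error
        return "violation"                    # no error: report to HR
    return "ok"


def attestation_report(attestations, today: date) -> dict:
    """Group users by the outcome of classify_attestation."""
    report: dict = {}
    for att in attestations:
        report.setdefault(classify_attestation(att, today), []).append(att.user)
    return report


def daily_access_check(members) -> list:
    """Automated daily check: users whose network access should be disabled,
    because training/certification is incomplete or they are no longer active."""
    return sorted(m.user for m in members
                  if m.network_access and (not m.training_complete or not m.active))


def access_request_allowed(user: str, members) -> bool:
    """Access request forms may only be submitted for active workforce members."""
    member = next((m for m in members if m.user == user), None)
    return member is not None and member.active


# Constructed sample data (not real records).
TODAY = date(2014, 9, 12)
SAMPLE_ATTESTATIONS = [
    Attestation("alice", date(2014, 8, 1), True, True),
    Attestation("bob", date(2014, 8, 15), True, False),                      # flag
    Attestation("carol", date(2014, 7, 20), True, False, followup="error"),  # corrected
    Attestation("dave", date(2014, 7, 25), True, False, followup="confirmed"),  # violation
    Attestation("erin", date(2014, 5, 1), False, False),                     # >90 days old
]
SAMPLE_WORKFORCE = [
    WorkforceMember("alice", active=True, training_complete=True, network_access=True),
    WorkforceMember("bob", active=True, training_complete=False, network_access=True),
    WorkforceMember("frank", active=False, training_complete=True, network_access=True),
    WorkforceMember("grace", active=True, training_complete=False, network_access=False),
]

if __name__ == "__main__":
    for outcome, users in sorted(attestation_report(SAMPLE_ATTESTATIONS, TODAY).items()):
        print(f"{outcome:10s} {', '.join(users)}")
    print("disable access:", daily_access_check(SAMPLE_WORKFORCE))
    print("frank may request access:", access_request_allowed("frank", SAMPLE_WORKFORCE))
```

The point of keeping the three checks as separate pure functions is that each maps to one obligation the slides describe (attestation follow-up, daily access disablement, active-workforce gating of access requests), so the weekly report and the evidence for a Monitor visit can be produced from the same logic without re-deriving it by hand.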
Relationships
• Work done outside of silos, and gained cross-functional respect
• HR took on additional responsibilities for non employee documentation
• MGPO compensation supported new professional staff processes
• Police and Security agreed to new Badge ID process
• Shared best practices across Partners
Culture Shift
• MGH shifted to higher awareness and support of privacy and security of PHI
• Workforce are self reporting incidents:
– Calling concerned, wanting to do the right thing
– PHI brought to Privacy Office, very clean hospital
• Protecting Our Patients Privacy (POPP) program engaging staff in a positive way
Questions?
Time flies when you’re having fun!