
Page 1: What does “HIPAA Compliant” mean? (source: s3.amazonaws.com/rdcms-himss/files/production/public/..., 2015-06-02)

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

What does “HIPAA Compliant” mean?
Session 137, April 15, 2015

Dana DeMasters, MN, RN, CHPS, Privacy/Security Officer, Liberty Hospital
Tom Walsh, CISSP, President & CEO, tw-Security

Page 2

Conflict of Interest

• Dana DeMasters has no conflict of interest
• Tom Walsh has no conflict of interest

Page 3

Learning Objectives

• Explain the facts and myths surrounding the term “HIPAA compliant”

• Discuss some of the other tools and resources available for assessing and managing HIPAA compliance

• Present the approach used by a community-based hospital for conducting a self-assessment of its own compliance and that of its business associates

Page 4

Learning Objectives

• Provide examples of how to make compliance awareness and education more effective

• Rationalize why HIPAA compliance is a journey and not necessarily a destination

Start here

Page 5

HIPAA Compliance

Page 6

Myth versus Truth

Myth
• A product or service is “HIPAA Compliant”
  – How was the compliance determination made?

Truth
• There is no “HIPAA compliance certification”
  – No independent governing board or certification
  – No “Good Housekeeping Seal of Approval”
  – No “Angie’s List” for business associates

Page 7

Myth versus Truth

Truth
• An independent firm using staff with the appropriate credentials could render a professional opinion regarding an organization’s HIPAA compliance status
• Things to consider…
  – Evaluations or assessments are a “snapshot in time”
  – An organization could easily backslide on its compliance efforts, or significant changes could affect its overall compliance status

Page 8

HIPAA Compliance Tools

• OCR’s HIPAA Audit Program Protocol
• NIST Special Publications, 800 Series
• HITRUST

Page 9

Compliance Tools

• OCR’s HIPAA Audit Program Protocol
  – While not easy to use or the best tool available, it’s FREE and better than nothing at all
  – http://ocrnotifications.hhs.gov/hipaa.html
• NIST Special Publications – 800 Series
  – http://csrc.nist.gov/publications/PubsSPs.html
• HITRUST
  – Governance framework for HIPAA security and the Payment Card Industry Data Security Standard

Page 10

HIPAA Audit Program Protocol

Three components:

1. Privacy (77 criteria) – Most would not apply to a BA
2. Security (78 criteria) – Three would not apply to a BA
3. Breach Notification (10 criteria) – Seven N/A to a BA

“OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.”

Source: HHS website http://ocrnotifications.hhs.gov/hipaa.html

Page 11

HIPAA Audit Program Protocol (SAMPLE)

Page 12

Audit Test Procedures

• For each criterion, there are typically three stated measures within the audit procedures:
  1. “Inquire of management…” (Perception)
  2. “Obtain…” some type of document (Policy)
  3. “Observe…” validate that the safeguard and control is being followed (Practice)

• The three “P’s” needed to align:
  1. Perception
  2. Policy
  3. Practice

Page 13

Audit Test Procedures

A common “Audit Procedure” that would pertain to standards, policies, procedures, plans or any other forms of documentation…

“Determine if the covered entity's formal or informal policies and procedures have been updated, reviewed, and approved and on a periodic basis.”

1. Updated
2. Reviewed
3. Approved

Page 14

Audit Test Procedures

For any of the 22 Addressable Implementation Specifications of the HIPAA Security Rule… the same phrase is repeated:

If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

This needs to be documented in your book of evidence.

Page 15

Missing from the Protocol?

• Tablet
• Smartphone
• Mobile devices
• Personally-owned devices
• Portable media
  – External hard drives and USB thumb drives
• Data loss prevention
• Data leakage
• Change control
• Configuration management
• BYOD
• Mobile device management
• Wireless networks
• Texting
• Secure messaging
• Web portal
• Secure website (https)
• Router, switch, firewall
• Networking scans
• Penetration testing

Page 16

Also Missing…

• Biomed or Biomedical Devices
• Cloud
• Telecommuting
  – (such as remote coding and remote transcription)
• Telemedicine
• Teleradiology
• Social Security Numbers
• Software licensing (illegal software)
• Payment Card Industry Data Security Standard (PCI DSS)

Page 17

Liberty Hospital – Our Approach

Page 18

Self-Assessment

• At Liberty Hospital we:
  – Complete security risk analyses based upon NIST guidelines
  – Hold monthly Information Security Committee meetings and report to Corporate Compliance
  – Conduct an evaluation of compliance using the OCR’s HIPAA Audit Program Protocol
  – Complete HIPAA rounds

Page 19

Business Associates – New

Before agreeing to a new service offering …
• Contracts involving PHI (other than direct treatment) are assigned to the Compliance Dept.
• Determination is made if a BAA and Security Questionnaire are needed
  – Information Security Analyst
  – Privacy/Security Officer
• Contract administrator sends documents

Page 20

Business Associates – Current

• Depending on the business associate, the Compliance Department sends out either:
  – Attestation Letter
  or
  – Security Questionnaire

Note: Simple questionnaires could also be created for validating compliance with the applicable provisions of the Privacy and Breach Notification Rules

Reference additional handouts (See next slides)

Page 21

Page 22

Attestation Letter

Proof that all 24 HIPAA Security Rule standards and the 48 required implementation specifications are met

• Self certification
  – HIPAA Audit Program Protocol
  – HITRUST
  – COBIT
  – NIST
• Third-party
  – Independent Verification and Validation (IV&V) from a qualified firm

Page 23

Security Questionnaire

• Returned Security Questionnaires are reviewed by the Compliance Dept.
  – Sometimes a call is scheduled to review the form with the business associate to obtain clarification
• Compliance approves and signs
• Approval is then given to work with the vendor

Page 24

Other Security Audit Forms

• The SSAE 16 (or the old SAS 70) reports are only an evaluation of an organization’s internal controls
  – While these reports may demonstrate that some security practices exist, they do not mean that an organization is compliant with the HIPAA Security Rule standard
  – If used, always specify an SSAE 16 Type II, SOC2

Page 25

Getting Started – High Risks

• Started with smaller business associates first
  – Mom and pop shops
  – Outsourced services such as:
    • Transcriptionists
    • Coders
    • Billers (physician offices)
  – Collection agencies

A breach caused by a business associate may not be covered by your cyber-insurance

Page 26

Business Associates and Breaches

• As of December 31, 2014, 28% (336 incidents) of all reported breaches were caused by Business Associates/Business Partners, affecting 22,984,725 patients (55%) … of the breaches reported to HHS affecting over 500 patients since September 2009

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 27

Challenges in Obtaining Assurances

• Security Questionnaire
  – Business associates don’t like them
  – May not get returned
  – If returned, they are sometimes incomplete
• Attestation Letter
  – Honor system: Trusting the business associate
• Refusing to provide reasonable assurances (other than a signed BAA) of HIPAA compliance

Page 28

Audience Exercise

• What would you do if your largest business associate refuses to provide any proof of compliance with HIPAA?

• If the business associate is remotely hosting the electronic health record for a hospital or clinic that is attesting to Meaningful Use, are they obligated to communicate their risk analysis to a covered entity?

Page 29

Satisfactory Assurances

• Section 164.502(e) permits a CE to disclose protected health information to a business associate if the CE obtains satisfactory assurances, in the form of a written contract or other written arrangement

Page 30

Making Compliance Awareness More Effective

Page 31

Raising Awareness

At our hospital we have a fun-filled and educational Compliance Week every year

– “Comply with Me”
– “Let’s Get Ethical”
– Compliance cart
– Prizes
– Hospital newsletter
– HIPAA Awards

Page 32

Let’s Get Ethical

Information Security Analyst Privacy/Security Officer Compliance Officer/Risk Manager Compliance Auditor

Page 33

Meet Your Compliance Team

Page 34

Compliance is a Journey

Tom Dana

Enjoy your journey!

Page 35

Compliance is a Journey

• Compliance is not the only driver for security and privacy

• Information security and privacy make good business sense

• Documentation and demonstrated practices along with executive management support (leadership by example) are the best indicators of a real compliance program

Page 36

Questions?

• Dana DeMasters, MN, RN, CHPS
  Privacy/Security Officer, Liberty Hospital
  Liberty, MO
  [email protected]

• Tom Walsh, CISSP
  President & CEO, tw-Security
  Overland Park, KS
  [email protected]