DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
What does “HIPAA Compliant” mean?
Session 137, April 15, 2015
Dana DeMasters, MN, RN, CHPS, Privacy/Security Officer, Liberty Hospital
Tom Walsh, CISSP, President & CEO, tw-Security
Conflict of Interest
• Dana DeMasters has no conflict of interest
• Tom Walsh has no conflict of interest
Learning Objectives
• Explain the facts and myths surrounding the term “HIPAA compliant”
• Discuss some of the other tools and resources available for assessing and managing HIPAA compliance
• Present the approach used by a community-based hospital for conducting a self-assessment of its own compliance and that of its business associates
• Provide examples of how to make compliance awareness and education more effective
• Rationalize why HIPAA compliance is a journey and not necessarily a destination
HIPAA Compliance
Myth versus Truth
Myth
• A product or service is “HIPAA Compliant”
– How was the compliance determination made?
Truth
• There is no “HIPAA compliance certification”
– No independent governing board or certification
– No “Good Housekeeping Seal of Approval”
– No “Angie’s List” for business associates
• An independent firm using staff with the appropriate credentials could render a professional opinion regarding an organization’s HIPAA compliance status
• Things to consider…
– Evaluations or assessments are a “snapshot in time”
– An organization could easily backslide on their compliance efforts, or significant changes could impact their overall compliance status
HIPAA Compliance Tools
• OCR’s HIPAA Audit Program Protocol
• NIST Special Publications, 800 Series
• HITRUST
Compliance Tools
• OCR’s HIPAA Audit Program Protocol
– While not easy to use or the best tool available, it’s FREE and better than nothing at all
– http://ocrnotifications.hhs.gov/hipaa.html
• NIST Special Publications – 800 Series
– http://csrc.nist.gov/publications/PubsSPs.html
• HITRUST
– Governance framework for HIPAA security and the Payment Card Industry Data Security Standard
HIPAA Audit Program Protocol
Three components:
1. Privacy (77 criteria) – Most would not apply to a BA
2. Security (78 criteria) – Three would not apply to a BA
3. Breach Notification (10 criteria) – Seven N/A to a BA
“OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.”
Source: HHS website, http://ocrnotifications.hhs.gov/hipaa.html
HIPAA Audit Program Protocol (SAMPLE)
Audit Test Procedures
• For each criterion, there are typically three stated measures within the audit procedures:
1. “Inquire of management…” (Perception)
2. “Obtain…” some type of document (Policy)
3. “Observe…” validate that the safeguard and control is being followed (Practice)
• The three “P’s” need to align:
1. Perception
2. Policy
3. Practice
Audit Test Procedures
A common “Audit Procedure” that would pertain to standards, policies, procedures, plans or any other forms of documentation…
“Determine if the covered entity's formal or informal policies and procedures have been updated, reviewed, and approved and on a periodic basis.”
1. Updated
2. Reviewed
3. Approved
Audit Test Procedures
For any of the 22 Addressable Implementation Specifications of the HIPAA Security Rule… the same phrase is repeated:
If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.
This needs to be documented in your book of evidence.
Missing from the Protocol?
• Tablet
• Smartphone
• Mobile devices
• Personally-owned devices
• Portable media
– External hard drives and USB thumb drives
• Data loss prevention
• Data leakage
• Change control
• Configuration management
• BYOD
• Mobile device management
• Wireless networks
• Texting
• Secure messaging
• Web portal
• Secure website (https)
• Router, switch, firewall
• Networking scans
• Penetration testing
Also Missing…
• Biomed or Biomedical Devices
• Cloud
• Telecommuting
– (such as remote coding and remote transcription)
• Telemedicine
• Teleradiology
• Social Security Numbers
• Software licensing (illegal software)
• Payment Card Industry Data Security Standard (PCI DSS)
Liberty Hospital – Our Approach
Self-Assessment
• At Liberty Hospital we:
– Complete security risk analyses based upon NIST guidelines
– Hold monthly Information Security Committee meetings and report to Corporate Compliance
– Conduct an evaluation of compliance using the OCR’s HIPAA Audit Program Protocol
– Complete HIPAA rounds
Business Associates – New
Before agreeing to a new service offering…
• Contracts involving PHI (other than direct treatment) are assigned to the Compliance Dept.
• Determination is made if a BAA and Security Questionnaire are needed
– Information Security Analyst
– Privacy/Security Officer
• Contract administrator sends documents
Business Associates – Current
• Depending on the business associate, the Compliance Department sends out either:
– Attestation Letter, or
– Security Questionnaire
Note: Simple questionnaires could also be created for validating compliance with the applicable provisions of the Privacy and Breach Notification Rules
Reference additional handouts (see next slides)
Attestation Letter
Proof that all 24 HIPAA Security Rule standards and the 48 required implementation specifications are met
• Self certification
– HIPAA Audit Program Protocol
– HITRUST
– COBIT
– NIST
• Third-party
– Independent Verification and Validation (IV&V) from a qualified firm
Security Questionnaire
• Returned Security Questionnaires are reviewed by the Compliance Dept.
– Sometimes a call is scheduled to review the form with the business associate to obtain clarification
• Compliance approves and signs
• Approval is then given to work with the vendor
Other Security Audit Forms
• The SSAE 16 (or the old SAS 70) reports are only an evaluation of an organization’s internal controls
– While these reports may demonstrate that some security practices exist, they do not mean that an organization is compliant with the HIPAA Security Rule standard
– If used, always specify an SSAE 16 Type II, SOC2
Getting Started – High Risks
• Started with smaller business associates first
– Mom and pop shops
– Outsourced services such as:
• Transcriptionists
• Coders
• Billers (physician offices)
– Collection agencies
A breach caused by a business associate may not be covered by your cyber-insurance
Business Associates and Breaches
• As of December 31, 2014, 28% (336 incidents) of all reported breaches were caused by Business Associates/Business Partners, affecting 22,984,725 patients (55%)
… of the breaches reported to HHS affecting over 500 patients since September 2009
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Challenges in Obtaining Assurances
• Security Questionnaire
– Business associates don’t like them
– May not get returned
– If returned, they are sometimes incomplete
• Attestation Letter
– Honor system: trusting the business associate
• Refusing to provide reasonable assurances (other than a signed BAA) of HIPAA compliance
Audience Exercise
• What would you do if your largest business associate refuses to provide any proof of compliance with HIPAA?
• If the business associate is remotely hosting the electronic health record for a hospital or clinic that is attesting to Meaningful Use, are they obligated to communicate their risk analysis to a covered entity?
Satisfactory Assurances
• Section 164.502(e) permits a CE to disclose protected health information to a business associate if the CE obtains satisfactory assurances, in the form of a written contract or other written arrangement
Making Compliance Awareness More Effective
Raising Awareness
At our hospital we have a fun-filled and educational Compliance Week every year
– “Comply with Me”
– “Let’s Get Ethical”
– Compliance cart
– Prizes
– Hospital newsletter
– HIPAA Awards
Let’s Get Ethical (photo slide)
Meet Your Compliance Team (photo slide)
• Information Security Analyst
• Privacy/Security Officer
• Compliance Officer/Risk Manager
• Compliance Auditor
Compliance is a Journey
(Photo slide: Tom, Dana) Enjoy your journey!
• Compliance is not the only driver for security and privacy
• Information security and privacy make good business sense
• Documentation and demonstrated practices along with executive management support (leadership by example) are the best indicators of a real compliance program
Questions?
• Dana DeMasters, MN, RN, CHPS, Privacy/Security Officer, Liberty Hospital, Liberty, MO, [email protected]
• Tom Walsh, CISSP, President & CEO, tw-Security, Overland Park, KS, [email protected]