The Compliancy Group features a FREE HIPAA education series. Please view our profile to see all of our webinars or visit us at www.compliancy-group.com
855.85HIPAA www.compliancygroup.com
Industry leading Education
• Please ask questions
• #CGwebinar
• Today's slides are available at http://compliancy-group.com/slides023/
• Past webinars and recordings: http://compliancy-group.com/webinar/
This document may not be reproduced, transmitted, or distributed without the prior permission of All Medical Solutions
Ensuring Patient Privacy The Need to Monitor for Inappropriate Access to ePHI
© Copyright 2013 All Medical Solutions
Introduction
About the Speaker: Stephen Salinas serves as Senior Business Development Consultant and Channel Manager at All Medical Solutions (AMS). While at AMS, Stephen has worked alongside California's two most successful Regional Extension Centers (HITEC-LA and COREC), overseeing the successful adoption of EHR technology and Meaningful Use by over 1,200 California physicians.
About All Medical Solutions: All Medical Solutions (AMS) is a healthcare organization consultancy and solutions development division of Fusion Systems Co., Ltd., a global Information Technology Solutions consulting business. Based in California, AMS has over 20 years of experience in developing proprietary technology products for Fortune 500 companies and over 10 years in bringing tailored and insightful solutions to national and regional healthcare providers. As a Service Partner of two RECs, AMS has witnessed first-hand the many issues healthcare organizations face with regard to HIPAA and Meaningful Use. AMS launched SPHER™ in 2013, an online state-of-the-art Electronic Health Record (EHR) monitoring solution which fulfills federal HIPAA audit requirements. For more information, go to amsspher.com.
Today's Topic:
Ensuring Patient Privacy: The Need to Monitor for Inappropriate Access to ePHI
A look into the current state of healthcare and security, your obligations under HIPAA to monitor user activity in your EHR to ensure patient privacy rights are protected, and an outline of what should be done to protect your organization from the threat of a privacy breach.
Agenda
The Need to Become Compliant with HIPAA
• The current state of healthcare and security
• Results of the OCR Pilot HIPAA Audits of 2012
• User Activity Monitoring – the #1 security deficiency
• The official OCR HIPAA Audits enforced in 2013
A Deeper Dive into User Activity Monitoring (Privacy Monitoring)
• The importance of User Activity Monitoring
• User Activity Monitoring references in HIPAA and Meaningful Use
• Identifying the hurdles organizations face when aiming for compliance
• How to correctly implement, document, and maintain a Privacy Monitoring program
Re-evaluating Your Current Security Posture
• The need to prioritize Privacy Monitoring and Workforce Education
• Case Studies
What is a Privacy Breach?
According to HIPAA, “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.”
– 4 factors:
• Nature and extent of the PHI involved
• The unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI was actually acquired or viewed
• Extent to which the risk to the PHI has been mitigated
The Current State of Healthcare and Security
The cost of a Privacy Breach
• The healthcare industry loses $7 Billion a year due to privacy breaches
• Average cost of a privacy breach = $2.4 million
• 94% of healthcare organizations have had at least one data breach in the last two years
• Compared to all other industries in the US, healthcare had the highest per capita breach cost
• 54% of organizations have little or no confidence they can quickly detect privacy breaches (Ponemon Institute)
The Need to be Compliant with HIPAA
“The HIPAA/HITECH rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of [the Office of Civil Rights] to vigorously enforce the HIPAA privacy and security protections.” (Leon Rodriguez, Head of OCR)
The Driver for HIPAA/HITECH Audits
• Section 13411 of the HITECH Act – Mandatory audits will occur separately from the standard audits now in place.
• US Government Accountability Office GAO-12-481 – GAO evaluates the HITECH EHR/Meaningful Use Incentive Program managed by CMS
  – Proposes the need for “Meaningful Use Audits” to ensure hospitals and providers participating in the program have not falsely attested to achieving Meaningful Use
  – 10% of Hospitals and 20% of Providers that attested for Meaningful Use will be audited
• HIPAA Omnibus Final Rule redefines and increases Civil Monetary Penalties
  – Civil Money Penalties (CMPs) for covered entities have been increased to a $1.5 million cap per violation for violations due to willful neglect (“did not know”)
  – Willful Neglect – Not Corrected: defined as a breach resulting from an intentional failure or reckless indifference of HIPAA obligations, where the breach was not corrected immediately after discovery. Violations are counted as the number of patient records affected.
• HHS Contracts KPMG – 2012 Audit Pilot Program
  – 115 Covered Entities (CEs) audited during Q4 2012
  – Selection of CEs was random, and not based on prior HIPAA infractions
  – #1 Discrepancy: NO User Activity Monitoring
KPMG Pilot Audits: Privacy/Security/Breach Non-Compliance
*Reused with permission from Adam H. Greene, JD, MPH, from the PPN Final Omnibus Presentation
KPMG Findings – Top 9 Security Issues
Auditors reported that the CEs “did not know” it was required
HIPAA/HITECH Audits Occurring in 2013
• Covered Entities can expect two (2) separate audits where they will be required to demonstrate HIPAA Compliance
  – Q1 2013 – CMS Meaningful Use (MU) Audits
  – Q4 2013 – HHS OCR Privacy/Security/Breach Audit Program
CMS Meaningful Use Audits
• Q1 2013 – CMS Meaningful Use (MU) Audits
  – 10% of Hospitals and 20% of Providers will be audited and must be able to demonstrate that they met the required MU criteria
  – If an audited entity has failed to correctly attest to even a single metric, that participant will be required to return all of the funds and face the possibility of fraud charges
  – Specifically MU Core Measure 14 for Hospitals and MU Core Measure 15 for Providers (HIPAA Security Rule Compliance)
    • Measure: Conduct or review a security risk analysis in accordance with § 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.
    • You will be required to submit a copy of your Security Risk Assessment as well as an outline of your risk management process showing the security safeguards (? policies and procedures) both implemented to date and in progress.
  – If the entity is unable to demonstrate compliance with the HIPAA Security Rule, the entity may be subject to the more stringent HHS OCR Audit
HHS OCR Audit Program
• Q4 2013 – HHS OCR Privacy/Security/Breach Audit Program
• Increased number of Audit Protocol Procedures compared to the OCR KPMG Pilot Audit Program
  – Privacy Audit Procedures 68 → 81
  – Security Audit Procedures 77 → 78
    • 9 of the Audit Procedures directly relate to User Activity Monitoring
  – Breach Notification Audit Procedures 10
Learn more about the HIPAA Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
The OCR Audit Process
• Advance 30-90 day notification by mail
• 15 day deadline to respond to a large documentation request
• 3-5 day on-site data collection by up to 5 auditors
  – Interviews of key personnel and assorted staff members, site walkthroughs, operational reviews, and requests for further information
• Draft report issued, 10 day window to respond
• Final report issued, imposing CMPs and corrective action
Process flow:
1. Notification letter and request for documentation sent to Covered Entity
2. Receiving and reviewing documentation and planning the audit field work
3. On-site field work
4. Draft audit report
5. Covered Entity reviews and comments on the draft audit report
6. Final audit report
A Deeper Dive into User Activity Monitoring
HIPAA requires user activity monitoring
You must review your EHR audit logs for inappropriate access
Protect your Patients' Privacy by adhering to the law
What is Inappropriate Access and Disclosure?
• HHS outlines what is defined as inappropriate access and disclosure under the HIPAA Privacy Rule:
“HIPAA is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.”
Outline the Problem
• Internal workforce and 3rd parties have access to your patients' ePHI
• You grant access to PHI under the assumption that privacy policies will be followed in the strictest sense
• New information systems put in place (EHR)
• Implementing new policies, procedures, and security safeguards is an afterthought
• Staff not effectively educated on the new policies and procedures
• Management not strictly and routinely enforcing
• Current and newly adopted policies and procedures may not be strong enough and will need to be revised
• It is the covered entity's responsibility to monitor all access to ePHI, including access granted to Business Associates
• Your Risk/Vulnerability of facing an internal privacy breach is high
HIPAA Security Related Regulations
HIPAA Security Rules
• Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 164.308(a)(1)(ii)(D)
• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 164.312(B)
• Implement procedures for monitoring log-in attempts and reporting discrepancies. § 164.308(a)(5)(ii)(C)
• Retain required documentation of policies, procedures, actions, activities or assessments required by the HIPAA Security Rule for six years from the date of its creation or the date when it last was in effect, whichever is later. § 164.316(B)(1)(ii)
Meaningful Use Requirements
• ONC certification for EHR technology requires an EHR to produce an audit log. § 170.302(r)
• Conduct a Security Risk Assessment per HIPAA § 164.308(a)(1), implementing security updates as necessary and correcting deficiencies… Meaningful Use Core Measure 14 for Hospitals, 15 for Providers
Insurance Exclusions
• “For arising out of or resulting from any act, error, omission, incident, failure of Computer Security.”
• “Based upon, arising from, or in consequence of any claim or proceeding brought by or on behalf of any federal, state, or local government agency or authority; or licensing or regulatory organization.”
Due to the increasing number of ePHI related breaches since the adoption of EHR, insurance companies are utilizing their exclusion clauses. Many policies do not cover breaches due to reckless indifference of HIPAA obligations (willful neglect).
• Civil Money Penalties (CMPs) mandated by the OCR and Class Action Lawsuits
• Costs associated with fulfilling breach notification requirements and loss of income due to site failure
• Credit card monitoring services for affected patients, etc.
If found negligent, the Insurance Carrier is not obligated to pay these.
Source: Beazley, Chubb, Doctors Company, Lloyds of London
Common Misconceptions
• This is a responsibility that is supposed to be handled by my EHR vendor (or other health information system)
  – As required by Federal ONC-Certification for EHRs, their obligation to the client is to ensure that their system is audit capable, i.e. that it can generate a “human readable” audit log
• This is a responsibility that can be handled by my IT department
  – Reviewing audit logs requires practical knowledge of healthcare workflow as well as the organization's policies and procedures; this is the responsibility of the privacy/security department
Why is user activity monitoring important?
“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious. Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey.” (Larry Ponemon, Chairman of Ponemon Institute)
What does the audit log tell you?
5 Core Audit Log Attributes
• Date – Provides a precise date for organizations to see who has accessed patient information
• Time – Provides a precise time for organizations to see who has accessed patient information
• User – Provides a clear definition of all user access within organizations, to know who has data privileges
• Patient – Maintains a record of all authorized and unauthorized access to specific patient information
• Action – Must be recorded when health information is viewed, created, modified, exported, or deleted
Full Review vs Partial Review
The Facts:
• Auditing takes so many resources and so much time that it is near impossible to do manually.
The Math:
• Time for auditing 1 line: ~15 seconds
  – Event correlation – Is this specific activity permitted?
  – Users of the EHR: Staff, HIE, Vendors, etc.
• Calculations for level of effort*:
  – Average daily audit log: ~3560 lines per provider (3 to 4 staff)
• 100% review by use of trained staff and an automated incident detection tool is the NIST standard**

Range   Day           Week          Month          Year
100%    14.83 hours   74.16 hours   296.60 hours   3,559 hours
80%     11.86 hours   59.32 hours   237.28 hours   2,846 hours
20%     2.97 hours    14.86 hours   59.32 hours    713 hours

* Calculations using 20 business days in a month
** NIST SP800-92 – use trained staff and a tool to review 100% of logs
The method of auditing audit logs
Basic auditing methods
These methods will only allow you to detect large security incidents. Examples:
1. Abnormal times of access: Accessing records during non-standard hours for that particular user
2. Abnormal number of patient records accessed per user: Seeing a spike of 100 patients vs the average 20 that particular user sees per day
3. Abnormal exports or deletions of information
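The five core attributes (date, time, user, patient, action) and the three basic checks above translate directly into a small review script. The following Python is an added illustration written for this page, not SPHER or any EHR vendor's code; the comma-separated export format, the usernames, patient IDs, working-hour windows and per-user baselines are all constructed for the example, and a real deployment would load the baseline from months of prior logs rather than a literal.

```python
"""Basic audit-log review: parse the five core attributes and apply the three
basic checks from the slide. Added illustration for this page; the export
format and every sample value below are constructed, not real patient data."""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, NamedTuple, Tuple


class AuditEvent(NamedTuple):
    """One EHR audit-log record carrying the five core attributes (date and time merged)."""
    when: datetime   # Date + Time
    user: str        # User
    patient: str     # Patient
    action: str      # Action: VIEW, CREATE, MODIFY, EXPORT, DELETE


def parse_log(text: str) -> List[AuditEvent]:
    """Parse 'date,time,user,patient,action' lines (constructed export format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, t, user, patient, action = [f.strip() for f in line.split(",")]
        events.append(AuditEvent(datetime.fromisoformat(f"{d}T{t}"), user, patient, action.upper()))
    return events


Window = Tuple[time, time]
DEFAULT_HOURS: Window = (time(7, 0), time(19, 0))   # clinic hours (constructed)
# Check 1 is per user: an overnight role gets its own window, which wraps midnight.
USER_HOURS: Dict[str, Window] = {"nightnurse": (time(19, 0), time(7, 0))}
# Check 2 baseline: each user's historical average of distinct patients per day (constructed).
BASELINE: Dict[str, float] = {"jsmith": 20, "mjones": 20, "kdoe": 2, "nightnurse": 10}

# Constructed sample export for one clinic day.
SAMPLE_LOG = """\
2013-06-18,08:05:10,jsmith,P1001,VIEW
2013-06-18,08:07:41,jsmith,P1002,MODIFY
2013-06-18,09:15:55,jsmith,P1001,EXPORT
2013-06-18,08:12:03,mjones,P1003,VIEW
2013-06-18,23:40:22,mjones,P1007,VIEW
2013-06-18,02:10:00,nightnurse,P1008,VIEW
2013-06-18,14:00:00,nightnurse,P1009,VIEW
2013-06-18,10:02:30,kdoe,P1004,VIEW
2013-06-18,10:03:30,kdoe,P1005,VIEW
2013-06-18,10:04:30,kdoe,P1006,VIEW
2013-06-18,10:05:30,kdoe,P1007,VIEW
2013-06-18,10:06:30,kdoe,P1008,VIEW
2013-06-18,10:07:30,kdoe,P1009,VIEW
2013-06-18,10:08:30,kdoe,P1010,VIEW
2013-06-18,10:09:30,kdoe,P1004,DELETE
"""


def off_hours_access(events, user_hours=None, default=DEFAULT_HOURS):
    """Check 1: access outside that particular user's normal hours."""
    user_hours = user_hours or {}
    flagged = []
    for ev in events:
        start, end = user_hours.get(ev.user, default)
        t = ev.when.time()
        # A window that wraps midnight (start > end) is the complement of [end, start).
        inside = (start <= t < end) if start <= end else (t >= start or t < end)
        if not inside:
            flagged.append(ev)
    return flagged


def patient_count_spikes(events, baseline, factor=3.0):
    """Check 2: a user touching far more distinct patients in a day than their average."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev.user, ev.when.date())].add(ev.patient)
    spikes = []
    for (user, day), patients in sorted(seen.items()):
        avg = baseline.get(user)
        if avg is not None and len(patients) > factor * avg:
            spikes.append((user, day.isoformat(), len(patients)))
    return spikes


def bulk_actions(events, actions=frozenset({"EXPORT", "DELETE"})):
    """Check 3: exports and deletions are rare and always worth a second look."""
    return [ev for ev in events if ev.action in actions]


def review(text):
    """Run all three checks and return findings in a form the reviewer can file."""
    events = parse_log(text)
    return {
        "off_hours": [(e.user, e.when.isoformat()) for e in off_hours_access(events, USER_HOURS)],
        "spikes": patient_count_spikes(events, BASELINE),
        "bulk": [(e.user, e.patient, e.action) for e in bulk_actions(events)],
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check, findings)
```

Each finding is an event to be documented and investigated, not a breach in itself: the night-shift user inside their own window is not flagged, while the same hour for a day-shift user is, which is exactly the per-user distinction the first basic method calls for.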
The method of auditing audit logs
Advanced auditing methods (known as Behavioral Analytics)
These methods will allow you to detect smaller security incidents. Examples:
1. Role based behavior: Authorized uses of PHI by role (Physicians, Nurses, Medical Assistants, Administrators, etc.)
2. Individual behavior: Tracking of individual users' patterns of behavior
   i. A medical assistant working in the front office accesses the system in a different way (check-in/check-out procedures) than a medical assistant working in the back office (documenting vital signs)
   ii. Individuals may only be allowed to work in a single department, whereas other individuals float from department to department, having multiple roles and responsibilities within the organization
3. Patient Workflow: Tracking of the documented order of events as a patient navigates through the office
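The three behavioral checks above can be expressed against the same five-attribute log. The following Python is an added illustration written for this page, not SPHER or any vendor's code; the role model (front-office and back-office medical assistants, a physician, and a floater holding both MA roles), the EHR function names used as the action attribute, the documented visit order and the two sample logs are all constructed for the example. A real system would learn the individual profiles from months of history rather than the six-line window used here.

```python
"""Behavioral-analytics checks over an EHR audit log: role baselines, individual
profiles and patient workflow order. Added illustration for this page; roles,
users, EHR function names, workflow and log lines are all constructed."""
from collections import defaultdict, namedtuple
from datetime import datetime

AuditEvent = namedtuple("AuditEvent", "when user patient action")


def parse_log(text):
    """'date,time,user,patient,action' per line (constructed export format)."""
    return [AuditEvent(datetime.fromisoformat(f"{d}T{t}"), u, p, a.upper())
            for d, t, u, p, a in (ln.split(",") for ln in text.splitlines() if ln.strip())]


# Constructed role model: the EHR functions each role normally uses (method 1), and the
# roles each user holds; 'cfloat' floats between front and back office (method 2.ii).
ROLE_ACTIONS = {
    "MA_FRONT": {"CHECKIN", "CHECKOUT", "VIEW"},   # check-in/check-out procedures
    "MA_BACK": {"VITALS", "VIEW"},                 # documenting vital signs
    "PHYSICIAN": {"VIEW", "NOTE", "RX"},
}
USER_ROLES = {
    "afront": {"MA_FRONT"},
    "bback": {"MA_BACK"},
    "drlee": {"PHYSICIAN"},
    "cfloat": {"MA_FRONT", "MA_BACK"},
}
# Documented order of events as a patient moves through the office (method 3).
WORKFLOW = ["CHECKIN", "VITALS", "NOTE", "CHECKOUT"]

# Constructed history used to learn each user's own pattern (method 2).
HISTORY_LOG = """\
2013-06-10,08:00:00,afront,P2001,CHECKIN
2013-06-10,08:30:00,bback,P2001,VITALS
2013-06-10,08:45:00,drlee,P2001,NOTE
2013-06-10,09:00:00,afront,P2001,CHECKOUT
2013-06-10,09:10:00,cfloat,P2002,CHECKIN
2013-06-10,09:20:00,cfloat,P2002,VITALS
"""
# Constructed day under review.
TODAY_LOG = """\
2013-06-18,08:00:00,afront,P2001,CHECKIN
2013-06-18,08:20:00,bback,P2001,VITALS
2013-06-18,08:40:00,drlee,P2001,NOTE
2013-06-18,08:50:00,drlee,P2001,RX
2013-06-18,09:00:00,afront,P2001,CHECKOUT
2013-06-18,09:05:00,afront,P2003,VITALS
2013-06-18,09:30:00,cfloat,P2002,VITALS
2013-06-18,09:40:00,cfloat,P2002,CHECKIN
2013-06-18,12:00:00,bback,P2004,VIEW
"""


def role_violations(events, user_roles=USER_ROLES, role_actions=ROLE_ACTIONS):
    """Method 1: an action outside everything the user's roles permit (a floater
    holds the union of both departments' functions)."""
    flagged = []
    for ev in events:
        permitted = set().union(*(role_actions.get(r, set()) for r in user_roles.get(ev.user, ())))
        if ev.action not in permitted:
            flagged.append(ev)
    return flagged


def individual_deviations(history, events):
    """Method 2: learn each user's own action profile from past logs and flag actions
    that user has never performed, even when the role would permit them."""
    profile = defaultdict(set)
    for ev in history:
        profile[ev.user].add(ev.action)
    return [ev for ev in events if ev.action not in profile[ev.user]]


def workflow_anomalies(events, workflow=WORKFLOW):
    """Method 3: per patient and day, each documented step needs its predecessors first,
    and any activity on a patient who was never checked in that day is flagged."""
    rank = {step: i for i, step in enumerate(workflow)}
    visits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        visits[(ev.patient, ev.when.date())].append(ev)
    flagged = []
    for key in sorted(visits):
        evs = visits[key]
        if not any(e.action == workflow[0] for e in evs):
            flagged.extend(evs)          # no visit that day: why was this chart touched?
            continue
        seen = set()
        for e in evs:
            if e.action in rank:
                if any(step not in seen for step in workflow[:rank[e.action]]):
                    flagged.append(e)    # step recorded before its predecessors
                seen.add(e.action)
    return flagged


if __name__ == "__main__":
    history, today = parse_log(HISTORY_LOG), parse_log(TODAY_LOG)
    print("role:", [(e.user, e.action) for e in role_violations(today)])
    print("individual:", [(e.user, e.action) for e in individual_deviations(history, today)])
    print("workflow:", [(e.user, e.patient, e.action) for e in workflow_anomalies(today)])
```

The three methods deliberately overlap: the front-office assistant recording vitals on a patient with no check-in is caught by all three, the physician's first-ever prescription is caught only by the individual profile, and the back-office view of a patient who had no visit that day is caught only by the workflow check, which is the pattern the slide describes as the smaller incident that basic methods miss.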
How do I demonstrate compliance?
• A sound policy and procedure for auditing user activity (reviewing of audit logs) outlining a clear methodology
  – Frequency and timeliness of review, as well as the extent to which logs are reviewed
• A documented history of reviewed audit logs as well as security incident tracking reports (outlining all suspicious security incidents you've flagged for further investigation)
• A sound policy and procedure for an incident response plan outlining how you respond to suspicious security incidents
  – Timeliness to notify/interview key personnel as well as the individual responsible
  – Who to contact and steps to take in the event that the flagged incident is in fact a Privacy Breach
• A documented history of your investigation of flagged incidents, the results of your investigation, and the response taken (enforcing sanction policies or staff re-education as needed)
• Education – workforce members and 3rd parties that have access to your systems must be made aware that their activity is continuously monitored
  – Must be made aware that they must comply with any further investigation required by the Security Officer(s)
  – Are subject to Sanction Policies in the event that they have caused a privacy breach
From an auditor's perspective
• You want to demonstrate your ability to find potential security incidents regardless of whether they were a privacy breach or not
  – It demonstrates your ability to enforce HIPAA
  – Non-breaches give you valuable information on where security vulnerabilities may exist
• After the investigation leads you to believe that the incident does not constitute a privacy breach, ask yourself: had the individual had malicious intent, could they have caused a breach?
• Routine investigations with staff members also serve as a means to re-educate and reinforce your security posture
• Your ability to immediately identify a breach AND immediately respond to it (within 30 days) works in your favor should you be faced with an OCR investigation
• The use of an automated security system that reviews ALL access to ePHI is your best defense
  – The audit log review remains impartial and allows for automatic documentation
Case Study
Cedars-Sinai Medical Center, Los Angeles (June 18th-24th)
“Medical Record Breaches Following Kardashian Birth Reveal an Ongoing Issue”
• An automated security system was in place and immediately flagged this activity for review
• The internal investigation and breach notification process occurred immediately after the event took place.
• 5 staff members and 1 volunteer from the adjacent Cedars-affiliated physician offices were immediately fired
• Physicians had shared with their employees their EHR usernames and passwords to access the hospital system, in violation of hospital policy. Cedars is in the process of addressing the conduct of the physicians partly at fault and has indefinitely terminated their access.
• How will they fare during the OCR investigation?
Affirmative Defense and Good Faith Effort
• The OCR may not impose CMPs on a CE or BA for a violation if the CE or BA establishes that the violation is:
  – Not due to willful neglect; and
  – Corrected during the 30-day period beginning on the first date the CE or BA knew, or by exercising reasonable diligence would have known, that the violation occurred.
• However, in order to make a claim to affirmative defense, you must be able to quickly detect breaches in the first place.
Re-evaluating Your Current Security Posture
• Top factors that lower overall costs as it relates to minimizing/mitigating breaches:
  1. Strong security posture (risk management and education/training)
  2. Incident response plan (incident detection/investigation and breach notification)
  3. Appointment of a CISO or equivalent position (centralizing the management of data protection)
  4. Consultants engaged to help remediate the breach
Automated EHR-Centric Breach Detection
• Impartial vs. Manual Log Review
• HIPAA Compliance Audit Log Requirement
• Proactive Incident & Breach Detection
• Self Reporting & Document Storage
• Improved HIPAA Reporting Accuracy
• Complements EHR Security Framework
• Time Savings (more patient focused)
• Six (6) Year Activity Reporting §164.316(b)(2)(i)
To learn more about SPHER™ please visit: www.AMSSPHER.com
Stephen Salinas
Channel Manager, All Medical Solutions
Contact Data – Tel: (310) 602-5140, Fax: (310) 531-7397
Free Demo and 15 Day Evaluation: www.compliancy-group.com
HIPAA Hotline 855.85HIPAA (855.854.4722)
HIPAA Compliance
HITECH Attestation
Omnibus Rule Ready
Meaningful Use Core Measure 15