
Page 1: 3 Steps to Automate Compliance for Healthcare Organizations


Three Steps to Automate Compliance for Healthcare Organizations

Dana Simberkoff, JD, CIPP/US

Chief Compliance and Risk Officer, AvePoint

Marc Dreyfus, CIPP/US, CIPP/T

Director, Risk Management & Compliance, AvePoint

Page 2: 3 Steps to Automate Compliance for Healthcare Organizations

• State of IT Compliance

• HIPAA, HITECH - Why worry?

• Assessment: Knowing is Half the Battle

• Three Steps to Automate Compliance: Say it, Do it, Prove it

• Getting to Yes: Privacy & Security by Design

Page 3: 3 Steps to Automate Compliance for Healthcare Organizations

State of IT Compliance

Page 4: 3 Steps to Automate Compliance for Healthcare Organizations

Trust in: individuals, organizations, policies, procedures, process, technology, transactions

Page 5: 3 Steps to Automate Compliance for Healthcare Organizations

Everyone is a contributor

Page 6: 3 Steps to Automate Compliance for Healthcare Organizations

How do we balance the business benefit of the free flow of information with the risk of inappropriate access and disclosure?

Page 7: 3 Steps to Automate Compliance for Healthcare Organizations
Page 8: 3 Steps to Automate Compliance for Healthcare Organizations

Broad application… to doctors, hospitals, pharmacies, medical billing services, health care plans, HMOs, and business associates of these entities such as their accountants and attorneys

Applies to all records: requires that all records, regardless of format, be managed as part of the organization’s official records management program

Carries hefty penalties: medical fraud has increased nearly 20 percent in the past year, affecting an estimated 1.84 million American adults and costing victims $12.3 billion in out-of-pocket medical expenditures.

Page 9: 3 Steps to Automate Compliance for Healthcare Organizations

Openness & transparency: ensure all data sources link to privacy policies

Collection, use & disclosure limitation: use secure methods to collect PHI through websites and web applications

Safeguards: monitor, notify, and act when PHI is stored inappropriately

Accountability: multi-layer reporting to deliver visibility into HIPAA compliance status

Individual choice: allow for review of the privacy policy and opt-out prior to submitting PHI

Correction: create an accessible, protected way to dispute the accuracy of information through secure web-enabled applications

Page 10: 3 Steps to Automate Compliance for Healthcare Organizations

Measurement and Verification are key components to a holistic system

• Policy

• Training

Page 11: 3 Steps to Automate Compliance for Healthcare Organizations

Measurement and Verification are key components to a holistic system

• Policy

• Training

• Technology

Page 12: 3 Steps to Automate Compliance for Healthcare Organizations

Assessment: Knowing is Half the Battle

Page 13: 3 Steps to Automate Compliance for Healthcare Organizations

• What kind of data is stored in your information and collaboration gateways, and why?

• How are business users within your organization using the IT systems that hold information that may be at risk?

Information and collaboration gateways: File System, Cloud, Social, SharePoint

Page 14: 3 Steps to Automate Compliance for Healthcare Organizations
Page 15: 3 Steps to Automate Compliance for Healthcare Organizations

Three Steps for Compliance Automation

Page 16: 3 Steps to Automate Compliance for Healthcare Organizations

Say what you are going to do

Do it…

Prove that you did it

Page 17: 3 Steps to Automate Compliance for Healthcare Organizations

[Diagram: eight-stage compliance automation cycle: Assess, Prioritize, Say It, Do It, Prove It, Incident Management, Ongoing Monitoring, Incident Tracking]

Page 18: 3 Steps to Automate Compliance for Healthcare Organizations
Page 19: 3 Steps to Automate Compliance for Healthcare Organizations
Page 20: 3 Steps to Automate Compliance for Healthcare Organizations

Say It: Discover Data & Define Enforceable Compliance Policies

Page 21: 3 Steps to Automate Compliance for Healthcare Organizations

Develop a service level agreement among your compliance officers, your IT team, and the business before you implement a compliance plan.

It’s important to understand:

• What kinds of data your business handles and uses

• How your co-workers are using it for their day-to-day jobs

• Why and how they need to handle protected data in the course of their work

Page 22: 3 Steps to Automate Compliance for Healthcare Organizations
Page 23: 3 Steps to Automate Compliance for Healthcare Organizations

What are you trying to protect and from whom?

Name

Address

Important dates

Telephone & fax numbers

Email address

Social Security number

Medical record number

Health plan beneficiary number

Account number

Certificate/license number

Vehicle/device serial numbers

Page 24: 3 Steps to Automate Compliance for Healthcare Organizations
Page 25: 3 Steps to Automate Compliance for Healthcare Organizations
Page 26: 3 Steps to Automate Compliance for Healthcare Organizations
Page 27: 3 Steps to Automate Compliance for Healthcare Organizations

Do It: Take Action on Risk-Defined Content and Systems to Ensure Compliance

Page 28: 3 Steps to Automate Compliance for Healthcare Organizations

Create common-sense policies, rules, and IT controls

Implement both transparent and non-transparent controls in IT environments

Automate the process of regulated content protection

Page 29: 3 Steps to Automate Compliance for Healthcare Organizations

Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so properly.
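The "Say It" step above (discover which of the listed PHI identifiers your content actually holds) and this "Do It" step (trust users' labels, but verify them and act on the gaps) are what a compliance scanner automates. The following is an added illustration, not AvePoint's code or the logic of Compliance Guardian: it scans a constructed set of documents for a few of the identifiers from the "What are you trying to protect" list, computes the label the content requires, compares it with the label the user applied, and records an action. The label ladder, the identifier patterns and the MRN format are assumptions for the example, and the SSN pattern applies the SSA issuance rules (no area 000, 666 or 9xx, no group 00, no serial 0000) so that placeholder numbers do not become findings.

```python
"""PHI discovery and label verification over constructed sample documents.

Added example; not code from the AvePoint deck or Compliance Guardian.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed label ladder, least to most restrictive.
LABELS = ["Public", "Internal", "Confidential", "Restricted"]

# Identifier patterns (assumptions). The SSN pattern rejects values that the
# SSA never issues, which removes the common "000-00-0000" placeholder.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s?\d{8}\b"),            # hypothetical MRN format
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
}
# Identifiers that on their own require the most restrictive label.
DIRECT_PHI = {"ssn", "mrn"}

# Constructed documents: name -> (label the user applied, content).
# 219-09-9999 is the sample SSN from an old SSA pamphlet, not a live number.
DOCUMENTS = {
    "intake_form.txt": ("Internal",
        "Patient Jane Doe, SSN 219-09-9999, MRN 00012345, phone (555) 123-4567"),
    "newsletter.txt": ("Public",
        "Contact us at info@clinic.example. Sample form number 000-00-0000."),
    "billing_export.csv": ("Confidential",
        "acct,8830011,jdoe@example.com,plan 123456789"),
    "discharge_summary.txt": ("Restricted",
        "MRN 00098765 discharged; follow-up 555-0100 ext 3"),
}


@dataclass
class Finding:
    name: str
    user_label: str
    required_label: str
    identifiers: dict
    action: str


def find_identifiers(text):
    """Return {identifier kind: [matches]} for every kind found in text."""
    found = {}
    for kind, rx in PATTERNS.items():
        hits = rx.findall(text)
        if hits:
            found[kind] = hits
    return found


def required_label(identifiers):
    """Map discovered identifiers to the minimum label the policy demands."""
    if DIRECT_PHI.intersection(identifiers):
        return "Restricted"
    if identifiers:
        return "Internal"
    return "Public"


def decide_action(user_label, required):
    """Trust the user's label when it is at least as strict as required;
    otherwise quarantine direct PHI and queue everything else for review."""
    if LABELS.index(user_label) >= LABELS.index(required):
        return "ok"
    return "quarantine" if required == "Restricted" else "review"


def scan(documents):
    """Discover identifiers in each document and verify its user label."""
    findings = []
    for name, (user_label, content) in documents.items():
        ids = find_identifiers(content)
        required = required_label(ids)
        findings.append(Finding(name, user_label, required, ids,
                                decide_action(user_label, required)))
    return findings


def summarize(findings):
    """Count actions per run; the record a 'Prove It' report accumulates."""
    return dict(Counter(f.action for f in findings))


if __name__ == "__main__":
    results = scan(DOCUMENTS)
    for f in results:
        print(f"{f.name}: labelled {f.user_label}, requires {f.required_label},"
              f" found {sorted(f.identifiers)} -> {f.action}")
    print(summarize(results))
```

Over-labelling is accepted (billing_export.csv is Confidential but only needs Internal), under-labelling is what triggers an action, and the business contact address in the newsletter lands in the review queue rather than quarantine, since an email address alone is not direct PHI here. In a real deployment the pattern set would be tuned per data source and the findings written to an audit store that the "Prove It" reports read from.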

Page 30: 3 Steps to Automate Compliance for Healthcare Organizations
Page 31: 3 Steps to Automate Compliance for Healthcare Organizations

• Make it easier for your employees to do the right thing than the wrong thing

• Create a transparent security organization to discourage employees from working around security

“Culture eats strategy for lunch!”

Page 32: 3 Steps to Automate Compliance for Healthcare Organizations
Page 33: 3 Steps to Automate Compliance for Healthcare Organizations

Prove It: Monitor and Report on Compliance Initiatives

Page 34: 3 Steps to Automate Compliance for Healthcare Organizations

Compliance Improvement Measurement Over Time

Compliance Activity Tracking

Page 35: 3 Steps to Automate Compliance for Healthcare Organizations
Page 36: 3 Steps to Automate Compliance for Healthcare Organizations
Page 37: 3 Steps to Automate Compliance for Healthcare Organizations

Getting to Yes: Privacy & Security by Design

Page 38: 3 Steps to Automate Compliance for Healthcare Organizations

Business Users

IT Colleagues

Page 39: 3 Steps to Automate Compliance for Healthcare Organizations

Download our free privacy impact assessment tool: privacyassociation.org/resources/apia

Learn more about Compliance Guardian: avepoint.com/compliance-guardian

Sign up for a free consultation: pages.avepoint.com/compliance-consultation

Article: Automation key to successful policy implementation: ow.ly/ENB13

Page 40: 3 Steps to Automate Compliance for Healthcare Organizations

Q & A