healthcare compliance - hipaa and hitrust
TRANSCRIPT
HealthCare Compliance - HIPAA and HITRUST
Kishor Vaswani, Chief Executive Officer – ControlCaseKen Vander Wal, Chief Compliance Officer - HITRUST
Agenda
• About HIPAA• HIPAA, HITECH and the Omni-bus Rule• Fines and Penalties• HIPAA Requirements • HITRUST Mission and Objective• Key Components of CSF Assurance Program• Demonstrating compliance to HIPAA through
HITRUST• Key takeaways • Q&A
2/ 19
What is HIPAA today?
Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:• Establishes administrative, physical and technical
security and privacy standards• Applies to both healthcare providers and business
associates (3rd parties) • Attributes responsibility for monitoring HIPAA
compliance of business associates to healthcare providers
• Assessment of compliance of business associates due 09/23/13
3/ 19
HIPAA, HITECH and the Omni-bus Rule
4 / 19
HITECH
• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
• Establishes mandatory penalties for ‘willful neglect’
• Imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI.“
• Institutes third party management and monitoring as ‘due diligences and ‘due care’ provisions
• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
Omni-bus Rule
• Finalization of interim rules outlined in the HITECH act
• Formalizes enforcement provisions for breaches
• Expands definition of BA to include subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the actual maximum for penalties
• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
• Requires a on-going monitoring process for the organization’s security programs and processes.
Fines/PenaltiesHIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
$100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
$50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect
$1,000 per violation, with an annual maximum of $100,000 for repeat violations
$50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period
$10,000 per violation, with an annual maximum of $250,000 for repeat violations
$50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected
$50,000 per violation, with an annual maximum of $1.5 million
$50,000 per violation, with an annual maximum of $1.5 million
5 / 19
Source: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
HIPAA Requirements – Privacy Rule
Privacy Rule Main Points:• Requires appropriate safeguards to protect the privacy of personal health
information• Sets limits and conditions on the uses and disclosures that may be made of
such information without patient authorization • Gives patients rights over their health information, including rights to
examine and obtain a copy of their health records, and to request corrections
• Requires compliance with the Security RuleFor BAs• Requires breach notification to the Covered Entity• Requires either the individual or the Covered Entity access to PHI• Requires reporting the disclosure of PHI to the Secretary of HHS• Provide an accounting of disclosures.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
6/ 19
HIPAA Requirements – Security Rule
Administrative Safeguards:Security Management Process (Risk Analysis (required), Risk Management (required), Sanction Policy (required), Information Systems Activity Reviews (required), Assigned Security Responsibility - Officers (required), Workforce Security - Employee Oversight (addressable), Information Access Management - Multiple Organizations (required) and ePHI Access (addressable); Security Awareness and Training - Security Reminders (addressable), Protection Against Malware (addressable), Login Monitoring (addressable); Password Management (addressable), Security Incident Procedures - Response and Reporting (required), Contingency Plans (required); Evaluations (required); Business Associate Agreements (required)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Technical Safeguards:Access Control - Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff (addressable), Encryption and Decryption (addressable); Audit Controls (required); Integrity - Mechanism to Authenticate ePHI (addressable); Authentication (required); Transmission Security - Integrity Controls (addressable), Encryption (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Physical Safeguards:Facility Access Controls - Contingency Operations (addressable), Facility Security Plan (addressable), Access Control and Validation Procedures (addressable), Maintenance Records (addressable), Workstation Security (required), Device and Media Controls - Disposal (required), Media Re-Use (required), Data Backup and Storage (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
7/ 19
HIPAA Requirements – Breach Notification
8/ 19
Definition of BreachA breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
Unsecure PHITransition and Storage: NIST Special Publication 800-111, NIST Special Publications 800-52, 800-77 or Federal Information Processing Standards (FIPS) 140-2 validatedDestruction: Specifies physical and electronic PHI, for electronic, NIST Special Publication 800-88
Breach Notification Methods: By email or first class mail, to the media, posting the notice on the home page of its web site for at least 90 days, If BA, to the CE, within 60 days of determination
Notification Thresholds> 500 records: notify HHS, to individuals and media, within 60 days< 500 records: notify HHS, annually consolidated listing
Burden of ProofCEs/BAs required to prove that they have notified the affected parties within the time periods specified or face penalties
HIPAA Requirements – BAs and subcontractors
• Comply directly with the HIPAA Regulation• Business associates must identify, assess and monitor their
supporting business associates (BAs of BAs) and provide regular updates to the respective CE
• BAs must establish and define (contractually) security requirements, right to audit, incident reporting clauses with their service providers
• BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers
• Be able to show due diligence/due care with respect to monitoring their supplier’s security compliance
9/ 19
HITRUST Mission and ObjectivesIn 2007, the Health Information Trust Alliance or HITRUST was formed by a group of concerned healthcare organizations out of the belief improvements in the state of information security and privacy in the industry are critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information, all of which are necessary to improve the quality of patient care while lowering the cost of healthcare delivery.
Key focus:• Increase the protection of protected health and other sensitive information • Mitigate and aid in the management of risk associated with health information• Contain and manage costs associated with appropriately protecting sensitive information• Increase consumer and governments’ confidence in the industry's ability to safeguard health
information• Address increasing concerns associated with business associate and 3rd party privacy, security and
compliance• Work with federal and state governments and agencies and other oversight bodies to collaborate
with industry on information protection• Facilitate sharing and collaboration relating to information protection amongst and between
healthcare organizations of varying types and sizes• Enhance and mature the knowledge and competency of health information protection
professionals
10 / 19
HITRUST Overview
• Exists to ensure that information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.• Was born out of the belief that information security is critical to the broad
adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information.• Is collaborating with healthcare, business, technology and information
security leaders, all of whom are united by the belief that adopting a higher level of standard security practices will build greater trust in the electronic flow of information through the healthcare system. • Has established a certifiable framework that any and all organizations in
the healthcare industry that create, access, store or exchange personal health and financial information can implement and be certified against.
11 / 19
Strategic Objectives of HITRUST
Establish a fundamental and holistic change in the way the healthcare industry manages information security risks: • Rationalize regulations and standards into a single overarching framework tailored
for the industry • Deliver a prescriptive, scalable and certifiable process• Address inconsistent approaches to certification, risk acceptance and adoption of
compensating controls to eliminate ambiguity in the process • Enable ability to cost-effectively monitor compliance of organizational, business
partner and governmental requirements • Provide support and facilitate sharing of ideas, feedback and experiences within
the industry
Establish trust between organizations within the healthcare industry that exchanged information is protected
Develop an approach for the practical, efficient and consistent adoption of security by the healthcare industry
12 / 19
Standardized tools and processes• Questionnaire › Focus assurance dollars to efficiently assess risk exposure› Measured approach based on risk and compliance› Ability to escalate assurance level based on risk
• Report› Output that is consistently interpreted across the industry
Cost effective and rigorous assurance• Multiple assurance options based on risk• Quality control processes to ensure consistent quality and output across
HITRUST CSF Assessors• Streamlined and measurable process within MyCSF tool• End User support
13 / 19
Key Components of CSF Assurance Program
HITRUST Report
• Certified/validated report issued by HITRUST based on work of independent third-party assessors› Business/functional/organizational units that meet the
associated criteria• Assessment context and scope of systems included in
assessment• Breakdown of CSF control areas with a comparison to industry› Includes maturity scores
• Testing summary, corrective action plans, and completed questionnaire
14 / 19
Demonstrating Compliance to HIPAA through HITRUST
15 / 19
• Risk Assessments› Not performed/not updated or
documented› Limited scope: facilities, processing
environment, personnel, software, personnel
› Not aligned with controls or monitoring
• Inventories (Asset Management)› Out of date/not documented
hardware, software, interfaces, dataflow diagrams/process descriptions, removable media, teleworkers (remote), BAs and subcontractors
• No BA/Vendor Management program
• Policies, procedures and standards (Governance)
• Hardening and patch management› None or not implemented› Not monitored/No follow-up› End-of-life
• Vulnerability Management› Inconsistent/incomplete internal
vulnerability and penetration testing for networks and applications
› Remediation gaps› No Internet content restrictions
Lessons Learned
16 / 19
• System Logging and Monitoring› Not implemented/inconsistent› Not retained or analyzed› Lack of oversight and approval
• None or inconsistent encryption of data in transmission or storage
• Media management and tracking gaps
• Untested incident and breach response processes for PHI related disclosures
• User Provisioning› Excessive privileges/accesses› No formal documentation of
rationale› Lack of oversight and approval
• Training and awareness› Not HIPAA oriented› No refresh› Lack of evidence of attendance
• Inadequate business continuity and disaster recover
• Failure to monitor external maintenance personnel
To Learn More …
17 / 19
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight
Q & A
19/ 19