HITECH/HIPAA – Are You in Compliance?
1 | Global Partners in Business & Technology Consulting
HITECH/HIPAA – ARE YOU IN COMPLIANCE?
Pamela Hill, Managing Director, Hyperion Global Partners
Thad Hymel, Director of Information Services, McGlinchey Stafford PLLC
AGENDA
• HIPAA/HITECH explanation and definitions
• Why should you care?
• Implementation standards (non-tech)
• Technical safeguards
DEFINITIONS
Protected Health Information (PHI)
• Any oral or recorded information in any form or medium that is
 – Created or received by the covered entity/BA, AND
 – Relates to the past, present or future condition of an individual
• Any information that contains a subset of demographic information collected from an individual
• Any information that identifies an individual, or where there is a reasonable basis to believe the information can be used to identify an individual
• Includes any data transmitted or maintained in any form
DEFINITIONS
Privacy Rule
• Relates to the privacy of any protected health information (PHI)
Security Rule
• Relates specifically to electronic PHI (ePHI) at rest or in transit
WHY SHOULD YOU CARE?
HITECH Impact for Law Firms
• Casts a much wider net of entities that must comply with HIPAA regulations, primarily those not considered under the original regulations
• Requires Business Associates (“BAs”) to comply with most HIPAA Privacy Rules and all Security Rules
 – Law firms are BAs to their clients (called “covered entities”)
 – Your vendors/service providers are BAs to you
WHY SHOULD YOU CARE?
HITECH Impact for Law Firms
• Significantly expands the formal Federal enforcement group
• Allows State Attorneys General to enforce compliance
• Imposes new data breach notification by BAs to clients, and imposes strict guidelines for subsequent client notification to OCR/HHS and/or the media
• It doesn’t matter whether you knew about the breach or not; you will be held liable if it happens on your watch
• Expands/allows for both criminal and civil penalties of up to $1.5M/year
WHY SHOULD YOU CARE?
• The Privacy and Security Rules consist of implementation standards
• Implementation standards outline what your Firm should do to get into compliance, but they don’t state how
• They are intentionally vague in order to be flexible, allowing for compliance regardless of the size of your organization
 – Good news: you have flexibility in choosing what to implement (or not)
 – Bad news: they are intentionally vague. That means the government gets to decide whether you were using basic standards of care in safeguarding your PHI
ITEMS OF NOTE
State vs. Federal laws
• 40 states now have privacy and/or security laws covering personally identifiable information and/or PHI
• Whichever law is more stringent wins
 – California and Illinois laws are more stringent than federal law for breach notification
 – Massachusetts has the strictest PII privacy and security laws
• Make sure to familiarize yourself with both
Biggest news…
• Penalties and fines are paid back to the enforcement agencies, effectively making them self-funded
• Money = enforcement, enforcement, enforcement
ALLOW ME A MINUTE ON THE SOAPBOX…
Soapbox points that most experts agree on
• Compliance will take time and effort to implement, and new guidelines and rules are rolling out each year: time to get started
• Need to show a “good faith effort” that the Firm is working towards compliance
• “Gross negligence” or “willful misconduct” (i.e., not doing anything to secure sensitive information) can result in criminal charges at a maximum, and serious reputation and/or client relationship issues at a minimum (large civil penalties coming in 2011)
• Document everything so that when the finger pointing begins, it doesn’t end up pointed at you
HITECH/HIPAA IN A NUTSHELL
BLATANT OVERSIMPLIFICATION OF THE SAFEGUARDS AND IMPLEMENTATION STANDARDS
All the rules can be summarized in a few bullets
• Know what PHI is out there and understand the associated risks of its disclosure or loss (risk assessment and mitigation)
• Access control for PHI (define who can see it, then lock it down)
• Protect it (encryption, media reuse policies, information security, portable or removable media)
• Make sure you can get to it (BC/DR)
• Document until your eyes roll back in your head (policies, procedures, BA agreements, assign responsibility)
BLATANT OVERSIMPLIFICATION OF THE SAFEGUARDS AND IMPLEMENTATION STANDARDS
Before finalizing what to implement, consider:
• The size, complexity and capabilities of the Firm
• What risk the Firm is at for unauthorized access and disclosure
• Current technical infrastructure, hardware and software security capabilities
• How much the implementation(s) will cost in money and resources
Ultimately it’s up to legal interpretation: your Firm must decide what to implement (or not)
A FEW SEEMINGLY NON-TECHY HIGHLIGHTS
(R = required implementation specification, A = addressable)
Administrative Safeguards
• Comprise half of the Security Rule requirements
• Risk assessment and management (R)
• Sanction policy against employees who fail to comply with security policies (R)
• Information security activity review (audit logs, access reports, security incident reports) (R)
• Identify a Privacy and Security Official (R)
• Workforce security (access control) (R)
• Contingency plan (R)
• Business Associate contracts (R)
Physical Safeguards
• Facility access (A)
• Workstation use and security (A)
• Device and media reuse (R)
A FEW SEEMINGLY NON-TECHY HIGHLIGHTS
Organizational, Policies and Procedure Safeguards
• Policies
 – Privacy
 – Media reuse
 – Use (or not) of mobile devices (flash drives, PDAs)
 – Standardized BA agreements
 – Security and Privacy training for employees
• Procedures
 – Data security breach notification and escalation
 – Use of BA agreements with clients
• Compliance documentation (R)
TECHNOLOGY SAFEGUARDS
Technology safeguards relate to “the technology and the policy and procedures for its use that protect ePHI and control access to it”
• Safeguards do not require specific technical solutions
• New technical specifications coming out in November 2010
TECHNOLOGY SAFEGUARDS
Access control
• Unique user ID
• Emergency access
• Automatic logoff
• Encryption/decryption
Integrity
• Ensure data are not altered or destroyed
Audit control
• Record and examine who is looking at ePHI
Person or entity authentication
• Make sure the person looking at ePHI is who they claim to be
Transmission security
• Protect it in transit (as well as at rest)
Remote use security
• Removable or portable devices
GETTING STARTED
Form a Compliance Team
• Risk Partner, COO/DofA/Executive Director, HR Director, IT Director
Complete a formal risk assessment
• Address risks, policies and processes for the following:
 – Storage: address removable or mobile media and all sources of data inside the office or that may be taken outside the office
 – Transmission: address the integrity and safety of ePHI transported over the network, internet, portals, intranets, extranets, collocation facilities, WAN, remote access, email, PDAs, home computers
 – Access: limit user access to ePHI to authorized personnel only; access should be based upon a user’s role in the organization
GETTING STARTED
Risk Assessment
• Figure out where your data are
 – Interview all related practices
 – Document data flow into/out of the Firm
 – Be realistic about the use of removable or mobile media
• Baseline current security protocols and practices for all sources of ePHI
 – Evaluate access, storage and transmission security for ePHI on each device type and/or transmission method
• Develop a mitigation plan for each security issue
• Document everything to show you are making a good faith effort to safeguard ePHI
RISK ASSESSMENT SPECIFICS
Access control
• Does each user have a unique ID, and can we track what they look at?
• Have we limited who can see ePHI?
• Have we implemented encryption/decryption protocols where feasible to control access outside the Firm?
• Do we have disaster recovery in place for all sources of ePHI?
• Do we have formal password policies for all devices?
Integrity
• Do we have processes in place to ensure data are not altered or destroyed? Would we know if they were?
Audit control
• Do we monitor who is looking at ePHI?
• Do we have technologies and processes in place that allow us to audit this?
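The access control, integrity and audit control questions above (and the technology safeguards slide that introduces them) ask whether the Firm could actually answer “who looked at what, and was it changed?” from its own records. The following Python script is an added example written for this page, not material from the presentation or its authors: it reviews a constructed ePHI access audit log and flags four of the conditions the slides name. The log line format, the user-to-role table, the matter IDs, the generic account names, the 15-minute automatic-logoff window and the record contents are all assumptions made for the illustration; a real firm would substitute its own systems’ audit export and the practice groups’ access definitions.

```python
"""Audit-control review of ePHI access events: an added example, not from the
presentation. The log format, user/role table, matter IDs, idle limit and the
record contents below are all constructed for illustration."""
import hashlib
from collections import namedtuple
from datetime import datetime, timedelta

# Which matters (client files holding ePHI) each role may open. Constructed;
# a firm would derive this from the practice groups' "who can see what" definitions.
ROLE_ENTITLEMENTS = {
    "medmal-attorney": {"MATTER-001", "MATTER-002"},
    "medmal-paralegal": {"MATTER-001"},
    "it-admin": set(),  # administers systems; no business need to open ePHI
}
USER_ROLES = {"jdoe": "medmal-attorney", "asmith": "medmal-paralegal", "itops": "it-admin"}
# Accounts not tied to one named person defeat the "unique user ID" safeguard.
GENERIC_ACCOUNTS = {"shared", "scanner", "admin"}
IDLE_LIMIT = timedelta(minutes=15)  # assumed automatic-logoff window

AccessEvent = namedtuple("AccessEvent", "ts user matter action digest")


def record_digest(content: bytes) -> str:
    """SHA-256 of a record as stored; the system is assumed to log it on every access."""
    return hashlib.sha256(content).hexdigest()


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed audit line: '<ISO timestamp> <user> <matter> <action> <sha256>'."""
    ts, user, matter, action, digest = line.split()
    return AccessEvent(datetime.fromisoformat(ts), user, matter, action, digest)


def review(lines):
    """Return (finding, user, matter) tuples for a chronologically ordered audit log."""
    findings = []
    last_digest = {}    # matter -> digest seen at its most recent logged access
    last_activity = {}  # user -> timestamp of that user's previous event
    for line in lines:
        ev = parse_line(line)
        # 1. Unique user ID: every event must map to exactly one named person.
        if ev.user in GENERIC_ACCOUNTS or ev.user not in USER_ROLES:
            findings.append(("NO_UNIQUE_USER_ID", ev.user, ev.matter))
            continue
        if ev.action == "login":  # a fresh session; nothing else to check
            last_activity[ev.user] = ev.ts
            continue
        # 2. Role-based access: the user's role must be entitled to this matter.
        if ev.matter not in ROLE_ENTITLEMENTS[USER_ROLES[ev.user]]:
            findings.append(("ACCESS_OUTSIDE_ROLE", ev.user, ev.matter))
        # 3. Integrity: a read that sees a different digest than the previous
        #    logged access, with no logged update in between, means the record
        #    changed outside the audited path ("would we know if it was?").
        prev = last_digest.get(ev.matter)
        if ev.action == "read" and prev is not None and ev.digest != prev:
            findings.append(("UNLOGGED_MODIFICATION", ev.user, ev.matter))
        last_digest[ev.matter] = ev.digest
        # 4. Automatic logoff: two events in one session further apart than the
        #    idle limit mean the session was never terminated.
        prev_ts = last_activity.get(ev.user)
        if prev_ts is not None and ev.ts - prev_ts > IDLE_LIMIT:
            findings.append(("IDLE_SESSION_NOT_LOGGED_OFF", ev.user, ev.matter))
        last_activity[ev.user] = ev.ts
    return findings


# Constructed sample: one morning's events against two matters.
ORIGINAL = record_digest(b"MATTER-001 medical records, version 1")
TAMPERED = record_digest(b"MATTER-001 medical records, version 1 (altered)")
OTHER = record_digest(b"MATTER-002 medical records, version 1")
SAMPLE_LOG = [
    "2010-11-01T09:00:00 jdoe - login -",
    f"2010-11-01T09:01:00 jdoe MATTER-001 read {ORIGINAL}",
    f"2010-11-01T09:02:00 asmith MATTER-002 read {OTHER}",     # paralegal not entitled
    f"2010-11-01T09:03:00 shared MATTER-001 read {ORIGINAL}",  # generic account
    f"2010-11-01T09:30:00 jdoe MATTER-001 read {TAMPERED}",    # digest changed, 29 min gap
    f"2010-11-01T09:31:00 itops MATTER-001 read {TAMPERED}",   # admin has no entitlement
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run on the sample, the review reports the paralegal and the administrator opening matters outside their roles, the shared account (no unique user ID), a record whose stored digest changed with no logged update, and a session that stayed open past the idle limit. Each finding corresponds to one of the checklist questions, which is the point: the questions are only answerable if the systems holding ePHI emit per-user access records in the first place.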
RISK ASSESSMENT SPECIFICS
Person or entity authentication
• Is the person looking at ePHI who they claim to be?
Transmission security
• What protocols are in place to secure data in transit?
Remote use security
• Do you have policies and processes to address ePHI on removable or portable devices?
TECHNICAL IMPLEMENTATION COMPLEXITIES
Being comprehensive in defining where the data are
• Healthcare, product liability, med mal, mass/toxic tort, labor/employment, environmental, litigation, aviation, insurance defense
Lack of standardized encryption/decryption tools or protocols to cover all clients
Providing security for removable or mobile media
• PDAs
• Flash drives
• Laptops
• CDs
• DVDs
TECHNICAL IMPLEMENTATION COMPLEXITIES
Access control
• Practice groups have to define who can see what
 – Then the logic must be built into systems
• Expense of securing ePHI in all its various sources
 – Email
 – DM
 – Records systems
 – Litigation databases
 – Practice support databases
 – EMR systems
 – Copy machines (that cache information)
 – Fax machines
• Monitoring who is looking at what
• Complex disaster recovery issues for all sources of ePHI
TECHNICAL IMPLEMENTATION COMPLEXITIES
Defining standards and practices for data security breach notification and mitigation
• Includes policies, processes, monitoring tools, escalation protocols
Assisting the Firm in understanding ALL outside entities that may require a Business Associate agreement, such as
• Document production vendors
• Collocation facilities
• Managed services or ASP providers
• Extranet providers
FINAL THOUGHTS
The most important things to remember
• Complete a formal risk assessment to get a good handle on the extent of the problem
• Get your risk partner involved right away to establish the Firm’s legal position on the issues (before you spend too much time or resources)
• Eat the elephant one bite at a time
THANKS FOR COMING!
Questions?
Pamela Hill
• [email protected]
• www.hgplive.com
• 217.778.6976
Thad Hymel
• [email protected]