privacy and security requirements, ocr hipaa audits and the...
TRANSCRIPT
![Page 1: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/1.jpg)
Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol
1
![Page 2: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/2.jpg)
Learning Objectives
• Understand Privacy and Security Requirements
• Understand the new OCR audit protocol
• Learn how to prepare for upcoming HIPAA Audits
• Learn differences between Meaningful Use security requirements and OCR HIPAA audits.
![Page 3: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/3.jpg)
About the Presenter
John DiMaggio, Chief Executive Officer, Blue Orange Compliance
John DiMaggio is the co-founder and CEO of Blue Orange Compliance, a firm dedicated to helping health care
providers and business associates navigate the required HIPAA and HITECH Privacy and Security
regulations. John is a recognized healthcare information compliance speaker to state bar associations and
healthcare associations including HIMSS, LTPAC, NAHC, LeadingAge and ALFA. John is also a LeadingAge
CAST Commissioner.
John’s extensive healthcare experience includes Chief Information Officer with NCS Healthcare and Omnicare;
senior operations roles with NeighborCare, and general consulting to the industry. John began his career as a
key expert in Price Waterhouse’s Advanced Technologies Group and served on several national and
international standards organizations including the American National Standards Institute (ANSI) and the
International Standards Organization (ISO).
John is the named inventor for multiple healthcare technology and process patents. He holds an MBA in
Finance from Katz Graduate School of Business and a BS in Computer Science from the University of
Pittsburgh.
John DiMaggio, CEO
Blue Orange Compliance
5131 Post Rd
Dublin, OH 43017
614.270.9623
![Page 4: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/4.jpg)
Specialize in healthcare information privacy and security solutions.
We understand that each organization is busy running its business and that human capital
is limited. Our high-tech, low-touch, cost-effective approach provides continuous, maximum
information and guidance and requires minimal staff time and engagement.
• Security Risk Assessments
• HIPAA Privacy and Breach Analysis & Remdiation
• Penetration testing
• Mock Office for Civil Rights HIPAA Audits
About Blue Orange
![Page 5: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/5.jpg)
Organization Questions
1. Have you performed a HIPAA security risk analysis? Has it been regularly updated?
2. Do you have an active security plan?
3. Do you have operational policies and procedures for Security? Privacy? Breach?
4. Have they been updated since Omnibus (2013)?
5. Has your staff been trained in HIPAA and your policies and procedures?
6. Do you have a HIPAA Privacy officer and Security Officer designated?
7. Have you reviewed the latest Office for Civil Rights HIPAA Audit protocol?
![Page 6: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/6.jpg)
Privacy and Security
Regulations
Privacy
Security
Breach
Enforcement
Office for Civil Rights
CMS
Department of Justice
State Attorneys General
Office of Inspector General
Threats
Malicious Outsider
Malicious Insider
Human Error
Environmental
Risks
Audit
Breach
Complaint, Whistleblower
Consequences
Fines
Reputation
Legal
![Page 7: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/7.jpg)
Is Privacy and Security Important?
Who thinks it is important?
• Government
• Clients (Business Associate)
• Insurance Companies
• Your patients and residents
What will happen if we don’t do it?
• It’s not “if”, it’s “when”
• Random Audit
• For Cause Audit
• Breach
• Legal
• Reputation
![Page 8: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/8.jpg)
Why HIPAA?
• Exchange and transmit claims information in a standard way
• Public feel safe their health information is protected
– How information can be shared
– Patient rights
– Specifics around protecting electronic health information
![Page 9: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/9.jpg)
HIPAA – Who needs to comply?
Covered Entity (CE):• Health Plans
• Health Care Providers: Any provider who electronically transmits health information in connection with standardized transactions regulated by HIPAA (e.g., claims transactions, benefit eligibility inquires, etc.).
• Health Care Clearinghouses: Entities that process nonstandard information they receive from one entity into a standard format (or vice versa).
Business Associate (BA): • A person or organization (other than a member of the CE’s workforce) that performs
certain functions or activities on behalf of the CE that involves the use or disclosure of protected information.
HIPAA Entity Types• Covered Entity
• Affiliated Covered Entity (ACE)
• Hybrid
• Organized Healthcare Arrangement (OHCA)
![Page 10: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/10.jpg)
What’s at Risk? Penalties Plus…
![Page 11: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/11.jpg)
Audit Process
• 2016 in process
• Covered Entities and Business Associates
• Email verification
• Questionnaire
• Audit pool selection
• Desk Audits
![Page 12: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/12.jpg)
Regulations
• HIPAA (Federal floor)
– 45 CFR 164 Subpart C - SECURITY STANDARDS FOR THE PROTECTION OF ELECTRONIC PROTECTED HEALTH INFORMATION
– 45 CFR 164 Subpart E - PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
– 45 CFR 164 Subpart D - NOTIFICATION IN THE CASE OF BREACH OF UNSECURED PROTECTED HEALTH INFORMATION
• State Regulations
– Confidentiality
– Patient Rights
– Breach
![Page 13: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/13.jpg)
Privacy, Security, Breach Scope Overview
Security
– “C.I.A.” Confidentiality, Integrity, Availability
– HIPAA Security Rule Safeguards• Administrative
• Technical
• Physical
• Organizational
Example Security Control Families
Access Control
Audit and Accountability
Certification, Accreditation, and Security
Assessment
Configuration Management
Contingency Planning
Identification and Authentication
Incident Response
Maintenance
Media Protection
Physical and Environmental
Security Planning
Security Awareness and Training
Personnel Security
Risk Assessment
System and Service Acquisition
System and Communications
System and Information Integrity
PrivacyPatient RightsUses and DisclosuresTrainingBusiness AssociatesForms, logs, reports, audit
BreachDetectionDocumentationNotificationTraining
![Page 14: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/14.jpg)
Office for Civil Rights HIPAA Audits
• Random Audits
– Performed Test Audits in 2012
– 2016 Audits Underway
– New Audit Protocol Published April, 2016
• For Cause Audits/Investigations
– Incident or Breach
– Whistleblower
– Complaint
![Page 15: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/15.jpg)
Office for Civil Rights HIPAA Audit Protocol
• 180 Audit Items
• General Item Structure
1. Do Policies and procedures exist for the item?
2. Does the entity perform the necessary requirements if the item?
3. Obtain and review policies and procedures for the item and ensure they have required
elements
4. Obtain and review documentation demonstrating the item is being performed in accordance
with policies and procedures
![Page 16: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/16.jpg)
Office for Civil Rights HIPAA Audit Protocol- Security
0
5
10
15
20
25
30
§164.308 §164.310 §164.312 §164.314 §164.316 §164.306
# Ite
ms
Regulation
# Audit Items Per Security Regulation
![Page 17: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/17.jpg)
Office for Civil Rights HIPAA Audit Protocol- Privacy
0
5
10
15
20
25
# Ite
ms
Regulation
# Audit Items Per Privacy Regulation
![Page 18: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/18.jpg)
Office for Civil Rights HIPAA Audit Protocol- Breach
0
1
2
3
4
5
6
7
# I
tem
s
Regulation
# of Audit Items Per Breach Regulation
![Page 19: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/19.jpg)
General Audit Item Structure
1. Do Policies and procedures exist for the item?
2. Does the entity perform the necessary requirements if the item?
3. Obtain and review policies and procedures for the item and ensure they
have required elements
4. Obtain and review documentation demonstrating the item is being
performed in accordance with policies and procedures
![Page 20: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/20.jpg)
OCR Audit Protocol Walkthrough
• Browse through the protocol walkthrough
![Page 21: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/21.jpg)
OCR Audit Protocol Sample Drilldown -Security
• Security example walkthrough
![Page 22: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/22.jpg)
OCR Audit Protocol Sample Drilldown -Privacy
• Privacy example walkthrough
![Page 23: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/23.jpg)
OCR Audit vs. Meaningful Use Audit
• Privacy and Security
• Meaningful Use Audit
– Risk Analysis only (subset of Security Rule)
– Cover EHR only
• OCR Audit
– Deep dive
– Covers full Security, Privacy, Breach
• Passed Meaningful Use Audit?
![Page 24: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/24.jpg)
Call to Action - Security
• Assess– Perform thorough and accurate Risk Analysis
– Develop and actively manage security plan
– Remediate
– Rinse and repeat
• Test– Vulnerability Scans - External/Internal
– Penetration Test
• Train– Workforce
– IT Specific
• Include in Risk Management– Include in Executive Meeting Agenda
– Share with Board of Directors
– This is NOT just an “I.T. Thing”
Assess
Prioritize/
ManageRemediate
![Page 25: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/25.jpg)
Call to Action – Privacy and Breach
•Perform Gap Analysis• Evaluate Policies and Procedures & Documentation
• Review HIPAA Entity Designation
• Review Business Line Regulations
• Review State Regulations
• Review Operations
![Page 26: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/26.jpg)
Call to Action – Audit Preparation
•Tabletop exercise/Mock Audit
•Organize information
•Policy/Procedure
•Keep at it
![Page 27: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/27.jpg)
Organization Questions
1. Have you performed a HIPAA security risk analysis? Has it been regularly updated?
2. Do you have an active security plan?
3. Do you have operational policies and procedures for Security? Privacy? Breach?
4. Have they been updated since Omnibus (2013)?
5. Has your staff been trained in HIPAA and your policies and procedures?
6. Do you have a HIPAA Privacy officer and Security Officer designated?
7. Have you reviewed the latest Office for Civil Rights HIPAA Audit protocol?
![Page 28: Privacy and Security requirements, OCR HIPAA Audits and the …s3.amazonaws.com/rdcms-himss/files/production/public... · 2016-05-19 · HIPAA –Who needs to comply? Covered Entity](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4dd57813337f35a12ec9a4/html5/thumbnails/28.jpg)
Contact Info and Additional Information
John DiMaggio
CEO
Blue Orange Compliance
614.270.9623
Thank You