The Role of IT in HIPAA Security & Compliance

Transcription

1 The Role of IT in HIPAA Security & Compliance Mario Cruz OFMQ Chief Information Officer For audio, you must use your phone: Step 1: Call (866) Step 2: Enter code #.

2 Mario Cruz Mario Cruz is the Chief Information Officer for OFMQ and has over 18 years of Information Technology experience. He began his career as a software engineer where he developed a number of HIPAA compliant software applications. His career evolved into systems administration, management, and information security before becoming OFMQ s CIO. Using his diverse background in IT, Mario assists OFMQ and its clients in the deployment of technology infrastructure and security compliance.

3 The Role of IT in HIPAA Security & Compliance Mario Cruz OFMQ Chief Information Officer

4 Topics OFMQ s Experience Observations within IT/HIPAA Brief Overview of HIPAA Security HIPAA Safeguards and IT Developing a Healthy Culture Conclusion Questions

5 OFMQ s Experience 40+ Years of Experience as a Company in areas such as: Measures Development Big Data Analytics Quality Improvement: Nursing Homes Physician Offices Hospitals Home Health

6 OFMQ s Experience Regional Extension Center Providers 100+ EHR Vendors 200+ IT Professionals and Vendors Single Physician Practices Large Health Systems Rural and Urban Settings Over Providers and 40+ Hospitals Achieved Meaningful Use

7 Observations Along the Way

8 Observation Landscape of IT Fully Staffed IT Partially Staffed IT Single IT Ad-Hoc Outsourced IT Semi-Outsourced IT Fully Outsourced IT

9 Observation Cultural Perspective of IT Break Fix IT systems are a necessary evil and someone is needed to constantly fix issues. Helpdesk IT systems need continuous attention and someone is needed to keep the system running. Do All/Be All IT is needed to keep all electronics and software working. Along with phone system, generators, office moves, compliance, etc. Hidden IT is needed to keep things running. IT s focus is to keep things running and not be involved in daily operations. Value Added Resource IT is used to enhance operations and someone is needed to keep organization progressive.

10 Observation Landscape of HIPAA (Security) Developed (Don t Need Help) Developed (Needing Refinement) In Development Extension of Privacy Program Delegated Responsibility Stagnant Non-Existent

11 Observation IT s Cultural Perspective of HIPAA Concerned about compliance Little to no budget/resources to implement comprehensive program Not equipped to develop or implement P&P Not knowledgeable enough to address HIPAA requirements HIPAA is too vague Staff and leadership are resistant to implement necessary safeguards Staff and leadership do not understand HIPAA concerns Fearful of consequences of not meeting compliance Misunderstanding of overall roles and responsibility

12 Observation Organization s Perspective of HIPAA and IT IT is overly sensitive (paranoid) to security concerns HIPAA security is IT s responsibility HIPAA security is handled by vendor IT or EHR IT policies do not apply to us IT has it covered IT only needs to be concerned with computer and EHR issues We will tell IT what to do IT needs to be actively involved in HIPAA processes IT s policies are slowing us down

13 Brief Overview of HIPAA Security

14 HIPAA Security Rule Applies to Covered Entities and Business Associates Divided into 3 Major Components Administrative Safeguards Physical Safeguards Technical Safeguards Designed to be Flexible and Interpretive Should Be Considered a Minimum Standard Opinion Confusing, Outdated, Gaps

15 Administrative Safeguards Program Management Policies and Procedures Documentation of Your Risks Documentation of Your Mitigations to Defined Risks Documentation of How Your Security Environment Operates

16 Physical Safeguards Protections from Theft or Accidental Disclosure Building and Office Protections Computer Protections Employee Protections Tangible Controls in Place to Protect PHI

17 Technical Safeguards IT Components IT Configurations for Protection Auditing Tools Monitoring Tools

18 HIPAA Safeguards and IT

19 Design Planning Decision Making Procurement Policy Development Implementation Enforcement Maintenance Monitoring Auditing Role of IT in HIPAA Security

20 The Big Picture Ensure Confidentiality, Integrity, and Availability of ephi Protect against Anticipated Threats/Hazards, Uses or Disclosures of ephi Perform PHI Flow Analysis, Training, P&P Management, Risk Analysis and Self-Assessments Review Security Measures to Ensure Protection of ephi Provide Evidence of Security for Compliance Audits

21 More Specifically

22 Administrative Safeguards IT should be an active contributor with responsibilities to develop, enforce, and facilitate the automation of various procedures. Furthermore, IT should contribute to majority of policy content. IT should help design the Risk Management Plan. IT should help devise and address an Enterprise Risk Assessment. IT should facilitate and contribute to content for Policies & Procedures. IT should develop internal IT Policies and Procedures and have thorough IT systems documentation (not just HIPAA specific). IT should provide content and resources for corporate disaster recovery plan. IT should be an active participant in following teams: Management Team Risk Management Team HIPAA Security Team Policy & Procedure Team Disaster Recovery Team Compliance Team Incident Response Team

23 Physical Safeguards IT should be an active facilitator and enforcer of various physical controls, processes, and safeguards to physically secure resources. IT should support and provide systems to monitor physical security. IT should deploy equipment in safe locations factoring in environmental hazards. IT should deploy technology to secure computing systems. IT should deploy software for the management and security maintenance of IT systems.

24 Technical Safeguards IT should have the ultimate responsibility of implementing and recommending technical safeguards. IT should deploy technology with a security focus mentality. Choose solutions based upon security features and functionality. Compare cost with level of compliance. IT should configure systems with a baseline security standard that is enforceable. Systems should be automated where applicable. Systems should be centrally managed where applicable. Minimum standards should be established across enterprise. IT should configure systems such that configurations are auditable. IT should focus on enterprise level management.

25 Developing a Healthy Culture

26 The Big Picture IT and leadership must work together to understand risks, mitigation strategies, and controls to adequately satisfy HIPAA requirements Administrative Controls (Risk Management Plan, Risk Assessment, HIPAA Teams, etc.) IT and leadership must create a short-term and long-term strategy for implementing a security program Administrative, Physical, Technical Controls (Policies and Procedures, Controls, etc.) IT and leadership must devote adequate resources (financial and personnel) to get to the end goal of a secure environment budget, technology, personnel Physical and Technical Controls (equipment, software, people) Leadership needs to drive and support the initiatives. Realize it is a Process Culture Commitment

27 Raise Awareness Understand Your Risks Risk Assessment with Residual Review Educate Attend Webinars and Workshops Develop In-Service Programs Send Security Reminders Create a Security Team Cross Discipline Team Regularly Meet Discuss Key Issues

28 Document Develop a Plan Risk Management Plan Document What Is Important to the Organization Document and Assign Responsibilities Develop and Enhance Policies and Procedures Consider End User Policies and Procedures Consider Security Policies and Procedures (Confidential) Document Actual Procedures and Workflows Deploy automated tools for tracking, enforcing, and monitoring workflow.

29 Implement Improving Technology Technology solutions should solve problems not create them. Focus on areas where you can make the biggest impact on the problem at hand. Focus on implementing technology that will bring immediate positive results. Procure to improve the biggest complaint. Standardize

30 Ease into Big Changes Inoculate Staff to Changes Beta Test Changes Incentivize Beta Testers Reward Positive Feedback Champion the Cause

31 Audit to Improve, Not Punish Audit program is a requirement. Use audits to create efficiencies and address security concerns. Punish worthy offenses, but use offenses to showcase need for better processes, procedures, and technology. Reward positive results and good behavior.

32 Where Do We Start?

33 Single IT or Fully Outsourced Consider having a member of outsourced IT Department sit in on Teams (Risk Management, HIPAA Security, DR, etc.) Valuable input for technical aspect of planning projects Can identify gaps and limitations CIO Services (IT Consultant) from company with emphasis on security in the healthcare environment Can help build platform for secure environment Single IT sometimes too busy with everyday user/environment issues to devote proper time to security and planning

34 Fully Staffed & Partially Staffed IT Make IT Manager/staff a member of Risk Management, HIPAA Security, DR and other relevant teams. Attend Education Workshops Certifications Training Can still benefit from CIO Services (IT Consultant) from company with emphasis on security in the healthcare environment. Planning Projects Security

35 Conclusion Ultimately, IT s role in HIPAA is to: Help design a program. Help manage the program. Educate organization on technology to make organization more effective with less personnel and more technology. Implement technology to make organization more secure, effective, and efficient with less personnel and more technology. Implement standardized and centralized technology to ease the manual burden of HIPAA. Support mechanisms to facilitate automated reporting and monitoring.

36 Questions Please submit questions via chat window.

37 Free HIT Workshop HIT Workshop #3 March 2, 2016 Ardmore Convention Center Register at

38 Thank you!