Critical HIPAA Privacy & Security Crossover Areas

Transcription

1 Critical HIPAA Privacy & Security Crossover Areas Presented by HIPAA Solutions, LC Peter MacKoul, JD Senior Privacy SME Ken Hughes Senior Security SME HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Introduction - Disclaimer This presentation is for informational purposes only and is not intended as legal advice. The material in this presentation is only for use in training formats authorized by HIPAA Solutions, LC (HSLC) and the Health Care Compliance Association (HCCA). HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 1

2 Introduction HSLC HIPAA Solutions, LC HIPAA Solutions, LC (HSLC) specializes in providing the highest quality in HIPAA and HITECH compliance assessments and audits; consulting; and hosted software tools that automate compliance with the Privacy and Security regulations. HSLC has specialized in this field since 2003 and has developed a national presence as a provider of quality compliance resources. HSLC clients include healthcare providers, insurance companies, health IT groups, pharmaceutical organizations, medical device manufacturers, businesses, government entities, law firms, and educational institutions. Client size ranges from small clinics to multinational corporations. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Introduction Speakers Peter MacKoul, JD (HIPAA Privacy SME) is an attorney and technical analyst with over 20 years of legal and technical consulting experience in both public and private sectors. He has consulted for Fortune 500 groups including Blue Cross, IBM, Nextel, and General Dynamics. He has assisted clients in responding to OCR auditors and has managed HIPAA audits/remediation for healthcare providers educational institutions, state and local governments, business associates, and healthcare IT groups since His legal background includes criminal and civil law at trial and appellate levels. He has extensive expertise with HIPAA and HITECH compliance, IT development, internet law, healthcare issues, and handicapped access to technology involving law, technology, privacy, and security. He is also the chief architect of comprehensive compliance software tools. He has published multiple articles on HIPAA and has been a featured speaker on HIPAA compliance for regional and state conferences hosted by associations and government entities. Ken Hughes (HIPAA Security SME) is a Senior IT Security Consultant and network engineer with over 25 years of experience in both current technology and legacy systems. He has an extensive background in design, implementation and securing of local and wide area networks in health care delivery settings as well as total solution implementation of free standing emergency room clinics and EMR solutions. He has been a Senior HIPAA Security consultant since He has coordinated major HIPAA Security audits and remediation for healthcare providers, multinational organizations, Health IT groups, state and local governments, insurance groups, and business associates. He has also coordinated forensic analysis of potential breach scenarios. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 2

3 Questions If you have questions that you would like to submit during or after the Webinar, please adhere to the following guidelines: During the session Submit questions directly to Peter using the WebEx chat function and he will respond if time allows. At the end of the session (if time allows) Ask a question without giving your name. After the session - Submit questions via to info@hipaasolutions.org. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Topics for Webinar This webinar will cover the following topics related to the crossover areas of HIPAA : Developing a strategy to comply with the Minimum Necessary Use Rule and Roles Based Access (Privacy & Security) Implementing process controls to prevent Impermissible Uses and Disclosures (Required Tasks) HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 3

4 Strategic HIPAA Compliance Issues - Overview The compliance strategy that an organization employs should involve both privacy and security considerations. The strategy should be based around ongoing compliance related to ensuring that all employees who access PHI are accessing the minimum necessary amount to perform their job functions. Please note It is the Privacy Officer s responsibility to authorize access and use to a specific amount and type of PHI for each job function. This authorization should take the form of a minimum necessary policy per job function. The strategy employed must document your analysis as proof of compliance. In addition, roles based access (or access to PHI based on job functions), is an ongoing task and not a static activity. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Strategic HIPAA Compliance Issues Critical When new hires come into your organization, does the organization have minimum necessary use policies ready to guide that new hire? Does your organization terminate access when an employee departs from the organization? Does your Privacy Officer know where PHI resides within the organization and has it been tracked? Smaller organizations may find it easier to comply with the crossover portion of the HIPAA rules because often everyone in the office requires access to PHI to perform their job functions. Medium and larger organizations may require more efforts to pass audit scrutiny. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 4

5 Strategic HIPAA Compliance Issues Required Tasks First Step - Identify job functions in your environment that need to use PHI and record your discovery findings. For each job function (person), record the amount and type of PHI that the job function needs to access. This analysis must take into consideration what the job function does. Some functions require a greater amount of access to PHI than do others. The Privacy Officer has the responsibility to make this decision. In other words, the PO authorizes access to PHI. The Security Officer implements that authorized access. Do not short cut. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Strategic HIPAA Compliance Issues Required Tasks Second Step Identify where do the job functions use that PHI? Track PHI in all forms. Track hard and soft copy files Track on all devices: Workstations Laptops, all portable devices PHI on cell phones, etc. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 5

6 Strategic HIPAA Compliance Issues Required Tasks Third Step - Identify and record conditions appropriate to accessing PHI for all job functions that access PHI. Another way of saying this is make sure safeguards are in place! This is critically important! Audit safeguard controls (procedures) as often as possible. Fourth Step - Make a reasonable effort to ensure that you perform all of the activities mentioned above. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Strategic HIPAA Compliance Issues Required Tasks Final Step - Keep up with who has access to PHI in your environment. Example: Make sure that new hires receive an accurate Minimum Necessary Use policy, Ensure that terminated employees or any employee leaving the organization no longer has access remotely or in any form to your PHI. IMPORTANT - Monitor your Business Associates. If they have a breach, it can be your problem! HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 6

7 Strategic HIPAA Compliance Issues Security Examples of Typical Scenarios Involving PHI in Workplace Billing Department saves EOMB s Local workstations Shared file server Manager / Billing Department Creates / Saves collection letters for patients on local drives or shared network drives Incoming Faxes Typically enterprise copier/fax machines save all incoming faxes to a shared drive on server. Users then attach the faxes to encounter record for patient in EMR. Files are often not deleted. If files are deleted, they may still exist in the trash folder. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Strategic HIPAA Compliance Issues Security Scenarios Examples of Typical Scenarios Involving PHI in Workplace Local Scanners Many front desk personnel scan patient driver s license and insurance cards from patients. Files are typically saved on the local workstation. Often, no security is implemented for these scanned images HL7 Interfaces Some practices will connect the EMR to the local radiology group s PACS system. Typically uses an HL7 interface that exchanges data between the two systems. Some HL7 interfaces transmit the file to the physicians system and remain on the hard drive where the EMR then scans to pick them up. Reports are in clear text format easily available to anyone who can access the directory where reports are stored. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 7

8 Strategic HIPAA Compliance Issues Security Scenarios Examples of Typical Scenarios Involving PHI in Workplace Microsoft Active Directory should to be configured based on groups that are defined by job roles. IT administrators can then place users in appropriate groups to restrict access to files that are necessary for their job roles. Some EMR/Billing systems do not allow the practice to create security groups to control user s access. In this scenario, you must create policies and procedures that implement sanctions if violations occur. HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas Q & A / Contact Information HIPAA Solutions, LC Peter MacKoul, JD Privacy SME Ken Hughes - Security SME info@hipaasolutions.org Toll Free (877) HIPAA Solutions, LC Critical HIPAA Privacy / Security Crossover Areas 8