SECURETexas Health Information Privacy & Security Certification Program

Similar documents
The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

HITRUST CSF: One Framework

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

Introduction to the HITRUST CSF. Version 8.1

Introduction. Angela Holzworth, RHIA, CISA, GSEC. Kimberly Gray, Esq., CIPP/US. Sr. IT Infrastructure Analyst

Model Approach to Efficient and Cost-Effective Third-Party Assurance

Perspectives on Navigating the Challenges of Cybersecurity in Healthcare

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Risk Management Frameworks

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Introduction to the HITRUST CSF. Version 9.1

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

The Future of HITRUST

All Aboard the HIPAA Omnibus An Auditor s Perspective

MyCSF User Guide. Prepared By: HITRUST Frisco Square Blvd. Suite 327. Frisco, Texas P: (469) F: (469)

Leveraging HITRUST CSF Assessment Reports

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

MNsure Privacy Program Strategic Plan FY

Security and Privacy Governance Program Guidelines

ACCREDITATION COMMISSION FOR CONFORMITY ASSESSMENT BODIES

Putting It All Together:

CSF to Support SOC 2 Repor(ng

HIPAA Security and Privacy Policies & Procedures

Privacy Policy on the Responsibilities of Third Party Service Providers

Risk Analysis Guide for HITRUST Organizations & Assessors

HIPAA Privacy, Security and Breach Notification

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

SOC for cybersecurity

HITRUST Common Security Framework - Are you prepared?

Why you should adopt the NIST Cybersecurity Framework

ACCREDITATION COMMISSION FOR CONFORMITY ASSESSMENT BODIES

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Update on Statewide HIE Activities and 2015 HIT/HIE-Related Legislation

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Data Security Standards

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Trust is not a Control... But you s1ll have to have it. (Or How I learned to Stop Worrying and (HI)TRUST Control Compliance Suite)

Peer Collaboration The Next Best Practice for Third Party Risk Management

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

01.0 Policy Responsibilities and Oversight

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

Phase I CAQH CORE 102: Eligibility and Benefits Certification Policy version March 2011

Update from HIMSS National Privacy & Security. Lisa Gallagher, VP Technology Solutions November 14, 2013

Data Backup and Contingency Planning Procedure

MANAGING CYBERSECURITY RISK IN A HIPAA-COMPLIANT WORLD ANDRE W HIC KS MB A, C IS A, C C M, CR IS C,

TEL2813/IS2820 Security Management

Achieving third-party reporting proficiency with SOC 2+

What Why Value Methods

Cybersecurity & Privacy Enhancements

Conference for Food Protection. Standards for Accreditation of Food Protection Manager Certification Programs. Frequently Asked Questions

Phase II CAQH CORE 202 Certification Policy version March 2011 CAQH 2011

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Security Management Models And Practices Feb 5, 2008

HIPAA & Privacy Compliance Update

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

Information Technology (CCHIT): Report on Activities and Progress

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

HCISPP HealthCare Information Security and Privacy Practitioner

Guidance for Exchange and Medicaid Information Technology (IT) Systems

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Information Security Continuous Monitoring (ISCM) Program Evaluation

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Towards an integrated regulation platform in Luxembourg. Information Security Education Day th of april

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

California Code of Regulations TITLE 21. PUBLIC WORKS DIVISION 1. DEPARTMENT OF GENERAL SERVICES CHAPTER 1. OFFICE OF THE STATE ARCHITECT

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

EXAM PREPARATION GUIDE

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Maryland Health Care Commission

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

Policy. Policy Information. Purpose. Scope. Background

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Introduction CHAPTER 1

GDPR ESSENTIALS END-USER COMPLIANCE TRAINING. Copyright 2018 Logical Operations, Inc. All rights reserved.

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Introduction to AWS GoldBase

Steffanie Hall, RHIA HIM Director/Privacy Officer 1201 West 12 th Emporia, Kansas ext

Getting Security Right: The CISO of the Future

COMPLIANCE SCOPING GUIDE

SOC 3 for Security and Availability

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Certification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

PULSE TAKING THE PHYSICIAN S

Framework for Improving Critical Infrastructure Cybersecurity

April 2018 Page 1 of 14

The NIS Directive and Cybersecurity in

The NIST Cybersecurity Framework

COBIT 5 With COSO 2013

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Transcription:

Partners in Texas Health Informa3on Protec3on SECURETexas Health Information Privacy & Security Certification Program 2015 HITRUST, Frisco, TX. All Rights Reserved.

Outline Introduction Background Benefits SECURETexas Certification Framework Criteria Process Tools Pricing About HITRUST About THSA 2

Introduction Background (1) Multitude of challenges Significant government oversight Evolving requirements Complex business relationships Uncertain standard of care Reasonable and appropriate? Adequate protection? 3

Introduction Background (2) Texas legislators concerned about health information protection Increased use of electronic health records Federal HIPAA guidance lacking Significant increase in data breaches Texas House Bill (HB) 300 Passed May 30, 2011 Signed June 17, 2011 Effective Sept. 1, 2012 Amended the following statutes: Texas Health and Safety Code Chapters 181 & 182; Texas Business and Commerce Code, Chapters 521 and 522; Texas Government Code, Chapter 531; and Texas Insurance Code, Chapter 602 4

Introduction Background (3) Maintains the broader, Texas definition of Covered Entity Covers any business or individual coming into contact with PHI Supports patient rights re: Electronic Health Records (EHRs) Provides for the collection/reporting of consumer complaints Increases penalties for non-compliance/breach $5K to $1.5M per year based on 5 factors, not just intent and risk of harm Capped at $250M per year based on specific circumstances A pattern of non-compliance could result in license revocation Establishes Texas standards for healthcare information privacy and security Standards ratified by Texas Health and Human Services Commission and codified at 1 TAC 390 Provides for certification of compliance with the Texas standards Potential to mitigate penalties from regulatory and legal penalties 5

Introduction Background (4) THSA selects HITRUST for SECURETexas Certification program HITRUST Risk Management Framework (RMF) provides robust support for SECURETexas Certification Comprehensive coverage, relevant to healthcare, that is scalable, prescriptive and tailorable to meet entity requirements Certification supports assertions of compliance Common framework & reporting provide significant efficiency & cost savings Most widely adopted information protection framework in U.S. healthcare industry simplifies adoption For this program to be successful, it must provide the appropriate level of assurance and verifica3on while s3ll being prac3cal and implementable; therefore, it was important we select the best possible partner for developing and implemen3ng the SECURETexas Health Informa3on Privacy and Security Cer3fica3on Program. We are confident in our choice given HITRUST s leading role in the assessment and cer3fica3on of compliance with mul3ple health informa3on protec3on regula3ons and best prac3ces through the HITRUST Common Security Framework (CSF). - Tony Gilman, CEO, THSA 6

Introduction Benefits In addition to the those provided by leveraging the HITRUST RMF, covered entities receive specific benefits from obtaining SECURETexas Certification Mitigation of civil and administrative penalties Evidence of good faith efforts to comply with federal and state requirements 7

SECURETexas Certification Framework (1) Resources and tools available by HITRUST CSF Scalable, prescriptive and certifiable framework incorporated a multitude of state and federal regulations, US and International Standards, and best practices maintained and updated for health care industry CSF Assurance A covered entity information protection certification program with an existing base of certified assessor organizations MyCSF Automated support for CSF assessment and certification CSF CSF Assurance HITRUST RMF Methods & Tools (e.g., MyCSF) 8

SECURETexas Certification Framework (2) HITRUST s healthcare-centric RMF Leverages international and U.S. RMFs Rationalizes multiple healthcare requirements Provides industry standard of due diligence and care Three risk-based control baselines Organizational, system and regulatory factors Texas compliance demonstrated through detailed mappings to the CSF control requirements 9

SECURETexas Certification Criteria Examples of Texas requirements mapped to the CSF CSF Control All HIPAA xrefs 02.e, Level 1 07.e, Level 1 11.a, TX Covered EnVVes TX Requirement Texas Health and Safety Code (THSC) 181.004a A covered envty, as that term is defined by 45 C.F.R. SecVon 160.103, shall comply with the Health Insurance Portability and Accountability Act and Privacy Standards. THSC 181.101(a) Each covered envty shall provide a training program to employees of the covered envty regarding the state and federal law concerning protected health informavon as it relates to the covered envty's parvcular course of business and each employee's scope of employment. THSC 81.103, referenced by 1 Texas AdministraVve Code (TAC) 390.2(a)(4)(A)(ii) Specifies that care shall be given to ensure sensivve informavon subject to special handling, e.g., HIV test results, mental health and substance abuse- related records, is idenvfied and appropriate labeling and handling requirements are expressly defined and implemented consistent with applicable federal and state legislavve and regulatory requirements and industry guidelines. THSC 577, referenced by 1 TAC 390.2(a)(4)(A)(ii) To comply with the requirements specified in THSC 577, private psychiatric (mental) hospitals, crisis stabilizavon units and other mental health facilives shall incorporate procedures in their security and privacy incident response programs to assist with state invesvgavons, including the release of otherwise confidenval informavon related to the invesvgavon, as required under THSSC 157. *Refer to the 2013 CSF, 2013 interim Summary of Changes, and the 2014 Summary of Changes for all the SECURETexas Certification requirements 10

SECURETexas Certification Process (1) SECURETexas Certification Completely flexible implementation, as organizations may: Request SECURETexas Certification with CSF (HIPAA) assessment Increment to SECURETexas Certification after CSF (HIPAA) assessment is done Varying levels and costs of assurance Risk Exposure HIGH MEDIUM CSF Assurance (Self) Compliance with HIPAA CSF Assurance (Remote) CSF Assurance (3rd Party) The CSF Assurance Program balances the cost of assurance with the risk exposure. The program is designed to cost effecvvely gather the informavon about privacy and security controls that is required to appropriately understand and mivgate risk. Compliance with ISO Compliance with PCI Compliance with NIST LOW 11 Cost of Assurance

SECURETexas Certification Process (2) Covered entity engages independent assessor organization* CSF Assessor conducts assessment against certification requirements CSF assessor submits assessment results to HITRUST for review HITRUST conducts QA review; resolves outstanding issues HITRUST prepares report with SecureTexas Certification Scorecard If covered entity achieves appropriate scores, HITRUST will provide a certification recommendation to be submitted to THSA THSA reviews recommendation and issues certification letter Covered entity is added to website listing certified covered entities Assessor engaged* Assessment conducted* Results submiied to HITRUST HITRUST conducts QA; prepares report HITRUST determines scoring; if appropriate recommends THSA grants or denies cervficavon OrganizaVon Listed on Website *Small organizavons may conduct a remote- assessment 12

SECURETexas Certification Tools (1) MyCSF GRC-based platform CSF controls Illustrative procedures Assessment scoping Workflow management Documentation repository Dashboards and reporting Automated submission for HITRUST validation and certification Simplifies SecureTexas Certification 13

SECURETexas Certification Tools (2) HITRUST Website General Support HITRUST RMF content News / updates Blogs / chats SecureTexas Certification Support Provide specific guidance Address user questions THSA SecureTexas Website SecureTexas Certification support Who should certify Benefits of certifying How to get started Pricing FAQs 14

Pricing (1) Covered entity assessment and report generation fee Certification Remote Assessment (if applicable) $3500 to perform remote assessment and generate recommendation for Texas Certification $1000 if adding SECURETexas Certification to an existing HITRUST certification Certification Third Party Assessment $3750 - $7500 to review third party assessment and generate recommendation for Texas Certification $1500 if adding SECURETexas Certification to existing HITRUST certification Fees paid to HITRUST Covered entity certification fee Certification Remote Assessment: $100 to $1500 (less than $750, if 150 employees of fewer) Certification Assessment: $2500 - $7500 (depending on revenue) Fees paid to THSA 15

Pricing (2) Fee Schedule TX Only Remote < $5M Third Party < $50M Third Party < $500M Third Party < $1B/yr Third Party < $10B Third Party >$10B Assessor Fees N/A TBD TBD TBD TBD TBD HITRUST Fees $3500 $3750 $4500 $5250 $6000 $7500 THSA Fees $1500 $2500 $3250 $5000 $6250 $7500 Total $5000 $6250 $7750 $10,250 $12,250 $15,000 Fee Schedule TX Added to CSF Remote < $5M Third Party < $50M Third Party < $500M Third Party < $1B/yr Third Party < $10B Third Party >$10B Assessor Fees N/A TBD TBD TBD TBD TBD HITRUST Fees $1000 $1500 $1500 $1500 $1500 $1500 THSA Fees $1500 $2500 $3250 $5000 $6250 $7500 Total $2500 $4000 $4750 $6500 $7750 $9000 16

Pricing (3) Fee Schedule For Small Businesses 1-25 employees 26-50 employees 51-100 employees 101-150 employees Assessor Fees N/A N/A N/A N/A HITRUST Fees $1400 $1750 $2000 $2250 THSA Fees $100 $250 $500 $750 Total $1500 $2000 $2500 $3000 17

Summary The SECURETexas Health Information Privacy & Security Certification Is competitively priced and sufficiently robust to support wide adoption; Demonstrates compliance with the Texas Medical Records Privacy Act and associated standards; Specifically addresses high-risk threats associated with reported data breaches; Supports overall compliance with HIPAA (Final Omnibus Rule) implementation specifications; Leverages HITRUST s online GRC-based tool, MyCSF, to provide automated workflow for certification assessment, quality assurance and reporting; Provides a standardized method of reporting compliance and risk, including the recommendation for SECURETexas Certification; Facilitates the communication of assurances with other business partners, patients and their families, and other key stakeholders, such as federal and state regulators; and Provides for potential, limited safe harbor from regulatory and legal penalties 18

About HITRUST In 2007, the Health Information Trust Alliance or HITRUST was formed by a group of concerned healthcare organizations out of the belief improvements in the state of information security and privacy in the industry are critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information, all of which are necessary to improve the quality of patient care while lowering the cost of healthcare delivery. Key focus: Increase the protection of protected health and other sensitive information Mitigate and aid in the management of risk associated with health information Contain and manage costs associated with appropriately protecting sensitive information Increase consumer and governments confidence in the industry's ability to safeguard health information Address increasing concerns associated with business associate and 3rd party privacy, security and compliance Work with federal and state governments and agencies and other oversight bodies to collaborate with industry on information protection Facilitate sharing and collaboration relating to information protection amongst and between healthcare organizations of varying types and sizes Enhance and mature the knowledge and competency of health information protection professionals 19

About THSA In 2007, the Texas Legislature created THSA to help improve the Texas healthcare system Promote and coordinate HIE and HIT throughout the state Ensure the right information is available to right provider at the right time In 2011, the Texas Legislature authorized THSA to: Identify relevant privacy and security standards Develop a privacy and security certification for Texas covered entities In 2013, THSA partnered with HITRUST to create the SecureTexas Health Information Privacy and Security Certification Program 20

For more information www.hitrustalliance.net/texas www.securetexas.org 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback