Health Insurance Portability and Accountability Act, Security Rule

Similar documents
Departmental Change in Management Audit Fiscal Year 2012

TAC 202 Requirements 2017

Office of Internal Audit

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report October 29, 2010

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

Putting It All Together:

Texas A&M University: Learning Management System General & Application Controls Review

Office of MN.IT Services Data Centers

Policy and Procedure: SDM Guidance for HIPAA Business Associates

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

DETAILED POLICY STATEMENT

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

System Chief Business Officer - B. J. Crain The Texas A&M University System Position Description--January 13, 2010

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

01.0 Policy Responsibilities and Oversight

Virginia Commonwealth University School of Medicine Information Security Standard

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Computer Administrative Rights Report No

General Information Technology Controls Follow-up Review

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

Standard for Security of Information Technology Resources

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Policies and Procedures Date: February 28, 2012

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

Privacy Breach Policy

MNsure Privacy Program Strategic Plan FY

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

Credit Card Data Compromise: Incident Response Plan

STATE OF NORTH CAROLINA

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Subject: University Information Technology Resource Security Policy: OUTDATED

DATA CENTER OPERATIONS CALIFORNIA STATE UNIVERSITY, DOMINGUEZ HILLS. Audit Report June 15, 2012

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Data Backup and Contingency Planning Procedure

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Office of Internal Audit 800 W. Campbell Rd. SPN 32, Richardson, TX Phone Fax December 12, 2016

All Aboard the HIPAA Omnibus An Auditor s Perspective

Information Security Incident Response and Reporting

FOLLOW-UP REPORT Industrial Control Systems Audit

Policy. Policy Information. Purpose. Scope. Background

HIPAA Security and Privacy Policies & Procedures

HITRUST CSF: One Framework

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

NYDFS Cybersecurity Regulations

NERC Staff Organization Chart Budget 2018

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Introduction. Angela Holzworth, RHIA, CISA, GSEC. Kimberly Gray, Esq., CIPP/US. Sr. IT Infrastructure Analyst

Information Security Policy

NERC Staff Organization Chart Budget 2019

Information Security Incident Response Plan

University System of Maryland Frostburg State University

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Access to University Data Policy

Audit and Compliance Committee - Agenda

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

NERC Staff Organization Chart Budget 2019

Information Security Policy

Integrating HIPAA into Your Managed Care Compliance Program

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

UNIVERSITY OF NORTH CAROLINA CHAPEL HILL

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Information Security Incident Response Plan

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

HIPAA Security Rule Policy Map

The HIPAA Omnibus Rule

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Is Your Compliance Strategy Putting Your Business at Risk?

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

HIPAA Federal Security Rule H I P A A

UCLA AUDIT & ADVISORY SERVICES

HIPAA Compliance Checklist

Information Technology General Control Review

CCISO Blueprint v1. EC-Council

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

SAC PA Security Frameworks - FISMA and NIST

Cybersecurity & Privacy Enhancements

Not Just Another Day of HIPAA

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

HIPAA Compliance and OBS Online Backup

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

EMERGENCY MANAGEMENT

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

John Snare Chair Standards Australia Committee IT/12/4

A Global Look at IT Audit Best Practices

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Transcription:

Health Insurance Portability and Accountability Act, Security Rule Athletics Sports Medicine The University of Texas at Austin Office of Internal Audits UTA 2.302 (512) 471-7117

The University of Texas at Austin Institutional Audit Committee Mr. William O'Hara, External Member, Chair Dr. Gregory Fenves, President Dr. Judith Langlois, Executive Vice President and Provost, ad interim Dr. Patricia Clubb, Vice President for University Operations Ms. Patricia Ohlendorf, Vice President for Legal Affairs Dr. Daniel Jaffe, Vice President for Research Dr. Gage Paine, Vice President for Student Affairs Mr. Darrell Bazzell, Senior Vice President and Chief Financial Officer Ms. Mary Knight, CPA, Associate Vice President for Finance Mr. Paul Liebman, Chief Compliance Officer, University Compliance Services Mr. Cameron Beasley, University Information Security Officer Ms. Christine A. Plonsky, Women's Athletics Director and Executive Senior Associate Athletics Director for External Services Mr. Tom Carter, External Member Ms. Lynn Utter, External Member Ms. Susan Whittaker, External Member Mr. Michael Vandervort, Chief Audit Executive, Office of Internal Audits Mr. J. Michael Peppers, Chief Audit Executive, University of Texas System Audit Office The University of Texas at Austin Office of Internal Audits Chief Audit Executive: Associate Director: Assistant Directors: Audit Manager: Auditor III: Auditor II: Auditor I: IT Auditor: Michael Vandervort, CPA Jeff Treichel, CPA Angela McCarter, CIA, CRMA *Chris Taylor, CIA, CISA *Brandon Morales, CISA, CGAP Michael Hammond, CIA, CISA, CFE Cynthia Martin-Hajmasy, CPA Ashley Oheim, CPA Bobby Castillo Stephanie Grayson Kerri Jordan Miranda Pruett, CFE Jason Boone Tiffany Yanagawa Mike Mcintosh * denotes project members This report has been distributed to Internal Audit Committee members, the Legislative Budget Board, the State Auditor's Office, the Sunset Advisory Commission, the Governor's Office of Budget and Planning, and The University of Texas System Audit Office for distribution to the Audit, Compliance, and Management Review Committee of the Board of Regents. Health Insurance Portability and Accountability Act, Security Rule - Athletics Sports Medicine Project Number: 15.311

OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS AT AUSTIN 1616 Guadalupe Street, Suite 2.302 Austin, Texas 78701 (512) 471-7117 FAX (512) 471-8099 June 8, 2016 President Gregory L. Fenves The University of Texas at Austin Office of the President P.O. Box T Austin, Texas 78713 Dear President Fenves, We have completed our audit for compliance with the Health Insurance Portability and Accountability Act (HIP AA), Security Rule at Athletics Sports Medicine (ASM). Our scope included applicable IT controls within ASM. Based on the audit procedures performed, we conclude that ASM is generally in compliance with HIP AA guidelines. Our audit report provides detailed observations for each area under review. Suggestions are offered throughout the report for improvement in the existing control structure. We appreciate the cooperation and assistance of ASM throughout the audit and hope that the information presented herein is beneficial. cc: Institutional Audit Committee Members Mr. Allen Hardin, Senior Associate Athletics Director, Intercollegiate Athletics Ms. Patricia Ohlendorf, Vice President for Legal Affairs Mr. Jeff Treichel, Associate Director, Office of Internal Audits

TABLE OF CON TEN TS Executive Summary............................................................................................................. 1 Background.......................................................................................................................... 2 Scope, Objectives, and Procedures...................................................................................... 2 Audit Results........................................................................................................................ 3 Conclusion........................................................................................................................... 5 Appendix.............................................................................................................................. 6

EXE CUTIVE SUMM ARY Conclusion Based on the audit procedures performed, it appears that Athletics Sports Medicine (ASM) is generally in compliance with the Health Insurance Portability and Accountability Act (HIP AA) Security Rule guidelines. Two recommendations were made regarding contingency planning and review of information system activity logs. Management agreed with the recommendations and is taking corrective actions... Summary of Recommendations Internal Audits identified two notable issues which led to the following recommendations:.management should ensure that a comprehensive contingency plan is documented and tested regularly. (Audit Issue Ranking: High) Management should implement procedures to regularly review records of information system activity related to HIP AA data. (Audit Issue Ranking: High) No additional recommendations were necessary. Audit Scope and Objective The scope of this audit included applicable information technology controls within ASM. The specific audit objective was to determine whether ASM is in compliance with HIP AA Security Rule guidelines. Background Summary Title II of HIP AA defines policies, procedures, and guidelines for maintaining the privacy and security of individually identifiable health information. The Department of Health and Human Services' Administrative Simplification of HIPAA's Security Rule specifically relates to electronic protected health information and requires appropriate security standards to ensure the confidentiality, integrity, and security of electronic protected health information. ASM is responsible for ensuring the health and safety of every student-athlete in The University of Texas at Austin's 20 intercollegiate sports programs. Trainers, physical therapists, and sports medicine physicians use state-of -the-art technology to aid in injury and illness prevention and diagnostic, therapeutic, and rehabilitative services. As part of its operations, ASM works with electronic protected health information. This audit was conducted as part of the Fiscal Year 2015 Audit Plan, based on risk identified in the annual risk assessment. Page 1

BACKGR OUND Title II of the Health Insurance Portability and Accountability Act (HIP AA) defines policies, procedures, and guidelines for maintaining the privacy and security of individually identifiable health information. The Department of Health and Human Services provides an Administrative Simplification of Title II and divides its requirements into the following areas: The Privacy Rule - requires appropriate safeguards to protect the privacy of personal health information and regulates the use and disclosure of this information; The Security Rule - establishes standards to protect individuals' electronic personal health information that is created, received, used, or maintained by covered entities; The Breach Notification Rule - requires notifications following a breach of unsecured protected health information; The Transactions and Code Sets Standards - standardizes health care transactions; Identifier Standards for Employers and Providers - require the use of standardized identification numbers; and The Enforcement Rule - relates to compliance and investigations and sets civil monetary penalties for HIP AA violations. The focus of this audit is the Administrative Simplification of the Security Rule. The Security Rule specifically relates to electronic protected health information and requires appropriate administrative, physical, and technical safeguards, as well as organizational requirements, policies and procedures, and documentation to ensure the confidentiality, integrity, and security of electronic protected health information. Athletics Sports Medicine (ASM) is responsible for ensuring the health and safety of every student-athlete in The University of Texas at Austin's 20 intercollegiate sports programs. Trainers, physical therapists, and sports medicine physicians use state-of-theart technology to aid in injury and illness prevention and diagnostic, therapeutic, and rehabilitative services. As part of its operations, ASM works with electronic protected health information. SCOPE, OBJE CTIVES, AND PR O CED URES The scope of this audit included applicable IT controls within ASM. The specific audit objective was to determine whether ASM is in compliance with the HIP AA Security Rule guidelines. To achieve this objective, we: Gained an understanding of ASM's IT environment and the IT controls in place for accessing and storing electronic protected health information; Page 2

Reviewed current documented policies and procedures at ASM related to HIP AA Security Rule guidelines; Reviewed the results of network vulnerability scans; and Tested a sample of computers within ASM. This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and with Government Auditing Standards. AUDIT RES UL TS The HIP AA Security Rule consists of required and addressable implementation specifications in the following areas: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. ASM does not house electronic HIP AA data, instead opting to use the third party - Workflow to store and access their HIP AA data. The following two recommendations were made in the area of Administrative Safeguards. Each issue has been ranked according to the University of Texas System Administration (UT System) Audit Issue Ranking guidelines. Please see the Appendix for ranking definitions. Administrative Safeguards - Contingency Plan Audit Issue Ranking: High The Intercollegiate Athletics contingency plan is not routinely tested and does not include instructions pointing to the Workflow Disaster Recovery Plan (DRP) which covers Athletics Sports Medicine HIP AA data. Without a documented and tested contingency plan in place that includes the program housing Athletics Sports Medicine electronic HIP AA data, operators, technicians, and management may not be able to adequately recover and continue operations of critical systems and data in the event of a disaster. HIPAA Administrative Simplification Regulation Text 1 part164.308 a.7 states: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. 1 HIPAA Administrative Simplification Regulation Text - http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification- 201303.pdf Page 3

Implement procedures for periodic testing and revision of contingency plans. Recommendation 1: Management should ensure that a comprehensive contingency plan is in place including information pointing to the Workflow DRP which covers Athletics Sports Medicine electronic HIP AA data. This contingency plan should be documented within The University of Texas at Austin's UT Ready Continuity Planning tool and should be tested at least annually. Management's Response and Corrective Action Plan: Emergency Access Procedure: Sports Medicine Policy & Procedure Manual serves as Contingency Plan. These procedures will be acknowledged in the Disaster Preparedness Plan and will be documented within UT Ready Continuity Planning tool. The procedures will be tested annually. Responsible Person: Phillip Jaeger, Athletics IT Services Planned Implementation Date: July 1, 2016 Post Audit Review: Internal Audits will perform follow-up activities in the first quarter of fiscal year 201 7. Administrative Safeguards - Information System Activity Records Review Audit Issue Ranking: High Athletics Sports Medicine has the capability to log information system activity and run reports but there is no routine schedule for reviewing the logs or reports. Without regularly reviewing records of information system activity, there is an increased risk of loss or misuse of HIP AA data. HIP AA Administrative Simplification Regulation Tex? part 164.308 a. l.ii.d states, Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Recommendation 2: Management should implement procedures to regularly review records of information system activity related to HIP AA data. This review should be documented. Management's Response and Corrective Action Plan: Procedure will be established to review User Authentication Successes and User Authentication. Failures and document review of such. Reports are viewable but not exportable. 2 HIP AA Administrative Simplification Regulation Text - http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification- 201303.pdf Page4

Athletics will request from vendor that creation of exportable reports be established. Responsible Person: LaQuinta Pollard, Athletics Sports Medicine Planned Implementation Date: July 1, 2016 Post Audit Review: Internal Audits will perform follow-up activities in the first quarter of fiscal year 2017. CONCLUSI ON Based on the audit procedures performed, it appears that ASM is generally in compliance with the HIP AA Security Rule guidelines. Two recommendations were made regarding contingency planning and the review of information system activity logs. Management agreed with the recommendations and is taking corrective actions. In accordance with directives from The University of Texas System Board of Regents, the Office of Internal Audits will perform follow-up procedures to confirm that audit recommendations have been implemented. Page 5

APPEND IX Audit Issue Ranking Audit issues are ranked according to the following definitions, consistent with UT System Audit Office guidance. These determinations are based on overall risk to UT System, UT Austin, and/or the individual college/school/unit if the issues are left uncorrected. These audit issues and rankings are reported to UT System directly. Priority-A Priority Issue is an issue that, if not addressed immediately, has a high probability to directly impact achievement of a strategic or important operational objective of UT Austin or the UT System as a whole. High - An issue that is considered to have a medium to high probability of adverse effects to UT Austin either as a whole or to a significant college/school/unit level. Medium - An issue that is considered to have a low to medium probability of adverse effects to UT Austin either as a whole or to a college/school/unit level. Low - An issue that is considered to have minimal probability of adverse effects to UT Austin either as a whole or to a college/school/unit level. Issues with a ranking of "Low" are reported verbally to the unit and are not included in the final report. Page 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback