The ABCs of HIPAA Security

Similar documents
How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA Security and Privacy Policies & Procedures

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Putting It All Together:

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

HIPAA & Privacy Compliance Update

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Healthcare Privacy and Security:

Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

HIPAA Security Awareness Training

The Relationship Between HIPAA Compliance and Business Associates

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA Privacy, Security and Breach Notification

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA-HITECH: Privacy & Security Updates for 2015

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Healthcare Security Professional Roundtable. The Eighth National HIPAA Summit Monday, March 8, 2004

Security and Privacy Breach Notification

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

HIPAA Security Manual

The simplified guide to. HIPAA compliance

All Aboard the HIPAA Omnibus An Auditor s Perspective

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA 101: What All Doctors NEED To Know

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

HIPAA Security Checklist

HIPAA For Assisted Living WALA iii

HIPAA Security Checklist


Integrating HIPAA into Your Managed Care Compliance Program

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

EXHIBIT A. - HIPAA Security Assessment Template -

Data Backup and Contingency Planning Procedure

HIPAA Federal Security Rule H I P A A

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

Security and Privacy Governance Program Guidelines

HIPAA Compliance Checklist

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA FOR BROKERS. revised 10/17

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

and Privacy HIPAA-Compliance Checklist

Altius IT Policy Collection

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

Not Just Another Day of HIPAA

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

Patient Access & Charging for Medical Records. General Right to Access. Requests for Access. Charging for Copies

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

EU General Data Protection Regulation (GDPR) Achieving compliance

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Introduction. Angela Holzworth, RHIA, CISA, GSEC. Kimberly Gray, Esq., CIPP/US. Sr. IT Infrastructure Analyst

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

HIPAA Cloud Computing Guidance

Implementing an Audit Program for HIPAA Compliance

Overview of Presentation

Lakeshore Technical College Official Policy

Support for the HIPAA Security Rule

TITLE: HIE System Audit

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

Seven gray areas of HIPAA you can t ignore

Altius IT Policy Collection Compliance and Standards Matrix

Getting OCR Audit-Ready in 7 Steps:

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

HIPAA Security Rule: Annual Checkup. Matt Sorensen

Technology General Controls and HIPAA Security Compliance: Covering the Bandwidth in One Audit

What s New with HIPAA? Policy and Enforcement Update

Employee Security Awareness Training Program

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Transcription:

The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1

Daniel F. Shay, Esq. Alice G. Gosfield and Associates, PC 2309 Delancey Place Philadelphia, PA 19103 (215) 735-2384 Dshay@gosfield.com

Introduction HIPAA is a fact of life for most physicians. True since 1996. First regulations (Privacy Rule) published in 2000. Deals with common obligations for health care providers with respect to patient protected health information (PHI), such as: Leaving messages on answering machines. Calling patients names in waiting rooms. Issues with business associates. Also established patient rights, such as: Access to copies of their PHI. Right to request amendments to their PHI. Right to request restrictions on uses and disclosures of their PHI. Our clients are most familiar with the Privacy Rule.

Introduction (Part 2) Security Rule has proven much more difficult for our clients to grasp. First published in 2003. Addresses more technical issues. Requires an understanding of technological infrastructure, or having IT staff who knows this. Federal Government is now enforcing Security Rule much more. E.g., OCR s auditing program.

Steps to Security Compliance Security Rule is broken into three general areas. Administrative Safeguards Physical Safeguards Technical Safeguards First step in compliance: Appoint a Security Officer. Required under Administrative Safeguards. Should be someone familiar with the technological infrastructure of the covered entity. Should be comfortable discussing technological issues. Current Security Officer should be listed in covered entity s security policies.

Security Risk Assessment Keystone of HIPAA compliance. Also required under Administrative Safeguards. HHS Office of Civil Rights (OCR) has described security risk assessments (SRAs) as foundational. Necessary to identify covered entity s risk areas, and know whether it has implemented effective security measures, or if not, where to begin implementing such measures. If a covered entity has not conducted one, it is flying blind! OCR Security Rule enforcement frequently finds that no SRA was conducted before an incident. Afterwards is too late. Example: Adult & Pediatric Dermatology.

Security Risk Assessment (Part 2) SRAs can be outsourced. May be helpful to seek outside assistance. Consultants can perform the SRA for a covered entity, if covered entity lacks the internal capabilities to do so itself. Outside consultants are often experts in security matters, capable of thinking of risks our clients might never consider. E.g., wifi printers; where passwords are written down; how workstations are physically positioned within the office. Also understand electronic security standards in connection with legal obligations. Can be done under the privilege. Won t protect the SRA document itself, but may protect the documents generated in the process of creating it.

Security Risk Assessment (Part 3) OCR has published guidance on SRA elements: Scope of SRA. Data collection re: storage, use, maintenance, and transmission of electronic PHI (ephi). Identifying and documenting potential threats and vulnerabilities. Assessing current security measures (if any). Determining impact of potential threats occurring. Determining level of risk. Finalized documentation. SRA need only be conducted periodically, e.g. when infrastructure changes.

Security Rule Safeguards Once SRA is conducted, can establish the Administrative, Physical, and Technical Safeguards, based on results of SRA. Administrative Safeguards Security management. (e.g., policies/procedures re: preventing/detecting/correcting security violations) Assignment of security responsibilities. Workforce security. (e.g., ensuring only appropriate workforce members have access to ephi) Security awareness and training. Incident procedures for security violations. Information access management. (e.g., who can access what levels of ephi)

Security Rule Safeguards (Part 2) Administrative Safeguards (continued) Technical and non-technical evaluations. Obtaining assurances from business associates that they will protect ephi in accordance with HIPAA requirements. Conduct/update SRA. Physical Safeguards Facility access controls. (e.g., floorplan, locks on doors, etc.) Workstation use policies. (e.g., when to log off) Workstation security. (e.g., only authorized individuals can use workstations. Device and media controls. (e.g., policies re: removing thumb drives)

Security Rule Safeguards (Part 3) Technical Safeguards What most people think of when they think of security. Authentication. (e.g., passwords to prove you are who you say you are; 2-factor authentication) Audit controls. (e.g., tracking user activity on systems with ephi) Integrity policies/procedures. (e.g., ensuring ephi isn t improperly modified/destroyed) Transmission security. (e.g., encryption)

Security Rule Enforcement & Audits First Security Rule enforcement action came in 2009 4 years after Security Rule effective date, and 6 years after OCR given authority to enforce. Enforcement was previously focused on larger institutions. Phoenix Cardiac Surgery, P.C., in 2012, changed that. HITECH Act created duty to conduct periodic audits.

Security Rule Enforcement & Audits (Part 2) Audit Pilot Program launches in 2011. Main purpose: To examine mechanisms for compliance, identify best practices and discover risk and vulnerabilities that may not have come to light through OCR s ongoing complaint investigations and compliance reviews. Led to Audit Evaluation Program from November, 2011 December, 2012. Led to Phase 2 in October, 2014. Continues today. Conducted on-site where possible, but usually a desk audit.

What Goes Wrong? Audit program discovered: Small providers have many problems, usually with Security Rule compliance. Can also look at Resolution Agreements. Common problems: Ineffective/no SRA. Lost/stolen thumb drive/laptop. Improperly configured computer systems that make ephi public. Ineffective/no risk-management plans. Failed to implement policies and procedures to detect/prevent/contain/correct security violations. Expensive settlements. $100,000 up to multiple millions!

Practical Advice Look at educational materials from Federal agencies. HealthIT.gov website. Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices. Cybersecurity 10 Best Practices for the Small Healthcare Environment. Resolution Agreements = How not to do it.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback