Putting It All Together:


Putting It All Together: The Interplay of Privacy & Security
Regina Verde, MS, MBA, CHC
Chief Corporate Compliance & Privacy Officer, University of Virginia Health System
2017 ISPRO Conference, October 24, 2017

Overview
- Overview of HIPAA
- The Privacy Program
- The Security Program
- The Intersection of Privacy & Security
- Questions

HIPAA

Health Insurance Portability & Accountability Act: Privacy Rule and Security Rule
- 1996: HIPAA enacted
- 2003: Privacy Rule in effect
- 2005: Security Rule in effect
- 2009: Health Information Technology for Economic & Clinical Health (HITECH) Act
- 2013: Omnibus Final Rule

The HIPAA Basics: HIPAA promotes patient rights
- There must be a Covered Entity
- There must be Protected Health Information (PHI)
- PHI requires both: identifiers (1 or more of 18), and health information (past, present or future)
- Framed by Needing to Know vs. Wanting to Know
- And protected by using Reasonable Safeguards

Protected Health Information (PHI) consists of all individually identifiable health information regarding past, present and future health care encounters, in any form:
- Verbal
- Written/Paper
- Electronic

Components of HIPAA
- Portability & Accountability: provides continuity of healthcare coverage, limits exclusions for pre-existing conditions, and prohibits discrimination based on health status
- Administrative Simplification: requires privacy & security protections for all forms of individually-identifiable health information

The Privacy Program

Overview of the Privacy Program
- Provides strategic and thought leadership
- Creates privacy policies, processes and internal controls
- Develops and maintains an appropriate framework on which the company collects, stores, processes and transfers personal data
Privileged and Confidential

Overview of the Privacy Program (Continued)
- Protects the privacy of protected health information (PHI), and sets limits and conditions on the uses and disclosures of PHI without patient authorization
- Implements appropriate training for Covered Persons, integrating policies and procedures for protecting and safeguarding PHI
- Acquires and develops necessary HIPAA-related forms and documentation

Privacy Program Components
- Policies & Procedures
- Protects Patient Rights
- Privacy Training
- Incident Response
- Risk Management

HIPAA gives patients federal privacy rights
- The Notice of Privacy Practices explains these rights and describes how a Covered Entity will use and disclose PHI
- There are criminal and civil fines and sanctions for non-compliance
- All Covered Entities must have a sanctions policy

The Balancing Act
Access, use and disclosure of minimum necessary PHI for TPO:
- Treatment: clinicians, providers and care team members
- Payment: schedulers, registrars, coders and billers
- Healthcare Operations: performing reviews, extracting necessary information, performing audits, surveys and investigations, etc.
Upholding and safeguarding patient rights under HIPAA:
- Itemized in the Notice of Privacy Practices
- Taken seriously by consumers and oversight agencies

The Interactive Privacy Officer
- Patients and family members
- Covered individuals and workforce members: training, consultation, investigation, enforcement
- Business Associates
- Involved third parties: law enforcement, legal, religious and representatives, etc.
- Oversight agencies

Roles and Responsibilities of the Privacy Function
- Builds a strategic and comprehensive privacy program that defines, develops, maintains and implements policies and processes that enable effective privacy practices
- Minimizes risk and ensures the confidentiality of PHI (oral, paper and/or electronic) across all media types
- Ensures privacy forms, policies, and procedures are up-to-date
- Conducts ongoing compliance monitoring in coordination with the organization's other compliance and operational assessment functions
- Oversees, develops and delivers initial and ongoing privacy training to the workforce
- Monitors all business associates and business associate agreements to ensure all privacy concerns, requirements, and responsibilities are addressed
- Manages all required breach determination and notification processes under HIPAA and applicable state confidentiality and/or breach rules and requirements
- Establishes and administers a process for investigating and acting on privacy and security complaints

The Security Program

Overview of a Security Program
- Ensures that the data held at the organization remains secure
- Responsible for ensuring the Confidentiality, Integrity, and Availability (CIA) of data
- Responsible for the implementation of Administrative, Physical, and Technical Safeguards to protect sensitive data
- Heads the creation of policies and procedures to ensure this protection, such as:
  - Acceptable use
  - Access control
  - Data handling and retention
  - Data classification
- Ensures employees receive the proper training in order to enable them to protect sensitive information

Information Security protects PHI
- Confidentiality: only people with a need to know have access to patient records
- Integrity: lab results, etc., aren't changed or destroyed accidentally or maliciously
- Availability: patient records are there when you need them, computer systems are up and running, your user ID and password are working, etc.

Administrative Safeguards
- Careful hiring practices
- Training and education
- Policies and procedures
- Termination and separation protocols

Physical Safeguards
- Confidential patient care
- Document care and storage
- Document disposal and destruction

Electronic Safeguards
- User authentication
- Systems protection
- Safe hardware disposal

Components of a Security Program
- Security Policies
- Physical Security
- Personnel Security
- System & Data Identification
- Security Standards & Best Practices
- Incident Response
- System Security Plan
- System Development Life Cycle
- Organization's Security Policies & Programs
- Configuration Management
- Training & Awareness
- Laws & Regulations
- System Documentation
- Disaster Recovery

Roles and Responsibilities of the Security Function
- Understanding the HIPAA Security Rule and keeping up-to-date with any and all changes to the law
- Developing and implementing policies and procedures to safeguard PHI
- Identifying and evaluating threats to the integrity of PHI
- Developing and implementing action plans for addressing risks to PHI
- Less people-centric than the privacy officer

The Intersection of the Privacy and Security Functions

How Does a Breach Affect Your Organization?
- Fines from government: OCR can fine an organization up to $1.65 million per HIPAA provision violated per calendar year
- Litigation (class action)
- Breach notification costs/credit monitoring
- System downtime
- Reputational damage
- Patient loyalty

Table: Categories of HIPAA Violations & Fine Amounts

Violation category            | Each violation  | Violations of an identical provision (in a calendar year)
Did Not Know                  | $110-55,010     | $1.65 million
Reasonable Cause              | $1,100-55,010   | $1.65 million
Willful Neglect Corrected     | $11,002-55,010  | $1.65 million
Willful Neglect Not Corrected | $55,010-1.65M   | $1.65 million

Privacy and Security Relationship
Privacy and security go hand-in-hand.

Privacy:
- All PHI: oral, written or electronic
- Rules on the use of PHI
- Who is authorized to access PHI
- Patient rights and access to their medical information
- Limits PHI uses & disclosures to the minimum amount necessary

Shared by both:
- Training
- Data safeguards
- Confidentiality
- Appropriate access (paper, physical or electronic)
- Policies & procedures
- Contracts (BAA)
- Incident mitigation

Security:
- e-PHI: electronic PHI received, maintained or transmitted
- Rules on how to protect e-PHI
- Mechanisms to ensure authorized access to e-PHI
- Assurances for data integrity and availability
- Reviews to evaluate potential risks of e-PHI

Privacy and Security Shared Responsibilities
The Privacy and Security Officers:
- Have a role in developing the policies and procedures and training the workforce in HIPAA's requirements
- Establish and maintain a culture of compliance within the organization
- Work together to safeguard patient PHI
- Oversee internal sanctions for failure to comply with HIPAA policies
- Serve as the internal contact point for a security or privacy incident and/or PHI breach
- Regularly review and edit internal policies and procedures

"A marriage between the technical person and the one who understands compliance requirements." - Angela Rose, director of HIM Practice Excellence at the American Health Information Management Association

Breach Notification
By law, the covered entity must notify the affected individuals, Health and Human Services, and, if 500+ individuals are affected, the media.

Incident Response: Privacy and Security
- Privacy and Security are interconnected
- Both can contribute to workforce readiness and awareness
- A Security breach is often a Privacy breach; both areas would mobilize in incident investigation and response

Incident Response: Privacy and Security
Example:
i. A breach occurs
ii. The Chief Information Security Officer activates an incident response team, which assesses the scope of the incident: What information was accessed or misused?
iii. The Incident Response coordinator contacts the Privacy Officer to determine if there needs to be a breach declaration: Does the breach impact solely privacy, security, or a combination of both?
iv. If there has been a breach of personal information, Privacy and Security will mutually determine the appropriate response and relief, e.g. patient notification, credit monitoring, etc.

Auditing and Monitoring: The Union of Privacy and Security
Regulations that affect Privacy and Security:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The American Recovery and Reinvestment Act of 2009 (ARRA) - HITECH
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act; Final Rule
- The Payment Card Industry Data Security Standard (PCI DSS)

Auditing and Monitoring: The Union of Privacy and Security (Continued)
- The focus of the security program is to protect the Confidentiality, Availability, and Integrity of data
- Controls and procedures for both areas make up the umbrella which protects the organization from threats and unauthorized disclosures of protected information
- Compliance monitoring is important for both privacy and security
- The controls are only as good as they are effective!
- Must provide evidence that the controls are in working order for audits: document!

Treat PHI as if it was your OWN!

Questions?
Regina Verde, MS, MBA, CHC
Chief Corporate Compliance and Privacy Officer
University of Virginia Health System, Corporate Compliance and Privacy Office
Office: 434-924-9741
Mobile: 434-465-0761