HIPAA Privacy, Security and Breach Notification

HCCA East Central Regional Annual Conference, October 2013
Presented by KPMG LLP

Disclaimer

The information contained in this document is provided by KPMG LLP for general guidance and is intended to offer the user general information of interest. The information provided is not intended to replace or serve as a substitute for any audit, advisory, tax or other professional advice, consultation or service. You should consult with a KPMG professional in the respective audit, advisory, tax or other professional area to obtain such services. The application of laws and regulations may vary depending on specific facts or circumstances. In no event shall KPMG, its related partners, managing directors, principals, agents or employees be liable for any direct, indirect, incidental, special, exemplary, punitive, consequential or other damages whatsoever (including but not limited to liability for loss of use, data or profits), without regard to the form of any action, including but not limited to contract, negligence or other tortious actions, arising out of or in connection with this information or any copying, display or other use hereof.

Table of contents

- Health Insurance Portability and Accountability Act (HIPAA): key concepts
- Omnibus updates
- The Office for Civil Rights (OCR) audits
- Audit results analysis
- HIPAA Privacy audit findings and observations analysis
- HIPAA Security audit findings and observations analysis
- HIPAA Breach Notification audit findings and observations analysis
- Lessons learned
- Leading practices

HIPAA Key Concepts

Program background

HITECH Act, Section 13411 (Audits): the American Recovery and Reinvestment Act of 2009, in Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires the US Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.

The HIPAA rules address three areas:
- Transactions, Code Sets and Identifiers: formatting and processing of healthcare claims-related transactions
- Privacy: protection of patient rights and of patient information from undue exposure
- Security: safeguarding of the technology systems that process health information

Key concept: business associates

PHI disclosures may be made to a business associate (BA), and the BA may create or receive PHI, provided that satisfactory, documented assurance is obtained that the BA will appropriately safeguard the information. A BA has direct responsibility to maintain Privacy and Security, and if it uses third parties (subcontractors) it must in turn obtain satisfactory assurance from those third parties.

Key concepts: HIPAA Security

- Ensure the confidentiality, integrity and availability of electronic protected health information (ePHI), i.e., protect both the technology and the processes that handle it
- The standards set a minimum baseline of controls and safeguards
- CEs should develop information protection and security programs based on:
  - the results of a risk assessment
  - the level of risk the organization is willing to tolerate
- The BA's contract vehicle (business associate agreement) with the CE should specify this obligation

HIPAA security basics

Key concepts: HIPAA Security standards

- Standards are supported by implementation specifications: 20 required and 22 addressable
- Options for an addressable specification (addressable does not mean optional):
  - implement the specification as written
  - implement an equivalent alternative security measure
  - implement a combination of both
  - implement neither (only where neither is reasonable and appropriate, with the rationale documented)
- The decision must be based on the risk assessment, documented, and retained for six years
- Examples of standards with addressable specifications: Workforce Security, Access Authorization, Facility Access Controls, Facility Security Plan, Transmission Security, Encryption
- Application and data workflows must be mapped in order to determine which controls apply and what use of ePHI is actually necessary

Omnibus Updates

Omnibus Final Rule: issued January 17, 2013; effective March 26, 2013; compliance date September 23, 2013.

Major changes:
- Expands liability: business associates and their subcontractors become directly liable, and covered entities are liable for the acts of their agents
- Presumption of breach unless a low probability of data compromise can be demonstrated; the CE must perform a risk assessment following an impermissible use or disclosure
- Tighter limits on use of PHI for marketing and fundraising (fundraising communications must offer an opt-out)
- Strengthens the individual's right of access to PHI, including access to electronic copies
- Enforcement: tiered civil money penalties

Revised definition of breach

Prior definition: acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI. The interim final rule defined "compromises" as posing a significant risk of financial, reputational or other harm to the individual (the "harm threshold").

Revised definition: an acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach unless the CE or BA can demonstrate, via documentation, that there is a low probability that the PHI has been compromised.

Conduct a risk assessment to determine the probability of compromise. Factors that must be weighed:
1. The nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification)
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated

The Office for Civil Rights Audits

Overview & objective of the audits

Overview: ARRA requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.

Program objectives: OCR piloted a program to perform up to 150 audits* of covered entities to assess privacy and security compliance. Key objectives of the program are to:
- assess HIPAA compliance efforts by a range of covered entities
- examine mechanisms for compliance
- identify leading practices
- discover risks and vulnerabilities

OCR will broadly share leading practices gleaned through the audit process, and guidance targeted to observed compliance challenges, on its web site and through other outreach channels.

* The pilot program ultimately completed 115 audits in 2012.

Who is being audited?
- Every covered entity and business associate is eligible for an audit.
- Selections in the initial round were designed to provide a broad assessment of a complex and diverse health care industry.
- OCR is responsible for selecting the entities; the selection was intended to cover as wide a range of types and sizes of covered entities as possible.
- Business associates will be included in future audits.

HIPAA key data points

- $194: average cost of a breach, per record
- $1,000: average cost of a breach per patient based on recent class-action lawsuits, plus legal fees and credit monitoring
- 498: number of organizations reporting breaches affecting more than 500 individuals to OCR since 2009
- $1.5M: fine paid by a large southern payor organization; $17M total costs from that breach
- $0.46: cost of a first-class stamp, i.e., the postage to notify each individual of a breach
- TBD: reputational costs

Sources: Ponemon Institute; Sutter Health/Tricare class action filings; http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Audit Results Analysis

Auditees by entity type

Identified below is the targeted mix of auditees by level and type (OCR's size tiers, Level 1 being the largest entities and Level 4 the smallest). This mix of organizations allowed the program to gain an understanding of the level of HIPAA compliance across a cross-section of the overall industry.

Entity type                 Level 1  Level 2  Level 3  Level 4  Total
Health Plans                     13       12       11       11     47
Healthcare Providers             11       16       10       24     61
Healthcare Clearinghouses         2        3        1        1      7
Total                            26       31       22       36    115

Overall audit results analysis: findings and observations

- 13 entities (2 providers, 9 health plans and 2 clearinghouses) had no findings or observations.
- 64% of the selected audit protocol pertained to Privacy, 28% to Security and 8% to Breach Notification, yet 60% of the findings and observations were in the audited Security protocol.
- There were no clear trends in the Privacy findings and observations; the challenges were widespread.
- Providers had more findings and observations than health plans and clearinghouses.

Overall audit results analysis: findings and observations (continued)

There are several overarching trends in the audit results noted across the 115 entities audited. There were 979 audit findings and observations in total:
- 293 Privacy audit findings and observations
- 592 Security audit findings and observations
- 94 Breach Notification audit findings and observations

- 58 of the 59 providers with observations had at least one finding or observation in HIPAA Security.
- 47 of the 59 providers with observations, 20 of the 35 health plans with observations, and 2 of the 7 clearinghouses with observations did not have a complete and accurate risk assessment.
- Almost every entity that had no finding or observation in an area defined as an addressable implementation specification in the HIPAA Security Rule got there by fully implementing the addressable specification rather than by relying on an alternative measure.
- Level 4 entities continue to struggle with HIPAA Privacy, Security and Breach Notification.

Overall audit results analysis: cause analysis

Unaware of the requirement
- For 39% (115 of 293) of the Privacy audit findings and observations, the entities said they were unaware of the requirement.
- 75% (86 of the 115) were in areas of the audit protocol where the performance criteria were derived directly from the HIPAA Privacy Rule.
- Top Privacy areas with this cause: Notice of Privacy Practices; Access of Individuals; Minimum Necessary; Authorizations.

Overall audit results analysis: cause analysis (continued)

Unaware of the requirement
- For 27% (163 of 592) of the Security audit findings and observations, the entities said they were unaware of the requirement.
- 94% (153 of 163) were in areas of the audit protocol where the criteria were derived directly from the HIPAA Security Rule.
- Top Security areas with this cause: Risk Analysis; Media movement and disposal; Audit controls and monitoring.
- For 12% (11 of 94) of the Breach Notification audit findings and observations, the entities said they were unaware of the requirement. All 11 were in areas of the audit protocol where the criteria were derived directly from the Breach Notification Rule.

HIPAA Privacy, Security and Breach Notification audit findings and observations

Chart (not reproduced): Audit Findings and Observations by Rule
Chart (not reproduced): Audit Findings and Observations by Level
Chart (not reproduced): Audit Findings and Observations by Type of Covered Entity

HIPAA Privacy, Security and Breach Notification audit findings and observations (continued)

Chart (not reproduced): Audit Findings and Observations Distribution

HIPAA Privacy Audit Findings and Observations Analysis

Chart (not reproduced): Percentage of Privacy Findings and Observations by Area of Focus
Chart (not reproduced): Privacy Findings and Observations by Area and Type of Entity
Chart (not reproduced): Privacy Findings and Observations by Level

Individual HIPAA Privacy areas of focus: audit findings and observations

Chart (not reproduced): Access of Individual to PHI, Findings and Observations
Chart (not reproduced): Administrative Requirements, Findings and Observations
Chart (not reproduced): Uses and Disclosures of PHI, Findings and Observations
Chart (not reproduced): Notice of Privacy Practices for PHI, Findings and Observations
Chart (not reproduced): Notice of Privacy Practices for PHI, Unaudited Observations*

* The unaudited-observations chart includes an analysis of observations from additional Notice of Privacy Practices content requirements that were not included in the audit protocol at the time. Letters were provided to covered entities indicating the deficiencies noted in the content of their Notice of Privacy Practices.

HIPAA Security Audit Findings and Observations Analysis

Chart (not reproduced): Percentage of Security Audit Findings and Observations by Area of Focus
Chart (not reproduced): Total Security Audit Findings and Observations by Area of Focus and Entity Type
Chart (not reproduced): Total Security Audit Findings and Observations by Area of Focus and Level of Entity

HIPAA Breach Notification Audit Findings and Observations Analysis

Chart (not reproduced): Breach Notification Audit Findings and Observations by Requirement and Type of Entity
Chart (not reproduced): Breach Notification Audit Findings and Observations by Requirement and Level of Entity

Lessons Learned: Preparing for an Audit

Next steps to consider

- Plan ahead for the impact of HIPAA across the organization:
  - determine possible common responsibilities and oversight among IT, Information Security and Internal Audit
  - assess the overlap between controls oversight and management
  - clearly identify and alert the lines of business affected by HIPAA
  - coordinate with the impacted departments (IT, HR, Business, Internal Audit) and create an ongoing dialogue
  - have a communication plan ready and engage senior leadership
- Conduct a robust assessment, with an annual or bi-annual reassessment for compliance:
  - perform self-assessments using the OCR audit protocol
  - conduct mock interviews of staff to prepare them for the audit
  - if compliance issues exist, use a risk-based approach to identify remediation priorities

Next steps to consider (continued)

- Perform data discovery to trace the lifecycle of PHI at your organization:
  - determine the control and safeguard catalogue for HIPAA prior to remediation (know what you are going after)
  - know where high-risk PHI exists
  - determine whether the data is encrypted and, if not, how it is protected
  - know where system-generated information, such as audit logs, exists and the lead time required to extract it
- Where gaps are identified, establish effective technical safeguards over PHI (encryption, access management, restriction to required use only)
- Consider internal employee health information (group health plan) in the evaluation
- Assess your ability to combine HIPAA compliance activities with other compliance activities such as PCI (unified compliance) to increase the effectiveness and efficiency of your compliance programs

Given what we know: a practical approach to getting ready

Create a regulatory binder that contains the OCR and HHS guidance for the audit and a what/where/how list for accessing the required documents within your organization. The regulatory binder should include the following items:
- The audit protocol, found at http://ocrnotifications.hhs.gov/hipaa.html
- A list of contracts within your organization, to assist in document retrieval for all aspects of the audit, namely privacy, security and breach notification. This area is especially important given the recent Omnibus/HITECH rule updates.
- The most recent risk assessment. The guidance indicates that an annual risk assessment is most appropriate.
- Policies and procedures related to the Privacy and Security Rules
- Notice of Privacy Practices
- Monitoring/audit log reports

Contact details

Richard Archer
Partner, KPMG LLP
rearcher@kpmg.com
412-232-1590

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS 155003. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.