HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Agenda
- Introductions
- HIPAA Background and History
- Overview of HIPAA Requirements
- Impact on Firm Operations
- Compliance Program Tips

My Background: Adam Carlson
- 12+ years in information security
- M.S. from UC Davis, ISACA CISM
- Security researcher studying Internet threats
- Security auditor for financial services / Fortune 500
- Chief Security Officer at UC Berkeley
- Legal IT security consultant (and some healthcare)
- Currently security solutions consultant at Intapp
- Member of ILTA LegalSEC Vendor Advisory Board
- I am not a lawyer

Acronyms To Remember
- PHI: Protected Health Information
- HHS: Health and Human Services
- OCR: Office for Civil Rights (within HHS)
- CE: Covered Entity
- BA: Business Associate
- BAA: Business Associate Agreement

HIPAA Background: A Long And Winding Road

HIPAA Origins
- Health Insurance Portability and Accountability Act, originally passed in 1996
- Title I: strengthens health care coverage guarantees for employees
- Title II: reduces fraud, simplifies administration, addresses medical liability
- Contained privacy and security requirements
- Originally applied only to covered entities

Who Are These Covered Entities? (Possibly your clients)
- A Health Care Provider
- A Health Plan
- A Health Care Clearinghouse
So why do law firms care?
- Business associates of covered entities that manage protected health information are expected to implement similar protections
- Group health plans

Law Firms Are Business Associates
A business associate agreement (BAA) is meant to ensure that business associates afford protected health information the same types of protections as the covered entity.

Protected Health Information
- Broad definition
- Includes names and addresses
- Data must be affiliated with a Covered Entity

Patient vs. Hospital Example
- Patient -> Law Firm: medical records received from the patient are NOT PHI
- Hospital -> Law Firm: medical records received from the hospital ARE PHI

Straightforward Situation
[Diagram: Covered Entity -> Law Firm (Business Associate) -> Subcontractor 1, Subcontractor 2, Subcontractor 3 (law firm business partners requiring Business Associate Agreements)]

Much Harder To Classify
[Diagram: Covered Entity -> Business Associate (a business partner of a covered entity and a law firm client) -> Your Law Firm]
Key decision: How will you identify and classify PHI?

Recent Changes: Increased Liability
- Business associates had only contractual obligations
- A large number of breaches prompted change: 57% of reported breaches involved third parties
- HITECH Act of 2009: applied certain security requirements directly to law firms; increased breach notification requirements
- Omnibus Rule of 2013: clarified security and privacy expectations of law firms; set dates for compliance (Mar 2013) and enforcement (Sep 2013)

Civil Penalties for Noncompliance
HHS Civil Monetary Penalties for violations:
- $100 to $50,000 per violation
- Up to $1.5 million per year for violations of an identical provision
- Noncompliant entities are likely to have multiple violations: there is a separate violation for each person affected or for each day of continuing noncompliance

Brief Recap
- HIPAA contains privacy and security requirements for protecting health information
- These requirements were traditionally imposed on law firms through contract
- The Omnibus Rule of 2013 applied these requirements directly to law firms
- Law firms will face fines for non-compliance starting on September 23, 2013

Requirements Overview

Three Key Rules To Understand
- Privacy Rule
- Security Rule
- Breach Notification Rule
All three rules apply to law firms classified as business associates.

Privacy Rule
- Finalized in 2000, compliance required by 2003
- Applies to ALL protected health information (PHI)
- Imposes restrictions on uses and disclosures
- Calls for reasonable and appropriate safeguards: administrative, technical and physical
- Requires business associate agreements

Security Rule
- Finalized in 2003, compliance required by 2005
- Applies only to ePHI (electronic protected health information)
- Meant to address fears about the digitization of health records called for by HIPAA
- Enumerates more detailed requirements: Administrative Safeguards, Technical Safeguards, Physical Safeguards

Relationship Between The Rules
From official Health and Human Services guidance: "The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access."
While the Security Rule was meant to apply only to ePHI, the Privacy Rule's requirements call for protections similar to those described by the Security Rule.

Breach Notification Rule
- Created as part of the 2009 HITECH Act
- Requires breaches of PHI to be reported to the affected individuals, to HHS, and in some cases to the media
- Breaches must be reported within 60 days
- Breaches of over 500 records are permanently listed on the HHS website
- The Omnibus Rule strengthened reporting requirements by broadening the definition of a breach

What This Means For Law Firm Operations

Formal Compliance Program
- Law firms must address the compliance requirements of the Privacy Rule, the Security Rule and the Breach Notification Rule
- May require changes to business processes: how matters are taken in, and how matters are protected and managed
- May require increased monitoring and oversight
- May impact relationships with law firm vendors and service providers

Determining the Scope of HIPAA
Recommended best practices:
- Formalize the business associate agreement intake process
- Systematically review every practice area
- Classify matters during intake
- Inventory vendors/business partners with access to PHI
- Bonus: use DLP software

Common Practice Areas Handling PHI
- Pharmaceutical & Medical Device Litigation
- Employment Litigation
- Insurance (and Insurance Litigation)
- Health Care (and Health Care Litigation)
- ERISA Litigation
- And many more

Privacy Rule Compliance
- Limit how PHI is disclosed externally (already addressed by professional responsibility rules and the MRPC)
- Implement reasonable and appropriate safeguards
- Minimum necessary requirement (more specific): "make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."
- Implementation specification for internal use: identify the persons who need access to PHI; for each role, identify the type of PHI and the conditions for access

Security Rule Goals
- Covered entities must ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit
- Anticipate and address threats to PHI
- Protect against reasonably anticipated impermissible uses or disclosures
- Ensure workforce compliance

Three Types Of Protections
- Administrative Safeguards: security management and information access management
- Physical Safeguards: facility access and workstation/device security
- Technical Safeguards: access controls, audit controls, integrity controls, transmission security

Projected Level of Effort (Estimated)
[Chart comparing the estimated effort for Administrative Safeguards, Physical Safeguards and Technical Safeguards]

Physical Safeguards
- Facility Access Controls: business continuity, facility protections, maintenance management
- Workstation Use: approved use cases, workstation privacy, remote access users
- Workstation Security: physical security of workstations accessing ePHI
- Device and Media Controls: media disposal and reuse, backup systems, secure deletion

Technical Safeguards
- Access Control: unique user identification, emergency access procedures, automatic logoff protections, encryption and decryption
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

Administrative Safeguards
- Security Management Process (we come back to this in a minute)
- Assigned Security Responsibility: designate a security official
- Workforce Security: authorization and/or supervision, workforce clearance, termination
- Information Access Management: isolate health care clearinghouse functions, access authorization, access establishment and modification

Admin. Safeguards Continued
- Security Awareness and Training: security reminders, malicious software, log-in monitoring, password management
- Security Incident Procedures: response and reporting
- Contingency Plan: data backups, disaster recovery, emergency mode operation plan
- Evaluation: periodic technical and non-technical evaluation
- Business Associate Agreements

Security Management Process (164.308(a)(1))
- Risk Analysis: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information
- Risk Management: implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- Sanction Policy: develop a sanction policy for violations of policies and procedures
- Information System Activity Review: regularly review records of system activity and audit logs
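The Information System Activity Review specification above is easiest to understand as a concrete review routine. The following is an added example, not code from the presentation or from Intapp: it parses a small constructed audit log from a hypothetical document management system and flags the kinds of events a reviewer would want to see (repeated failed logins, PHI access by users outside the authorized set, PHI activity outside business hours, and activity by terminated accounts). The log format, the user names and matter ids, the authorized-user set, the terminated-user list, the business-hours window and the five-failures-in-ten-minutes threshold are all assumptions made for the example.

```python
"""Information system activity review over a constructed audit log.

Added example, not from the presentation or from Intapp. The log format,
users, matter ids, authorization data and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log from a hypothetical document management system.
# One event per line: timestamp followed by key=value fields.
LOG = """\
2013-09-23T08:55:10 user=jdoe action=login result=success
2013-09-23T09:02:33 user=jdoe action=open matter=M-1042 phi=yes result=success
2013-09-23T09:10:01 user=asmith action=login result=failure
2013-09-23T09:11:15 user=asmith action=login result=failure
2013-09-23T09:12:40 user=asmith action=login result=failure
2013-09-23T09:14:02 user=asmith action=login result=failure
2013-09-23T09:15:30 user=asmith action=login result=failure
2013-09-23T09:16:05 user=asmith action=login result=success
2013-09-23T12:30:00 user=bjones action=open matter=M-1042 phi=yes result=success
2013-09-23T14:05:12 user=jdoe action=open matter=M-2210 phi=no result=success
2013-09-23T23:15:42 user=jdoe action=export matter=M-1042 phi=yes result=success
2013-09-23T23:20:00 user=tlee action=login result=success
"""

# Assumed outputs of the "who needs access" and workforce-termination processes.
PHI_AUTHORIZED = {"jdoe", "asmith"}
TERMINATED = {"tlee"}
BUSINESS_HOURS = (7, 19)  # assumed: 07:00 to 19:00 local time


def parse(log_text):
    """Turn the key=value log lines into a list of event dicts with a datetime."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag any user with `threshold` failed logins inside a `window` (log-in monitoring)."""
    failures = defaultdict(list)
    for e in events:
        if e.get("action") == "login" and e.get("result") == "failure":
            failures[e["user"]].append(e["ts"])
    findings = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({"kind": "failed_login_burst", "user": user,
                                 "detail": f"{threshold} failures within {window}"})
                break
    return findings


def unauthorized_phi_access(events, authorized=PHI_AUTHORIZED):
    """Flag PHI-tagged matter activity by users outside the authorized set."""
    return [{"kind": "unauthorized_phi_access", "user": e["user"], "detail": e["matter"]}
            for e in events if e.get("phi") == "yes" and e["user"] not in authorized]


def after_hours_phi_activity(events, hours=BUSINESS_HOURS):
    """Flag PHI-tagged activity outside the assumed business-hours window."""
    start, end = hours
    return [{"kind": "after_hours_phi_activity", "user": e["user"],
             "detail": f"{e['action']} {e['matter']} at {e['ts'].time()}"}
            for e in events if e.get("phi") == "yes" and not (start <= e["ts"].hour < end)]


def terminated_user_activity(events, terminated=TERMINATED):
    """Flag any activity by accounts that should have been disabled at termination."""
    return [{"kind": "terminated_user_activity", "user": e["user"], "detail": e["action"]}
            for e in events if e["user"] in terminated]


def review(log_text):
    """Run the whole activity review and return the findings to be documented."""
    events = parse(log_text)
    findings = []
    findings += failed_login_bursts(events)
    findings += unauthorized_phi_access(events)
    findings += after_hours_phi_activity(events)
    findings += terminated_user_activity(events)
    return findings


if __name__ == "__main__":
    for f in review(LOG):
        print(f"{f['kind']:26} {f['user']:8} {f['detail']}")
```

On the constructed log the review produces four findings: the asmith failed-login burst, bjones opening a PHI matter without authorization, jdoe exporting a PHI matter at 23:15, and a login by the terminated tlee account. The point of keeping each check as a separate function is that the review can be documented specification by specification, which is what an auditor asks for.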

In Other Words
- Do whatever is reasonable and appropriate to protect the confidentiality, integrity and availability of PHI
- Take a process-oriented rather than a checklist-oriented approach
- Document the results of the risk assessment and risk management processes
- Periodically review and re-assess existing protections

Risk Analysis Guidance
Necessary elements:
- Scope of the Analysis
- Data Collection
- Identify and Document Potential Threats and Vulnerabilities
- Assess Current Security Measures
- Determine the Likelihood of Threat Occurrence
- Determine the Potential Impact of Threat Occurrence
- Determine the Level of Risk
- Finalize Documentation
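To show how the risk analysis elements above fit together, here is an added example that is not code from the presentation or from Intapp. It scopes the analysis to the assets that hold ePHI, records each threat/vulnerability pair with the current controls, rates likelihood and impact, derives a risk level, and finalizes the documentation as a prioritized JSON record. The 1-3 likelihood and impact scale, the thresholds for low/medium/high, and the sample asset inventory and observations are all assumptions made for the example; the guidance itself does not prescribe a particular scale.

```python
"""Worked example of the HIPAA risk analysis elements.

Added illustration, not from the presentation or from Intapp. The 1-3 scale,
the risk-level thresholds, the inventory and the observations are assumptions.
"""
from dataclasses import dataclass, field, asdict
import json


def rate(likelihood: int, impact: int) -> str:
    """Determine the level of risk from likelihood x impact (assumed thresholds)."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    asset: str             # system or location holding ePHI (scope step)
    threat: str            # potential threat (identify-and-document step)
    vulnerability: str     # weakness the threat could exploit
    current_controls: str  # existing safeguards (assess-current-measures step)
    likelihood: int        # 1 = low, 2 = medium, 3 = high (assumed scale)
    impact: int            # 1 = low, 2 = medium, 3 = high (assumed scale)
    risk_level: str = field(init=False)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if v not in (1, 2, 3):
                raise ValueError("likelihood and impact must be 1, 2 or 3")
        self.risk_level = rate(self.likelihood, self.impact)


# Constructed inventory from the data-collection step; has_ephi comes from
# the matter/system classification done at intake.
INVENTORY = [
    {"asset": "Document management system", "has_ephi": True},
    {"asset": "Litigation support database", "has_ephi": True},
    {"asset": "Firm-issued laptops", "has_ephi": True},
    {"asset": "Marketing website", "has_ephi": False},
]

# Constructed threat/vulnerability observations gathered during the analysis.
OBSERVATIONS = [
    dict(asset="Document management system", threat="Ransomware",
         vulnerability="Backups never restore-tested",
         current_controls="Nightly backups, endpoint anti-malware",
         likelihood=2, impact=3),
    dict(asset="Firm-issued laptops", threat="Loss or theft",
         vulnerability="No full-disk encryption on older laptops",
         current_controls="Login password only", likelihood=3, impact=3),
    dict(asset="Litigation support database", threat="Excessive insider access",
         vulnerability="Every attorney can query every matter",
         current_controls="Unique user IDs, audit logging", likelihood=2, impact=2),
    dict(asset="Document management system", threat="Power outage",
         vulnerability="Single data center", current_controls="UPS and generator",
         likelihood=1, impact=2),
    dict(asset="Marketing website", threat="Defacement",
         vulnerability="Unpatched CMS plugin", current_controls="Web application firewall",
         likelihood=2, impact=1),
]


def in_scope(inventory):
    """Scope of the analysis: only assets that create, receive, maintain or transmit ePHI."""
    return [a["asset"] for a in inventory if a["has_ephi"]]


def build_register(inventory, observations):
    """Turn observations on in-scope assets into rated risk items."""
    scope = set(in_scope(inventory))
    return [RiskItem(**o) for o in observations if o["asset"] in scope]


def prioritize(register):
    """Order the register so risk management can treat the highest risks first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(register, key=lambda r: (order[r.risk_level], -(r.likelihood * r.impact)))


def document(register) -> str:
    """Finalize documentation: a JSON record for the compliance file."""
    return json.dumps([asdict(r) for r in prioritize(register)], indent=2)


if __name__ == "__main__":
    print(document(build_register(INVENTORY, OBSERVATIONS)))
```

The marketing website drops out at the scoping step because it holds no ePHI, which is exactly the effect the "centralize PHI into fewer systems" advice later in the deck is aiming for. The output document is the artifact to keep: it shows an auditor what was considered, what was already in place, and why a given item was rated as it was.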

Tips For An Effective HIPAA Program

First Steps
- Engage and educate firm stakeholders: security investments or business process changes may be needed
- Designate a HIPAA Privacy Officer
- Designate a HIPAA Security Officer
- Inventory existing Business Associate Agreements
- Identify practice groups working with PHI
- Determine the scope of HIPAA compliance concerns

Address The Low-Hanging Fruit
- Update firm policies to address HIPAA requirements
- Revise vendor contracts to include BAA language
- Inventory systems and physical locations storing PHI
- Review systems against the technical safeguards
- Review locations against the physical safeguards
- Educate and train employees on HIPAA fundamentals
- Document these efforts

Policies That Might Be Impacted
- Privacy Policy
- Sanction Policy
- Remote Access Policy
- Incident Response Policy
- Mobile Device Policy
- Portable Device/Encryption Policy
- Business Associate/Vendor Management Policy

Breach Notification Rule
- Ensure attorneys/staff can recognize a HIPAA breach
- Provide a means to report/escalate breaches quickly
- Prepare the required breach analysis process
- Establish a rapid communications plan
- Form the appropriate teams ahead of time: an investigation team, a breach analysis team, and a communications/response team

Strategic Compliance Questions
- How will your firm identify and classify matters containing PHI?
- How will your firm interpret and implement the minimum necessary requirement?
- How will your firm address the information system activity review requirement?
- How will your firm address the risk analysis requirement?

Effective Ways To Limit Effort
- Identify matters containing PHI during intake
- Centralize PHI into fewer systems: this reduces the risk analysis scope dramatically, minimizes access control maintenance and management, and minimizes the amount of requisite logging and monitoring
- Designate approved vendors and business partners who may need to access ePHI

If You Feel Behind
- Document what you are doing today for security
- Implement encryption on mobile devices
- Evaluate your celebrity exposure
- Focus initially on matters with high volumes of records
- Develop a compliance roadmap of where you are going

Some Useful Resources
- Official HHS HIPAA Website: http://www.hhs.gov/ocr/privacy/index.html
- Official Security Rule Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
- Official Minimum Necessary Guidance: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html
- Sample BAA Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Additional Resources
- HIPAA Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
- HIPAA Enforcement Examples: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyissue.html
- NIST SP 800-66 Rev. 1, HIPAA Security Rule Guidance: http://csrc.nist.gov/publications/nistpubs/800-66-rev1/sp-800-66-revision1.pdf
- NIST HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/
- EDUCAUSE HIPAA Resources: http://www.educause.edu/library/health-insurance-portability-and-accountability-act-hipaa
Tweet (#LegalSEC) or share more on the forums!

Thanks! Questions?