The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance


The HIPAA Security & Privacy Rule: How Municipalities Can Prepare for Compliance
Russell L. Jones, Partner, Health Sciences Sector, Security & Privacy, Deloitte & Touche LLP
IMLA 2013 Annual Conference, San Francisco

Disclaimer

This training presentation is provided solely for educational purposes and, in developing and presenting these courses, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This training presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on these courses for such purposes. As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

1 HIPAA Security & Privacy: Preparing for Compliance

Agenda
- Industry Challenges: Trends in Security and Privacy
- Omnibus Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rule Requirements - Recap
- Security Risk Assessment and Privacy Assessment Approach
- What Does This Mean for a Hybrid Entity?

Industry Challenges: Trends in Security and Privacy

Industry trends: data breach perspective

The number of individuals impacted by breaches reported to the Department of Health and Human Services (HHS) is steadily increasing. According to the HHS website for Breaches Affecting 500 or More Individuals, between September 2009 and September 2013*:
- 682 data breaches of unsecured PHI in 40+ states have been reported
- 5,382,911 individuals have been impacted
- Business associates were involved in ~23% of the reported breaches [1]
- Theft (58%) and loss (16%) were the two major causes of breaches involving unsecured PHI
- Breached information was stored on laptops (28%), paper records (22%), desktop computers (16%) and portable devices (15%)

[Map of reported breaches by state. Legend: states with more than 5 breaches and/or more than 100,000 impacted individuals; states with fewer than 5 breaches and fewer than 100,000 impacted individuals; states with no posted breaches]

Theft of and unauthorized access to laptops, computers, paper records, and portable electronic devices (e.g., USB drives) are low-tech, yet significant, causes of the PHI data breaches for which organizations are being reported.

*Based on data published by HHS as of September 30, 2013
[1] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Omnibus HIPAA Security and Privacy Rule Requirements - Recap

Summary of Major Provisions

The following includes several major provisions and updates included within the HIPAA Omnibus Rule:
1. Business Associates and Subcontractors: The definition of business associate ("BA") has been expanded to include vendors that not only view Protected Health Information (PHI), but also exclusively maintain it. This also includes subcontractors of BAs. The delineation of BA has been expanded to additional organizations.
2. Breach Notification Rule: Breach notification requirements have been subject to changes for breaches of unsecured PHI, with four (4) defined risk assessment factors.
3. Increased Civil Penalties and Enforcement: HIPAA adopts the tiered civil money penalty structure set forth in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
4. Increase in Patients' Rights and Access: Increased patient access to electronic medical records.
5. Limitations on Use and Disclosures: Changes to patient authorization procedures have been made for the use and disclosure of PHI for purposes such as marketing and research.

Effective Date and Compliance Date

The following table represents specific dates associated with the recent updates to the HIPAA Privacy and Security rules, also known as the "final omnibus rule" [1]:

Effective Date: March 26, 2013
  Comments: Date on which the final rule is effective.
Required Compliance Date: September 23, 2013
  Comments: Covered entities and business associates must comply with the applicable requirements of the final omnibus rule within 180 days of the Effective Date.

Additional time is allowed for business associates in the following case:

Situation: Existing BAAs which are in compliance with the pre-omnibus rule
Extended Compliance Date: September 22, 2014
  Comments: Such BAAs are provided one additional year to conform to the final omnibus rule. Compliance with the final omnibus rule is required for business associates when existing BAAs are renewed or modified.

Implementation of New Rule (Covered Entities)

Covered entities should consider the following high-level action items to effectively respond to the updated HIPAA requirements and initiate steps toward compliance:

Covered Entity - Top Priority Action Items
1. Business Associate and Subcontractor Agreements: Review and revise BA and subcontractor agreements to incorporate new requirements set forth by the final omnibus rule. Incorporate amendments where necessary.
2. Update HIPAA Policies and Procedures: Review and revise, where necessary, HIPAA Privacy and Security policies and procedures. Incorporate new rules related to BAs and subcontractors.
3. Update Breach Notification Policies, Procedures and Training: Review and update breach notification policies and procedures to incorporate the new definition of breach. Also, review and update both HIPAA and breach notification trainings.
4. Perform Risk Assessment Scope and Procedures: Review previous risk assessment results and procedures and make updates to incorporate new requirements set forth by the final omnibus rule.

Implementation of New Rule (Business Associates)

Business associates and subcontractors should consider the following high-level action items to effectively respond to the updated HIPAA requirements and initiate steps toward compliance:

Business Associates - Top Priority Action Items
1. Update HIPAA Policies and Procedures: Review and update, as necessary, HIPAA Privacy and Security policies and procedures, including the definition of PHI, as the new final omnibus rule has made such a distinction.
2. Update Business Associate Agreements: Review and revise Business Associate Agreements to incorporate the new provisions required under the final omnibus rule. Develop amendments for current BAAs and amend the process for drafting BAAs going forward.
3. Update and Distribute Notice of Privacy Practices (NPP): Review and make updates to the NPP to include statements required by the new final omnibus rule (i.e., changes to sale of PHI, paid out-of-pocket restrictions, etc.). Provide individuals with updated NPPs regarding improved patient access.
4. Update HIPAA Authorization Forms: Review and update all HIPAA authorization forms to include statements required by the new final omnibus rule.
5. Perform Risk Assessment Scope and Procedures: Review previous risk assessment results and procedures and make updates to incorporate new requirements set forth by the final omnibus rule.
6. Update Breach Notification Policies, Procedures and Training: Review and update breach notification policies and procedures to incorporate the new definition of breach as defined by the Office for Civil Rights (OCR).

Security Risk Assessment and Privacy Assessment Approach

Security Risk Assessment and Privacy Assessment

The following describes Deloitte's approach for executing a security risk and privacy assessment for HITECH/HIPAA.

Phase 1 - Business Processes Prioritization and Application Inventory
- Business processes are identified for privacy and security assessment
- PHI data maps are developed
- Applications / systems are identified

Phase 2 - HIPAA Privacy and Security Assessment
- HIPAA privacy assessment (HIPAA Privacy Rule and HITECH requirements)
- HIPAA security assessment (Administrative, Physical, and Technical Safeguards)

Phase 3 - Remediation Plan Development
- A list of projects to address HIPAA privacy and security control gaps, considering:
  - Addressable vs. Required requirements
  - Customer requirements
  - PHI breach risks
  - Dependencies

Phase 4 - Cost Estimation and Remediation Assistance
- Quantitative analysis for a realistic remediation project cost estimation
- Refinement of the remediation projects' execution plan
- Assistance in remediation execution

Security Risk Assessment and Privacy Assessment: Preparing for an HHS OCR HIPAA Security and Privacy Audit [2]

HIPAA Privacy Rule
- Are policies and procedures up to date?
- Have all policies and procedures been implemented?
- Do policies and procedures actually work?
- Have all appropriate stakeholders been adequately trained on the HIPAA Privacy Rule?
- Is evidence of training documented?
- Do you have a clear, written sanctions policy?
- Has the sanctions policy been applied consistently?

[2] The HIPAA Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Audit considerations: Preparing for an HHS OCR HIPAA Security and Privacy Audit [3]

HIPAA Security Rule
- Not a "checklist of controls" approach
- Do you have a risk management framework in place?
- Can you provide evidence that the risk management framework is leveraged as a normal course of business?
- Can you trace the HIPAA Security Rule to your actual policies and procedures?

[3] The HIPAA Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Q&A
- How frequently does your organization perform an information security risk assessment and privacy assessments?
- How would you characterize the risk assessment (e.g., application vs. process based, stakeholders involved, risk management process, alignment with privacy, reporting)?
- Does your organization leverage a framework approach to information security and privacy?

What Does This Mean For A Hybrid Covered Entity?

HIPAA Compliance

Question: Are State, county or local health departments required to comply with the HIPAA Privacy Rule?

Answer: Yes, if a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity, it must comply with the HIPAA Privacy Rule. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities.

Source: http://www.hhs.gov/ocr/privacy/hipaa/faq/covered_entities/358.html

What Is a Hybrid Entity?
- The HIPAA Privacy Rule gives you the option to restrict application of the HIPAA Privacy Rule to certain parts of the organization by designating the health care components.
- That written designation then makes that part of the organization a Covered Entity Function.

Hybrid Covered Entity
- The Covered Entity maintains the legal and administrative responsibilities: policies, procedures, and the safeguard requirement.
- Must ensure that the health care component complies with the Privacy Rule.
- Erect firewalls between the Covered Entity and non-covered entity portions of the organization.
- Workforce members who work on both sides must not inappropriately share information between their responsibilities.
- Transfer of PHI held by the health care component to other components is a disclosure subject to the HIPAA Privacy Rule and is allowed only under the same circumstances as would make it permissible for a separate entity.
- Has legal responsibility(ies) for compliance with the Privacy Rule.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. 36 USC 220506 Member of Deloitte Touche Tohmatsu Limited