at Kaiser Permanente Mary Henderson HIPAA Program Director Kaiser Permanente

Similar documents
Integrating HIPAA into Your Managed Care Compliance Program

Turning Risk into Advantage

Putting It All Together:

Test Data Management for Security and Compliance

UNC Campus Security Initiatives Update. Business Affairs Committee May 9, 2017

HIPAA Case Study. Long Term Care (LTC) Industry. October 26, Presented by: James Pfeiffer Brian Zoeller

SM04: Transforming Your Security Command Post into a Strategic Information Nerve Center

General Data Protection Regulation (GDPR) The impact of doing business in Asia

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Post-Secondary Institution Data-Security Overview and Requirements

COBIT 5 With COSO 2013

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

An Integrated Approach to Technology Risk Management and Compliance

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Summary of Gartner COMPARE Survey of HIPAA Readiness Conducted Feb-March 2003

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Are your data ready for GDPR Compliance?

SOLUTION OVERVIEW: DATA CATALOGS FOR RISK AND COMPLIANCE

Cybersecurity in Higher Ed

HIPAA Security and Privacy Policies & Procedures

NHII and EHR: Protecting Privacy and Security - Current Issues and Recommendations

Privacy & Information Security Protocol: Breach Notification & Mitigation

The Role of IT in HIPAA Security & Compliance

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Healthcare Information and Management Systems Society HIMSS. U.S. Healthcare Industry Quarterly HIPAA Compliance Survey Results: Summer 2002

Improving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN

GDPR: A QUICK OVERVIEW

01.0 Policy Responsibilities and Oversight

Healthcare Security Success Story

Embedding Privacy by Design

DeMystifying Data Breaches and Information Security Compliance

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

Compliance 101: Basics for Security Professionals

Adaptive & Unified Approach to Risk Management and Compliance via CCF

EY s Data Privacy Services. January 2019

What is ISO ISMS? Business Beam

Modern Database Architectures Demand Modern Data Security Measures

Critical HIPAA Privacy & Security Crossover Areas

Information Security Risk Strategies. By

SAC PA Security Frameworks - FISMA and NIST

Academic Program Review at Illinois State University PROGRAM REVIEW OVERVIEW

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Vendor Security Questionnaire

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

Medical device security The transition from patient privacy to patient safety

Audit and Compliance Committee - Agenda

The Relationship Between HIPAA Compliance and Business Associates

2 The IBM Data Governance Unified Process

Next Generation Policy & Compliance

Agenda. Introduction. Key Concepts. The Role of Internal Auditors. Business Drivers Identity and Access Management Background

CISO as Change Agent: Getting to Yes

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Prohire Software Systems Limited ("Prohire")

Education Network Security

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

Symantec Data Center Transformation

Breaches and Remediation

FRAMEWORKING COMPLIANCE. NYDFS Cyber Regs: BIG I. Longtime Moniker Becomes Official Name for N.Y. & N.J...PAGE 34 GUIDE TO PAID FAMILY LEAVE INSIDE!

HIPAA 101: What All Doctors NEED To Know

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Hong Kong Accountability Benchmarking Micro-Study. Nymity Accountability Workshop 10 June 2015, Office of the PCPD, Hong Kong

HITRUST Common Security Framework - Are you prepared?

2016 Survey: A Pulse on Mobility in Healthcare

IMPLEMENTING A RISK-BASE CYBER SECURITY FRAMEWORK FOR HEALTHCARE

EXHIBIT A. - HIPAA Security Assessment Template -

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

Improve Internal Controls with Governance, Risk, and Compliance Solutions

Checklist: Credit Union Information Security and Privacy Policies

Planning for disaster recovery in a health care setting


ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

s, Texts and Social Media: What Physicians Need to Know

Background FAST FACTS

Regulation P & GLBA Training

Portlet Reference Guide. Release

Oracle Data Cloud ( ODC ) Inbound Security Policies

EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites

Technology General Controls and HIPAA Security Compliance: Covering the Bandwidth in One Audit

HIPAA Privacy, Security and Breach Notification

Compliance Program Design Lessons learned from a COSO framework

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Best Practices in Securing a Multicloud World

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

The Common Controls Framework BY ADOBE

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Banner Health Information Security and Privacy Training Team. Morgan Raimo Paul Lockwood

The simplified guide to. HIPAA compliance

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Anticipating the wider business impact of a cyber breach in the health care industry

Transcription:

A Case Study: Implementing HIPAA at Kaiser Permanente Mary Henderson HIPAA Program Director Kaiser Permanente

Kaiser Permanente: A Snapshot Kaiser Permanente has: regions in 9 states and Washington, DC 8.2 million members (6.1 million in Calif.) 35 Hospitals/Medical Centers 423 Medical Offices 11,345 physicians 90,000 non-physician employees More than 4,000 applications that may contain HIPAA relevant information

We need to move all of this forward into HIPAA compliance...

Leveraging HIPAA for Organizational Transformation HIPAA forces the industry to become electronically capable External imperative = internal leverage Momentum to transform an entire organization Identify the collateral benefits early

Strategic Questions for the KP HIPAA Transformation Who should be accountable for the transformation? How do we get this done on time? How do we handle the money? How do we get maximum value for resources invested? We re in a moving car. How do we change the tire?

KP s Strategies for Making HIPAA Happen High level sponsorship Multi-disciplinary core advisory group Distribute ownership/engage those affected Integrated national and regional teams One national budget with funding rules Defined responsibilities An orientation to the benefits

National Team Organization HIPAA Program Sponsors Regional Project Structure Regional President & Medical Director Core Advisory Group Program Management Office HIPAA Program Director Regional Business Leads Regional Health Care Ops Leads Regional IT Leads Policy Analyst Communications Business Team Director (EDI) Health Care Ops Team Director IT Team Director Regional Business Leads Regional Health Care Ops Leads Regional IT Leads

How Far Has This Taken Us? Assessed regulations and set strategy/timeline Secured sponsorship and funding Built systems, teams, funding model, awareness Conducted high-level analyses resulting in e.g., applications inventory, security matrix Developed an EDI approach Developed a multi-year funding forecast Developed intranet site for internal communication and document access

Where Are We Going Now? Implementing EDI solution Completing a baseline assessment: surveying our current practices and identifying gaps in security and privacy Designing a risk assessment process for determining security and privacy remediation approaches Establishing an internal review process

Challenges for KP: EDI/Code Set Regulations Recognizing the benefits and planning broadly enough to achieve them Integrating with ongoing efforts (e.g., e-business) No easy answers for complex organizations with legacy systems: replace legacy systems with HIPAA compliant modify legacy systems to become HIPAA complaint modify incoming and outgoing transactions to be compliant in a separate application Explaining the approach to sponsors and others in sound bites Identifier requirements still in draft form

Challenges for KP: Privacy Regulations Assessing risk and making policy decisions Getting consent as an organized health care arrangement what about former members? members who haven t come in for care? Tracking consent, effective date, revocation Effectively and efficiently tracking disclosures Minimum necessary - how to use subset of paper or electronic chart

Challenges for KP: Security Regulations Estimating/securing resources prior to final regs (probably most costly area of HIPAA) Understanding our current situation (i.e., multiple regions and varying policies) Developing a baseline assessment of what we already do and don t do Assessing risk and making policy decisions Finding security officers Adding an audit trail We have: a security matrix which provides a general framework confidentiality measures in place

From Strategy to Tactics: A Risk Management Approach Conducting security and privacy baseline assessments (regional, functional) Establishing a Privacy Work Group Developing a Review Process Involving the people who are affected

Security and Privacy Regulations: Risk Management Challenge Flaw in intervention or tool e.g., inadequate training Risk Triggering Event e.g., curious employee Interventions or Tools Policies and Training Role based access to applications Physical security e.g. locks on medical records room Diagram modified from James Reason s Accident Causation Model Audit trail of on line access Other Bad outcome (e.g. misuse of confidential info.) Fines Sanctions Criminal charges Reputation Harm to individual VARIABLES Which events Number slices Size of holes Timing Risk/$$

Transformational Value of Our Risk Management Approach Provides a baseline of data and information for future initiatives Allows us to build a rational, replicable model for risk management Acknowledges that total elimination of risk may not be possible

KP HIPAA: Big Picture Benefits Builds evolutionary capacity A step toward common systems and processes Develops people who know how to do transformation Success disarms some of the fear around future transformation

What Supports Transformation at Kaiser Permanente? KP is a learning organization We have a national IT structure HIPAA is in alignment with Kaiser Permanente values We re proud of our 55-year history of providing high quality health care service to diverse populations

Questions? mary.henderson@kp.org (510) 271-5651

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback