CERT Symposium: Cyber Security Incident Management for Health Information Exchanges


Pennsylvania eHealth Partnership Authority
Pennsylvania's Journey for Health Information Exchange
CERT Symposium: Cyber Security Incident Management for Health Information Exchanges
June 26, 2013, Pittsburgh, PA

The Journey to the Triple Aim
21st Century Upgrade for the Triple Aim:
- Better care for individuals
- Better health for populations
- Lower per-capita costs
Slide adapted from Trudi Matthews, HealthBridge/Greater Cincinnati Beacon Collaboration, presentation at ONC Meeting 4/3/13

Makeover for Healthcare
From:
- Uncoordinated care
- Over-loaded schedule
- Physician- and practice-centric
- Arbitrary quality improvement projects
- Lack of clear leadership and support (for patient-centered primary care)
To:
- Team-based approach
- Open access
- Patient engagement and empanelment
- Data-directed quality improvement efforts
- Engaged leadership
Slide adapted from Trudi Matthews, HealthBridge/Greater Cincinnati Beacon Collaboration, presentation at ONC Meeting 4/3/13

PA's Transformation Journey
- Collaborative system to achieve consensus and produce outcomes
- Diverse stakeholder engagement in an open and transparent manner
- Data-driven decision-making
- Iterative and layered approach to design and problem solving
  ~ Blended diverse views create better steps forward
  ~ Incrementally address issues

Pennsylvania HIE Strategic Plan
Stakeholders recommended:
- Establish a public/private authority to become the overarching HIE governing entity after the federal grant ends, and then transition it to an independent non-profit organization
- The Authority will provide community shared services to enable and advance health information exchange within and beyond PA among disparate organizations
- Federated model: all participants maintain their own information, and no health data will be centrally stored
- One-to-many connection to achieve related efficiencies for public- and private-sector health information exchanges
- Multiple exchange tools

Stakeholder Collaboration
Participant Workgroup engaged to:
- Recommend an approach for technical infrastructure and services
- Identify the policy and operational framework and training considerations related to privacy and security
- Solidify the sustainability model
- Establish criteria for the certification program

Pennsylvania ehealth Partnership Authority

Planned HIE Coverage

Legal, Privacy and Security

Legal, Privacy and Security
The Nationwide Privacy and Security Framework: 8 Principles (ONC, 2008)
1) INDIVIDUAL ACCESS. Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
2) CORRECTION. Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.

Legal, Privacy and Security
The 8 Principles (ONC, 2008), continued
3) OPENNESS AND TRANSPARENCY. There should be openness and transparency about policies, procedures and technologies that directly affect individuals and/or their individually identifiable health information.
4) INDIVIDUAL CHOICE. Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information.

Legal, Privacy and Security
The 8 Principles (ONC, 2008), continued
5) COLLECTION, USE, AND DISCLOSURE LIMITATION. Individually identifiable health information should be collected, used and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
6) DATA QUALITY AND INTEGRITY. Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate and up-to-date to the extent necessary for the person's or entity's intended purposes, and has not been altered or destroyed in an unauthorized manner.

Legal, Privacy and Security
The 8 Principles (ONC, 2008), continued
7) SAFEGUARDS. Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
8) ACCOUNTABILITY. These principles should be implemented, and adherence assured, through appropriate monitoring; other means and methods should be in place to report and mitigate non-adherence and breaches.

Policy and Operations Tiger Team
Policies and documents produced:
- PA HIE-Network Privacy Policy P&P
- PA HIE-Network User Management Policy P&P
- PA HIE-Network Monitor-Audit-Breach Policy P&P
- Draft Notice of Privacy Practices for HIE
- Draft statewide form for Opt Out
- PAePA DURSA (between Community Shared Services (CSS) and Certified Participant (CP))
- PAePA BA Agreement (between CP and Member Organization (MO))
- PAePA MO DURSA (between CP and MO)

Policy and Operations Tiger Team
Electronic Sharing of Health Records Containing Super Protected Data (SPD):
- Ideal: software/EHRs capable of sorting and segmenting SPD from the primary record, so that SPD is not improperly shared
- Current compromise: expansion of the CSS Opt Out (Consent) Registry to include specialized SPD sharing permissions from patients who wish their SPD to be available for targeted sharing

HISP Certification

HISP Operations/Certification
The PA HISP Trust Community consists of any certified HISP that demonstrates the ability to:
- Exchange secure, encrypted and authenticated emails using DIRECT specifications with other certified HISPs
- Ensure adherence to Authority requirements to protect PA citizens and their PHI

HIE Certification

HIE Operations/Certification
- The certification program will be finalized based on the details of the CSS technical deployment
  - Certified Participants (CP)
  - Member Organizations (MO)
- Aligned with HIPAA, HITECH and commonwealth laws and regulations
- Security of information is of the highest importance to the Authority

Monitoring, Auditing and Breach Notification Policy

Purpose of Policy
- Implementation of effective system auditing and monitoring practices to detect inappropriate access to PHI and hold accountable those who violate privacy requirements; and
- Compliance with Federal and state legal requirements for the reporting of privacy violations and security breaches to the appropriate entities and to affected individuals.

Scope of Policy
The document applies to all Certified Participants connected to the Pennsylvania HIE-Network Community Shared Services (CSS), and their Member Organizations, Users and workforce members (as defined by HIPAA).

Scope, continued
This policy is intended to be consistent with, and does not replace or supersede, any Federal regulations or laws (such as HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH)) or State privacy and security laws and regulations.

Objectives of Policy
Define the requirements of the Authority and Certified Participants to establish policies and procedures for the auditing and monitoring of system transactions, ensuring accountability by attributing activities to individuals and enforcing consequences for privacy violations.

Objectives, continued
- Establish the responsibility of the Authority and Certified Participants to comply with Federal (HITECH) and State laws with regard to reporting and notification of a breach.
- Assign responsibility to the Authority to facilitate awareness of and compliance with this policy.

Breaches
All PHI incidents are now considered breaches, unless conclusively proven otherwise.
Old standard: Notification of a breach was required only where there was a significant risk of financial, reputational, or other harm to the individual. The burden was on the covered entity or business associate to show there was no significant risk.

Breaches
New standard: Outside of certain existing exceptions, any use or disclosure of unsecured PHI in violation of the Privacy Rule is presumed to be a breach unless the entity can demonstrate a low probability that the PHI has been compromised, based on a risk assessment involving at least these factors:
- Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

Breach Response Roles
- Certified Participant and Member Organization: identify the breach, notify the Authority, notify affected persons, address the security issue
- Authority: preliminary investigation, action plan recommendations to the Board, actions recommended by the Board, follow-up on any required action plans, possible HHS notification
- Stakeholder CP Oversight Committee(s): trust community action as to continued access of the CP/MO to CSS, or any other projected system or agreement impact

Breach Roles, continued
- Board of Directors and associated committees: informed by the Authority as to security incidents within the trust community and any effects on CSS; will vote on any recommended response to an incident that affects any entity's access
- HHS: will be appropriately notified when required by law or when recommended for notification

Breaches: PA Specific
Pennsylvania Statutes, Title 73 Trade and Commerce, Chapter 43 Breach of Personal Information Notification Act
2302. Definitions. "Breach of the security of the system." The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.

Breaches: PA Specific, continued
Pennsylvania Statutes, Title 73 Trade and Commerce, Chapter 43 Breach of Personal Information Notification Act
2303. Notification of breach. Notification made for each breach to the affected person.
2307. Notice exemption. An entity that has established a notification policy as part of an information privacy or security policy for the treatment of personal information, and is consistent with the notice requirements of this act, shall be deemed to be in compliance.

Next Steps
- Finalize certification program
- Operationalize roles
- Monitor, learn and evolve

PA eHealth Partnership Authority
Questions?
For further information: www.paehealth.com
Alix Goss, PA Health IT Coordinator, Program Director
algoss@pa.gov
717-346-1115