Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
HIPAA and HITECHJudgment Day – 2/17/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLUThe Industry Radar
Get Compliant, Stay CompliantJack AndersonCompliance Helper
Clearing Common HIPAA and HITECH HurdlesRebecca Herold CIPP, CISSP, CISM, CISA, FLMIRebecca Herold & Associates, LLC
Biographies of the Host and Presenters
Webinar Host and Moderator
John J. Nail CLU – Principal and Newsmaster – The Industry Radar
John Nail is a 30+ year industry veteran who spent the first 17 years of his career at
Unionmutual/Unum. In late 1995 He founded Employease, the first native web based benefits
administration platform which was bought by ADP in 2006. He is principal and founder of The Industry
Radar, the leading industry news aggregator and technology consultancy whose newsletters and more
than 500 industry specific newsfeeds reach over 100,000 industry professionals daily.
The Industry Radar
3802 N. Stratford Rd. NE
Atlanta, GA 30342
404.418.5550 (O) |404.862.6039 (C)
johnnail (Skype)
www.theindustryradar.com
http://irbn.wordpress.com (Blog)
www.twitter.com/radartweets
HIPAA HITECH Compliance Policies, Procedures et al
Jack Anderson – CEO – Compliance Helper
Jack Anderson, has been an executive in healthcare IT for over 30 years. He was a founder of Cost Containment Systems in 1978, which developed the first operating room management system and negotiated the merger with Serving Software in 1989. He served as director from 1989 to 1994. Serving Software went public in 1992 and was acquired by HBO & Co in 1994. He has been on the forefront of web services development since 1994 when he was the founder, CEO and Chairman of Velocity.com. In 2001 he joined Validare and served as VP Business Development until 2004 when he became President. Validare developed a web services model for helping office based surgery facilities prepare for accreditation. He is a co-founder of Accreditation Helper LLC and Compliance Helper
Compliance Helper 866-984-3573 ext 709 [email protected] www.compliancehelper.com
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI,
Rebecca Herold, “The Privacy Professor”® has provided information security, privacy and compliance leadership, services, and services to organizations in many industries throughout the world for over two decades. Rebecca is an internationally recognized information security, privacy and compliance expert and has received many honors, including being named a “Best Privacy Adviser” by Computerworld magazine and also being named a "Top 59 Influencers in IT Security" by IT Security magazine. The information security and privacy program Rebecca created for a multi-national healthcare insurer and financial company received the CSI “Security Program of the Year” award in 1997.
Rebecca Herold & Associates, LLC “The Privacy Professor”® 1408 Quail Ridge Avenue Van Meter, Iowa 50261 Phone 515-996-2199 [email protected] www.theprivacyprofessor.com Blog: www.realtime-itcompliance.com http://twitter.com/PrivacyProf
Page 1© Rebecca Herold. All rights reserved.
Agenda
• HIPAA / HITECH Quick Overview
• Misconceptions
• Experiences
• Common risks and problems
• Effectively and efficiently handling compliance
Page 2© Rebecca Herold. All rights reserved.
HIPAA is…
• On August 21, 1996, the U.S. Congress enacted the
Health Insurance Portability and Accountability Act
(HIPAA).
• The HIPAA Privacy Rule went into effect in April
2001, and gave covered entities (CEs) two years to
meet compliance.
• The HIPAA Security Rule went into effect in April
2003 and CEs had until April 2005 to get into
compliance.
Page 3© Rebecca Herold. All rights reserved.
HITECH is…
• The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.
• HIPAA now applies to CE business associates (BAs) directly.
• HITECH includes a statutory obligation for BAs to comply with HIPAA.
• HITECH also increased the penalties for HIPAA violations of HIPAA.
• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
Page 4© Rebecca Herold. All rights reserved.
All BAs Must Comply!
• BAs of all sizes must comply with ALL the HIPAA Security Rule & Privacy Rule and HITECH requirements
• BAs that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity
• Each security and privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in a BA contract
Page 5© Rebecca Herold. All rights reserved.
Misconception #1
Small organizations don’t have to worry about
compliance because regulators don’t check them
FALSE!
Page 6© Rebecca Herold. All rights reserved.
Misconception #2
Security and privacy incidents don’t occur at small
organizations
FALSE!
Page 7© Rebecca Herold. All rights reserved.
Misconception #3
There are no sanctions applied for HIPAA or HITECH
non-compliance findings
FALSE!
Page 8© Rebecca Herold. All rights reserved.
Experiences
• As an information security and privacy officer for a
large healthcare insurer / financial organization, big
problems with brokers and agents
• ~200 business partner information security and
privacy program reviews, big problems during
business associate, partner and vendor reviews
Page 9© Rebecca Herold. All rights reserved.
Common Risks & Problems (1)
No assigned responsibilities
Page 10© Rebecca Herold. All rights reserved.
Common Risks & Problems (2)
No documented policies, procedures,
forms
Page 11© Rebecca Herold. All rights reserved.
Common Risks & Problems (3)
No training or awareness
communications
Page 12© Rebecca Herold. All rights reserved.
Common Risks & Problems (4)
No compliance monitoring
Page 13© Rebecca Herold. All rights reserved.
Common Risks & Problems (5)
Non-compliance with contractual
obligations
Page 14© Rebecca Herold. All rights reserved.
Common Risks & Problems (6)
Un-secure disposal
Page 15© Rebecca Herold. All rights reserved.
Common Risks & Problems (7)
Inappropriate sharing and
subcontracting
Page 16© Rebecca Herold. All rights reserved.
Common Risks & Problems (8)
No documented incident or breach
response plans
Page 17© Rebecca Herold. All rights reserved.
Common Risks & Problems (9)
Lack of logs and documentation
Page 18© Rebecca Herold. All rights reserved.
Common Risks & Problems (10)
No mobile computing controls
Page 19© Rebecca Herold. All rights reserved.
Common Risks & Problems (11)
No use of encryption
Page 20© Rebecca Herold. All rights reserved.
Common Risks & Problems (12)
No BCP/DRP
Page 21© Rebecca Herold. All rights reserved.
Word To The Wise…
Compliance is not a one-time event…
All CEs *AND* BAs must meet, and continuously stay
in, compliance with all HIPAA and HITECH
requirements!
Don’t be foolish, maintain
compliance!
Page 22© Rebecca Herold. All rights reserved.
Compliance Helper Supports Meeting & Staying In Compliance
http://www.compliancehelper.com
Page 23© Rebecca Herold. All rights reserved.
Compliance Helper Supports Meeting & Keeping Compliance
• Secure “cloud computing” technology
• Compliance program management content created by
information security/privacy/HIPAA/HITECH expert
– Policies
– Procedures
– Forms
– Task Lists
– Resources
• Dedicated personal helpers
• Compliance Meter™ to measure progress
Maintenance Updates
Monthly to Keep You in
Compliance as Laws Change.
Your Compliance Meter Shows Your
Progress and Status at all Times
Compliance program management content created by information security/privacy/ HIPAA/HITECH expert Rebecca Herold:
3 Service Levels to Meet Your Needs
www.compliancehelper.com
Step By Step Online Tools to Assure Your Success
Web Based Tools + Expert Created Content + Expert Helper = Compliance Helper 1
Self Help: $495 / $49.95 monthly maintenanceYou get access to a personal website with templates of policies and procedures, forms, and a step by step process to guide you to compliance. You will be able to provide a window into your compliance to your covered entities with the Compliance Metertm.
Compliance Helper: $995 / $99.95 monthly maintenanceYou get access to a personal website with templates of policies and procedures, forms, and a personal Helper to guide and support you. The Helper will answer all of your questions through our notes feature, check all your edits to assure that you remain in compliance and generally act as your privacy and security compliance expert. You will be able to provide a window into your compliance to your covered entities with the Compliance Metertm.
Compliance Helper Plus: $1495 / $149.95 per month maintenanceYou get everything in Compliance Helper, plus telephone access to your Helper.
“Turbo Tax “ Style
Interface
Contact Information
Rebecca Herold & Associates, LLC“The Privacy Professor”®
1408 Quail Ridge Avenue
Van Meter, Iowa 50261
Phone 515-996-2199
Web sites: www.theprivacyprofessor.com
www.compliancehelper.com
Blog: www.realtime-itcompliance.com
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI
TwitterID: http://twitter.com/PrivacyProf
HIPAA and HITECHJudgment Day – 2/17/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLUThe Industry Radar
Get Compliant, Stay CompliantJack AndersonCompliance Helper
Clearing Common HIPAA and HITECH HurdlesRebecca Herold CIPP, CISSP, CISM, CISA, FLMIRebecca Herold & Associates, LLC
Protecting Client and Employee Information
HIPAA HITECH Is Just Part of a Major ConvergenceEvolving Standard for Protecting Personal Information
• HITECH
• EHR
• Healthcare Reform
• True Cost Reduction
• States Attorney General
• 47 State HIPAA/Breach Laws
• Gramm Leach Billey Privacy
• “Red Flag” i.e. Identity Theft Protection
• Data Encryption/Privacy Laws (MA, NV et al)
201 CMR 17.00 - “Standards for The Protection of Personal Information of Residents of the Commonwealth”
Trust | Security | Systemic Responsibility
Creating a Secure Communication Network
“Safe Harbor” for You and Your Clients
Separate Portals with
Unique URLs, logins and
passwords to remember
No record in Outlook for
messages sent or received
All of You Use the ZIX Network RegularlyBut may not realize it
The Value of the Zix Network for You and Your Clients
Transparent Inbox to Inbox Encryption to
any Zix Network user
Automatic, Rules Based Encryption
State privacy laws in MA and NV
1000 Emails Last Year
Alone
Better Service
Full Tracking
Reporting
The Power of the Zix DirectoryThink of the Zix Network like “In Network” and “Out of Network” in a health plan. In the health plan cost is the differentiator. For email it is time, convenience, full HIPAA/HITECH compliant security and
transparent communication.
Over 150 Health Insurers (with 100 Million+ Insured Lives), TPA’s and Other Benefits Services Providers7
User Retrieves, Responds ,
Attaches files etc. here in the message center
Automatic, Rules Based Encryption
The message in their inbox has a link to your Portal
“ Click here” takes user to secure portal embedded in
your Website reinforcing your Brand and web tools
Encrypted Email Service for HIPAA HITECHBest Protection - Outbound & Inbound
Inbox to Inbox for Staff & Zix Members | Website Portal for Clients (Retrieve, Respond, Initiate) | Best Client Service
Branded with your logo and
accessible from your website
Encrypted Responses go right to your team or Zix
Network member’s inbox
transparently
Blackberry Encryption Built In
Non Zix User gets Email like the one to the right
Inbox to Inbox Encryption to
any Zix Member Network user
9
Clients also login in to initiate communication, securely send files etc.eliminating the risk of
breach via normal email
Transparent Inbox to Inbox Encryption to
any Zix Network user
Automatic, Rules Based Encryption
The Value of Joining the Zix Network
State privacy laws in MA and NV
Manual Inbox to Inbox
Not rules basedPassword to decrypt
RadarMail360 HIPAA HITECH Compliant Email Tools
Generic PortalFree
Zix WebsiteNo Reporting
Users can’t Initiate
Branded to Your Firm Embedded in Website
Marketing ValueDrives user to Website
Full Reporting
Manual Subject to Human Error
Password to decryptCan Be Used w/ Other Tools
Our Tools Are Fully Compliant With - HIPPA HITECH | 47 State HIPAA Laws | “Red Flag” | MA NV State Privacy Laws
Simple Outlook Plugin
Transparent Automatic
Rules BasedExchange Server Req’d
Automatic | Rules Based |State Law | HIPAA Encryption
Hosted
Fortune 500 Solution Used by over 100 Insurers
Shared Service/SAAS Delivery
Blackberry Email Encryption Built In
Manual Encryption | NO Automatic Rules Based Tools Recipients Can Retrieve | Respond Only
Inbox to Inbox Encryption Solutions Secure Messaging Delivery Solutions
1X Setup : $500 | $90/user/yr. ($7.50/mth.)
Users Retrieve | Respond | Initiate Messages From Your Website
Per User/Yr. - $100 Free – Used With All Zix Solutions
11
Events
www.theindustryradar.com | [email protected] | 404-418-5550
Web 2.0 Communication, HITECH Compliance, SEO and Marketing Solutions
Googleability
RSS / Syndication
Subscribe / Share
Social Media / Connect
ROI / Measurement
Content
Be Found, Be Seen
Be Heard, Be Compliant and Be Successful