HIPAA and HITECH Judgment Day 2/17/2010 Securing ePHI as a “Safe Harbor” John J. Nail CLU The Industry Radar Get Compliant, Stay Compliant Jack Anderson Compliance Helper Clearing Common HIPAA and HITECH Hurdles Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold & Associates, LLC


HIPAA and HITECH Judgment Day – 2/17/2010

Securing ePHI as a “Safe Harbor” – John J. Nail, CLU, The Industry Radar

Get Compliant, Stay Compliant – Jack Anderson, Compliance Helper

Clearing Common HIPAA and HITECH Hurdles – Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, Rebecca Herold & Associates, LLC


Biographies of the Host and Presenters

Webinar Host and Moderator

John J. Nail CLU – Principal and Newsmaster – The Industry Radar

John Nail is a 30+ year industry veteran who spent the first 17 years of his career at Unionmutual/Unum. In late 1995 he founded Employease, the first native web-based benefits administration platform, which was bought by ADP in 2006. He is principal and founder of The Industry Radar, the leading industry news aggregator and technology consultancy, whose newsletters and more than 500 industry-specific newsfeeds reach over 100,000 industry professionals daily.

The Industry Radar

3802 N. Stratford Rd. NE

Atlanta, GA 30342

404.418.5550 (O) |404.862.6039 (C)

johnnail (Skype)

[email protected]

www.theindustryradar.com

http://irbn.wordpress.com (Blog)

www.twitter.com/radartweets


HIPAA HITECH Compliance Policies, Procedures et al

Jack Anderson – CEO – Compliance Helper

Jack Anderson has been an executive in healthcare IT for over 30 years. He was a founder of Cost Containment Systems in 1978, which developed the first operating room management system and negotiated the merger with Serving Software in 1989. He served as director from 1989 to 1994. Serving Software went public in 1992 and was acquired by HBO & Co in 1994. He has been on the forefront of web services development since 1994, when he was the founder, CEO and Chairman of Velocity.com. In 2001 he joined Validare and served as VP Business Development until 2004, when he became President. Validare developed a web services model for helping office-based surgery facilities prepare for accreditation. He is a co-founder of Accreditation Helper LLC and Compliance Helper.

Compliance Helper | 866-984-3573 ext 709 | [email protected] | www.compliancehelper.com

Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI,

Rebecca Herold, “The Privacy Professor”®, has provided information security, privacy and compliance leadership and services to organizations in many industries throughout the world for over two decades. Rebecca is an internationally recognized information security, privacy and compliance expert and has received many honors, including being named a “Best Privacy Adviser” by Computerworld magazine and being named one of the "Top 59 Influencers in IT Security" by IT Security magazine. The information security and privacy program Rebecca created for a multi-national healthcare insurer and financial company received the CSI “Security Program of the Year” award in 1997.

Rebecca Herold & Associates, LLC “The Privacy Professor”®

1408 Quail Ridge Avenue

Van Meter, Iowa 50261

Phone 515-996-2199

[email protected]

www.theprivacyprofessor.com

Blog: www.realtime-itcompliance.com

http://twitter.com/PrivacyProf


Page 1© Rebecca Herold. All rights reserved.

Agenda

• HIPAA / HITECH Quick Overview

• Misconceptions

• Experiences

• Common risks and problems

• Effectively and efficiently handling compliance


HIPAA is…

• On August 21, 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA).

• The HIPAA Privacy Rule went into effect in April 2001, and gave covered entities (CEs) two years to meet compliance.

• The HIPAA Security Rule went into effect in April 2003, and CEs had until April 2005 to get into compliance.


HITECH is…

• The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.

• HIPAA now applies to CE business associates (BAs) directly.

• HITECH includes a statutory obligation for BAs to comply with HIPAA.

• HITECH also increased the penalties for HIPAA violations.

• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.


All BAs Must Comply!

• BAs of all sizes must comply with ALL the HIPAA Security Rule & Privacy Rule and HITECH requirements

• BAs that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity

• Each security and privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in a BA contract


Misconception #1

Small organizations don’t have to worry about compliance because regulators don’t check them

FALSE!


Misconception #2

Security and privacy incidents don’t occur at small organizations

FALSE!


Misconception #3

There are no sanctions applied for HIPAA or HITECH non-compliance findings

FALSE!


Experiences

• As an information security and privacy officer for a large healthcare insurer / financial organization: big problems with brokers and agents

• ~200 business partner information security and privacy program reviews: big problems during business associate, partner and vendor reviews


Common Risks & Problems (1)

No assigned responsibilities


Common Risks & Problems (2)

No documented policies, procedures, forms


Common Risks & Problems (3)

No training or awareness communications


Common Risks & Problems (4)

No compliance monitoring


Common Risks & Problems (5)

Non-compliance with contractual obligations


Common Risks & Problems (6)

Insecure disposal


Common Risks & Problems (7)

Inappropriate sharing and subcontracting


Common Risks & Problems (8)

No documented incident or breach response plans


Common Risks & Problems (9)

Lack of logs and documentation


Common Risks & Problems (10)

No mobile computing controls


Common Risks & Problems (11)

No use of encryption


Common Risks & Problems (12)

No BCP/DRP (business continuity plan / disaster recovery plan)


Word To The Wise…

Compliance is not a one-time event…

All CEs *AND* BAs must meet, and continuously stay in, compliance with all HIPAA and HITECH requirements!

Don’t be foolish, maintain compliance!


Compliance Helper Supports Meeting & Staying In Compliance

http://www.compliancehelper.com


Compliance Helper Supports Meeting & Keeping Compliance

• Secure “cloud computing” technology

• Compliance program management content created by an information security/privacy/HIPAA/HITECH expert

– Policies

– Procedures

– Forms

– Task Lists

– Resources

• Dedicated personal helpers

• Compliance Meter™ to measure progress


Maintenance Updates Monthly to Keep You in Compliance as Laws Change.

Your Compliance Meter Shows Your Progress and Status at all Times.

Compliance program management content created by information security/privacy/HIPAA/HITECH expert Rebecca Herold:

3 Service Levels to Meet Your Needs

www.compliancehelper.com

Step By Step Online Tools to Assure Your Success

Web Based Tools + Expert Created Content + Expert Helper = Compliance Helper

Self Help: $495 / $49.95 monthly maintenance. You get access to a personal website with templates of policies and procedures, forms, and a step by step process to guide you to compliance. You will be able to provide a window into your compliance to your covered entities with the Compliance Meter™.

Compliance Helper: $995 / $99.95 monthly maintenance. You get access to a personal website with templates of policies and procedures, forms, and a personal Helper to guide and support you. The Helper will answer all of your questions through our notes feature, check all your edits to assure that you remain in compliance, and generally act as your privacy and security compliance expert. You will be able to provide a window into your compliance to your covered entities with the Compliance Meter™.

Compliance Helper Plus: $1495 / $149.95 per month maintenance. You get everything in Compliance Helper, plus telephone access to your Helper.

“Turbo Tax” Style Interface


Contact Information

Rebecca Herold & Associates, LLC “The Privacy Professor”®

1408 Quail Ridge Avenue

Van Meter, Iowa 50261

Phone 515-996-2199

Web sites: www.theprivacyprofessor.com

www.compliancehelper.com

Blog: www.realtime-itcompliance.com

Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI

[email protected]

TwitterID: http://twitter.com/PrivacyProf



Protecting Client and Employee Information


HIPAA HITECH Is Just Part of a Major Convergence: An Evolving Standard for Protecting Personal Information

• HITECH

• EHR

• Healthcare Reform

• True Cost Reduction

• State Attorneys General

• 47 State HIPAA/Breach Laws

• Gramm-Leach-Bliley Privacy

• “Red Flag” i.e. Identity Theft Protection

• Data Encryption/Privacy Laws (MA, NV et al)

201 CMR 17.00 - “Standards for The Protection of Personal Information of Residents of the Commonwealth”

Trust | Security | Systemic Responsibility


Creating a Secure Communication Network

“Safe Harbor” for You and Your Clients


Separate portals with unique URLs, logins and passwords to remember

No record in Outlook for messages sent or received

All of You Use the ZIX Network Regularly – But May Not Realize It


The Value of the Zix Network for You and Your Clients

• Transparent Inbox to Inbox Encryption to any Zix Network user

• Automatic, Rules Based Encryption

• State privacy laws in MA and NV

• 1000 Emails Last Year Alone

• Better Service

• Full Tracking

• Reporting


The Power of the Zix Directory

Think of the Zix Network like “In Network” and “Out of Network” in a health plan. In the health plan, cost is the differentiator. For email it is time, convenience, full HIPAA/HITECH compliant security and transparent communication.

Over 150 Health Insurers (with 100 Million+ Insured Lives), TPAs and Other Benefits Services Providers


Encrypted Email Service for HIPAA HITECH – Best Protection, Outbound & Inbound

Inbox to Inbox for Staff & Zix Members | Website Portal for Clients (Retrieve, Respond, Initiate) | Best Client Service

• Automatic, Rules Based Encryption

• Inbox to Inbox Encryption to any Zix Member Network user

• Non Zix User gets Email like the one to the right

• The message in their inbox has a link to your Portal: “Click here” takes the user to a secure portal embedded in your Website, reinforcing your Brand and web tools

• Branded with your logo and accessible from your website

• User Retrieves, Responds, Attaches files etc. here in the message center

• Encrypted Responses go right to your team or Zix Network member’s inbox transparently

• Clients also log in to initiate communication, securely send files etc., eliminating the risk of breach via normal email

• Blackberry Encryption Built In


The Value of Joining the Zix Network

• Transparent Inbox to Inbox Encryption to any Zix Network user

• Automatic, Rules Based Encryption

• State privacy laws in MA and NV

Manual Inbox to Inbox: Not rules based; Password to decrypt


RadarMail360 HIPAA HITECH Compliant Email Tools

Our Tools Are Fully Compliant With – HIPAA HITECH | 47 State HIPAA Laws | “Red Flag” | MA NV State Privacy Laws

Secure Messaging Delivery Solutions

Generic Portal – Free | Zix Website – No Reporting | Users can’t Initiate

Branded to Your Firm – Embedded in Website | Marketing Value – Drives user to Website | Full Reporting

Users Retrieve | Respond | Initiate Messages From Your Website

Per User/Yr. – $100 | Free – Used With All Zix Solutions

Inbox to Inbox Encryption Solutions

Manual – Subject to Human Error | Password to decrypt – Can Be Used w/ Other Tools

Manual Encryption | NO Automatic Rules Based Tools | Recipients Can Retrieve | Respond Only

Simple Outlook Plugin | Transparent, Automatic, Rules Based – Exchange Server Req’d

Automatic | Rules Based | State Law | HIPAA Encryption

Hosted | Fortune 500 Solution Used by over 100 Insurers | Shared Service/SAAS Delivery | Blackberry Email Encryption Built In

1X Setup: $500 | $90/user/yr. ($7.50/mth.)


Events

www.theindustryradar.com | [email protected] | 404-418-5550

Web 2.0 Communication, HITECH Compliance, SEO and Marketing Solutions

Googleability

RSS / Syndication

Subscribe / Share

Social Media / Connect

ROI / Measurement

Content

Be Found, Be Seen

Be Heard, Be Compliant and Be Successful