HIPAA Risk Assessment
Presented By: Nathan A. Kottkamp, McGuireWoods, LLP
This manual was created for online viewing. State-specific information in this manual is used for illustration and is an example only.
mail: P.O. Box 509 Eau Claire, WI 54702-0509 • telephone: 866-352-9539 • fax: 715-833-3953 • email: [email protected] • website: www.lorman.com • seminar id: 401897
HIPAA Risk Assessment
©2018 Lorman Education Services. All Rights Reserved.
All Rights Reserved. Lorman programs are copyrighted and may not be recorded or transcribed in whole or part without its express prior written permission. Your attendance at a Lorman seminar constitutes your agreement not to record or transcribe all or any part of it.
Full terms and conditions available at www.lorman.com/terms.php.
This publication is designed to provide general information on the topic presented. It is sold with the understanding that the publisher is not engaged in rendering any legal or professional services. The opinions or viewpoints expressed by faculty members do not necessarily reflect those of Lorman Education Services. These materials were prepared by the faculty who are solely responsible for the correctness and appropriateness of the content. Although this manual is prepared by professionals, the content and information provided should not be used as a substitute for professional services, and such content and information does not constitute legal or other professional advice. If legal or other professional advice is required, the services of a professional should be sought. Lorman Education Services is in no way responsible or liable for any advice or information provided by the faculty.
This disclosure may be required by the Circular 230 regulations of the U.S. Treasury and the Internal Revenue Service. We inform you that any federal tax advice contained in this written communication (including any attachments) is not intended to be used, and cannot be used, for the purpose of (i) avoiding federal tax penalties imposed by the federal government or (ii) promoting, marketing or recommending to another party any tax related matters addressed herein.
Prepared By: Nathan A. Kottkamp, McGuireWoods, LLP
HIPAA Security Rule Risk Assessments
Presented by:
Nathan A. Kottkamp, McGuireWoods
McGuireWoods | 2
OMNIBUS FINAL RULE
• On January 17, 2013, HHS released the Omnibus Final Rule (“Final Rule”) interpreting and implementing provisions of the HITECH Act
• Effective date: March 26, 2013
• Compliance date: September 23, 2013
• Revision date for certain existing business associate agreements: September 22, 2014
McGuireWoods | 3
After the Omnibus Final Rule, Who is Required to Protect PHI?
HIPAA
• Covered Entity: health care provider, health plan, or health care clearinghouse (billing services).
• Business Associate: An individual or entity that provides services on behalf of the Covered Entity or another Business Associate that require the entity to create, receive, maintain, or transmit protected health information (PHI).
– Includes subcontractors
McGuireWoods | 4
CORE ELEMENTS OF HIPAA—UNCHANGED BY THE OMNIBUS FINAL RULE
• The Privacy Rule – establishes individuals’ privacy rights and addresses the use and disclosure of protected health information (“PHI”) by covered entities and business associates
• The Security Rule – establishes requirements for protecting electronic PHI
• The Breach Notification Rule – requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI
• The Enforcement Rule – establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA
McGuireWoods | 5
HIPAA in a Nutshell
Privacy Rule: reasonable safeguards for all PHI
Administrative Safeguards for ePHI:
• Security Management
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• BA Contracts and Other Arrangements
Physical Safeguards for ePHI:
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls
Technical Safeguards for ePHI:
• Access Controls
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security
Training
Breach Notification
Policies and Procedures
McGuireWoods | 6
PENALTIES FOR HIPAA VIOLATIONS
Civil Penalties
$100-$50,000 per violation
Tiered Penalties Based on Culpability
• Unknowing ($100 per violation / $25K max)
• Reasonable Cause ($1K per violation / $100K max)
• Willful neglect ($10K per violation / $250K max)
• Uncorrected willful neglect ($50K per violation / $1.5M max)
Criminal Penalties up to $250,000
Imprisonment up to 10 years
McGuireWoods | 7
HIPAA Audits Pilot Program
• KPMG LLP conducted a pilot program involving audits of 115 covered entities
• Conducted audits from November 2011 to December 2012
• Only covered entities
• Auditee selection criteria:
– Public v. private
– Entity’s size, e.g., level of revenues/assets, number of patients or employees, use of health information technology
– Affiliation with other health care organizations
– Geographic location
– Type of entity and relationship to patient care
• Results of pilot program:
– Smaller entities had more issues than larger entities
– Security Rule compliance issues predominated (65%)
McGuireWoods | 8
Security Rule Top Issues
McGuireWoods | 9
Security Rule Risk Analysis
• A repeatable methodology that addresses the entity’s understanding of the flow of HIPAA processes and systems and is updated as major business events occur
• Scope of the flow of PHI within your organization as well as externally to vendors, affiliates and business associates and mapping of related processes to applications, databases, systems, and data centers
• Implementation of effective administrative, technical and physical safeguards over PHI and alignment to authoritative sources including ISO and NIST
• Identification of required safeguards not addressed and associated risk mitigation plans
• Progress on corrective actions to remediation gaps identified
Two-thirds of entities audited during the pilot phase had not performed an adequate risk analysis
McGuireWoods | 10
Self-Reviews/Self-Audits
• Utilize audit protocol from HITECH Act Audit Pilot Program
– available on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
– Updated as of April 2016 to reflect Omnibus Final Rule
• The Audit Program Protocol covers:
– Privacy Rule requirements
– Security Rule requirements
– Breach Notification Rule requirements
• Recommended at least annually
• New audit protocol to be released
McGuireWoods | 11
Security Rule History
• Final Rule issued February 20, 2003
McGuireWoods | 12
Security Rule Risk Assessments
• Required “periodically” by HIPAA – 45 CFR § 164.316(b)(2)(iii)
• “Periodically” is not defined.
– Ask OCR—you’ll probably hear that it means “annually”
– Look around—you’ll see HUGE variance
McGuireWoods | 13
How are your self-assessment skills?
McGuireWoods | 14
Good News!
• “Flexibility of approach” 45 CFR § 164.306
McGuireWoods | 15
Bad News!
• “Flexibility of approach”
McGuireWoods | 16
IDENTIFY WHERE YOUR PHI LIVES, THREATS, GAPS, AND RESPONSES
Worksheet columns: PHI Location | Threats | Gaps/Vulnerabilities | Analysis/Action
McGuireWoods | 17
ADMINISTRATIVE SAFEGUARDS MATRIX
Standards, implementation specifications and rule citation. (R) = Required; (A) = Addressable (as needed).
Security Management Process, 164.308(a)(1):
• Risk Analysis (R): thorough assessment of potential vulnerabilities to PHI confidentiality, integrity, and availability
• Risk Management (R): measures to reduce risks to reasonable levels
• Sanction Policy (R): actions against workforce members who fail to comply with security policies and procedures
• Information Security Activity Review (R): audit logs, access reports, and incident tracking reports
Assigned Security Responsibility, 164.308(a)(2):
• Identify the entity’s Security Official
Workforce Security, 164.308(a)(3):
• Authorization and/or Supervision (A): authorization of employees who work with ePHI
• Workforce Clearance Procedure (A): determine that employee access to ePHI is appropriate
• Termination Procedures (A): ending access to ePHI when an employee leaves
Information Access Management, 164.308(a)(4):
• Isolating Healthcare Clearinghouse Functions (R): protect ePHI from unauthorized access by a parent group
• Access Authorization (A): policies for ePHI access through workstations
• Access Establishment and Modification (A): policies governing a user’s right of access to a workstation
Security Awareness and Training, 164.308(a)(5):
• Security Reminders/Updates (A)
• Protection from Malicious Software
• Log-in Monitoring
• Password Management
McGuireWoods | 18
ADMINISTRATIVE SAFEGUARDS MATRIX cont.
(R) = Required; (A) = Addressable (as needed)
Security Incident Procedures, 164.308(a)(6):
• Response and Reporting (R): security incidents, mitigation, and outcome
Contingency Plan, 164.308(a)(7):
• Data Backup Plan (R)
• Disaster Recovery Plan
• Emergency Mode Operation Plan (R)
• Testing and Revision Procedure (A): for testing contingency plans
• Applications and Data Criticality Analysis (A): assess the relative criticality of specific data in support of other contingency components
Evaluation, 164.308(a)(8):
• Evaluation (R): perform periodic evaluation in response to environmental and operational changes
BA Agreements, 164.308(b)(1):
• Written Contract (R): to protect ePHI while using it to perform an activity for a covered entity
McGuireWoods | 19
PHYSICAL SAFEGUARDS MATRIX
(R) = Required; (A) = Addressable (as needed)
Facility Access Controls, 164.310(a)(1):
• Contingency Operations (A): procedures that allow facility access to restore lost data under disaster recovery or in case of emergency
• Facility Security Plan (A): procedures to safeguard the building and equipment from unauthorized access
• Access Control and Validation Procedures (A): verify access to building, software, and data based on a person’s functions
• Maintenance Records (A): document repairs and modifications to the building related to security, e.g., a change in locks
Workstation Use, 164.310(b):
• Procedures for proper workstation use and the physical attributes of the surroundings of a workstation that accesses PHI
Workstation Security, 164.310(c):
• Physical safeguards for workstations that access ePHI, restricting access to authorized users
Device and Media Control, 164.310(d)(1):
• Disposal (R): procedures for disposing of ePHI and the hardware or electronic media on which it is stored
• Media Re-Use (R): procedures for removing PHI from hardware and electronic media before re-use
• Accountability (A): record movements of hardware and electronic media and any person responsible for them
• Data Backup and Storage (A): create retrievable copies of ePHI before equipment is moved
McGuireWoods | 20
TECHNICAL SAFEGUARDS MATRIX
(R) = Required; (A) = Addressable (as needed)
Access Controls, 164.312(a)(1):
• Unique User Identification (R)
• Emergency Access Procedure (R)
• Automatic Logoff (A): procedures that end an electronic session after a predetermined time of inactivity
• Encryption and Decryption (A): mechanism to lock/unlock ePHI
Audit Controls, 164.312(b):
• Hardware and software mechanisms that record and examine activity in IT systems that contain or use PHI
Integrity, 164.312(c)(1):
• Mechanism to authenticate ePHI (A): corroborates that PHI has not been altered or destroyed in an unauthorized manner
Person or Entity Authentication, 164.312(d):
• Verifies that a person or entity seeking ePHI access is the one claimed
Transmission Security, 164.312(e)(1):
• Integrity Controls (A): measures to ensure ePHI is not improperly modified without detection until disposed of
• Encryption (A): mechanisms to safeguard ePHI in transmission from unintended recipients
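The worksheet above (PHI location, threats, gaps, analysis/action) and the (R)/(A) implementation specifications in the three matrices describe what a Security Rule risk analysis has to record. The script below is an added example, not part of these materials and not McGuireWoods' methodology: it models worksheet rows as a risk register, ranks them by a likelihood times impact score (the 1 to 5 scale and the High/Medium/Low thresholds are assumptions), and checks a self-assessment against a subset of the implementation specifications, treating a Required specification that is not implemented, or an Addressable one left unimplemented with no documented rationale, as a gap. Every location, threat and control status is constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Subset of the implementation specifications from the safeguard matrices,
# keyed by rule paragraph. "R" = Required, "A" = Addressable.
SPECS: Dict[str, List[Tuple[str, str]]] = {
    "164.308(a)(1)": [("Risk Analysis", "R"), ("Risk Management", "R"),
                      ("Sanction Policy", "R")],
    "164.308(a)(3)": [("Authorization and/or Supervision", "A"),
                      ("Workforce Clearance Procedure", "A"),
                      ("Termination Procedures", "A")],
    "164.312(a)(1)": [("Unique User Identification", "R"),
                      ("Emergency Access Procedure", "R"),
                      ("Automatic Logoff", "A"), ("Encryption and Decryption", "A")],
}


@dataclass
class Risk:
    """One row of the PHI Location / Threats / Gaps / Analysis-Action worksheet."""
    location: str
    threat: str
    gap: str
    likelihood: int   # 1 (rare) to 5 (expected); the 1-5 scale is an assumption
    impact: int       # 1 (negligible) to 5 (severe)
    action: str       # planned corrective action
    spec: str         # rule paragraph the gap maps to

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Thresholds are an illustrative choice, not taken from the rule.
        if self.score >= 15:
            return "High"
        return "Medium" if self.score >= 8 else "Low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest score first, so corrective actions are worked in risk order."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def check_specs(controls: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Compare documented controls against SPECS.

    controls maps spec name -> (status, rationale); status is "implemented",
    "alternative" or "not implemented". A Required spec must be implemented.
    An Addressable spec may be implemented, met by an equivalent alternative,
    or left unimplemented with a documented reason (45 CFR 164.306(d)(3)).
    Specs absent from controls count as not implemented.
    """
    findings: Dict[str, List[str]] = {"missing_required": [],
                                      "addressable_without_rationale": []}
    for paragraph, specs in SPECS.items():
        for name, kind in specs:
            status, rationale = controls.get(name, ("not implemented", ""))
            label = f"{name} ({paragraph})"
            if kind == "R" and status != "implemented":
                findings["missing_required"].append(label)
            elif kind == "A" and status == "not implemented" and not rationale.strip():
                findings["addressable_without_rationale"].append(label)
    return findings


# Constructed sample data; every value below is invented for illustration.
SAMPLE_RISKS: List[Risk] = [
    Risk("Clinician laptops", "Lost or stolen device", "No full-disk encryption",
         4, 5, "Deploy full-disk encryption and remote wipe", "164.312(a)(1)"),
    Risk("Billing database", "Former staff retain accounts",
         "Offboarding does not remove access", 3, 4,
         "Tie account removal to the HR termination workflow", "164.308(a)(3)"),
    Risk("Front-desk paper charts", "Visitors read charts", "Charts left in an open tray",
         2, 2, "Covered trays and a clean-desk rule", "164.310(b)"),
]

SAMPLE_CONTROLS: Dict[str, Tuple[str, str]] = {
    "Risk Analysis": ("implemented", ""), "Risk Management": ("implemented", ""),
    "Sanction Policy": ("not implemented", ""),
    "Authorization and/or Supervision": ("implemented", ""),
    "Workforce Clearance Procedure": ("implemented", ""),
    "Termination Procedures": ("not implemented", ""),
    "Unique User Identification": ("implemented", ""),
    "Emergency Access Procedure": ("implemented", ""),
    "Automatic Logoff": ("not implemented",
                         "Shared kiosks sit in a badge-locked room; sessions end on badge-out"),
    "Encryption and Decryption": ("alternative", ""),
}


def build_report(risks: List[Risk], controls: Dict[str, Tuple[str, str]]) -> str:
    """Render the prioritized register plus the specification gaps as text."""
    lines = ["Risk register (highest first):"]
    for r in prioritize(risks):
        lines.append(f"  [{r.rating:6}] {r.location}: {r.threat} / {r.gap}"
                     f" -> {r.action} [{r.spec}]")
    f = check_specs(controls)
    lines.append("Required specs not implemented: "
                 + (", ".join(f["missing_required"]) or "none"))
    lines.append("Addressable specs lacking rationale: "
                 + (", ".join(f["addressable_without_rationale"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_RISKS, SAMPLE_CONTROLS))
```

On the sample data the laptop row scores 20 and lands at the top of the register, the missing Sanction Policy is flagged as a Required gap, and Termination Procedures is flagged because it is Addressable but has neither an alternative nor a written reason; Automatic Logoff is not flagged because a rationale is recorded. Keeping the register and the control inventory in one place makes the "periodic" re-assessment a matter of re-running the check after each major business event.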
McGuireWoods | 21
NIST!!!!
• NIST ≠ HIPAA
• Lots of overlap, though.
• HHS published HIPAA/NIST Crosswalk in 2016
– https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html
McGuireWoods | 22
ISO 27001
• ISO 27001 ≠ HIPAA
• Overlap, though.
McGuireWoods | 23
HITRUST
• HITRUST ≠ HIPAA
• Proprietary.
McGuireWoods | 24
CONTINUOUS COMPLIANCE
• Establish a mechanism and schedule for self-monitoring and auditing
• Annual training should be supplemented by regular HIPAA teaching moments
• Focus on high risk areas
– Mobile devices
– High profile patients and members
– Improper disclosures
– Disposal of records
• Follow up promptly when problems are found
• Invite staff to provide comments and raise concerns at any time about any HIPAA-related issue
McGuireWoods | 25
HIPAA Training Summary
ALWAYS:
• Use or disclose PHI only as needed to perform your job
• Keep documents containing PHI secure and out of sight
• Secure your workstation if it contains PHI
• Encrypt any PHI held on a laptop or portable device
• Follow all documentation and recordkeeping procedures
• Verify the identity of anyone who requests PHI from you
• Notify the Privacy Officer (or designee) if you see any improper activity
• Ask the Privacy Officer (or designee) for guidance if you are unsure about the appropriateness of any activity
McGuireWoods | 26
HIPAA Training Summary
NEVER:
• Leave your laptop alone and unsecured
• Leave your computer when logged on to accessible PHI
• View PHI when not necessary to do your job
• Discuss PHI unless necessary to do your job
• Leave PHI out where others could see it
• Disclose or give PHI to anyone who does not have authorization to receive it
• Participate in conversations in which you think PHI is being discussed improperly – speak up about your concerns to the others involved!
• Make exceptions to policies for safeguarding health information privacy
Questions?
McGuireWoods | 27
A Few Technology Recommendations
Smartphones
• Always use a password—no “swiping” only
• Smartphones have password protection.
• Have plans in place for lost smartphones, including remote data removal.
Saving data
• Use access and other privacy controls.
• Sensitive data should not be stored on removable media, such as USB thumb drives, CD/DVD, portable hard drives, etc.
• Sensitive data should not be sent to personal email if at all possible.
Emailing data
• Use a secure file transfer system which will allow for off-site file transfer with encryption.
McGuireWoods | 28
More Compliance Tips
Considerations:
• Minimize the circumstances under which you receive PHI from clients; receive the minimum necessary.
• Do not discuss PHI with or in front of unauthorized persons.
• Remove all PHI from plain view.
• Do not remove PHI from your workplace, if possible.
• Report potential unauthorized disclosures promptly.
• As a Business Associate, coordinate with Covered Entity partners and subcontractors involved in a breach.
McGuireWoods | 29
HIPAA Resources
Federal Register 45 C.F.R. Part 160 and Subparts A and E of Part 164.
Office for Civil Rights (“OCR”) Website: http://www.hhs.gov/ocr/office/index.html
OCR FAQ: http://www.hhs.gov/ocr/office/faq/index.html
HIPAA List Serve: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html
Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
McGuireWoods | 30
The McGuireWoods Approach
McGuireWoods | 31
INFORMATION ASSURANCE
PROTECTING information while ensuring the functionality and resiliency of operating systems.
WHY IT MATTERS
The information environment is replete with technical vulnerabilities and legal and reputational risks. Information assurance focuses limited resources on the most challenging problems and mitigates risk.
McGuireWoods | 32
INFORMATION GOVERNANCE
MANAGING information through plans and procedures, data inventories and mapping for compliance.
WHY IT MATTERS
Information is a company’s most valuable asset. Information governance helps to maximize the value of information while minimizing risks and costs.
McGuireWoods | 33
INCIDENT RESPONSE & REMEDIATION
RESPONDING to events that place a business or its customers at risk and executing long-term resolutions.
WHY IT MATTERS
The worst time to make a decision is during a crisis. Deliberate contingency planning ensures that companies act decisively in their best interests.
WHAT WE DO ABOUT IT
• Incident response plan
• Breach notification counseling
• Backup and disaster recovery policy
• Legal hold policy and procedures
• Forensic investigation and public relations oversight
• Internal investigations
• Regulatory investigations
• Law enforcement interaction
• Litigation – individual and class action
McGuireWoods | 34
Questions or Comments?
Nathan A. Kottkamp
[email protected]
www.mcguirewoods.com
©2013 McGuireWoods LLP