Managing Risk as a Business Associate
Session #104, February 21, 2017
Rodney Murray, Principal, DHG
Ryan Boggs, Manager, DHG
Rodney Murray, CISA, CRISC
Principal, IT Advisory
• More than 30 years of experience in information technology and business applications, including providing internal audit and risk management services
• Leads the firm’s IT advisory service offerings including HIPAA and GLBA privacy compliance, Sarbanes-Oxley, and cybersecurity

Ryan Boggs, CISA, CRISC, HCISPP, CCSFP
Manager, IT Advisory
• Serves as a Subject Matter Expert in the areas of Compliance Consulting, Internal Audit, and Service Organization Control (SOC) reports
• Extensive experience working with federal regulations including SOX, GLBA, HIPAA, HITECH, FFIEC, and NIST
Conflict of Interest
Rodney Murray, CISA, CRISC
Has no real or apparent conflicts of interest to report.
Ryan Boggs, CISA, CRISC
Has no real or apparent conflicts of interest to report.
Agenda
• Learning Objectives
• Definition and Classification of a Business Associate
• Risk Identification and Management Strategies
• Case Study
Learning Objectives
• Discuss contract and business associate agreement management
• Assess and mitigate risk associated with being a business associate
• Analyze compliance reporting requirements and methods
• Identify considerations for staying up-to-date on compliance requirements and changes
STEPS: Electronic Secure Data
[Figure: STEPS diagram with the following boxes: Confusion on requirements; Risk of being a Business Associate; Inefficiencies reporting to Covered Entities; Increase awareness of compliance requirements for BAs; Establish reporting; Awareness of compliance requirements; Efficiencies in BA compliance and reporting; Decrease in compliance issues with Business Associates]
The Issue at Hand
• Compliance efforts have been focused on covered entities
• Increased reliance on third parties and secure electronic data
• Continued development of new service offerings and products for the healthcare industry
• Many business associates have not established functions to evaluate and monitor compliance requirements and the potential impact to the business
Who is a Business Associate?
• Performs service(s) on behalf of a covered entity
– Legal
– Accounting
– Billing
– Transcription
– Claims processing
• Receives a combination of protected health information
– Name
– Address
– Social security number
– Diagnosis codes
Business Associate Considerations
Exceptions to Business Associates
• Incidental access to protected health information
• Conduit of protected health information
• Participation with an organized health care arrangement
• Disclosure of protected health information for research
• Processing normal financial transactions
Business Associate Considerations
Potential Impacts to Business Associates
• Legal action (Breach Costs)
• Office of Civil Rights (OCR) audit
• Business Development – advantage or disadvantage compared to peers
• Reputation risk
Why should Business Associates Care?
• Required by Business Associate Agreements
• Regulatory / Industry Fines or Penalties
• Audit and Assessment Costs
• Remediation / Infrastructure Change Costs
Entering into a Business Associate Agreement (BAA)
• Confirm requirements to execute a BAA
• Identify contracts that require a business associate agreement
• Establish a process to manage new contracts and enter into new business associate agreements
Entering into a Business Associate Agreement (BAA)
• Perform regular evaluations of contracts and business associate agreements
• Identify downstream third parties
• Integrate third party management into the governance, risk and compliance program
Risk Analysis or Risk Assessment?
• Required for both Covered Entities and Business Associates within the Security Rule.
• Based on general and specific risks and guides and categorizes remediation efforts
• Identifies vulnerabilities and potential risks to the confidentiality, integrity, and availability of a system’s ePHI and determines the likelihood of occurrence and impact to the organization.
Why Conduct a Risk Analysis
• Required by HIPAA administrative safeguard 164.308(a)(1)(ii)(A) to assess potential risk and vulnerabilities to the confidentiality, integrity, and availability of ePHI
• Assists organizations in prioritizing remediation efforts
• Establishes a compliance baseline
• Provides information to decision makers
Goals of a Risk Analysis
• Identify what needs to be protected
• Determine who/what are the threats and vulnerabilities
• Consider the implications if they were damaged or lost
• Determine the value to the organization
• Build an action plan to minimize exposure to the loss or damage
Risk Analysis Process
• What are our exposures?
– Threats
– Vulnerabilities
• What are our defenses to these exposures?
– Controls
– Technology
– People
• What are our action items?
– Prioritize
– Communicate
• How do we maintain and improve?
– Implement technology
– Train
– Assess
Prepare for the Risk Analysis
• Identify purpose
– Regulatory requirements
– Senior Management concerns
• Scope the assessment
– Locations
– Applications and systems
• Data Collection
– Policies and procedures, systems configurations, etc.
Performing a Risk Analysis
1. Scope and identify inventory
2. Assess threats and vulnerabilities
3. Policy and procedure assessment
4. Staff interviews
5. Physical security inspection
6. Network and system inspection
7. Assess risk and assign rating
[Figure: Risk Analysis flow: Identify Scope → Assess Threats and Vulnerabilities → Policy and Procedure Assessment → Staff Interviews → Physical Security Inspection → Network and System Inspection → Assess Risk and Assign Rating]
Risk Analysis Results
• Provides guidance to assist executives and management to make better and more informed decisions
• Recognize the data you maintain, store, or transmit
• Ensure an organizational risk management process and eliminate silos
Risk Analysis Results
• Consider risk mitigation, transfer, or elimination
• Ongoing process that requires management collaboration
• Balance the costs and benefits of managing risk
Reporting to Covered Entities
• Report compliance efforts
• Respond to covered entity requests for information
• Communicate potential breaches to covered entities
• Market compliance efforts to potential customers
Establish baseline from inventory of Business Associate Agreements
• Identify compliance requirement outliers
• Consider negotiations with covered entities
• Do not overcommit and underperform
Utilize current compliance reporting methods as potential conduits
• Determine other compliance requirements outside of HIPAA
• Integrate all compliance requirements into one effort
• Challenge duplicate efforts and encourage leverage
Scope based on your size and complexity
• Ensure a holistic approach
• Consider time and cost to your organization
• Evaluate recurring impact and repetitiveness
Maintaining Compliance
• Identify a key stakeholder to manage and lead efforts
• Segregated functions, if possible
• Segregated budget item(s)
• Independent reporting and communication
Establish a recurring communication and review strategy
• Establish a compliance committee
• Ensure timely and meaningful reporting to senior management
• Review and update policies, procedures, and assessments
Communicate with covered entities
• Integrate compliance, security, and privacy into sales and marketing efforts
• Identify key stakeholders within the covered entity’s environment to build trust and communication
• Communicate the subject matter expert’s name and contact information
Covered Entity's Right to Audit
• Addressed within the Business Associate Agreement or Contract
• Sample Business Associate Agreement Language:
– The Business Associate shall at any time requested by the Covered Entity, whether during or after completion of this agreement, and at Business Associate’s own expense make such records available for inspection and audit (including copies and extracts of records as required) by the Covered Entity.

Covered Entity's Right to Audit
• Sample Business Associate Agreement Language:
– Business Associate also agrees to make available to Covered Entity a summary report of the results of any third party’s testing or auditing or its own testing, monitoring, and auditing of such systems and procedures.
Business Associate to Covered Entity Reporting Options
• Third party assessments provide covered entities with a window into the inner workings of business associates, including operations and compliance
• Obtaining one or more of these reports reduces the effort to respond to questionnaires and requests for information
• Options to consider: SOC reports and HITRUST
Overview of Service Organization Controls (SOC) Reports
• SOC 1 Report (also known as SSAE 16, formerly SAS 70): Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
• SOC 2 Report: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
• Covers a period of time, typically 6 to 12 months
Overview of HITRUST Reports
• Based on ISO/IEC 27001:2005 and ISO/IEC 27002:2005, HITRUST’s CSF codifies multiple frameworks into a Governance, Risk and Compliance (GRC) tool
• HITRUST CSF uses a maturity model that assesses five levels of implementation
• HITRUST’s MyCSF tool allows organizations to scale assessments relative to their size, complexity and applicable regulatory and compliance standards
Other Reporting Options
• Responding to Covered Entity’s request for information
• Developing and distributing an information security overview
• Compiling a reporting package including policies, procedures, and an overview of information security controls
• Utilizing the Health and Human Services HIPAA Risk Assessment Tool
Scope of Information Security Questionnaires
– Organization Security
– Asset Management and Classification
– Human Resources
– Physical and Environmental Security
– Software Development and Maintenance
– Regulatory Compliance
– Business Continuity
– Information Security Incident Management
– Communications and Operations Management
– Access Control
Case Study
Scenario:
• New software company has developed a solution to decrease the days outstanding for hospitals’ accounts receivables
• The company will need to obtain covered entities’ patient information to analyze the accounts receivables and decrease days outstanding
• Organization is limited in staff and has outsourced the hosting of their IT equipment
Case Study Considerations:
• Organization enters into Business Associate Agreements to market product offerings
• Organization needs to assess organization’s risk
• Organization needs to report on compliance
Take Away(s) for Monday Morning:
• Determine if your organization is a Business Associate
• Begin to inventory executed Business Associate Agreements
• Evaluate risk assessment(s) or initiate risk management discussion
• Report compliance to covered entities
Questions
Contact Information:
Rodney Murray
4350 Congress Street, Suite 900
Charlotte, NC 28209
704.367.7062
Ryan Boggs
11 Brendan Way, Suite 200
Greenville, SC 29615
864.213.4034