Dec. Healthcare LIG Presentation

Transcript

  • 1. Implementing Healthcare Security Compliance Projects: HIPAA, HITECH, and CMS © 2009 Austin Strategic Partners
  • 2. Headline News
    • Stolen BCBST hard drives lead to Credit Watch
    • TN doctors fax patient data to Indiana
    • 15 Kaiser workers fired for peeking at Octomom’s files
    • CVS works on privacy following fines
    • HealthNet data breach affects 450,000 people
    • Hacker holds VA health records for ransom
    • Man receives confidential info by accident
    • Tenet employee charged with HIPAA violations
    • Computer hard drives sold with data on eBay
    • Bosses to blame for computer attacks
  • 3. Regulations
    • HIPAA Privacy & Security Acts
      • Health Insurance Portability and Accountability Act of 1996
        • Administrative Simplification: established standards and requirements for health information
      • Privacy Rule compliance date: 4/14/2003
      • Security Rule compliance date: 4/20/2005
    • ARRA / HITECH Act
      • American Recovery and Reinvestment Act of 2009 became law on 2/17/2009.
        • Health Information Technology for Economic and Clinical Health: investment in electronic health records (EHR) necessitated tightening electronic security regulations
      • Compliance dates begin 2/18/2010 (+)
  • 4. HITECH Security Provisions
    • Regulations that previously only applied to “covered entities” now also apply to “business associates” and must be incorporated into BA agreements
    • Increased criminal and civil/monetary penalties apply to everyone, not just covered entities
    • Mandates use of a certified EHR for each person in the US by 2014
    • Mandates data encryption for healthcare data (standardized)
    • Requires patient consent for sharing of information, even if for treatment or payment or operations. “Healthcare operations” now excludes marketing & paid communications.
    • Periodic audits of entities (including BA) to verify compliance, with reviews and outcomes being made public (via HHS website) annually
    • Patient has right to receive details of all disclosures of PHI going back 3 years from date of request, beginning 1/1/2011
    • Prohibits sale or remuneration for exchange of health records without patient’s consent, extends to business associates (effectively kills “data mining”)
    • For security breaches involving < 500 people, entity must notify each individual whose information was compromised within 60 days of discovery – proof of notification, report annually to HHS
    • For security breaches involving > 500 people, entity must notify local news media within 60 days, HHS immediately, law enforcement as appropriate – HHS reports breaches to congress and on website
  • 5. Security is a Business Requirement
    • Systems & data are essential for the business
      • Must maintain a safe and secure computing environment
      • Minimize disruptions to systems & network infrastructure, renewed emphasis on Disaster Recovery & Business Continuity (DR/BC)
      • Confidential data must be protected from unauthorized access
    • Marketplace
      • Clients are demanding security assurances (RFPs, etc.)
      • Increased electronic exchanges with business partners
      • Other regulations overlap: SOX, PCI, etc.
    • We live in a new electronic environment
      • Increased threats: identity fraud, theft, hacking, denial of service, cyber criminals, social engineering, phishing, dumpster diving, etc.
      • Changing attitudes towards technology leads to relaxed sense of danger
      • Everyone uses technology in their daily lives, not just IT professionals
  • 6.
    • Authors of HIPAA Privacy & Security Acts
    • See http://www.cms.hhs.gov for regulations & details
    • Now OCR (Office of Civil Rights) is responsible for administration & enforcement
    • Federal IT security standards are the most rigorous/strict, also the most documented
      • NIST (National Institute of Standards & Technology): approx. 100 pubs on best practices/guidelines; most security programs patterned after these
      • FISMA (Federal Information Security Management Act of 2002): made NIST guidelines mandatory for federal government IT
    • CMS has multiple overlapping standards and has codified these explicitly in their security standards
  • 7. HIPAA specifies what must be done (the outcome); CMS specifies how it should be done (the implementation)
    • Risk-based: High, Moderate, Low
      • Based on impact of loss of confidentiality, integrity, & availability
    • CMS standards are useful as a framework for your own security program
      • Provides the detail missing from HIPAA regulations
      • Tells you what “proof” an inspector/auditor wants to see
      • If implemented to the letter, you know you can pass a HIPAA audit
    • CMS certification program
      • Unless you are working on government information systems, or are contracted to the federal government to process Medicare/Medicaid claims, you are not even eligible to become CMS certified.
  • 8. Valuable Sources
    • HITRUST: Health Information Trust Alliance
      • http://www.hitrustalliance.net/
      • Common Security Framework (CSF): a certifiable framework that can be used by organizations that create, access, store or exchange personal health and financial information.
    • Health IT Standards Committee (HIT)
      • http://healthit.hhs.gov, right panel “HIT Standards Cmte”
      • Chair: Jonathan Perlin, MD (HCA’s CMO)
      • 4 Workgroups: clinical quality, clinical operations, privacy & security, implementation
      • Recommendations for ARRA implementation schedule (2011 – 2015)
    • NIST SP800-66: Implementing the HIPAA Security Rule
  • 9. Project Management Caveats
    • Security and compliance is not a project!
      • Projects have a definite beginning and definite end
      • “Projectize” parts of security/compliance efforts
        • Allows use of contract/temporary resources
        • May allow capitalizing some related expenses
    • Cannot be seen solely as an IT project!
      • Security compliance is everyone’s responsibility!
      • IT resources alone are insufficient for attacking all aspects of a security compliance program.
    • Niche technical expertise required
      • Healthcare industry regulations expertise
      • Network design, telecom, systems architecture, & encryption expertise
      • Security-related certifications: CISSP, CISM, CIPP, CSSLP, SSCP
      • DR/BC expertise
      • Legal & compliance expertise
      • Training & operations expertise
  • 10. Common Mistakes Made When Implementing Compliance Projects
    • Viewing compliance as a one-time project
    • Viewing compliance as a set of “technical solutions” or as a product you can buy
    • Having well-documented policies & procedures that are not implemented
    • Limiting efforts to the “minimum possible requirement” or trying to maneuver around the obstacles
    • Doing what is easy, i.e., non-proportional responses – not using an appropriate risk-based approach
    • Allowing many exceptions to policies
    • Not collaborating with technical operations people in the writing of the policies & procedures, resulting in policies that cannot be implemented
  • 11. For project success, all PMI principles are applicable!
    • Must have involved, supportive management (a top-down initiative)
    • Must have appropriate expertise in key roles
  • 12. Summary Q & A
    • Security compliance is difficult to do well
      • Touches all PMI topic areas
      • Requires niche expertise
      • Involves entire organization
      • Stakes are higher than ever now!
    • Get help: don’t feel you have to go it alone
      • Brochures/handout for more info
      • In-depth training/consulting available
    • Slides available on PMI Nashville website