Dec. Healthcare LIG Presentation

1. Implementing Healthcare Security Compliance Projects: HIPAA, HITECH, and CMS
   © 2009 Austin Strategic Partners
2. Headline News
   - Stolen BCBST hard drives lead to credit watch
   - TN doctors fax patient data to Indiana
   - 15 Kaiser workers fired for peeking at Octomom’s files
   - CVS works on privacy following fines
   - HealthNet data breach affects 450,000 people
   - Hacker holds VA health records for ransom
   - Man receives confidential info by accident
   - Tenet employee charged with HIPAA violations
   - Computer hard drives sold with data on eBay
   - Bosses to blame for computer attacks
3. Regulations
   - HIPAA Privacy & Security Rules
     - Health Insurance Portability and Accountability Act of 1996
       - Administrative Simplification: established standards and requirements for health information
     - Privacy Rule compliance date: 4/14/2003
     - Security Rule compliance date: 4/20/2005
   - ARRA / HITECH Act
     - American Recovery and Reinvestment Act of 2009 became law on 2/17/2009
       - Health Information Technology for Economic and Clinical Health: investment in electronic health records (EHR) necessitated tightening electronic security regulations
     - Compliance dates begin 2/18/2010 (+)
4. HITECH Security Provisions
   - Security Rule safeguards that previously applied only to “covered entities” now apply directly to “business associates” (BAs) and must be incorporated into BA agreements
   - Increased civil monetary penalties (tiered by level of culpability) and criminal penalties apply to business associates and individuals, not just covered entities
   - Sets the goal of a certified EHR for each person in the US by 2014, driven by Medicare/Medicaid “meaningful use” incentive payments rather than a direct mandate
   - Encryption is not mandated, but it is the practical safe harbor: PHI encrypted according to HHS guidance is not “unsecured PHI,” so its loss does not trigger breach notification; an unencrypted laptop or drive does
   - Patients who pay for care out of pocket in full can restrict disclosures to their health plan for payment or operations; paid marketing communications no longer count as “healthcare operations” and require patient authorization
   - HHS must conduct periodic audits of covered entities and business associates, with compliance and enforcement results reported to Congress annually
   - Patients have the right to an accounting of disclosures of PHI made through an EHR, including for treatment, payment and operations, going back 3 years from the date of request; phased in from 1/1/2011 depending on when the EHR was acquired
   - Prohibits sale of PHI, or remuneration for exchange of health records, without the patient’s authorization; extends to business associates (effectively kills “data mining”)
   - Breaches involving fewer than 500 people: the entity must notify each affected individual without unreasonable delay and within 60 days of discovery, keep proof of notification, and report the breaches to HHS annually
   - Breaches involving 500 or more people: notify HHS at the same time as the individuals (HHS posts the breach on its website and reports to Congress); if more than 500 residents of one state or jurisdiction are affected, also notify prominent local media within the same 60 days; law enforcement may request a delay where notice would impede an investigation
5. Security is a Business Requirement
   - Systems & data are essential for the business
     - Must maintain a safe and secure computing environment
     - Minimize disruptions to systems & network infrastructure; renewed emphasis on Disaster Recovery & Business Continuity (DR/BC)
     - Confidential data must be protected from unauthorized access
   - Marketplace
     - Clients are demanding security assurances (RFPs, etc.)
     - Increased electronic exchanges with business partners
     - Other regulations overlap: SOX, PCI, etc.
   - We live in a new electronic environment
     - Increased threats: identity fraud, theft, hacking, denial of service, cyber criminals, social engineering, phishing, dumpster diving, etc.
     - Changing attitudes towards technology lead to a relaxed sense of danger
     - Everyone uses technology in their daily lives, not just IT professionals
6. CMS (Centers for Medicare & Medicaid Services)
   - Author of the HIPAA Security Rule and its original enforcement agency
   - See the CMS website for regulations & details
   - OCR (Office for Civil Rights) is now responsible for administration & enforcement; Security Rule enforcement moved from CMS to OCR in 2009
   - Federal IT security standards are the most rigorous/strict, and also the most thoroughly documented
     - NIST (National Institute of Standards & Technology): approx. 100 publications on best practices/guidelines; most security programs are patterned after these
     - FISMA (Federal Information Security Management Act of 2002): made NIST guidelines mandatory for federal government IT
   - CMS has multiple overlapping standards and has codified these explicitly in its own security standards
7. HIPAA specifies what must be done (the outcome); CMS specifies how it should be done (the implementation)
   - Risk-based: High, Moderate, Low
     - Based on the impact of a loss of confidentiality, integrity, & availability (the same impact levels FIPS 199 uses for federal systems)
   - CMS standards are useful as a framework for your own security program
     - Provide the implementation detail missing from the HIPAA regulations
     - Tell you what “proof” an inspector/auditor wants to see
     - If implemented to the letter, you have the controls and evidence a HIPAA audit expects
   - CMS certification program
     - Unless you are working on government information systems, or are contracted to the federal government to process Medicare/Medicaid claims, you are not even eligible to become CMS certified
8. Valuable Sources
   - HITRUST: Health Information Trust Alliance
     - Common Security Framework (CSF): a certifiable framework that can be used by organizations that create, access, store or exchange personal health and financial information
   - HIT Standards Committee (federal advisory committee to the Office of the National Coordinator, ONC)
     - Website link not preserved; see the right panel, “HIT Standards Cmte”
     - Chair: Jonathan Perlin, MD (HCA’s CMO)
     - 4 workgroups: clinical quality, clinical operations, privacy & security, implementation
     - Recommendations for the ARRA implementation schedule (2011 – 2015)
   - NIST SP 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule
9. Project Management Caveats
   - Security and compliance is not a project!
     - Projects have a definite beginning and a definite end
     - “Projectize” parts of security/compliance efforts
       - Allows use of contract/temporary resources
       - May allow capitalizing some related expenses
   - Cannot be seen solely as an IT project!
     - Security compliance is everyone’s responsibility!
     - IT resources alone are insufficient for attacking all aspects of a security compliance program
   - Niche technical expertise required
     - Healthcare industry regulations expertise
     - Network design, telecom, systems architecture, & encryption expertise
     - Security-related certifications: CISSP, CISM, CIPP, CSSLP, SSCP
     - DR/BC expertise
     - Legal & compliance expertise
     - Training & operations expertise
10. Common Mistakes Made When Implementing Compliance Projects
   - Viewing compliance as a one-time project
   - Viewing compliance as a set of “technical solutions” or as a product you can buy
   - Having well-documented policies & procedures that are not implemented
   - Limiting efforts to the “minimum possible requirement” or trying to maneuver around the obstacles
   - Doing what is easy, i.e., responses that are not proportional to the risk, instead of an appropriate risk-based approach
   - Allowing many exceptions to policies
   - Not collaborating with technical operations people in the writing of the policies & procedures, resulting in policies that cannot be implemented
11. For project success, all PMI principles are applicable!
   - Must have involved, supportive management (a top-down initiative)
   - Must have appropriate expertise in key roles
12. Summary / Q & A
   - Security compliance is difficult to do well
     - Touches all PMI topic areas
     - Requires niche expertise
     - Involves the entire organization
     - Stakes are higher than ever now!
   - Get help: don’t feel you have to go it alone
     - Brochures/handout for more info
     - In-depth training/consulting available
   - Slides available on the PMI Nashville website