Dec. Healthcare LIG Presentation
Published in: Technology, Business

  • 1. Implementing Healthcare Security Compliance Projects: HIPAA, HITECH, and CMS © 2009 Austin Strategic Partners
  • 2. Headline News
    • Stolen BCBST hard drives leads to Credit Watch
    • TN doctors fax patient data to Indiana
    • 15 Kaiser workers fired for peeking at Octomom’s files
    • CVS works on privacy following fines
    • HealthNet data breach affects 450,000 people
    • Hacker holds VA health records for ransom
    • Man receives confidential info by accident
    • Tenet employee charged with HIPAA violations
    • Computer hard drives sold with data on eBay
    • Bosses to blame for computer attacks
  • 3. Regulations
    • HIPAA Privacy & Security Acts
      • Health Insurance Portability and Accountability Act of 1996
        • Administrative Simplification: established standards and requirements for health information
      • Privacy Rule compliance date: 4/14/2003
      • Security Rule compliance date: 4/20/2005
    • ARRA / HITECH Act
      • American Recovery and Reinvestment Act of 2009 became law on 2/17/2009.
        • Health Information Technology for Economic and Clinical Health: investment in electronic health records (EHR) necessitated tightening electronic security regulations
      • Compliance dates begin 2/18/2010 (+)
  • 4. HITECH Security Provisions
    • Regulations that previously only applied to “covered entities” now also apply to “business associates” and must be incorporated into BA agreements
    • Increased criminal and civil/monetary penalties apply to everyone, not just covered entities
    • Mandates use of a certified EHR for each person in the US by 2014
    • Mandates data encryption for healthcare data (standardized)
    • Requires patient consent for sharing of information, even if for treatment or payment or operations. “Healthcare operations” now excludes marketing & paid communications.
    • Periodic audits of entities (including BA) to verify compliance, with reviews and outcomes being made public (via HHS website) annually
    • Patient has right to receive details of all disclosures of PHI going back 3 years from date of request, beginning 1/1/2011
    • Prohibits sale or remuneration for exchange of health records without patient’s consent, extends to business associates (effectively kills “data mining”)
    • For security breaches involving < 500 people, entity must notify each individual whose information was compromised within 60 days of discovery – proof of notification, report annually to HHS
    • For security breaches involving > 500 people, entity must notify local news media within 60 days, HHS immediately, law enforcement as appropriate – HHS reports breaches to congress and on website
  • 5. Security is a Business Requirement
    • Systems & data are essential for the business
      • Must maintain a safe and secure computing environment
      • Minimize disruptions to systems & network infrastructure, renewed emphasis on Disaster Recovery & Business Continuity (DR/BC)
      • Confidential data must be protected from unauthorized access
    • Marketplace
      • Clients are demanding security assurances (RFPs, etc.)
      • Increased electronic exchanges with business partners
      • Other regulations overlap: SOX, PCI, etc.
    • We live in a new electronic environment
      • Increased threats: identity fraud, theft, hacking, denial of service, cyber criminals, social engineering, phishing, dumpster diving, etc.
      • Changing attitudes towards technology leads to relaxed sense of danger
      • Everyone uses technology in their daily lives, not just IT professionals
  • 6.
    • Authors of HIPAA Privacy & Security Acts
    • See for regulations & details
    • Now OCR (Office of Civil Rights) is responsible for administration & enforcement
    • Federal IT security standards are the most rigorous/strict, also the most documented
      • NIST (National Institute of Standards & Technology): approx. 100 pubs on best practices/guidelines; most security programs patterned after these
      • FISMA (Federal Information Security Management Act of 2002): made NIST guidelines mandatory for federal government IT
    • CMS has multiple overlapping standards and has codified these explicitly in their security standards
  • 7. HIPAA specifies what must be done (the outcome); CMS specifies how it should be done (the implementation)
    • Risk-based: High, Moderate, Low
      • Based on impact of loss of confidentiality, integrity, & availability
    • CMS standards are useful as a framework for your own security program
      • Provides the detail missing from HIPAA regulations
      • Tells you what “proof” an inspector/auditor wants to see
      • If implemented to the letter, you know you can pass a HIPAA audit
    • CMS certification program
      • Unless you are working on government information systems, or are contracted to the federal government to process Medicare/Medicaid claims, you are not even eligible to become CMS certified.
  • 8. Valuable Sources
    • HITRUST: Health Information Trust Alliance
      • Common Security Framework (CSF): a certifiable framework that can be used by organizations that create, access, store or exchange personal health and financial information.
    • Health IT Standards Committee (HIT)
      •, right panel “HIT Standards Cmte”
      • Chair: Jonathan Perlin, MD (HCA’s CMO)
      • 4 Workgroups: clinical quality, clinical operations, privacy & security, implementation
      • Recommendations for ARRA implementation schedule (2011 – 2015)
    • NIST SP800-66: Implementing the HIPAA Security Rule
  • 9. Project Management Caveats
    • Security and compliance is not a project!
      • Projects have a definite beginning and definite end
      • “Projectize” parts of security/compliance efforts
        • Allows use of contract/temporary resources
        • May allow capitalizing some related expenses
    • Cannot be seen solely as an IT project!
      • Security compliance is everyone’s responsibility!
      • IT resources alone are insufficient for attacking all aspects of a security compliance program.
    • Niche technical expertise required
      • Healthcare industry regulations expertise
      • Network design, telecom, systems architecture, & encryption expertise
      • Security-related certifications: CISSP, CISM, CIPP, CSSLP, SSCP
      • DR/BC expertise
      • Legal & compliance expertise
      • Training & operations expertise
  • 10. Common Mistakes Made When Implementing Compliance Projects
    • Viewing compliance as a one-time project
    • Viewing compliance as a set of “technical solutions” or as a product you can buy
    • Having well-documented policies & procedures that are not implemented
    • Limiting efforts to the “minimum possible requirement” or trying to maneuver around the obstacles
    • Doing what is easy, i.e., non-proportional responses – not using an appropriate risk-based approach
    • Allowing many exceptions to policies
    • Not collaborating with technical operations people in the writing of the policies & procedures, resulting in policies that cannot be implemented
  • 11. For project success, all PMI principles are applicable!
    • Must have involved, supportive management (a top down initiative)
    • Must have appropriate expertise in key roles
  • 12. Summary Q & A
    • Security compliance is difficult to do well
      • Touches all PMI topic areas
      • Requires niche expertise
      • Involves entire organization
      • Stakes are higher than ever now!
    • Get help: don’t feel you have to go it alone
      • Brochures/handout for more info
      • In-depth training/consulting available
    • Slides available on PMI Nashville website