HIPAA omnibus rule update


Published on

Get information on the HIPAA Omnibus rule and how the revised regulations will impact not only healthcare organization but also covered entities and other IT providers - OConnor Davies - NYC CPA Firm.


    1. HealthCare Information Security – An Evolving Regulatory Landscape with Increasing Stakes
       Thomas J. DeMayo, Director, IT Audit and Consulting Services, TDeMayo@odpkf.com
    2. HIPAA – The History
       • The Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996 to encourage electronic transmission of payer/patient information and payment
       • Privacy Rule (2003) – Designed to ensure patient health information was guaranteed a minimum level of protection across all states
       • Security Rule (2005) – Added administrative, technical and procedural safeguards for electronic protected health information (ePHI); complements the Privacy Rule
    3. HIPAA – The History
       • HITECH (2009) – Enacted to promote and expand the adoption of Health Information Technology
         – Added increased restrictions (e.g. the Privacy and Security Rules now apply to Business Associates (“BA”))
         – Enhanced civil monetary penalties – e.g. a tiered penalty structure with penalties up to $1.5m per year for each violation
         – Introduced the Breach Notification Rule
         – Required HHS to perform periodic audits of Covered Entities (“CE”)
    4. HIPAA – The History
       • Omnibus Rule (2013) – Finalized and/or modified provisions of the Interim Rule and/or added additional provisions
    5. Privacy Rule!!!!!
       • Sorry – We will not be discussing the Privacy Rule
    6. Security Rule Changes
       • The Final Rule did not make any changes to the Security Rule
         – Confirmed that the Security Rule applies to business associates
         – Extended the application of the rule to subcontractors
         – Expanded liability for storage providers (e.g. Cloud Providers)
    7. Security Rule Clarification
       • Health and Human Services (“HHS”) clarified:
         • “Flexibility of approach” or “Reasonableness” of the controls continues to apply; however, documentation of the approach and rationale is required
         • Internet, Extranets, and Intranets are forms of electronic transmission media
           – If they transmit ePHI, they are in scope
           – Certain transmissions, including paper via facsimile and voice via telephone, are not considered transmission via electronic media if the information did not exist in electronic form immediately prior to transmission
         • Copiers and fax machines that store ePHI are subject to the Security Rule requirements
    8. What exactly is the Security Rule?
       • Consists of 78 standards that encompass administrative, technical, and physical safeguards
         – Administrative – policies, awareness training, assigning a security officer
         – Technical – passwords, antivirus, firewalls
         – Physical – physical storage of electronic media, positioning of equipment
    9. What exactly is the Security Rule?
       • The standards (what must be done) contain implementation specifications (how it must be done)
       • Implementation Specifications are either:
         – Required – the specification must be implemented as stated
    10. What exactly is the Security Rule?
       • Implementation Specifications are either: (cont…)
         – Addressable – must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:
           • Implement the addressable implementation specification as stated;
           • Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
           • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment
    11. What exactly is the Security Rule?
       • Of the 78 standards:
         – 26 are Addressable
         – 52 are Required
       ***Addressable does NOT imply OPTIONAL***
    12. Results of Office for Civil Rights Audit
       • Audits in 2012 showed that the Security Rule requirements are not being met by covered entities
         – Office for Civil Rights (“OCR”) officials have publicly stated this must change
       • Of the 159 covered entities audited:
         – 10% of selectees had no audit findings
         – 10% of selectees were totally unprepared for audit
    13. Results of OCR Audit
       • Of the 159 covered entities audited (cont…):
         – Security accounted for more than 60% of audit findings
         – Providers had the greatest proportion of findings – 65%
         – The smallest entities struggled the most in all three areas
         – Significantly fewer findings for those entities that fully implemented addressable specifications
         – Most common excuse heard for non-compliance – “unaware of the requirement”
         – Lack of application of sufficient resources, incomplete implementation, complete disregard
    14. Results of OCR Audit
       • Top Areas Reported
         – Security
           • Risk analysis
           • Access control
           • Contingency planning
           • Media movement and disposal
           • Audit controls and monitoring
         – Privacy
           • Notice of privacy practices
           • Access of individuals
           • Minimum necessary
           • Authorizations
    15. Results of OCR Audit
    16. Risk Assessment – Why the Fuss?
       • Conducting a formalized Risk Assessment is essential
       • The HIPAA Security and Breach Rule framework is built on the results of the Risk Assessment process
         – The results of the risk assessment are what will drive the compliance initiative and will be the foundation on which the security activities are built
    17. Risk Assessment – Why the Fuss?
       • OCR has made it very clear that all covered entities must have a formalized risk assessment
         – Prediction – if your organization is selected for an audit, your documented risk assessment will be one of the items selected for review
    18. Risk Assessment Requirement
       • Required implementation specification at §164.308(a)(1)(ii)(A)
         – Requires a covered entity to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
    19. Risk Management Requirement
       • Once the risks are identified, they must be managed
       • Required implementation specification at §164.308(a)(1)(ii)(B)
         – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
    20. §164.306 Security standards: General rules
       • §164.306(a) – Covered entities and business associates must do the following:
         – (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits
         – (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
         – (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
         – (4) Ensure compliance with this subpart by its workforce
    21. Risk in Perspective
    22. What are the steps?
       • Scope of the Analysis – the scope of the risk analysis includes all the people, processes and technology that are involved in the creation, transmission, maintenance and/or storage of ePHI
       • Data Collection – an organization must identify where data is being stored, received, maintained or transmitted. If your organization is hosting health information at a HIPAA-compliant data center, the organization will need to contact its hosting provider to document where and how the data is stored
       • Identify and Document Potential Threats and Vulnerabilities – identify and document any reasonably anticipated threats to ePHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution
    23. What are the steps?
       • Assess Current Security Measures – inventory all of the existing security controls implemented by the organization and determine how effective they are in managing the threats and vulnerabilities identified in the previous step
       • Determine the Likelihood of Threat Occurrence – for each threat event, determine how likely the event is to occur relative to the organization’s specific circumstances
       • Determine the Potential Impact of Threat Occurrence – by using either qualitative or quantitative methods, assess the maximum impact that a data threat would have on your organization – How many people could be affected? What extent of private data could be exposed – just medical records, or both health information and billing information combined?
    24. What are the steps?
       • Determine the Level of Risk – combine the likelihood of the occurrence with the potential impact to determine the ultimate risk level. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk, should the resulting risk be too high
       • Finalize Documentation – summarize everything in an organized document – HHS doesn’t specify a particular format, but it does require the analysis in writing
       • Periodic Review and Updates to the Risk Assessment – it is important to ensure that the risk analysis process is ongoing – one requirement includes conducting a risk analysis on a regular basis
       ***Be sure the person conducting the risk assessment has the technical capacity to understand and communicate all the risks***
    25. Penalties for Non-Compliance
       • Tiered structure based on the level of culpability:
         – Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation
         – Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect
         – Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery
         – Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery
    26. Penalties for Non-Compliance
       * CMP = Civil Monetary Penalty
    27. Penalties for Non-Compliance
       • While the Final Rule includes many provisions that amplify the penalties associated with a violation of HIPAA, there is some flexibility built into the Final Rule with respect to imposition of such penalties as long as the violations are NOT due to Willful Neglect
    28. Breach Notification Rule
       • HHS defines “breach” as the “acquisition, access, use, or disclosure” of PHI in violation of the Privacy Rule that “compromises the security or privacy” of the PHI
       • Under the interim rule, the phrase “compromise” meant the inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm
         – The risk-of-harm standard was too subjective
    29. Breach Notification Rule
       • The Final Rule changed the term “compromise” to mean that, unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a “breach,” unless the HIPAA-covered entity can demonstrate there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment
    30. Breach Notification Rule
       • Four-part Risk Assessment:
         – The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification
         – The unauthorized person who used the PHI or to whom the disclosure of PHI was made
         – Whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired
         – The extent to which the risk to the PHI has been mitigated
       ***The Risk Assessment and the results thereof must be documented and stored for reference***
    31. Notification Requirements
       • Varies based on the number of affected individuals
         – Must notify the individual, without unreasonable delay and in no case later than 60 days from discovery of the breach
         – If fewer than 500 people are affected, must notify the Secretary annually within 60 days after the end of the calendar year in which the breach occurred
         – If more than 500 people are affected, must notify the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach
         – If more than 500 people are affected in a single state or jurisdiction, must notify prominent media outlets
    32. Notification Requirements
       • Covered entities are ultimately responsible for notifying individuals. The task can be contracted to the business associate that “caused” the breach, but ultimately HHS is going to hold the covered entity responsible for notification in a timely manner
    33. Questions?
       Tom DeMayo, CISSP, CIPP, CPT, CEH, MCSE
       Director, IT Audit and Consulting Services
       TDeMayo@odpkf.com
       646.449.6353