HIPAA HITECH E-Prescribing / E-Prescription

HIPAA HITECH Privacy & Security Rules for E-prescribing

Disclaimer

The materials available on this document and web site are for informational purposes only and not for the purpose of providing legal and or clinical advice.

You should contact your attorney and information security officer to obtain proper advice with respect to any particular issue or problem. Use of and access to this document, or any of the e-mail links, materials, etc., contained within it, does not create an attorney-client, consulting, legal, or medical advisory relationship between the authors and the user or browser. Only guidance from U.S. Government agencies directly should be used for decision making.


Usage Rights

© All Rights Reserved

  • Two-factor credentials include two of the following:
    – Something you know: password, PIN.
    – Something you have: hard token separate from the computer being accessed.
    – Something you are: any biometric that meets the DEA’s requirements (e.g., it must operate at a false match rate of 0.001 or lower).
  • Prescribers must retain sole possession of hard tokens (if used) and must not share passwords, other knowledge factors, or biometric information with anyone. Failure by prescribers to secure these items may be the basis for revocation or suspension of their DEA registration.
  • SSAE 16 Audit Process - Statement on Standards for Attestation Engagements (SSAE) No. 16. An SSAE 16 (SOC 1) audit can only be performed by a CPA or CPA firm. SSAE 16 effectively replaces Statement on Auditing Standards No. 70 (SAS 70) for service auditors' reporting periods ending on or after June 15, 2011. Two (2) types of SSAE 16 reports are issued, a Type 1 and a Type 2. Additionally, SSAE 16 requires that the service organization provide a description of its "system" along with a written assertion by management. A brief overview of the SSAE 16 (SOC 1) audit process:
    - On-site consultation to support management in pinpointing the control objectives and control procedures.
    - Present guidance to management regarding the adequacy of their control objectives and controls.
    - Execute the on-site testing at various points in time during the testing period to ascertain the effectiveness of the controls put into operation, as well as the operating effectiveness of the controls for Type II reports. Testing typically includes inquiry, inspection, and observation.
    - Preparation of the draft report to be evaluated by the service organization for accuracy and completeness of the details.
    - Distribution of a findings memo to management noting any control deficiencies uncovered throughout the course of the review.
    - Delivery of the SSAE 16 report in hardcopy and electronic PDF format.
    Some issues to be aware of: the audit should be limited to the area(s) of the business which the service offering under review touches as it is being performed. If controls are being tested that do not have a correlation to the service under review, they should be excluded. Having superfluous controls in place will lead to a more complex, higher-cost audit and a higher chance of a failure on the report.

HIPAA HITECH E-Prescribing / E-Prescription Presentation Transcript

  • 1. HIPAA –HITECH e-Prescribing & Risk Analysis Valdez Ladd – CISSP, CISA, MBA, MS ISM, MAIA, ISO TC 215 WG 4
  • 2. HIPAA –HITECH e-Prescribing & Risk Analysis
  • 3. HIPAA –HITECH Medical Security
    • BAs will be treated just like Covered Entities for purposes of the HIPAA privacy and security provisions and be responsible for
    • Administrative Safeguards
    • Physical Safeguards
    • Technical Safeguards
    • Policies and Procedures and
    • Documentation requirements of the Security Rule
    • 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, respectively.
  • 4. HIPAA –HITECH Breach Example
    • Stanford Hospital sued over data breach:
    • New York Times September 8, 2011
    • A class-action lawsuit filed following a reported data breach of 20,000 patients' medical records claims that Stanford Hospital & Clinics unlawfully disclosed confidential medical information.
    • A detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.
    • Ref: Patient Data Posted Online in Major Breach of Privacy, NY Times
    • http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all
  • 5. HIPAA –HITECH Breach Example
    • Stanford Hospital sued over data breach
    • New York Times September 8, 2011, KEVIN SACK
    • A detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.
    • The spreadsheet included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birth dates, credit-card numbers or other information used to perpetrate identity theft, ...
    • Ref: Patient Data Posted Online in Major Breach of Privacy
    • http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all
  • 6. HIPAA –HITECH Breach Example
    • Dr. Cline said health care providers depend unjustifiably on legal contracts with vendors to protect medical records. “That just doesn’t work, as we can see,” he said. “You have to do due diligence, something to assure yourself that the people you’re giving your data to can be trusted.”
    • Ref: Patient Data Posted Online in Major Breach of Privacy
    • http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all
  • 7. HIPAA – HITECH e-Prescribing & Risk Analysis The Center for Improving Medication Management www.thecimm.org
  • 8. HIPAA – HITECH e-Prescribing & Risk Analysis The Center for Improving Medication Management www.thecimm.org
  • 9. Delaware E-Prescribing Process Flow (42nd ISM Annual Conference, September 1, 2009) [process-flow diagram; entities shown: Physician, Software vendors, Pharmacy Network, Surescripts SIG, Master Beneficiary and Formulary Database, Surescripts PRN, Medicaid, Other Pharmacy Benefit Manager, Other Payers, Mail Order Pharmacy, Retail Pharmacy, Payer Network, Institutional Pharmacy]
  • 10. Computerized Provider (Physician) Order Entry (CPOE) Prescribing
    • Computerized physician order entry (CPOE) is a process of electronic entry of medical practitioner instructions for the treatment of patients.
    • Prescribing errors are the largest identified source of preventable errors in hospitals. A 2006 report by the Institute of Medicine estimated that a hospitalized patient is exposed to a medication error each day of his or her stay.
    • Computerized provider order entry (CPOE) can reduce total medication error rates by 80%, and adverse medication errors (serious, with harm to the patient) by 55%.
    • Electronic Prescribing of Controlled Substances (EPCS)
    • Ref: Wikipedia.com: Health Information Technology; CPOE
  • 11. HIPAA – HITECH e-Prescribing & Risk Analysis
    • Clinician’s Guide to e-Prescribing
    • E-prescribing and pharmacy applications must conduct internal audits to determine whether security incidents have occurred (the DEA expects this will be an automated process that generates a report for human review).
    • If the person reviewing the report determines that a security incident has occurred, they must report the incident to the application provider and the DEA within one business day.
    • (US Drug Enforcement Agency: DEA)
    • The Center for Improving Medication Management
    • www.thecimm.org
  • 12. HIPAA – HITECH e-Prescribing & Risk Analysis
    • The DEA now permits prescriptions for controlled substances to be issued electronically:
    • Prescribers that wish to manage these prescriptions electronically must use technology that has been certified for this transmission.
    • Prescribers themselves must undergo an ID Proofing process before they begin to submit prescriptions for controlled substances electronically.
    • Prescribers must use a ‘two-factor authentication process’ each time they send a prescription for a controlled substance electronically.
    • The Center for Improving Medication Management
    • www.thecimm.org
  • 13. Use of an E-Prescribing Application Certified for EPCS - Certified to manage
    • 1) The prescriber must use an e-prescribing application that has been certified to manage these prescriptions electronically.
    • Prescribers unsure of the status of a current or prospective e-prescribing application should ask that application’s vendor about the status of this compliance.
    • E-Prescribing Application Requirements and Notifications of Non-Compliance
    • The Center for Improving Medication Management
    • www.thecimm.org
  • 14. Use of an E-Prescribing Application Certified for EPCS - ID Proofing
    • ID Proofing
    • The prescriber must complete an ID Proofing Process conducted by credential service providers (CSP) or certification authorities (CA) approved by the federal government.
    • Prescribers should be informed by their e-prescribing application vendor or practice administrator as to which CSP or CA they should work with.
    • The CSP or CA may also issue a two-factor credential to the prescriber.
    • Remote identity proofing is permissible.
    • Institutional prescribers may conduct identity proofing in-house and in person.
    • The Center for Improving Medication Management
    • www.thecimm.org
  • 15. Use of an E-Prescribing Application Certified for EPCS – Two-Factor
    • Two-Factor Authentication
    • The prescriber must use a “two-factor authentication” credential each and every time they issue a prescription for a controlled substance.
    • Credentials are designed to protect prescribers from misuse of credentials by insiders and/or from external threats because prescribers retain control of a biometric or hard token.
    • Two-factor credentials will be used for two purposes:
    • – To approve access controls.
    • – To sign prescriptions.
    • The two-factor authentication requirement is designed to protect prescribers from misuse of credentials by insiders and/or from external threats because prescribers retain control of a biometric or hard token.
    • The Center for Improving Medication Management
    • www.thecimm.org
  • 16. Use of an E-Prescribing Application Certified for EPCS – Two-Factor
    • Two-Factor Authentication
    • In the event of a lost or stolen hard token:
    • Prescribers must notify designated individuals within one business day of discovery that a hard token has been lost, stolen, or compromised, or that the authentication protocol has been otherwise compromised.
    • Failure to comply may result in prescribers being held responsible for any controlled substance prescriptions written using their credentials.
    • The Center for Improving Medication Management
    • www.thecimm.org
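Slides 11, 15 and 16 together describe what an application's automated internal audit should catch: a controlled-substance prescription signed without a valid two-factor authentication in its session, or signed after the prescriber's hard token was reported compromised. The script below is an added example (not from the presentation or The Center for Improving Medication Management) that runs such a check over a constructed log; the pipe-delimited log format, the event names and the session model are assumptions made for this example.

```python
from datetime import datetime

# Constructed sample log (assumed format): timestamp|event|prescriber|session|detail
SAMPLE_LOG = """\
2011-09-08T09:00:00|AUTH_2FA|dr_smith|s1|factors=know+have
2011-09-08T09:05:00|SIGN_RX|dr_smith|s1|schedule=II
2011-09-08T09:10:00|SIGN_RX|dr_jones|s2|schedule=III
2011-09-08T10:00:00|TOKEN_COMPROMISED|dr_smith|-|hard token reported lost
2011-09-08T10:30:00|AUTH_2FA|dr_smith|s3|factors=know+have
2011-09-08T10:31:00|SIGN_RX|dr_smith|s3|schedule=II
2011-09-08T11:00:00|AUTH_2FA|dr_lee|s4|factors=know+know
2011-09-08T11:01:00|SIGN_RX|dr_lee|s4|schedule=IV
"""

FACTOR_TYPES = {"know", "have", "are"}  # the three DEA factor categories from the slides

def parse_log(text):
    """Parse the assumed pipe-delimited log format into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, who, session, detail = line.split("|", 4)
            events.append({"ts": datetime.fromisoformat(ts), "event": event,
                           "who": who, "session": session, "detail": detail})
    return events

def two_factor_ok(detail):
    """Two factors must come from two distinct categories; know+know is one category."""
    factors = detail.split("=", 1)[1].split("+")
    return len(set(factors) & FACTOR_TYPES) >= 2

def audit(events):
    """Return (time, prescriber, reason) findings for human review, in log order."""
    findings = []
    authed_sessions = set()  # sessions that completed a valid two-factor authentication
    compromised_since = {}   # prescriber -> time their hard token was reported compromised
    for e in events:
        if e["event"] == "AUTH_2FA" and two_factor_ok(e["detail"]):
            authed_sessions.add(e["session"])
        elif e["event"] == "TOKEN_COMPROMISED":
            compromised_since[e["who"]] = e["ts"]
        elif e["event"] == "SIGN_RX":
            if e["session"] not in authed_sessions:
                findings.append((e["ts"], e["who"], "signed without valid two-factor auth"))
            if e["who"] in compromised_since and e["ts"] >= compromised_since[e["who"]]:
                findings.append((e["ts"], e["who"], "signed after token reported compromised"))
    return findings
```

Calling `audit(parse_log(SAMPLE_LOG))` yields three findings on the sample: dr_jones signed with no authentication in the session, dr_smith signed after reporting the token lost, and dr_lee's "know+know" login does not count as two factors.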
  • 17. HIPAA – HITECH e-Prescribing & Risk Management
    • Application Audits or Certifications
    • E-prescribing and pharmacy applications must undergo independent audit or certification by:
    • – Persons qualified to conduct SysTrust, WebTrust, or SAS 70 audits [SSAE 16 supersedes Statement on Auditing Standards (SAS) No. 70].
    • – Certified Information System Auditors (CISA).
    • – Independent certification organizations approved by the DEA.
    • • Audit/certification must determine if the application meets the DEA’s EPCS requirements.
    • • Application providers must make their audit or certification reports available to prescribers or pharmacies using or considering using their applications.
    • • Prescribers and pharmacies may only sign or process EPCSs using applications that have been determined to meet the DEA’s requirements through the types of audits mentioned above.
    The Center for Improving Medication Management www.thecimm.org
  • 18. HIPAA – HITECH e-Prescribing & Risk Management
    • EPCS is voluntary from the DEA’s perspective: written, manually signed, and oral prescriptions for controlled substances, where applicable, are still permitted.
    • The rule also permits pharmacies to receive, dispense, and archive electronic prescriptions for controlled substances.
    The Center for Improving Medication Management www.thecimm.org
  • 19. e-Prescribing & Risk Analysis
    • Elements of a Risk Analysis
    • Scope of the Analysis
    • Data Collection
    • Identify and Document Potential Threats and Vulnerabilities
    • Assess Current Security Measures
    • Determine Likelihood of Threat Occurrence
    • Determine Potential Impact of Threat Occurrence
    • Determine the Level of Risk
    • Finalize Documentation; Periodic Updates to the Assessment
    • Ref: Dell SecureWorks Meaningful Use and the Security Rule : Risks and Rewards
    • www.eseminarslive.com/c/a/Health-Care-IT/Dell100611/
  • 20. e-Prescribing & Risk Analysis – Additional Resources
    • Additional Security Resources:
    • NIST SP-800-66-Revision1
    • An Introductory Resource Guide for Implementing the HIPAA Security Rule
    • Cloud Security Alliance’s:
    • Cloud Controls Matrix
    • - Principles to guide cloud vendors and assist cloud customers.
    • Consensus Assessments Initiative Questionnaire
    • - Questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.
    • Ref. https://cloudsecurityalliance.org/
  • 21. Questions?!
    • Thank you.
    • Valdez Ladd
    • contact me: Linkedin
    • CISSP, CISA,COBIT 4.1, ITIL v3 F., CNSS 4011, CIW-SA
    • MBA, MS ISM, MAIA
    • ISO TC 215 WG 4
    • Cloud Security Alliance
    • NCHICA