1. 18 March 2014
HIPAA Compliance 101: Part 1
A Brief History of Healthcare Regulation
Kurt Hagerman
Chief Information Security Officer
2. Today's Speaker
Kurt Hagerman, Chief Information Security Officer
Kurt Hagerman oversees all compliance-related and security initiatives. He is responsible for leading FireHost in attaining ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve their own compliance requirements. He regularly speaks and writes on information security topics in the payments and healthcare spaces as well as on cloud security.
HIPAA Compliance 101
3. Agenda
• The History of HIPAA
• Other Agency Oversight
• What Does It Mean to Be HIPAA Compliant?
• Security Rule
• Privacy Rule
• Breach Notification Rule
• HIPAA's Impact on Your Organization
• Getting Started
• Questions & Answers
4. The History of HIPAA
• HIPAA
  • Created 1996
  • Manifesto: no enforcement provisions
• HITECH
  • Created 2009 as part of the American Recovery and Reinvestment Act
  • Gave the Office for Civil Rights (OCR) the ability to enforce and levy fines
• Omnibus Rule
  • Created 2013
  • Expanded and clarified the Business Associate (BA) role
  • Addressed some of the HITECH audit findings
5. Other Agency Oversight
FDA
• Pharmaceuticals
• Medical devices, expanded to include software
FTC
• Advertising rules
• What you can and can't say
• Communication do's and don'ts
6. HIPAA Compliance: what it means
• No official HIPAA certification
• OCR has published audit protocols
• Organizations must understand:
  • Security Rule
  • Privacy Rule
  • Breach Notification Rule
• Health Information Trust Alliance (HITRUST)
  • CSF Certification Program
8. Privacy Rule
Deals with the collection and use of medical records and ePHI:
• Health plans, health care clearinghouses, and health care providers
• Defines rules for the collection & use of patient data
• Sets limits and conditions on data uses without patient authorization
• Gives patients rights over their information
9. Breach Notification Rule
If a breach occurs:
• Organizations and business associates must notify:
  • Impacted individuals
  • Media (in some cases)
  • HHS Secretary
• Similar provisions enforced by the FTC
10. HIPAA & Its Impact on Your Organization
Your entire organization is impacted
• HR, billing, finance, IT and IT security, customer service
• Records retention and policies
• Internal processes & procedures
• Don't forget 3rd parties – called Business Associates (BA)
11. Bigger Picture
Overall security and compliance programs
• Compliance does not equal security
• Build a security program based on best practices and assessment of risk in your organization
• Compliance should be considered a reporting function of your security program
[Diagram: SECURITY / COMPLIANCE]
12. Getting Started
• Find a consulting firm who can help you understand how HIPAA impacts your business
• Learn about the requirements
  • HHS: www.hhs.gov/
  • OCR audit protocol: www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• External resources
  • www.hitrustalliance.net
  • www.hipaacentral.com
13. What's next
April 1, 2014
HIPAA Compliance 101: Part 2
• Risk Assessment
• Building Your Security Programs to address HIPAA
• Business Associates and Covered Entities
Chris:
Hello and welcome to the first webinar in our series on HIPAA compliance. Today we’ll be talking about the history of healthcare regulation and what it means to be HIPAA compliant. We’ll leave some time at the end to take your questions, and you can also submit questions during the webinar through the chat feature. To mute your phone, <instructions>.
Chris:
I’m Will Morgan and I’ll be moderating our discussion. I’d like to introduce our speaker today, Kurt Hagerman, FireHost’s Chief Information Security Officer, who will lead today’s session on HIPAA compliance.
Chris:
Now let's take a look at our agenda today. We'll be talking about what it means to be compliant, the three main rules you'll need to understand and HIPAA's impact on your organization. Finally, we'll have some time at the end to take your questions live.
Chris:
Kurt, can you give us an overview of the history of HIPAA?
Kurt:
Thanks, Will, and absolutely. The history of HIPAA will help everyone understand where we are today and how we got there.
HIPAA was created in August 1996 to protect the privacy of health and medical information. At first there was a lot of interest in it – but while there was a lot of wisdom there, there were no enforcement provisions and no agency oversight. HIPAA was more of a manifesto than anything. So it went ignored after an initial flurry of dialogue.
And that brings us to HITECH, which was created in 2009, as part of the Recovery and Reinvestment Act. It put an agency – the Office of Civil Rights - in charge of enforcing HIPAA and gave them the ability to levy fines. The OCR also began conducting audits.
Those audits turned up several findings, which led to the Omnibus Rule last year. It was enacted in January 2013 and took effect in September 2013. The Omnibus Rule tidied things up, and expanded and clarified some things, based on HITECH audit findings. It focused quite a bit on the role of business associates (BAs).
Chris:
Kurt – you talked about OCR on the previous slide, but it looks like other agencies are involved. Can you talk to us about that?
Kurt:
It’s important to understand that while OCR controls HIPAA, other agencies have oversight too when it comes to healthcare data.
The FDA, for instance, obviously has some oversight over pharmaceuticals.
But what many people don’t realize is that FDA also has oversight over medical devices – and that now has been expanded to include software. So when we’re talking about healthcare IT, we need to consider the FDA rules.
The FTC also gets involved because of advertising. They have rules on what you can and can’t say in marketing and communications and do’s and don’ts. For instance, they try to combat deceptive advertising and false claims.
Chris:
That’s interesting and a good foundation. Let’s shift here and talk a little about what it actually means to be HIPAA compliant.
Kurt:
Right – this is what I call the nuts and bolts section.
First thing to know, there’s no official certification for HIPAA compliance. If you’ve worked with other compliance certifications, that might surprise you. But according to Leon Rodriguez of OCR, there won’t be an official certification. However, there are audit protocols from OCR.
Let’s talk now about the three rules your organization must understand: the Security Rule, Privacy Rule and Breach Notification Rule.
The Security Rule sets national standards for the security of electronic protected health information
The Breach Notification Rule requires covered entities and business associates to provide notification after a breach.
The Patient Safety Rule protects any identifiable information being used to analyze patient safety events and improve patient safety.
It’s also important to understand HITRUST, particularly the CSF Certification Program.
Will:
Excellent. Can we look a little deeper at those three rules you mentioned? What do we need to know about the Security Rule?
Kurt:
If you want to be compliant with HIPAA, you'll need to follow the Security Rule. This was created to protect private healthcare data, such as medical records, test results, personal information – any kind of individual health data.
The rule states that you must protect the confidentiality of a person’s data, as well as its integrity and security. Obviously this is partly about protecting patient privacy, but also ensuring that the data stays accurate and free from breaches and reasonably anticipated threats.
It's also important to note that this goes beyond just adopting technical security controls – you need to look at your administrative processes and physical devices as well to ensure complete security. This could include something like a rule that paper medical files need to be physically secure, and administrative processes that control access to sensitive data.
Chris:
Great. What about the Privacy Rule? It must deal heavily with electronic protected health information, right?
Kurt:
Absolutely and it’s also an important rule. This rule protects medical records and other personal health information in a few ways – specifically it deals with the collection and use of those records and ePHI.
One is in regard to health plans, health care clearinghouses, and health care providers who transmit data electronically.
It also sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Finally, the Privacy Rule gives patients rights over their health information, such as the rights to examine and obtain a copy of their health records, and to request corrections. I’m sure all of you are familiar with the forms you sign whenever you go to a doctor appointment – that’s because of the Privacy Rule.
Chris:
And finally the Breach Notification Rule. That sounds pretty self-explanatory.
Kurt:
The Breach Notification Rule is just what it sounds like. If your organization suffers a breach – or your business associate, your third-party provider, does – you must notify all impacted parties, the Secretary and sometimes the media.
There are very specific procedures to follow – for instance, you must notify through first-class mail or electronic mail, and you must include a working toll-free number to learn more about the breach for at least 90 days. You must also act “without unreasonable delay” and no later than 60 days following the discovery of a breach.
Even if your BA is the source of the breach, you are still ultimately responsible for ensuring notification. But you can delegate the notification to your BA, if that makes the most sense.
If a breach affects more than 500 residents of a state or jurisdiction, you’re required to provide notice to prominent media outlets serving that area. Usually people do this with a press release. Again, this needs to happen without unreasonable delay and in no case later than 60 days following the discovery of a breach.
Your organization must also notify the Health and Human Services Secretary of any breaches. If it’s a breach affecting 500 or more people, you’ll need to notify within the same 60 day timeframe; but if it’s a smaller breach, an annual report is fine. You’ll submit your report electronically at the HHS site.
Please be aware this isn’t just HIPAA - the Federal Trade Commission (FTC) has similar policies, so you’ll need to take both HIPAA and the FTC into account if you have a breach.
Chris:
That’s great info, Kurt. What I’m wondering and I’ll bet our attendees are, too, is how HIPAA impacts an organization and which parts of a healthcare organization are affected by all these rules?
Kurt:
Most people wonder that and the answer is that all parts of your business are impacted by these rules.
Consider the Privacy rule, for instance. That impacts:
HR, billing, finance, IT and IT security, customer service
Records retention and policies
Internal processes and procedures, like communication
And don’t forget 3rd parties – called Business Associates. We’ll go over those in more detail in our next webinar.
In short, this is not just a legal issue or security issue – HIPAA compliance permeates your entire organization.
Chris:
Now, Kurt, I know you have some thoughts about how security and compliance programs work together. Can you talk to us about those?
Will:
So, there’s a lot of impact and a lot for healthcare IT organizations to do to get started. Where should they start?
Kurt:
If you’re new to HIPAA compliance, or if you’re in the midst of it and trying to get a grip on it, there are a few steps you can take.
First, find an experienced consulting firm who understands HIPAA and can work with you to determine what the impact will be on your organization.
Next, read up on online resources and learn about the requirements. Specifically I recommend:
The HHS main website at hhs.gov
The OCR audit protocols
Then for external resources, we have:
Hitrustalliance.net
Hipaacentral.com – which has videos, webinars and other resources to walk you through all of the HIPAA elements.
Kurt:
Next month, we’ll have another webinar on HIPAA – this time we’ll go into more detail and talk about risk assessment and how to build your security programs to address HIPAA. We’ll also talk about your Business Associates and how to manage HIPAA compliance.
Chris, back to you.
Will:
Now that we’ve taken a look at the basics of HIPAA compliance, let’s hear your questions. If you have any questions of the Rules we’ve discussed, or how HIPAA could impact your organization, let us know and we’ll talk about the right actions to take. Just use the chat feature to submit your questions.
Will:
Thank you for joining us today. We hope our webinar on HIPAA was helpful and that we answered all of your questions. Within a day or so, you’ll receive a recording of this webinar in an email. To learn more, please visit us at firehost.com – and don’t forget to attend our next webinar on HIPAA Compliance Part 2, which will take place in April. We look forward to seeing you again.