
HealthCare Compliance - HIPAA and HITRUST

- Healthcare compliance in general - What is HIPAA - What is HITRUST - How do they relate? - Advantages of being HITRUST certified

Published in: Healthcare

1. HealthCare Compliance - HIPAA and HITRUST
Kishor Vaswani, Chief Executive Officer – ControlCase
Ken Vander Wal, Chief Compliance Officer – HITRUST
2. Agenda
• About HIPAA
• HIPAA, HITECH and the Omnibus Rule
• Fines and Penalties
• HIPAA Requirements
• HITRUST Mission and Objectives
• Key Components of CSF Assurance Program
• Demonstrating compliance to HIPAA through HITRUST
• Key takeaways
• Q&A
3. What is HIPAA today?
Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:
• Establishes administrative, physical and technical security and privacy standards
• Applies to both healthcare providers and business associates (3rd parties)
• Attributes responsibility for monitoring HIPAA compliance of business associates to healthcare providers
• Assessment of compliance of business associates due 09/23/13
4. HIPAA, HITECH and the Omnibus Rule
HITECH
• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
• Establishes mandatory penalties for 'willful neglect'
• Imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI"
• Institutes third party management and monitoring as 'due diligence' and 'due care' provisions
• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
Omnibus Rule
• Finalization of interim rules outlined in the HITECH act
• Formalizes enforcement provisions for breaches
• Expands definition of BA to include subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the actual maximum for penalties
• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
• Requires an on-going monitoring process for the organization's security programs and processes
5. Fines/Penalties
HIPAA violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation: Due to reasonable cause and not due to willful neglect
  Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation: Due to willful neglect but violation is corrected within the required time period
  Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation: Due to willful neglect and is not corrected
  Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
Source: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
6. HIPAA Requirements – Privacy Rule
Privacy Rule Main Points:
• Requires appropriate safeguards to protect the privacy of personal health information
• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
• Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
• Requires compliance with the Security Rule
For BAs:
• Requires breach notification to the Covered Entity
• Requires providing access to PHI to either the individual or the Covered Entity
• Requires reporting the disclosure of PHI to the Secretary of HHS
• Requires providing an accounting of disclosures
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
7. HIPAA Requirements – Security Rule
Administrative Safeguards:
• Security Management Process – Risk Analysis (required), Risk Management (required), Sanction Policy (required), Information Systems Activity Reviews (required)
• Assigned Security Responsibility – Officers (required)
• Workforce Security – Employee Oversight (addressable)
• Information Access Management – Multiple Organizations (required) and ePHI Access (addressable)
• Security Awareness and Training – Security Reminders (addressable), Protection Against Malware (addressable), Login Monitoring (addressable), Password Management (addressable)
• Security Incident Procedures – Response and Reporting (required)
• Contingency Plans (required)
• Evaluations (required)
• Business Associate Agreements (required)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Technical Safeguards:
• Access Control – Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff (addressable), Encryption and Decryption (addressable)
• Audit Controls (required)
• Integrity – Mechanism to Authenticate ePHI (addressable)
• Authentication (required)
• Transmission Security – Integrity Controls (addressable), Encryption (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Physical Safeguards:
• Facility Access Controls – Contingency Operations (addressable), Facility Security Plan (addressable), Access Control and Validation Procedures (addressable), Maintenance Records (addressable)
• Workstation Security (required)
• Device and Media Controls – Disposal (required), Media Re-Use (required), Data Backup and Storage (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
8. HIPAA Requirements – Breach Notification
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
Unsecured PHI
• Transmission and Storage: NIST Special Publication 800-111, NIST Special Publications 800-52, 800-77 or Federal Information Processing Standards (FIPS) 140-2 validated
• Destruction: Specifies physical and electronic PHI; for electronic, NIST Special Publication 800-88
Breach Notification Methods
• By email or first class mail, to the media, posting the notice on the home page of its web site for at least 90 days
• If BA, to the CE, within 60 days of determination
Notification Thresholds
• > 500 records: notify HHS, individuals and media, within 60 days
• < 500 records: notify HHS, annually consolidated listing
Burden of Proof
CEs/BAs are required to prove that they have notified the affected parties within the time periods specified or face penalties
9. HIPAA Requirements – BAs and subcontractors
• Comply directly with the HIPAA Regulation
• Business associates must identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective CE
• BAs must establish and define (contractually) security requirements, right to audit, incident reporting clauses with their service providers
• BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers
• Be able to show due diligence/due care with respect to monitoring their supplier's security compliance
10. HITRUST Mission and Objectives
In 2007, the Health Information Trust Alliance or HITRUST was formed by a group of concerned healthcare organizations out of the belief that improvements in the state of information security and privacy in the industry are critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information, all of which are necessary to improve the quality of patient care while lowering the cost of healthcare delivery.
Key focus:
• Increase the protection of protected health and other sensitive information
• Mitigate and aid in the management of risk associated with health information
• Contain and manage costs associated with appropriately protecting sensitive information
• Increase consumer and governments' confidence in the industry's ability to safeguard health information
• Address increasing concerns associated with business associate and 3rd party privacy, security and compliance
• Work with federal and state governments and agencies and other oversight bodies to collaborate with industry on information protection
• Facilitate sharing and collaboration relating to information protection amongst and between healthcare organizations of varying types and sizes
• Enhance and mature the knowledge and competency of health information protection professionals
11. HITRUST Overview
• Exists to ensure that information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
• Was born out of the belief that information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information.
• Is collaborating with healthcare, business, technology and information security leaders, all of whom are united by the belief that adopting a higher level of standard security practices will build greater trust in the electronic flow of information through the healthcare system.
• Has established a certifiable framework that any and all organizations in the healthcare industry that create, access, store or exchange personal health and financial information can implement and be certified against.
12. Strategic Objectives of HITRUST
Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
• Rationalize regulations and standards into a single overarching framework tailored for the industry
• Deliver a prescriptive, scalable and certifiable process
• Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls to eliminate ambiguity in the process
• Enable the ability to cost-effectively monitor compliance with organizational, business partner and governmental requirements
• Provide support and facilitate sharing of ideas, feedback and experiences within the industry
Establish trust between organizations within the healthcare industry that exchanged information is protected
Develop an approach for the practical, efficient and consistent adoption of security by the healthcare industry
13. Key Components of CSF Assurance Program
Standardized tools and processes
• Questionnaire
  › Focus assurance dollars to efficiently assess risk exposure
  › Measured approach based on risk and compliance
  › Ability to escalate assurance level based on risk
• Report
  › Output that is consistently interpreted across the industry
Cost effective and rigorous assurance
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST CSF Assessors
• Streamlined and measurable process within MyCSF tool
• End User support
14. HITRUST Report
• Certified/validated report issued by HITRUST based on work of independent third-party assessors
  › Business/functional/organizational units that meet the associated criteria
• Assessment context and scope of systems included in assessment
• Breakdown of CSF control areas with a comparison to industry
  › Includes maturity scores
• Testing summary, corrective action plans, and completed questionnaire
15. Demonstrating Compliance to HIPAA through HITRUST
• Risk Assessments
  – Not performed/not updated or documented
  – Limited scope: facilities, processing environment, personnel, software
  – Not aligned with controls or monitoring
• Inventories (Asset Management)
  – Out of date/not documented hardware, software, interfaces, dataflow diagrams/process descriptions, removable media, teleworkers (remote), BAs and subcontractors
• No BA/Vendor Management program
• Policies, procedures and standards (Governance)
• Hardening and patch management
  – None or not implemented
  – Not monitored/No follow-up
  – End-of-life
• Vulnerability Management
  – Inconsistent/incomplete internal vulnerability and penetration testing for networks and applications
  – Remediation gaps
  – No Internet content restrictions
16. Lessons Learned
• System Logging and Monitoring
  – Not implemented/inconsistent
  – Not retained or analyzed
  – Lack of oversight and approval
• None or inconsistent encryption of data in transmission or storage
• Media management and tracking gaps
• Untested incident and breach response processes for PHI related disclosures
• User Provisioning
  – Excessive privileges/accesses
  – No formal documentation of rationale
  – Lack of oversight and approval
• Training and awareness
  – Not HIPAA oriented
  – No refresh
  – Lack of evidence of attendance
• Inadequate business continuity and disaster recovery
• Failure to monitor external maintenance personnel
17. To Learn More …
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight
18. To Learn More …
Visit www.controlcase.com
Email us at contact@controlcase.com
19. Q & A