Redspin & Phyllis A. Patrick and Associates Webinar: HIPAA, HITECH, Meaningful Use, IT Security
HIPAA & HITECH Requirements, Compliance, and Meaningful Use
We know it's confusing. Let's focus on what you need to know!
Information Security Assessments: "We Take Your Security Personally"
Phyllis Patrick, MBA, FACHE, CHC, Phyllis A. Patrick and Associates LLC (Phyllis@phyllispatrick.com)
Dan Berger, Executive Vice President, Redspin, Inc. (firstname.lastname@example.org)
Agenda- New Era in Health IT – What it means to you- Risk Assessment Strategies and Components- Effective Security Process- Meaningful Use and how to get incentive $- Practical Example –Case Study
New Era in Health IT– New Regulations and Initiatives– Incentive Funding (Medicare & Medicaid)– New Consumer and Patient Issues
New Programs
• EHRs: Electronic Health Records
• HIEs: Health Information Exchanges
• RECs: Regional Extension Centers
• Achieving meaningful use of certified EHRs
Privacy and Security Policies and Programs
• Privacy as a Patient Satisfaction Issue
• Synergy with Quality and Safety Programs
• Right of Private Action/State AG Activities
The ONC MandateAmericans will benefit from electronic health records as “part of a modernized, interconnected, and vastly improved system of care delivery.”
ONC Mandate and Initiatives • Temporary Certification Program • Standards and Certification Criteria Final Rule • Medicare and Medicaid EHR Incentive Programs • Meaningful Use of EHRs Final Rule • Certified Health IT Product List
New Federal Regulations– Meaningful Use of Electronic Health Records (Final Rule) – Medicare and Medicaid Incentive Programs– Certification Process/Criteria– Certification Standards– HITECH Amendments to HIPAA– Breach Notification Requirements
Security Laws– Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule– Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records– Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)– Family Educational Rights and Privacy Act (FERPA)– Payment Card Industry Data Security Standard (PCI DSS)– State Breach Notification, Social Security Numbers, Data Protection, and other laws– Children’s Online Privacy Protection Act– Federal Information Security Management Act (FISMA)– H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation– Encryption Laws (e.g., State laws)– Sarbanes-Oxley Act (Public Companies)– Gramm-Leach-Bliley Act (Financial Services)– And more………
Some rules haven’t changed – Have you fully implemented the HIPAA Security Rule?
The HIPAA Security Rule– Compliance Date: April, 2005– 42 Standards and Implementation Specifications– Information Security Management Program– Applies to Electronic Protected Health Information (ePHI) that a Covered Entity Creates, Receives, Maintains, or Transmits
Security Rule Standards
Evaluation Standard: "Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart." [§164.308(a)(8)]
Related Standards:
– Security Management Process §164.308(a)(1)(i)
– Risk Analysis §164.308(a)(1)(ii)(A)
– Risk Management §164.308(a)(1)(ii)(B)
– Information System Activity Review §164.308(a)(1)(ii)(D)
New Enforcement Efforts and Priorities
HHS made changes to the HIPAA regulations to conform the enforcement component of the regulations to the statutory revisions made pursuant to the HITECH Act.
• Civil Monetary Penalties
• Violations categorized
• Tiered ranges of civil money penalty amounts
Penalties – Per Calendar Year (tiered by culpability)
– Person did not know (and by exercising reasonable diligence would not have known): $100 - $50K per violation, not to exceed $25K - $1.5MM per year
– Violation due to reasonable cause and not to willful neglect: $1,000 - $50K per violation, not to exceed $100K - $1.5MM per year
– Due to willful neglect and violation was corrected: $10K - $50K per violation, not to exceed $250K - $1.5MM per year
– Due to willful neglect and violation was not corrected: at least $50K per violation, not to exceed $1.5MM per year
GOVERNANCE
• Leadership
• Organizational Structures
• Processes that support the security and privacy programs while supporting and sustaining the organization's mission and strategic goals
• Relationships with Business Associates and 3rd parties
Effective Security Program Governance– Involves appropriate organizational personnel– Defines a governance framework or methodology– Enables uniform risk measurement across the organization– Produces quantifiable, meaningful deliverables– Reflects business practices, organizational risk appetites, and changing levels of risk Reference: IT Compliance Institute
Business Associates
Covered Entity (CE): A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA (the HITECH Act extends HIPAA's requirements but does not change this definition).
Business Associate (BA): Party who performs a function on behalf of a Covered Entity and has access to PHI in the performance of that function.
Business Associate Compliance
Liability:
– BAs are contractually liable to CEs for breach of the BA agreement
– BAs are civilly and criminally liable to the Federal government for violations
Notification:
– BA notifies CE of any breach
– CE has the obligation to notify patients and HHS
– If 500+ persons are affected, notify media serving their area
Recommendations:
– Identify BAs with highest risk
– Communicate expectations to BAs
– Automate contract and BA agreement files
– Develop an auditing and monitoring process
– Educate executives and key players on BAs
Parties around the Covered Entity (CE) that may be Business Associates (BAs): IT vendors, coding vendors, outsourced call centers, subcontractors, insurance companies, pharmacies, hospitals, physicians, the e-prescribing ecosystem, CPOE, radiology labs, HIEs, RHIOs, ACOs, lawyers, CPAs, housekeeping services, etc.!!!
Components of the Assessment
• Governance of the Privacy and Security Programs
• Privacy Rule and Security Rule Standards
• Policies and Procedures
• Risk Assessment and Risk Management
• Program Infrastructure
  – Designation of Privacy and Security Officers
  – Reporting Relationships
  – Staffing and Resources
• Education and Training Programs
• Security Breach Notification Policy and Procedures
• Readiness to meet HITECH/HIPAA requirements and Meaningful Use criteria
• Impacts of Business Partner/Business Associate Relationships
• Auditing and Monitoring Processes
Strategies for a Risk Assessment• Formal and ongoing evaluation and review process• Periodic Risk Analysis, in particular following significant changes• Senior leader support• Adequate and available resources• Steering committee
Strategies for a Risk Assessment• Governance/Reporting/Metrics• Organization-wide Risk Analysis• Communication of Risk Profile• Documentation and Action Plans• Independent Consultants?
Show Me the Money: How to Access Federal Dollars
Eligible Entities– Eligible professionals (EPs)– Eligible hospitals– Critical access hospitals– Certain Medicare Advantage Organizations whose affiliated EPs and hospitals are meaningful users of certified EHR technology
What is "Meaningful Use?"
• Use of a certified EHR in a meaningful manner (e.g., e-prescribing)
• Use of certified EHR technology for electronic exchange of health information to improve quality of health care
• Use of certified EHR technology to submit clinical quality and other measures
Meaningful Use – Criteria and Standards
– Is the practice or hospital making adequate use of EHRs?
– Has a risk analysis been conducted?
– Is there a platform for staged implementation?
To achieve meaningful use, providers must:
– Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies
– Comply with all applicable federal and state laws and regulations
– Provide transparency of data sharing to patients
Meaningful Use Incentive Programs
Medicare EHR:
– Participation as early as FY 2011
– EPs may receive up to $44,000 over 5 years, plus an additional incentive if practicing in a HPSA (Health Professional Shortage Area)
– Must begin by 2012 to get the maximum
– Incentives for hospitals may begin in 2011
– Medicare EPs, hospitals and CAHs who do not show meaningful use have a payment decrease beginning 2015
Medicaid EHR:
– Voluntarily offered by individual states
– May begin as early as FY 2011
– EPs may receive up to $63,750 over 6 years
– Incentives for hospitals may begin in 2011 with a $2 million base payment
– No payment adjustment for providers who do not show meaningful use
CMS Meaningful Use Goals Improve quality, safety, and efficiency of health care and reduce health disparities Engage patients and families Improve care coordination Improve population and public health, and Ensure adequate privacy and security protections for personal health information
HIPAA/HITECH Compliance
What are the objectives of a HIPAA Risk Analysis and Security Assessments?
Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.
Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (ePHI) triggering the breach notification requirements.
Some Types of Assessments
• Wireless Pen
• Web App
• External Pen
• Internal Pen
• Social Engineering
• Controls
• Data Security Analysis
• Network Security Analysis
• Physical Systems
Other possible assessments:
– PCI, if credit cards
– Sarbanes-Oxley
– Gramm-Leach-Bliley
Components of Risk
The assets (what you are trying to protect is PHI)
• You need to know where it is, how it is used, and how it is transported over the network.
The threats (what are you afraid of happening?)
• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
• Hackers using application attacks to gain access to database records.
• Insiders gathering inappropriate data through misconfigured access control.
The vulnerabilities (how could the threat occur?)
• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
• Application vulnerabilities (e.g., SQL injection, command injection)
• Misconfigured database access controls
Current mitigation (what is currently reducing the risk?)
• Staff
• Technology
• Processes
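The application-attack vulnerability named above, SQL injection, is the most direct route from "hackers using application attacks" to "database records" holding ePHI. The following Python script is an added example, not code from the webinar, from Redspin or from Phyllis A. Patrick and Associates: it builds a constructed in-memory SQLite table of patient records and contrasts a lookup that concatenates user input into SQL with a parameterized lookup. The table layout, the MRN values, the injection string and the helper names are all assumptions for illustration.

```python
import sqlite3

# Constructed sample ePHI rows (assumption for illustration, not real data).
SAMPLE_PATIENTS = [
    ("MRN-1001", "A. Example", "Hypertension"),
    ("MRN-1002", "B. Example", "Type 2 diabetes"),
    ("MRN-1003", "C. Example", "Asthma"),
]

# A typical attacker-supplied value: closes the string literal, then
# appends a condition that is always true.
INJECTION = "' OR '1'='1"


def make_db():
    """In-memory SQLite database standing in for an EHR backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, mrn):
    """Builds the statement by string concatenation, so the caller's input
    becomes part of the SQL itself. This is the defect an assessor reports."""
    query = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, mrn):
    """Parameterized query: the driver binds mrn as data, never as SQL,
    so quote characters in the input cannot change the statement."""
    query = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?"
    return conn.execute(query, (mrn,)).fetchall()


def demo():
    """Run both lookups with a legitimate MRN and with the injection string."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "MRN-1002"),
        "vuln_injected": lookup_vulnerable(conn, INJECTION),
        "hard_normal": lookup_hardened(conn, "MRN-1002"),
        "hard_injected": lookup_hardened(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

With the legitimate MRN both functions return the single matching record. With the injection string the concatenated query becomes `... WHERE mrn = '' OR '1'='1'` and returns every patient row, while the parameterized query looks for a literal MRN equal to the injection string and returns nothing. The same principle (keep attacker data out of the code channel) is the fix for the command-injection case named on the slide, where the equivalent of parameterization is passing arguments as a list to the subprocess rather than building a shell string.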
Axolotl, Health Information Exchange (HIE) Solution Provider: CASE STUDY
Axolotl Overview
• Since 1995, Axolotl has been providing advanced Clinical Networking solutions
• Health Information Exchange has become a necessary foundation to support the "meaningful use" of health information technology
• Cloud environment – supports electronic sharing of data among hospitals, physicians, clinical laboratories, pharmacies, health plans (insurers), and public health departments
• Security and regulatory compliance are imperative for Axolotl's customers
Founded: 1995
Location: San Jose, California
Industry: Healthcare Technology Provider
Solutions For: Hospitals & Health Systems, RHIOs, State Health Agencies, Physicians
Employees: 200
Solution for AxolotlAreas Covered• Comprehensive information security assessment of governance and operational processes covering both production and internal systems• Thorough assessment of policies, practices, and procedures from both an internal and external point of view• Axolotl has been able to use information security and compliance as a distinct advantage in a fiercely competitive segment of the healthcare market.
Common Themes and Issues
• Lack of Documentation
• Lack of Awareness of Programs
• Insufficient Training and Education
• Lack of adequate Disaster and Business Continuity Planning
• Privacy and Security less priority than Safety or Quality Programs
• Mobile Device Policy and Procedures
• Managers unaware of their role and responsibilities in privacy and security
• Management of Business Associate Relationships
• Lack of or outdated Encryption Policy and Procedures
• Who to Contact in case of perceived or actual Security Breach or Privacy Incident
EHR for the Future• Whatever happens to the health care agenda, EHRs will continue to evolve and regionalization will occur• Some geographical areas will develop mature EHRs faster than others• Patients/consumer engagement is gaining traction• Vendor market will consolidate and be more accountable
Strategies for a Risk Assessment
(Topics: Evaluation/Review Process; Risk Analysis; Steering Committee; Governance; Metrics/Scoreboard; Risk/Threats; Integrated Assessment; Risk Profile; Consultant Criteria; Sr. Mgmt. Support; Penalties; Document!)
• Establish a formal, ongoing Evaluation and Review Process using an independent consultant/third party. Conduct the review using project management tools and methods.
• Perform Risk Analysis, following established policies and procedures, at a minimum every three years or whenever there is a significant change in the environment (e.g., new system, new regs, new service, new threats, changes in senior management)
Strategies for Risk Assessment
• Establish an ongoing Steering Committee:
  o Dedicate a multi-disciplinary team responsible for guiding the Evaluation and Risk Assessment Processes; utilize an existing team/committee if appropriate
• Establish a governance structure/process for Security and Privacy reports to the BOD, Audit & Compliance Committee, Strategic Planning Committee, etc.
• Security and Privacy Metrics/Scoreboard
Strategies for Risk Assessment
• Determine the level of risk and threat to the organization, e.g.,
  • Security Breach
  • Identity Theft/Medical Identity Theft
  • Privacy Complaints/OCR Complaints/Patient Suits
  • Organization's "Risk Appetite"
  • Organizational reputation
  • Financial consequences
• Integrate the risk assessment for security and privacy into the organization-wide risk assessment for all types of risk
• Develop and communicate a Risk Profile
Strategies for a Risk Assessment
• Retain an independent consultant that meets specific criteria:
  – Determine qualifications of the individuals performing the review
  – Ask questions to ascertain whether the consultants possess "hands on" experience
  – Do reports summarize data or provide a noted gaps analysis?
  – Does the consultant provide a "to do list" based upon the audit results, mapping a path for the organization to follow, or is it buried in the summary?
  – Do you understand the results and have support from the organization to resolve the issues identified?
Strategies for a Risk Assessment
• Elicit support from senior management to provide adequate resources to address areas of identified risk
• Note: Organizations that ignore findings are subject to increased penalties!
• Documentation and retention of action plans and follow-up is key to surviving and resolving audits and investigations.
Successful information risk management program
1. Organizing for performance
2. Assessing risk
3. Decision analysis
4. Policy implementation
5. Measuring program effectiveness
6. Repeat steps 2-5, adjusting the organization defined in step 1 to evolving business requirements
Risk Management Process: Detail
Step 1. Assess Risk: Identify and prioritize risks to the business.
  a. Plan data gathering.
  b. Gather risk data.
  c. Prioritize risks.
Step 2. Decision Analysis: Evaluate requirements, understand possible solutions, select controls, estimate costs, and choose the most effective mitigation strategy.
  a. Define functional requirements to mitigate risks.
  b. Outline possible control solutions.
  c. Estimate risk reduction.
  d. Estimate solution cost.
  e. Choose mitigation strategy.
Step 3. Policy Implementation: Acquisition and deployment of controls to carry out the policy.
  a. Ensure policy specifications are enforceable.
  b. Integrate process automation, people, and technology in the mitigation solution.
  c. Defense in depth – coordinate application, system, data, and network controls.
  d. Communicate policies and control responsibilities throughout the organization.
Step 4. Measure Effectiveness: Develop and disseminate reports. Provide management a dashboard of program effectiveness.
  a. Management dashboard that summarizes the organization's risk profile.
  b. Report on changes under consideration and underway.
  c. Communicate effectiveness of the control solutions in mitigating risk.
  d. Report on the existing environment in terms of threats, vulnerabilities and risk profile.