Managing Risk Exposure in Meaningful Use Stage 2


The Compliancy Group features a FREE HIPAA education series. Please view our profile to see all of our webinars or visit us at

Published in: Education, Business, Technology


  1. 855.85HIPAA – Industry leading Education
     • Please ask questions
     • #CGwebinar
     • Today's slides are available: http://compliancy-
     • Past webinars and recordings: http://compliancy-
  2. Ensuring Patient Privacy: The Need to Monitor for Inappropriate Access to ePHI
     This document may not be reproduced, transmitted, or distributed without the prior permission of All Medical Solutions.
  3. Introduction (© Copyright 2013 All Medical Solutions)
     About the Speaker: Stephen Salinas serves as Senior Business Development Consultant and Channel Manager at All Medical Solutions (AMS). While at AMS, Stephen has worked alongside California's two most successful Regional Extension Centers (HITEC-LA and COREC), overseeing the successful adoption of EHR technology and Meaningful Use by over 1,200 California physicians.
     About All Medical Solutions: All Medical Solutions (AMS) is a healthcare organization consultancy and solutions development division of Fusion Systems Co., Ltd., a global Information Technology Solutions consulting business. Based in California, AMS has over 20 years of experience in developing proprietary technology products for Fortune 500 companies and over 10 years in bringing tailored and insightful solutions to national and regional healthcare providers. As a Service Partner of two RECs, AMS has witnessed first hand the many issues healthcare organizations face with regard to HIPAA and Meaningful Use. AMS launched SPHER™ in 2013, an online state-of-the-art Electronic Health Record (EHR) monitoring solution which fulfills federal HIPAA audit requirements. For more information, go to
  4. Today's Topic: Ensuring Patient Privacy – The Need to Monitor for Inappropriate Access to ePHI
     A look into the current state of healthcare and security, your obligations under HIPAA to monitor user activity of your EHR to ensure patient privacy rights are protected, and an outline of what should be done to protect your organization from the threat of a privacy breach.
  5. Agenda
     The Need to Become Compliant with HIPAA
     • The current state of healthcare and security
     • Results of the OCR Pilot HIPAA Audits of 2012
     • User Activity Monitoring – the #1 security deficiency
     • The official OCR HIPAA Audits enforced in 2013
     A Deeper Dive into User Activity Monitoring (Privacy Monitoring)
     • The importance of User Activity Monitoring
     • User Activity Monitoring references in HIPAA and Meaningful Use
     • Identifying the hurdles organizations face when aiming for compliance
     • How to correctly implement, document, and maintain a Privacy Monitoring program
     Re-evaluating Your Current Security Posture
     • The need to prioritize Privacy Monitoring and Workforce Education
     • Case Studies
  6. What is a Privacy Breach?
     According to HIPAA, "an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised."
     – 4 factors:
       • Nature and extent of the PHI involved
       • The unauthorized person who used the PHI or to whom disclosure was made
       • Whether PHI was actually acquired or viewed
       • Extent to which the risk to the PHI has been mitigated
  7. The Current State of Healthcare and Security
     The cost of a Privacy Breach
     • Healthcare industry loses $7 Billion a year due to privacy breaches
     • Average cost of a privacy breach = $2.4 million
     • 94% of healthcare organizations have had at least one data breach in the last two years
     • Compared to all other industries in the US, healthcare had the highest per capita breach cost
     • 54% of organizations have little or no confidence they can quickly detect privacy breaches (Ponemon Institute)
  8. The Need to be Compliant with HIPAA
     "The HIPAA/HITECH rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of [the Office of Civil Rights] to vigorously enforce the HIPAA privacy and security protections." (Leon Rodriguez, Head of OCR)
  9. The Driver for HIPAA/HITECH Audits
     • Section 13411 of the HITECH Act
       – Mandatory audits will occur separate from the standard audits now in place.
     • US Government Accountability Office GAO-12-481
       – GAO evaluates the HITECH EHR/Meaningful Use Incentive Program managed by CMS
       – Proposes the need for "Meaningful Use Audits" to ensure hospitals and providers participating in the program have not falsely attested to achieving Meaningful Use
       – 10% of Hospitals and 20% of Providers that attested for Meaningful Use will be audited
     • HIPAA Omnibus Final Rule redefines and increases Civil Monetary Penalties
       – Civil Money Penalties (CMPs) for covered entities have been increased to a $1.5 million cap per violation for violations due to willful neglect ("did not know")
       – Willful Neglect – Not Corrected: defined as a breach resulting from an intentional failure or reckless indifference to HIPAA obligations, where the breach was not corrected immediately after discovery. Violations are counted as the number of patient records affected.
     • HHS Contracts KPMG – 2012 Audit Pilot Program
       – 115 Covered Entities (CEs) audited during Q4 2012
       – Selection of CEs was random, not based on prior HIPAA infractions
       – #1 Discrepancy: NO User Activity Monitoring
  10. KPMG Pilot Audits: Privacy/Security/Breach Non-Compliance (chart)
  11. KPMG Findings – Top 9 Security Issues (chart)
     Auditors reported that the CEs "did not know" it was required.
     *Reused with permission from Adam H. Greene, JD, MPH, from the PPN Final Omnibus Presentation
  12. HIPAA/HITECH Audits Occurring in 2013
     Covered Entities can expect two (2) separate audits where they will be required to demonstrate HIPAA Compliance:
     • Q1 2013 – CMS Meaningful Use (MU) Audits
     • Q4 2013 – HHS OCR Privacy/Security/Breach Audit Program
  13. CMS Meaningful Use Audits
     Q1 2013 – CMS Meaningful Use (MU) Audits
     – 10% of Hospitals and 20% of Providers will be audited and must be able to demonstrate that they met the required MU criteria
       • If an audited entity has failed to correctly attest to even a single metric, that participant will be required to return all of the funds and faces the possibility of fraud charges
       • Specifically MU Core Measure 14 for Hospitals, MU Core Measure 15 for Providers (HIPAA Security Rule Compliance)
     – Measure: Conduct or review a security risk analysis in accordance with § 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.
     – You will be required to submit a copy of your Security Risk Assessment as well as an outline of your risk management process showing the security safeguards (policies and procedures) both implemented to date and in progress.
       • If the entity is unable to demonstrate compliance with the HIPAA Security Rule, the entity may be subject to the more stringent HHS OCR Audit
  14. HHS OCR Audit Program
     Q4 2013 – HHS OCR Privacy/Security/Breach Audit Program
     • Increased number of Audit Protocol Procedures compared to the OCR KPMG Pilot Audit Program
       – Privacy Audit Procedures: 68 → 81
       – Security Audit Procedures: 77 → 78
         • 9 of the Audit Procedures directly relate to User Activity Monitoring
       – Breach Notification Audit Procedures: 10
     Learn more about the HIPAA Audit Program Protocol:
  15. The OCR Audit Process
     • Advance 30-90 day notification by mail
     • 15 day deadline to respond to a large documentation request
     • 3-5 day on-site data collection by up to 5 auditors
       – Interviews of key personnel and assorted staff members, site walkthroughs, operational reviews, and requests for further information
     • Draft report issued, with a 10 day window to respond
     • Final report issued, imposing CMPs and corrective action
     Process flow: Notification letter and request for documentation sent to Covered Entity → Receiving and reviewing documentation and planning the audit field work → On-site field work → Draft audit report → Covered Entity reviews and comments on draft audit report → Final audit report
  16. A Deeper Dive into User Activity Monitoring
     • HIPAA requires user activity monitoring
     • You must review your EHR audit logs for inappropriate access
     • Protect your Patients' Privacy by adhering to the law
  17. What is Inappropriate Access and Disclosure?
     HHS outlines what is defined as inappropriate access and disclosure under the HIPAA Privacy Rule:
     "HIPAA is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information."
  18. Outline the Problem
     • Internal workforce and 3rd parties have access to your patients' ePHI
     • You grant access to PHI under the assumption that privacy policies will be followed in the strictest sense
     • New information systems put in place (EHR)
     • Implementing new policies, procedures, and security safeguards is an afterthought
     • Staff not effectively educated on the new policies and procedures
     • Management not strictly and routinely enforcing them
     • Current and newly adopted policies and procedures may not be strong enough and will need to be revised
     • It is the covered entity's responsibility to monitor all access to ePHI, including access granted to Business Associates
     • Your Risk/Vulnerability of facing an internal privacy breach is high
  19. HIPAA Security Related Regulations
     HIPAA Security Rules
     • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 164.308(a)(1)(ii)(D)
     • Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 164.312(b)
     • Implement procedures for monitoring log-in attempts and reporting discrepancies. § 164.308(a)(5)(ii)(C)
     • Retain required documentation of policies, procedures, actions, activities or assessments required by the HIPAA Security Rule for six years from the date of its creation or the date when it last was in effect, whichever is later. § 164.316(b)(1)(ii)
     Meaningful Use Requirements
     • ONC certification for EHR technology requires an EHR to produce an audit log. § 170.302(r)
     • Conduct a Security Risk Assessment per HIPAA § 164.308(a)(1), implementing security updates as necessary and correcting deficiencies… Meaningful Use Core Measure 14 for Hospitals, 15 for Providers
  20. Insurance Exclusions
     • "For arising out of or resulting from any act, error, omission, incident, failure of Computer Security."
     • "Based upon, arising from, or in consequence of any claim or proceeding brought by or on behalf of any federal, state, or local government agency or authority; or licensing or regulatory organization."
     If found negligent, the Insurance Carrier is not obligated to pay these. Due to the increasing number of ePHI related breaches since the adoption of EHR, insurance companies are utilizing their exclusion clauses. Many policies do not cover breaches due to reckless indifference to HIPAA obligations (willful neglect):
     • Civil Money Penalties (CMPs) mandated by the OCR and Class Action Lawsuits
     • Costs associated with fulfilling breach notification requirements and loss of income due to site failure
     • Credit card monitoring services for affected patients, etc.
     Source: Beazley, Chubb, Doctors Company, Lloyds of London
  21. Common Misconceptions
     • "This is a responsibility that is supposed to be handled by my EHR vendor (or other health information system)"
       – As required by Federal ONC-Certification for EHRs, their obligation to the client is to ensure that their system is audit capable, i.e. that it can generate a "human readable" audit log
     • "This is a responsibility that can be handled by my IT department"
       – Reviewing audit logs requires practical knowledge of healthcare workflow as well as the organization's policies and procedures; this is the responsibility of the privacy/security department
  22. Why is user activity monitoring important?
     "While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious. Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey." (Larry Ponemon, Chairman of Ponemon Institute)
  23. What does the audit log tell you? – 5 Core Audit Log Attributes
     • Date: Provides a precise date for organizations to see who has accessed patient information
     • Time: Provides a precise time for organizations to see who has accessed patient information
     • User: Provides a clear definition of all user access within organizations, to know who has data privileges
     • Patient: Maintains a record of all authorized and unauthorized access to specific patient information
     • Action: Must be recorded when health information is viewed, created, modified, exported, or deleted
  24. Full Review vs Partial Review
     The Facts:
     • Auditing takes so many resources and so much time that it is near impossible to do manually.
     The Math:
     • Time for auditing 1 line: ~15 seconds
       – Event correlation – Is this specific activity permitted?
       – Users of the EHR: Staff, HIE, Vendors, etc.
     • Calculations for level of effort*:
       – Average daily audit log: ~3560 lines per provider (3 to 4 staff)
     • 100% review by use of trained staff and an automated incident detection tool is the NIST standard**

     Review time at ~15 seconds per line:
       Range   Day          Week         Month         Year
       100%    14.83 hours  74.16 hours  296.60 hours  3,559 hours
       80%     11.86        59.32        237.28        2,846
       20%     2.97         14.86        59.32         713

     * Calculations using 20 business days in a month
     ** NIST SP 800-92 – use trained staff and a tool to review 100% of logs
  25. The method of auditing audit logs – Basic auditing methods
     These methods will only allow you to detect large security incidents.
     Examples:
     1. Abnormal times of access: accessing records during non-standard hours for that particular user
     2. Abnormal number of patient records accessed per user: seeing a spike of 100 patients vs the average 20 that particular user sees per day
     3. Abnormal exports or deletions of information
  26. The method of auditing audit logs – Advanced auditing methods (known as Behavioral Analytics)
     These methods will allow you to detect smaller security incidents.
     Examples:
     1. Role based behavior: authorized uses of PHI by role (Physicians, Nurses, Medical Assistants, Administrators, etc.)
     2. Individual behavior: tracking of individual users' patterns of behavior
        i. A medical assistant working in the front office accesses the system in a different way (check-in/check-out procedures) than a medical assistant working in the back office (documenting vital signs)
        ii. Individuals may only be allowed to work in a single department, where other individuals float from department to department, having multiple roles and responsibilities within the organization
     3. Patient Workflow: tracking of the documented order of events as a patient navigates through the office
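The following is an added example, not code from the presentation and not the SPHER product: a small Python review of a constructed EHR audit log that implements the three basic methods from slide 25 (abnormal hours, abnormal patient count per user, exports/deletions) and the role-based check from slide 26, over records carrying the five attributes from slide 23. The user names, role assignments, standard hours, baselines and the spike factor are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample EHR audit log (not real data). Each line carries the
# five core attributes from slide 23: date, time, user, patient, action.
SAMPLE_LOG = """\
2013-06-18,08:15,ma.front,P1001,view
2013-06-18,08:20,ma.front,P1002,view
2013-06-18,08:25,ma.front,P1003,view
2013-06-18,08:30,ma.front,P1004,view
2013-06-18,08:35,ma.front,P1005,view
2013-06-18,09:05,dr.smith,P1001,modify
2013-06-18,09:40,dr.smith,P1002,modify
2013-06-18,10:10,ma.back,P1001,modify
2013-06-18,11:00,ma.front,P1003,export
2013-06-18,12:30,dr.smith,P1004,delete
2013-06-18,23:45,ma.back,P1003,view
"""

# Hypothetical role assignments and the actions each role normally performs
# (the deck's front-office vs back-office medical assistant example).
USER_ROLES = {"dr.smith": "physician", "ma.front": "front_office_ma",
              "ma.back": "back_office_ma"}
ROLE_PERMITTED_ACTIONS = {
    "physician": {"view", "create", "modify", "export"},
    "front_office_ma": {"view", "create"},   # check-in / check-out work
    "back_office_ma": {"view", "modify"},    # documenting vital signs
}
# Assumed standard hours per user as (start_hour, end_hour), end exclusive.
STANDARD_HOURS = {"dr.smith": (7, 20), "ma.front": (7, 18), "ma.back": (7, 18)}
# Assumed baseline of distinct patients each user touches on a normal day;
# a day exceeding SPIKE_FACTOR times the baseline is flagged.
BASELINE_PATIENTS_PER_DAY = {"dr.smith": 3, "ma.front": 2, "ma.back": 2}
SPIKE_FACTOR = 2

def parse_log(text):
    """Parse comma-separated audit lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, time, user, patient, action = line.strip().split(",")
            records.append({"date": date, "time": time, "user": user,
                            "patient": patient, "action": action})
    return records

def finding(rule, user, detail):
    """One reviewable item: which rule fired, for whom, and why."""
    return {"rule": rule, "user": user, "detail": detail}

def check_abnormal_hours(records):
    """Basic method 1: access outside the user's standard hours."""
    out = []
    for r in records:
        start, end = STANDARD_HOURS.get(r["user"], (0, 24))
        if not start <= int(r["time"][:2]) < end:
            out.append(finding("abnormal_hours", r["user"],
                               f"{r['action']} {r['patient']} at {r['time']}"))
    return out

def check_patient_spike(records):
    """Basic method 2: far more distinct patients in a day than the baseline."""
    per_user_day = defaultdict(set)
    for r in records:
        per_user_day[(r["user"], r["date"])].add(r["patient"])
    out = []
    for (user, date), patients in sorted(per_user_day.items()):
        baseline = BASELINE_PATIENTS_PER_DAY.get(user)
        if baseline is not None and len(patients) > SPIKE_FACTOR * baseline:
            out.append(finding("patient_spike", user,
                               f"{len(patients)} patients on {date}, baseline {baseline}"))
    return out

def check_exports_deletions(records):
    """Basic method 3: every export or deletion is pulled out for review."""
    return [finding("export_or_delete", r["user"],
                    f"{r['action']} {r['patient']} at {r['time']}")
            for r in records if r["action"] in {"export", "delete"}]

def check_role_behavior(records):
    """Advanced method 1: an action the user's role does not normally perform."""
    out = []
    for r in records:
        permitted = ROLE_PERMITTED_ACTIONS.get(USER_ROLES.get(r["user"]), set())
        if r["action"] not in permitted:
            out.append(finding("role_behavior", r["user"],
                               f"{r['action']} {r['patient']} outside role"))
    return out

def review(text):
    """Run every check over every line; each finding is an incident to investigate."""
    records = parse_log(text)
    findings = []
    for check in (check_abnormal_hours, check_patient_spike,
                  check_exports_deletions, check_role_behavior):
        findings.extend(check(records))
    return findings

def count_by_rule(findings):
    """Summary for the incident tracking report: number of findings per rule."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)
```

Calling `review(SAMPLE_LOG)` on the constructed log yields six findings: the late-night view by ma.back, the five-patient day for ma.front against a baseline of two, the export and the deletion, and the same export and deletion again as actions outside the front-office and physician roles. Every line is examined rather than a sample, which is the 100% review the deck attributes to NIST SP 800-92; the findings list is the raw material for the security incident tracking report, and an unknown user falls through every role check and is flagged on every action.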
  27. How do I demonstrate compliance?
     • A sound policy and procedure for auditing user activity (reviewing of audit logs) outlining a clear methodology
       – Frequency and timeliness of review, as well as the extent to which logs are reviewed
       – A documented history of reviewed audit logs as well as security incident tracking reports (outlining all suspicious security incidents you've flagged for further investigation)
     • A sound policy and procedure for an incident response plan outlining how you respond to suspicious security incidents
       – Timeliness to notify/interview key personnel as well as the individual responsible
       – Who to contact and steps to take in the event that the flagged incident is in fact a Privacy Breach
       – A documented history of your investigation of flagged incidents, the results of your investigation, and the response taken (enforcing sanction policies or staff re-education as needed)
     • Education: workforce members and 3rd parties that have access to your systems must be made aware that their activity is continuously monitored
       – Must be made aware that they must comply with any further investigation needed by the Security Officer(s)
       – Are subject to Sanction Policies in the event that they have caused a privacy breach
  28. From an auditor's perspective
     • You want to demonstrate your ability to find potential security incidents regardless of whether they were a privacy breach or not
       – It demonstrates your ability to enforce HIPAA
       – Non-breaches give you valuable information about where security vulnerabilities may exist
       – After the investigation leads you to believe that the incident does not constitute a privacy breach, ask yourself: had the individual had malicious intent, could they have caused a breach?
       – Routine investigations with staff members also serve as a means to re-educate and reinforce your security posture
     • Your ability to immediately identify a breach AND immediately respond to it (within 30 days) works in your favor should you be faced with an OCR investigation
     • The use of an automated security system that reviews ALL access to ePHI is your best defense
       – The audit log review remains impartial and allows for automatic documentation
  29. Case Study
     Cedars-Sinai Medical Center, Los Angeles (June 18th-24th)
     "Medical Record Breaches Following Kardashian Birth Reveal an Ongoing Issue"
     • An automated security system was in place and immediately flagged this activity for review
     • The internal investigation and breach notification process occurred immediately after the event took place
     • 5 staff members and 1 volunteer from the adjacent Cedars-affiliated physician offices were immediately fired
     • Physicians had shared their EHR usernames and passwords with their employees to access the hospital system, in violation of hospital policy. Cedars is in the process of addressing the conduct of the physicians partly at fault and has indefinitely terminated their access.
     • How will they fare during the OCR investigation?
  30. Affirmative Defense and Good Faith Effort
     • The OCR may not impose CMPs on a CE or BA for a violation if the CE or BA establishes that the violation is:
       – Not due to willful neglect; and
       – Corrected during the 30-day period beginning on the first date the CE or BA knew, or by exercising reasonable diligence would have known, that the violation occurred.
     • However, in order to make a claim to affirmative defense, you must be able to quickly detect breaches in the first place.
  31. Re-evaluating Your Current Security Posture
     Top factors that lower overall costs as they relate to minimizing/mitigating breaches:
     1. Strong security posture (risk management and education/training)
     2. Incident response plan (incident detection/investigation and breach notification)
     3. Appointment of a CISO or equivalent position (centralizing the management of data protection)
     4. Consultants engaged to help remediate the breach
  32. Automated EHR-Centric Breach Detection
     • Impartial vs. Manual Log Review
     • HIPAA Compliance Audit Log Requirement
     • Proactive Incident & Breach Detection
     • Self Reporting & Document Storage
     • Improved HIPAA Reporting Accuracy
     • Complements EHR Security Framework
     • Time Savings (more patient focused)
     • Six (6) Year Activity Reporting § 164.316(b)(2)(i)
  33. To learn more about SPHER™ please visit:
     Stephen Salinas, Channel Manager, All Medical Solutions
     Contact Data – Tel: (310) 602-5140, Fax: (310) 531-7397
  34. Free Demo and 15 Day Evaluation – www.compliancy-
     HIPAA Hotline: 855.85HIPAA (855.854.4722)
     HIPAA Compliance • HITECH Attestation • Omnibus Rule Ready • Meaningful Use Core Measure 15