WEBINAR
ksmconsulting.com © 2017 KSM Consulting, LLC
HIPAA 101: 5 Tips to Compliance
Webinar:
HIPAA 101: 5 Steps Toward Achieving Compliance
Webinar will begin at NOON EST
Twitter: @KSMC_Consulting
@DanResnick14
Webinar Login Information:
For audio, please dial: 1.415.655.0001 # 198 812 829
Dan Resnick
Director, Cybersecurity and Compliance
• Leads the technology team in assessing cybersecurity and compliance, developing solutions for compliance, and managing security on an ongoing basis.
• 10+ years of experience providing cybersecurity solutions to the healthcare industry
• Graduate of Indiana University
• Twitter: @danresnick14
Agenda
1. HIPAA Introduction
2. Security Rule Deep Dive
3. HIPAA Objectives
4. Cost of Non-Compliance
5. 5 Tips to Achieving Compliance
Introduction to HIPAA
American Health Insurance Portability and Accountability Act of 1996
• Passed by Congress and signed by President Clinton.
• Created to provide a set of rules to be followed by doctors, hospitals, and other healthcare providers.
• Ensures that all medical records, medical billing, and patient accounts meet certain consistent standards with regards to documentation, handling, and privacy.
The main components:
• Privacy Rule
• Security Rule
• Breach Notification Rule
What does HIPAA Cover?
Activity / Purpose of Inclusion
• Transactions – Standardizes diagnostic and treatment codes, forms, and processes
• Identifiers – Standardizes the identifier code sets and numbers used in transactions
• Privacy – Addresses who can access PHI (in all forms: oral, written, electronic, etc.), how records may or may not be shared, and how the information needs to be safeguarded
• Security – Addresses how PHI (electronic only) is protected, both in storage and in transmission
Who must comply?
Covered Entities
• Provider
• Health Plan
• Healthcare Clearinghouse
Business Associates
• Accreditation
• Billing
• Claims processing
• Consulting
• Data analysis
• Financial services
• Legal services
• Management administration
A covered entity can be a business associate of another covered entity.
PII (Personally Identifiable Information) vs. PHI (Protected Health Information)
• Contact Information (email address, physical address, telephone and mobile numbers)
• Personal Characteristics (full name, date of birth, birth location, height, weight, hair/eye color, religious affiliation, ethnicity, biometric data, copy of signature, full face/body image, vehicle numbers, certificate/license)
• Social Security Number
• Government Issued Identification (driver’s license, passport, birth certificate, library card, military ID)
• Account Numbers and Financials (bank, insurance, investments, credit cards, account balance, wage & salary, tax filing, credit history)
• Medical Records Information (prescriptions, medical records, exams, images, histories)
• Verification Data (mother’s maiden name, pets’ and kids’ names, high school, passwords)
• Online Information (Facebook, social media, passwords, PINs, customer account numbers, Static IP or URL)
One additional item:
• Any other unique identifying number, characteristic, or code
Privacy and Breach Key Takeaways
Privacy
• Who is covered
– Health Plans
– Healthcare Providers
– Healthcare Clearinghouses
– Business Associates
• What information is protected
– Protected Health Information
• Permitted Uses and Disclosures
• Authorized Uses and Disclosures
• Establishing “Minimum Necessary”
• Notice and Individual Rights
• Penalties for Non-Compliance
Breach
• When to notify
• Who to notify
– Individuals
– Media
• Timeliness of notifications
HIPAA Security Rule Overview
Administrative Safeguards
• Security Management
• Security Personnel
• Information Access Management
• Workforce Training
• Evaluation
Physical Safeguards
• Facility Access and Control
• Workstation and Device Security
Technical Safeguards
• Access Control
• Audit Control
• Integrity Control
• Transmission Security
Organizational Requirements
• Covered Entity Responsibilities
• Business Associate Contracts
• Policies and Procedures
• Documentation Requirements
Required vs. Addressable
Availability
Administrative Safeguards
Control Standard / Safeguard Topics
• Security Management Process
– Risk Analysis and Management (Evaluate, Implement, Document, Maintain)
• Security Personnel
– Designate a security official who is formally responsible for security policies, procedures, and operations
• Information Access Management
– Govern access to ePHI
• Workforce Training and Management
– Provide security training and have a process to apply sanctions when violations of policy occur
• Evaluation
– Periodic assessments of the organization’s policies and procedures against the Administrative Safeguards
Physical Safeguards
Control Standard / Safeguard Topics
• Facility Access Control
– Limit physical access to facilities to only authorized individuals and supervised visitors
• Workstation and Device Security
– Define proper use of and access to workstations and electronic media
– Control the transfer, removal, disposal, and re-use of electronic media
Technical Safeguards
Control Standard / Safeguard Topics
• Access Control
– Control access to ePHI to only authorized persons
– Encryption and decryption mechanism
• Audit Controls
– Record and examine access and other activity in information systems that contain ePHI
• Integrity Controls
– Ensure that ePHI is not improperly altered or destroyed
• Transmission Security
– Technical security measures which guard against unauthorized access to ePHI that is being transmitted over an electronic network (includes encryption if appropriate)
Encryption & HIPAA
• Not technically required; however, it must be considered in the risk analysis.
• Encryption should be implemented if an entity finds it would safeguard ePHI; otherwise, implement an alternative and document the case for doing so.
• Encryption is the process of encoding data so that it can only be read back by someone holding the corresponding key.
• Ex. “HIPAA” -> 4Uzj398jw
• HIPAA is intentionally vague to allow for technology advancements.
• Relevant standards: NIST FIPS 197 (AES) and FIPS 140-2
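The Audit Controls and Integrity Controls rows above ask for two things at once: that every access to ePHI be recorded and examinable, and that records not be improperly altered or destroyed. The following is an added example, not code from the KSM Consulting deck, showing one common way to get both properties from a single log: each entry is tagged with an HMAC over its own contents and the previous entry's tag, so that editing, reordering or deleting an entry is detected on verification. The key, the patient record identifiers (MRN-0001, MRN-0002) and the sample events are all constructed for the example.

```python
"""Added example (not from the KSM Consulting deck): a tamper-evident access
audit log for a system that stores ePHI.

Each entry is chained to its predecessor with an HMAC under a secret key, so
an edited, reordered or deleted entry breaks verification. The key, record
identifiers and sample events below are constructed for this example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demo key. In production the key lives in an HSM/KMS or at least
# outside the log store, so whoever can edit the log cannot re-sign it.
AUDIT_KEY = b"demo-audit-key-do-not-use-in-production"

# Stand-in for the "previous entry" tag of the very first entry in a chain.
GENESIS_TAG = "0" * 64


def _canonical(event: dict) -> bytes:
    # Deterministic serialisation: key order and separators must not vary,
    # or the same event would produce different tags.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, actor: str, action: str, patient_record: str,
                 when: Optional[str] = None, key: bytes = AUDIT_KEY) -> dict:
    """Append one access event, tagged with an HMAC over the event and the
    previous entry's tag. Returns the entry that was appended."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    event = {
        "seq": len(log),
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,            # workforce member or service identity
        "action": action,          # e.g. read, update, export
        "record": patient_record,  # identifier of the ePHI object touched
        "prev": prev_tag,
    }
    tag = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
    entry = dict(event, tag=tag)
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = AUDIT_KEY) -> Optional[int]:
    """Walk the chain and recompute every tag.

    Returns None if the log is intact, or the sequence number of the first
    entry whose tag or chain link does not verify."""
    prev_tag = GENESIS_TAG
    for expected_seq, entry in enumerate(log):
        event = {k: v for k, v in entry.items() if k != "tag"}
        expected = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
        if (entry.get("seq") != expected_seq
                or entry.get("prev") != prev_tag
                or not hmac.compare_digest(expected, entry.get("tag", ""))):
            return expected_seq
        prev_tag = entry["tag"]
    return None


def accesses_to_record(log: list, patient_record: str) -> list:
    """The 'examine' half of Audit Controls: who touched one record, and how."""
    return [(e["ts"], e["actor"], e["action"]) for e in log
            if e["record"] == patient_record]


def demo() -> dict:
    """Build a small constructed log, then show that tampering is detected."""
    log = []
    append_entry(log, "nurse.jdoe", "read", "MRN-0001", "2017-05-01T12:00:00+00:00")
    append_entry(log, "dr.smith", "update", "MRN-0001", "2017-05-01T12:05:00+00:00")
    append_entry(log, "billing.svc", "read", "MRN-0002", "2017-05-01T12:07:00+00:00")

    intact = verify_log(log)  # None: the chain verifies

    # Someone rewrites history: change who performed the update.
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "someone.else"
    first_bad = verify_log(tampered)  # 1: entry 1 no longer verifies

    # Deleting a middle entry is caught too: entry 2 still points at the
    # removed entry's tag and now sits at the wrong sequence number.
    truncated = [log[0], log[2]]
    first_bad_after_delete = verify_log(truncated)  # 1

    return {
        "intact": intact,
        "first_bad": first_bad,
        "first_bad_after_delete": first_bad_after_delete,
        "mrn_0001_accesses": accesses_to_record(log, "MRN-0001"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the intact log verify, the edited and truncated copies fail at entry 1, and the per-record access listing that an auditor would ask for. The design choice worth noting is key separation: the HMAC only proves anything if the people and systems able to write to the log store cannot also read the signing key, which is why the comment points at a KMS or HSM rather than a file next to the log.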
Organizational Safeguards
Control Standard / Safeguard Topics
• Covered Entity Responsibilities
– CE must ensure that the BA safeguards ePHI
– Consistent use of Business Associate Contracts (or Agreements)
– BAC/BAAs must contain security language
• Policies, Procedures, and Documentation Requirements
– Create and maintain policies and procedures to comply with the Security Rule provisions
– Maintain governance documentation for six years
– Update the documentation periodically based on organizational change (at least annually)
Compliance
The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for administering and enforcing the standards.
Costs of Non-Compliance
HIPAA Violations (Breaches)
• Four different categories of violations measuring the level of neglect, ability to avoid, and actions taken to correct
• Each category carries financial penalties up to $1,500,000 per category, per year.
• State or Federal fines
• Criminal penalties can also be applied – up to 10 years in jail.
Non-Compliance Penalties
• Penalties can be imposed for any number of reasons:
– Failure to maintain documented policies and procedures
– Failure to conduct employee training on a regular basis (and documenting that it was completed)
– Failure to complete and maintain BAAs with third-party service providers
– BAAs written before 2014 need to be revised to align with Omnibus requirements
5 Key Steps Toward Achieving HIPAA Compliance
1. Implement policies and procedures
2. Data discovery and asset inventory
3. Training and awareness
4. Implementing technical controls
5. Security risk assessment
1. Policies and Procedures
• Leverage the HIPAA Audit Protocol to identify gaps in your current policy library.
• Policies should be formally and consistently documented.
– Titles, owners, effective dates, review dates, change log, revision history, links to relevant procedures
• Policies should be regularly reviewed and updated to reflect the organization’s current risk analysis, environmental changes, and regulatory requirements.
Policies and procedures create the foundation for your organization’s IT and IS operations… and success with HIPAA compliance.
2. Data Discovery and Asset Inventory
• Document what types of data your organization collects, stores, and transmits.
– This will help you identify critical systems, data repositories, and organizational units involved in the data’s lifecycle.
• Create an asset inventory to track sensitive data to the asset where the information resides. The asset inventory should include:
– End user workstations
– Asset owners
– Configuration information
– Physical/logical location mappings
• Mature asset inventories can be leveraged as evidence of the presence of encryption on a workstation or potential access within the environment based on the asset owner.
You can’t protect what you can’t find. Understanding where your sensitive data resides is the first step in protection.
3. Training and Awareness
• Your workforce should
– Know and understand HIPAA.
– Know and understand your compliance policies and procedures.
– Complete training (document and maintain it).
• Consider training your users about additional security topics (phishing, safe web browsing, password management, data security, etc.).
Educating your workforce is not only a requirement of HIPAA, it is a critical component to your security program… especially given today’s threat landscape.
End users represent the largest attack surface – and often the weakest link!
4. Implement Technical Controls
• Leverage security technologies to strengthen your program and provide greater visibility into your organization.
• Encryption, intrusion detection, audit logging, and event monitoring are all areas where tools and technologies can provide value.
• Automated technical controls (when configured properly) can be a strong mechanism to prevent and/or detect poor end user behaviors.
Not a silver bullet, but an arrow in your quiver.
5. Security Risk Assessment
• In our experience, the #1 most requested item by the OCR.
• The risk analysis report should include a clear description of the scope, audit methodology, identified risks, and remediation actions.
• There is no single approved risk assessment methodology.
Demonstrates that you understand your environment and take HIPAA security seriously.
Summary
Five Big Takeaways
1. Policies and Procedures
2. Data Discovery and Asset Inventory
3. Training and Awareness
4. Implement Technical Controls
5. Security Risk Assessment
How KSM and KSMC can help
KSM & KSMC is proud to offer a wide range of cybersecurity, operations, and financial advisory services tailored for the healthcare industry.
Valuation
▪ Benchmarking ▪ FMV/CR opinions ▪ Transaction support ▪ Compliance
Hospitals & Health Systems
• Strategy development
• Financial services
Physicians & Practices
▪ Strategy guidance
▪ Tax, financial planning
▪ Acquisition guidance
▪ Financial operations
Questions?
Webinar: HIPAA 101: 5 Steps Toward Achieving Compliance
Feel free to submit questions in the chat box on your screen.
Thank you
Dan Resnick
Director, Cybersecurity and Compliance
KSM Consulting, LLC
dresnick@ksmconsulting.com
(317) 452-1646