HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
Published in: Health & Medicine
  • Speaker note: There has been a total of $572 M paid to MI providers. Approximately ¾ are Medicare; ¼ are Medicaid. Data from www.dashboard.healthit.gov
  • HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

    1. [Title slide] MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series, Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2). February 20, 2014. In partnership with OSIS.
    2. About MPCA: Michigan Primary Care Association (MPCA) has been the voice for Health Centers and other community-based providers in Michigan since 1980. It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care. MPCA’s mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services to everyone in Michigan. www.MPCA.net, 517-381-8000
    3. About OSIS: Ohio Shared Information Services, Inc. (OSIS). We are a 501(c)3 non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide compliance/security-related, IT, EPM and EHR services to improve the quality of care delivered to the underserved population. Our security division has professionals on staff dedicated to providing information security services to transform healthcare. www.OSISSecurity.com, 513-677-5600 x1223
    4. Presented by: Jay Trinckes, CISO, OSIS • Certified Information Systems Security Professional (CISSP) • Certified Information Security Manager (CISM) • Certified in Risk and Information Systems Control (CRISC) • National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) • Author (book titles not captured in the slide text) • Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA Regional • Upcoming: PMI National Conference, Chicago, IL, May 2014 • Experience: risk assessments, vuln/pen tests, information security management, former law enforcement officer.
    5. Overview of MPCA Seminar Series: a series of five webinars to assist members with HIPAA Compliance and Meaningful Use: 1. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1); 2. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2); 3. Meaningful Use Requirements for FQHCs; 4. Preliminary Assessment Tool for FQHCs; 5. Review of Preliminary Assessment for FQHCs
    6. Webinar 2: Topics • Recap of Part 1 • Importance of Security • Administrative • Physical • Technical • Business Associates • Questions/Answers
    7. “There are only two types of companies: Those that have been hacked, and those that will be.” (Former FBI Director Robert Mueller)
    8. Recap of Part 1
    9. Overview of HIPAA/HITECH: The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as a response from Congress to: – Increase technology in healthcare – Protect against potential fraud or compromise of sensitive information – Different regulations within states contradicting federal regulations – Regional isolation (everyone doing their own thing)
    10. HITECH Act • Part of the American Recovery and Reinvestment Act (ARRA) of 2009 • The Health Information Technology for Economic and Clinical Health Act (the HITECH Act): – Revised HIPAA – Amended enforcement regulations – Stiffer penalties – Provided enforcement actions for State Attorneys General – Increased Breach Notification Rules
    11. Privacy Basics • In the most basic terms, a health center (and business associate) may NOT use or disclose protected health information except as permitted or required by the HIPAA Privacy Rule. • A health center and business associate should grant each employee the least privilege needed for that employee’s role. • These restrictions should be applied through policies and procedures that restrict access to protected health information to ‘need-to-know’, i.e. what is needed to perform their job functions.
    12. Direct Identifiers: Direct identifiers of the individual or of relatives, employers, or household members of the individual are defined under 45 CFR § 164.514(e)(2) and include the following eighteen (18) items: 1. Names; 2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to ‘000’; 3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older; 4. Telephone numbers; 5. Fax numbers; 6. Electronic mail addresses; 7. Social security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web Universal Resource Locators (URLs); 15. Internet Protocol (IP) address numbers; 16. Biometric identifiers, including finger and voice prints; 17. Full face photographic images and any comparable images; 18. Any other unique identifying number, characteristic, or code. The Omnibus Rule includes Genetic Information as Protected Health Information.
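As an added worked example (not part of the webinar, and not OSIS or MPCA code), the Python below applies the two items in the list above that need real logic, the ZIP3 rule in item 2 and the over-89 age rule in item 3, and strips the remaining direct identifiers outright. The field names, the sample records, the reference date and the RESTRICTED_ZIP3 set are constructed for illustration; the actual set of small ZIP3 areas has to be derived from current Census data.

```python
"""Safe Harbor style de-identification of one patient record.

Added example, not part of the MPCA/OSIS webinar. Field names, the sample
records, the AS_OF date and the RESTRICTED_ZIP3 set are constructed for
illustration; the real restricted-ZIP3 list must come from current Census data.
"""
from datetime import date

AS_OF = "2014-02-20"  # reference date for the age calculation (the webinar date)

# Constructed stand-in for the ZIP3 areas that contain 20,000 or fewer people.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Identifiers 1 and 4-18: removed outright; no generalization keeps them usable.
DROP_FIELDS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Fields holding dates directly related to the individual (identifier 3).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Identifier 2: keep the ZIP3 prefix, or '000' for a small ZIP3 area."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_bucket(birth_iso, as_of_iso=AS_OF):
    """Identifier 3: exact age up to 89; everything above collapses to '90+'."""
    born, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else age


def deidentify(record, as_of_iso=AS_OF):
    """Return a new dict containing only values Safe Harbor permits."""
    bucket = age_bucket(record["birth_date"], as_of_iso)
    out = {"age": bucket}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            # The birth year alone would reveal an age over 89, so drop it for that bucket.
            out["birth_year"] = None if bucket == "90+" else date.fromisoformat(value).year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            out[key] = value  # clinical data such as diagnosis codes stays
    return out


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-0001", "ssn": "000-00-0000", "zip": "03601",
     "birth_date": "1920-05-01", "admission_date": "2013-11-12", "diagnosis_code": "E11.9"},
    {"name": "John Roe", "mrn": "MRN-0002", "zip": "45202",
     "birth_date": "1980-03-15", "admission_date": "2014-01-03", "diagnosis_code": "I10"},
]


def deidentify_samples():
    """De-identify the constructed sample records."""
    return [deidentify(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in deidentify_samples():
        print(row)
```

The first sample record ends up as a "90+" age bucket with no birth year and a ZIP3 of "000"; the second keeps its ZIP3, birth year and exact age. Anything the record carries that is not in DROP_FIELDS or DATE_FIELDS passes through unchanged, so a real deployment would also need a review of the record schema against item 18 (any other unique identifying number, characteristic, or code).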
    13. Minimum Necessary • A health center and business associate must develop policies and procedures to reasonably limit its disclosures and requests for protected health information for payment and healthcare operations to the minimum necessary. • There are several different examples to demonstrate how the minimum necessary standard can be applied, but there may be an easier example of what not to do: – It would be a violation of the minimum necessary standard if a hospital employee is allowed routine, unimpeded access to patients’ medical records when that employee does not need this access to do his or her job. • Minimum necessary requirements do NOT apply to disclosures to or requests by a healthcare provider for treatment; uses or disclosures made to the individual; uses or disclosures made pursuant to an authorization; disclosures made to the Secretary; uses or disclosures that are required by law; and uses or disclosures that are required for compliance with the Privacy Rule.
    14. Administrative Requirements • Privacy Personnel Designations • Privacy Training • Administrative Safeguards • Complaint Handling • Workforce Member Sanctions • Mitigation • Retaliation • Waiver of Rights • Privacy Policies
    15. HITECH: Enforcement • Violation categories under Section 1176(a)(1), with the penalty for each violation and the cap for all such violations of an identical provision in a calendar year: (A) Did Not Know: $100 - $50,000 each; $1,500,000 cap. (B) Reasonable Cause: $1,000 - $50,000 each; $1,500,000 cap. (C)(i) Willful Neglect – Corrected: $10,000 - $50,000 each; $1,500,000 cap. (C)(ii) Willful Neglect – Not Corrected: $50,000 each; $1,500,000 cap. • [Note: State Attorneys General can also bring enforcement actions.] • OCR has collected over $50 million from enforcement • It is more cost effective to become HIPAA compliant than to risk enforcement
    16. Enforcement (cont.): US Code Title 42, Chapter 7, § 1320d-6 • Wrongful disclosure of individually identifiable health information • Offense: A person who knowingly and in violation of this part – uses or causes to be used a unique health identifier; – obtains individually identifiable health information relating to an individual; or – discloses individually identifiable health information to another person. A person described … shall: • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and • (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
    17. Privacy Rule vs. Security Rule • Security Rule: – Intended to protect Electronic Protected Health Information (EPHI) – Secure the confidentiality, integrity, and availability while allowing authorized use and disclosure: Administrative, Physical, Technical safeguards – More detailed and comprehensive • Privacy Rule: – Implement certain appropriate and reasonable safeguards to secure Protected Health Information (PHI): Administrative, Physical, Technical safeguards
    18. Required vs. Addressable • Addressable is NOT the same as optional! • Addressable means the entity must: – Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity’s environment – Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one – Document the assessments and all decisions
    19. Omnibus Rule • Effective: March 26, 2013 – 180 days to comply; deadline September 23, 2013 – Modifies the Privacy, Security, Enforcement, and Breach Notification Rules • Business Associates (and subcontractors of a BA) are now directly liable for compliance – Minimum necessary applies – Limits use/disclosure for marketing/fundraising; prohibits sale of PHI – Individuals have the right to electronic copies of health information – Right to restrict disclosure for ‘out-of-pocket’ payments – Modifies authorization for proof of immunization to schools – Enables access to decedent information (after 50 years)
    20. Omnibus Rule (cont.) • Enforcement Rule – Increased tiers for Civil Monetary Penalties (CMP); ‘willful neglect’ • Breach Notification – Removes the ‘harm’ threshold; every security incident is presumed a breach, unless a risk analysis demonstrates a low probability of compromise • Privacy Rules – include protection of genetic information • De-Identification – guidance
    21. Meaningful Use • The Centers for Medicare and Medicaid Services provide incentives (i.e. $) for the use of Electronic Health Record (EHR) Technologies • Since January 2011, an estimated $17 billion has been paid out in meaningful use incentives. • Stage 1: 15 core objectives to meet – Core 15 – determines whether a security risk analysis was conducted or reviewed as required under 45 CFR 164.308(a)(1) – In addition, security updates must be implemented • Stage 2 – Ensure adequate privacy and security protection for personal health information (same as Core 15 above); ALSO addresses the encryption/security of data stored within the EHR software – Use secure electronic messaging to communicate with patients on relevant health information
    22. Importance of Security
    23. “The state of technology security overall is so weak that intelligence officials see hacking as one of the largest threats to western powers.” (Menn 2011)
    24. Importance of Security • In January 2012, Former FBI Director Robert Mueller testified before the Senate Select Committee on Intelligence explaining that cyber-threats would surpass terrorism as the nation’s top concern. • Norton AV: 141 victims of cybercrime per minute • Total bill of cybercrime is $139 billion in the US ($388 billion globally) • Gartner: Less than 1% of cybercriminals are arrested • OCR – since September of 2009: 804 incidents affecting 29.3 million individuals. • Ponemon: The impact of medical identity theft crimes is close to $31 billion a year
    25. State of Security – Recent Ponemon Institute Survey • Small companies realize vulnerabilities, but few fully appreciate the ramifications – More worried about time/productivity lost than loss of customers or business partners, damage to reputation, or increased cost of winning new prospects – Misconceptions of consequences prevent mitigation • Insufficient people resources – 64% • Lack of in-house skilled or expert personnel – 55% • Lack of central accountability – 50% • Top 3 Threats: – Proliferation of unstructured data – 69% – Unsecure third parties including cloud providers – 65% – Not knowing where all sensitive data is located – 62% • Results indicate that companies tend to seriously underestimate potential damage and reveal a great data breach perception gap
    26. Healthcare Security • Target: healthcare information – Insurance information: able to resell access to people who don’t have insurance – Access to prescription drugs • Survey: 600 healthcare executives – 50% reported a privacy/security related issue over the last 2 years – 75% already sharing patient data (studies, post-market drug analysis, new medical programs) – Only 50% addressing security issues • Hospital Management Systems (HMS) Survey – 53% conducted the mandatory risk assessment – 58% had no dedicated staff – 50% spend less than 3% of their resources on security
    27. Data Breach Study • Causes: – 50% hacking – 49% malware – 29% physical – 17% abuse of privileges – 11% social engineering • Participants: 45% of large companies had staff that leaked data (46% of these were very/extremely serious) – 92% external – 17% insider
    28. According to a report from PricewaterhouseCoopers, LLP (PwC), “Electronic health data breaches are increasingly carried out by ‘knowledgeable insiders’ bent on identity theft or access to prescription drugs.” (Eisenberg 2011)
    29. Costs • Data security breaches cost the US healthcare industry $6.5 billion annually – 75% lack adequate funding – 48% of organizations spend less than 10% of their annual budget on security • Five categories: – Legal/Regulatory – fines/penalties, lawsuits – Financial – business distraction, remediation, communication, insurance, changing vendors – Operational – recruiting new hires, reorganization – Clinical – diagnosis delays, processing fraud, research – Reputational – loss of future patients, business partners, staff losses
    30. Medical Identity Theft • Unaware of seriousness • Fairly easy • Victims tend to be older • Hard to determine when the crime occurred • Share medical information with family
    31. Larry Ponemon, Chairman and Founder of the Ponemon Institute, stated, “Our study shows that the risk and high cost of medical identity theft are not resonating with the public, revealing a serious need for greater education and awareness.”
    32. Breach Notification Rule • Breach is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [45 CFR Subpart E – Privacy of Individually Identifiable Health Information] of this part which compromises the security or privacy of the protected health information [or poses a significant risk of financial, reputational, or other harm to the individual].” • Ponemon Survey: – Overall cost $188 per record (2012) • Healthcare $233 per record (2012) • Pharmaceutical $207 per record (2012) – Full cost of a data breach averages $5.4 million (includes account detection, notification, post-response and loss of business)
    33. Lessons Learned from Breach • Determine security posture • Assume ALL portable devices contain sensitive information • Set expectations of contractors • Security incident handling • Don’t underestimate the burden of an incident • Keep logs • Take responsibility for your actions (both individually and as an organization)
    34. Important Requirements • Administrative – Security Management Process • Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review – Security Awareness Training – Security Incident Procedures – Contingency Planning • Physical – Workstation, Device, Remote Access • Technical – Access Control, Integrity, Transmission
    35. Administrative Safeguards
    36. Administrative Safeguards • Over ½ of the HIPAA Security requirements are covered under the Administrative Safeguards • Administrative Safeguards are: – Administrative actions – Policies/Procedures • To manage security, you must measure the: – Selection of mitigating controls – Development of controls accordingly – Implementation of controls – Maintenance of controls
    37. Security Management • Must “implement policies and procedures to prevent, detect, contain, and correct security violations.” – Conduct a Risk Assessment • Risk Analysis – “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center.” • Risk Management – “implement security measures [that are] sufficient to reduce risks [to] vulnerabilities to a reasonable and appropriate level.”
    38. Sanction Policy • “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.” • Sign a statement of adherence to security policy/procedures
    39. Information System Activity Review • “regularly review records of information system activities.” – Audit logs – Access reports – Security incident tracking reports • Identify audit/activity review functionality • Can it be adequately used to monitor? • Policy to establish review – procedures to follow
    40. Assigned Security Responsibility • Security Official required • The Security Official is “responsible for the development and implementation of the [security] policies and procedures required by [the Security Rule].”
    41. Workforce Security • Covered entities and business associates must “implement [adequate] policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information.”
    42. Authorization and/or Supervision • There should be adequate implementation of “procedures for the authorization and/or supervision of workforce members who work with electronic protected health information.” – Identify roles – Based on roles, provide appropriate access levels • Workforce Clearance • Termination Procedures
    43. Information Access Management • “implement [adequate] policies and procedures for access authorization to electronic protected health information that are consistent with the applicable [Privacy Rule requirements].” • Develop a classification of information: – Protected Health Information – Confidential Information – Business Sensitive – Public Information
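The minimum necessary standard (slide 13), role-based access levels (slide 42) and the information classification on slide 43 come together in an authorization check. The Python below is an added example, not OSIS or MPCA code: it is deny-by-default (no role gets anything it is not explicitly granted), it refuses PHI access to a clinician who has no treating relationship with the patient (the "routine, unimpeded access" case on slide 13), and it writes every decision to an audit trail for later activity review. The roles, the policy table, the RELATIONSHIP_EXEMPT set and the TREATING pairs are constructed for illustration.

```python
"""Deny-by-default access check applying the 'minimum necessary' idea.

Added example, not the webinar's code. The roles, the policy table, the
exempt roles and the treating-relationship list are constructed; the
classification labels are the four from the Information Access Management slide.
"""
from collections import namedtuple

PHI, CONFIDENTIAL, BUSINESS_SENSITIVE, PUBLIC = "phi", "confidential", "business_sensitive", "public"

# Constructed policy: role -> classification -> permitted actions.
# Anything not listed here is denied; there is no default grant.
POLICY = {
    "clinician":  {PHI: {"read", "write"}, CONFIDENTIAL: {"read"}, PUBLIC: {"read"}},
    "billing":    {PHI: {"read"}, BUSINESS_SENSITIVE: {"read", "write"}, PUBLIC: {"read"}},
    "front_desk": {CONFIDENTIAL: {"read"}, PUBLIC: {"read"}},
    "it_admin":   {PUBLIC: {"read"}},   # routine PHI access is not part of the job
}

# Constructed: roles whose PHI use is payment work across all patients,
# so it does not depend on a treating relationship.
RELATIONSHIP_EXEMPT = {"billing"}

# Constructed: (user, patient) pairs with a current treating relationship.
TREATING = {("dr_lee", "P-1001"), ("dr_lee", "P-1002"), ("nurse_kim", "P-1001")}

Decision = namedtuple("Decision", "allowed reason")
AUDIT_TRAIL = []   # every decision is recorded for the information system activity review


def check_access(user, role, classification, action, patient_id=None):
    """Decide one request and append the decision to the audit trail."""
    permitted = POLICY.get(role, {}).get(classification, set())
    if action not in permitted:
        decision = Decision(False, f"role {role} has no {action} right on {classification} data")
    elif (classification == PHI and role not in RELATIONSHIP_EXEMPT
          and (user, patient_id) not in TREATING):
        # A valid clinical role still only reaches the patients that user treats.
        decision = Decision(False, f"{user} has no treating relationship with {patient_id}")
    else:
        decision = Decision(True, "permitted")
    AUDIT_TRAIL.append((user, role, classification, action, patient_id, decision.allowed))
    return decision


if __name__ == "__main__":
    print(check_access("dr_lee", "clinician", PHI, "read", "P-1001"))   # permitted
    print(check_access("dr_lee", "clinician", PHI, "read", "P-9999"))   # no relationship
    print(check_access("sam", "it_admin", PHI, "read", "P-1001"))       # role lacks right
```

The two denial reasons are deliberately distinct: the first is a policy gap that the Security Official should review, the second is the routine case where a legitimate user asks for a record outside their panel, which is exactly what an access report review (slide 39) should be able to pick out.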
    44. Security Awareness Training • A health center should provide adequate security awareness training to all members of its workforce, including management or executive level personnel. – Security Reminders – “periodic security updates” – Protection from Malicious Software – There should be adequate procedures in place for “guarding against” malicious software.
    45. Log-in Monitoring • To verify that appropriate access is being maintained, the covered entity/business associate should have adequate procedures in place to monitor any log-in attempts. • No Expectation of Privacy
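Log-in monitoring (slide 45) and the information system activity review on slide 39 both need a routine that reads the logs and surfaces what a reviewer should look at. The Python below is an added example, not the webinar's: it parses constructed authentication and EHR access log lines and flags repeated failed log-ins for one account, a successful log-in right after such a burst, PHI access by an account that should already have been disabled, and PHI access outside business hours. The log format, the thresholds, the business-hours window and the TERMINATED set are all constructed; adapt the regular expression to the real system's audit log.

```python
"""Review constructed log-in and PHI access log lines for reviewable events.

Added example, not the webinar's code. Log format, sample lines, thresholds,
business hours and the TERMINATED account set are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>LOGIN_OK|LOGIN_FAIL|PHI_ACCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: record=(?P<record>\S+))?$"
)

FAIL_THRESHOLD = 5                    # failures within the window that trigger a finding
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)              # 07:00 to 18:59 local time (constructed)
TERMINATED = {"jsmith"}               # accounts that should have been disabled (constructed)


def parse(lines):
    """Return parsed events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def review(lines):
    """Return (finding_type, user, detail) tuples in time order."""
    findings = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures inside the window
    for e in sorted(parse(lines), key=lambda ev: ev["ts"]):
        user, ts = e["user"], e["ts"]
        if e["event"] == "LOGIN_FAIL":
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(recent_fails[user]) == FAIL_THRESHOLD:
                findings.append(("repeated_failures", user, e["src"]))
        elif e["event"] == "LOGIN_OK":
            if len(recent_fails[user]) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", user, e["src"]))
            recent_fails[user] = []
        elif e["event"] == "PHI_ACCESS":
            if user in TERMINATED:
                findings.append(("terminated_account_access", user, e["record"]))
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append(("after_hours_access", user, e["record"]))
    return findings


# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
2014-02-19 08:02:11 LOGIN_OK user=dr_lee src=10.1.4.22
2014-02-19 08:05:40 PHI_ACCESS user=dr_lee src=10.1.4.22 record=P-1001
2014-02-19 21:14:03 PHI_ACCESS user=dr_lee src=10.1.4.22 record=P-1002
2014-02-19 23:40:01 LOGIN_FAIL user=billing01 src=203.0.113.9
2014-02-19 23:40:05 LOGIN_FAIL user=billing01 src=203.0.113.9
2014-02-19 23:40:09 LOGIN_FAIL user=billing01 src=203.0.113.9
2014-02-19 23:40:14 LOGIN_FAIL user=billing01 src=203.0.113.9
2014-02-19 23:40:20 LOGIN_FAIL user=billing01 src=203.0.113.9
2014-02-19 23:40:31 LOGIN_OK user=billing01 src=203.0.113.9
2014-02-20 09:15:00 PHI_ACCESS user=jsmith src=10.1.7.5 record=P-1001
this line does not match the format and is skipped
""".splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The sample produces four findings: an after-hours record access, a burst of five failures on one account, a successful log-in immediately after that burst, and a record access by an account in the TERMINATED set. The last one is the check that ties log review back to the termination procedures on slide 42: the review should compare access logs against the list of workforce members who have left.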
    46. Password Management • Procedures in place for “creating, changing, and safeguarding passwords”. – Use unique, complex passwords – Commit passwords to memory – Do NOT write passwords down in unsecured locations – Do NOT share passwords with anyone – Authenticate users
    47. Security Incident • Security incidents are those situations where it is believed that protected health information has been used or disclosed in an unauthorized fashion. – Actual unauthorized access, use, or disclosure – Interference with system operations (Denial of Service) • According to a report by Solutionary, a security service provider, companies pay $6,500 an hour during a DDoS attack and up to $3,000 a day to mitigate/recover from malware infections.
    48. Contingency Plan • Need to be able to sustain or resume business during or after an emergency. • Implement adequate policies and procedures, as needed, to respond to emergencies or other situations that could cause damage to systems that contain electronic protected health information: – Fire – Vandalism – System failures – Natural disasters
    49. Physical Safeguards
    50. Physical Safeguards – First Layer of Defense • Physical Layer – Controls over physical access – Procedures for and maintenance of documents/hardware • Two areas: – Facility Access Control – Device/Media Controls • Physical security requires a total commitment to a CULTURE of security and an adherence to the principles of physical security: – Proper Identification – Proper Authorization – Need to Know; Minimum Use • “60% of all theft is committed by internal staff”
    51. Facility Access Control • Policies/Procedures – Cover all staff members, visitors, business associates, contractors, subcontractors (anyone entering the facility) • The goal of physical and environmental protection is to secure protected health information along with the security of the facility and the workforce members working within the facility.
    52. Workstation Use • Asset Inventory – can’t protect what you don’t know you have – Includes workstations, laptops, PDAs, tablets, smart phones, printers, typewriters, etc. • Minimum Necessary Rule applies – Physical controls to lock down mobile devices – Technical controls to restrict devices/users – Restricted access to the Internet
    53. Device and Media Controls • Hardware and electronic media include: – Hard drives; – Magnetic tapes or disks; – Optical disks; – Digital memory cards; – Removable thumb drives; or – Any other items that may contain electronic protected health information.
    54. Controls • Wiping/Degaussing • Encryption • Password protection • Tracking • USB Controls/Data Loss Protection (DLP)
    55. Remote Use and Mobile Devices: “There have been a number of security incidents related to the use of laptops, other portable and/or mobile devices and external hardware that store, contain or are used to access Electronic Protected Health Information (EPHI) under the responsibility of a HIPAA covered entity. All covered entities are required to be in compliance with the HIPAA Security Rule, which includes, among its requirements, reviewing and modifying, where necessary, security policies and procedures on a regular basis. This is particularly relevant for organizations that allow remote access to EPHI through portable devices or on external systems or hardware not owned or managed by the covered entity.” (The Department of Health and Human Services 2006)
    56. Social Engineering: “any act that influences a person to take an action that may or may not be against their best interest.” Examples (shown on the slide; not captured in the text)
    57. Tips to Avoid SE: 1. Learn to identify social engineering attacks 2. Security awareness should be personal and interactive 3. Understand the value of the information they possess 4. Updates are essential 5. Develop scripts 6. Have and learn from social engineering assessments. Credit: Chris Hadnagy, Social Engineering: The Art of Human Hacking
    58. Personnel Security • Be aware of surroundings • Attempt to travel in groups and not alone • Stay in lighted areas • Take different routes; change up routine • Out of Town Travel – Stay at reputable hotels – Take special care and control over equipment/information – Key cards (magnetic swipes) – Door stops – Talking on phone
    59. Laws of Security • Law #1: If a malicious individual persuades a user to run his/her program on their computer, it is no longer their computer. • Law #2: If a malicious individual can alter the operating system of a user's computer, it is no longer their computer. • Law #3: If a malicious individual has physical access to a user's computer, it is no longer their computer. • Law #4: If a user allows a malicious individual to upload programs to their website, it isn't their website anymore. • Law #5: Strong security is always undermined by weak passwords.
    60. Laws of Security (cont.) • Law #6: Treat your system administrators well and make sure they can be trusted, since a computer is only as secure as the administrator makes it. • Law #7: The decryption key determines how securely your data is encrypted. (If you use a weak encryption algorithm or don't secure the keys, encryption is worthless.) • Law #8: Keep your virus scanners up to date, since an old .dat file is only slightly better than having no virus scanner installed at all. • Law #9: It is very difficult to be anonymous in the real world and on the web. (Your behaviors will determine the level of privacy you will have.)
    61. Law #10: “Security is a process… NOT a product.” (phrase coined by Bruce Schneier)
    62. Technical Safeguards
    63. Technical Safeguards • The objective of these safeguards is to mitigate the risk of electronic protected health information being used or disclosed in an unauthorized manner. • CIA Triad – Confidentiality – Integrity – Availability
    64. Risk Assessment • The covered entity (and business associate) are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” • Will discuss more in webinar 3
    65. Access Control • Allow access to only those that are authorized – Includes software programs – Data in databases • Controls on: – Workstations – Laptops – Servers – Network (through firewalls/routers)
    66. Unique User Identification • Every workforce member must have a unique user identifier (i.e. username) when accessing information • Account Management includes: – Account Establishment – Account Activation – Account Modification – Account Termination – Account Removal
    67. Emergency Access Procedure • Emergency procedures should contain methods of supporting continued operations in situations that affect normal operations. • It should be determined whether the information systems can fail over automatically to emergency configurations, or whether a workforce member will have to configure these failover procedures manually.
    68. Automatic Logoff • Health centers should implement an automatic logoff of information systems after a period of workforce member inactivity. – Generally, 10 minutes • The automatic logoff feature should be activated on all workstations (and software) with access to electronic protected health information.
    69. Encryption/Decryption • A covered entity (and business associate) needs to identify or address all electronic protected health information that requires encryption so that it is restricted from access by individuals or other software programs that may not be granted access rights to this information. • Reasonable/Appropriate • State of Data – Stored – Processed – In transit
    70. Audit Controls • A health center is required to implement audit control mechanisms that are reasonably implemented to record and examine activity in information systems that contain or use electronic protected health information. – Established by the risk assessment – Can take up a lot of hard drive space – Need to be flexible, but account for important items – Need to be reviewed
    71. Integrity • Deals with alteration or modification of data • Awareness – Training – Audit Trails – Sanctions • Risk Assessment identifies possible unauthorized modification areas • Backups
    72. Authentication • An authorized individual is required to present something that only they would know prior to gaining access; • An authorized individual is required to present something that only they would have prior to gaining access; or • The authorized individual presents something unique to only that individual prior to gaining access.
    73. Transmission Security • A health center needs to implement adequate technical security measures to guard against unauthorized access to electronic protected health information being transmitted over an electronic communications network. • Restrict certain protocols (SNMP, Finger, TFTP)
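Restricting the protocols named on slide 73 starts with knowing where they are listening. The Python below is an added example, not OSIS or MPCA code: it reads a snapshot of listening sockets in the column layout of `ss -lntu` (Linux) and reports any SNMP, Finger or TFTP listener, noting whether it is bound to loopback only or exposed on the network. The snapshot lines are constructed here; on a real host, feed the output of the actual command to audit_listeners() and treat each network-exposed finding as an item for the risk assessment (disable the service, or restrict it at the host and network firewalls).

```python
"""Flag listening services for the protocols the slide says to restrict.

Added example, not the webinar's code. The SNAPSHOT lines imitate the column
layout of `ss -lntu` but are constructed; the RESTRICTED table maps the
well-known ports for SNMP, Finger and TFTP to a label.
"""

# (protocol, port) -> service name. Constructed table of the slide's three protocols.
RESTRICTED = {
    ("udp", 161): "SNMP (agent)",
    ("udp", 162): "SNMP (trap receiver)",
    ("tcp", 79): "Finger",
    ("udp", 69): "TFTP",
}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss_line(line):
    """Return (proto, local_host, port) for one `ss -lntu`-style line, else None."""
    parts = line.split()
    # Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
        return None                      # header line or something we do not audit
    host, _, port = parts[4].rpartition(":")   # rpartition copes with [::]:161 too
    if not port.isdigit():
        return None
    return parts[0], host, int(port)


def audit_listeners(lines):
    """Return (service, proto, port, exposure) for every restricted listener."""
    findings = []
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, host, port = parsed
        service = RESTRICTED.get((proto, port))
        if service:
            exposure = "loopback only" if host in LOOPBACK else "network-exposed"
            findings.append((service, proto, port, exposure))
    return findings


# Constructed snapshot; not the output of any real host.
SNAPSHOT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:79         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:69       0.0.0.0:*
udp   UNCONN 0      0      [::]:5353          [::]:*
""".splitlines()

if __name__ == "__main__":
    for finding in audit_listeners(SNAPSHOT):
        print(finding)
```

On the constructed snapshot the audit reports a network-exposed Finger listener, a network-exposed SNMP agent and a loopback-only TFTP listener; the first two are the ones that need attention under slide 73, while the third is an item to confirm rather than an exposure. Non-standard ports are not caught by a port table, so the check complements, and does not replace, the vulnerability scans listed on slide 82.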
    74. “Results require action, not excuses!” (Amy Cotta)
    75. Business Associates
    76. Business Associates • Omnibus Rule: – Directly liable – Implement administrative, physical, and technical safeguards to protect the CIA of EPHI – A BA is any organization that creates, receives, maintains, or transmits PHI on the health center’s behalf • Any agent or subcontractor of a BA is also considered a BA – The agent must enter into a BAA with the subcontractor to comply with the HIPAA Security Rules and applicable Privacy Rules
    77. Examples of Business Associates • Companies that provide certain types of functions, activities, and services to covered entities: – Claims Processing; – Data Analysis; – Utilization review; – Billing; – Legal Services; – Accounting/financial services; – Consulting; – Administrative; – Accreditation; or – Other related services • Omnibus Rule added: – Patient Safety Organizations – Health Information Organizations, E-Prescribing Gateways, other data transmission services that require routine access – Persons that offer personal health records to one or more individuals on behalf of a health center
    78. Business Associate • As required by 45 CFR § 164.308(b)(1), a covered entity should obtain “satisfactory assurance” that their business associates will “appropriately safeguard the electronic protected health information created, received, maintained, or transmitted on the covered entity’s behalf.” • Although ‘satisfactory assurance’ is met through a ‘written contract or other arrangement’, it is recommended that the same level of due diligence met by the covered entity to secure electronic protected health information is being met by the business associate. – Omnibus Rule
    79. Business Associate Contracts • BA agrees not to use/disclose PHI other than as permitted (explain what is permitted) • Use appropriate safeguards • Ensure subcontractors agree to the same restrictions/safeguards • Availability to the health center • Additional amendments • Accounting of disclosures • Make practices available to the Secretary of HHS for purposes of determining compliance
    80. Business Associate Contracts (cont.) • Report any security incident – Omnibus Rule: reporting of breaches of unsecured protected health information • Termination clause – Omnibus Rule: the BA is obligated to follow the standards under the HIPAA Security Rule and must also follow applicable HIPAA Privacy Rules • Consider the costs of a breach • Consider the right to audit
    81. Summary • Assume an audit will happen • Conduct a Risk Assessment • Update Policies/Procedures • Revise BAAs and conduct Due Diligence • Train and Educate • Evaluate • Document, Document, Document
    82. Service Offerings • HIPAA Compliance Program • HIPAA/HITECH Information Systems Security Risk Assessment • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Internal/External Vulnerability/Penetration Test • Organizational Requirements • Policies, Procedures, & Documentation Requirements • Policies/Procedures • Security Awareness Training • Mitigation Management • Vendor Due Diligence • Security Incident Response Handling • Business Continuity/Disaster Recovery Planning • Subject Matter Expertise
    83. Questions: Jay@OSISSecurity.com, 513-707-1623 (direct)
    84. [Closing slide] Next: MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series, Webinar 3: Meaningful Use Requirements for FQHCs from the Security Risk Aspect. Thursday, March 6, 2014, 2pm – 3pm EST. In partnership with OSIS.