HITECH Act - Privacy & Security Solution


Verizon's solution for addressing the HITECH Act's Privacy and Security requirements. All US organizations (healthcare providers, payers, and partners/business associates) that store or process Protected Healthcare Information (PHI) must comply with this federal law.

  • No max penalty
    Willful neglect
    Must authorize and define the use of PHI in contracts with partners
    10% reduction in Medicare reimbursements if organization is not HIPAA compliant
    Subtitle D of HITECH is Privacy
  • Disincentives in later years of HITECH for non-Meaningful Users
  • [WSJ, 02/02/09]
    Notices must be sent within 60 days
    Overrides FTC Red Flags
  • Administrative, physical and technical
    BAs are now within the jurisdiction of HHS
    Goes into effect on 02/18/2010
    Reduces the risk on CEs (by shifting some of it to BAs)
  • Other = HITECH/HIPAA-compliant Smart Centers, Secure Messaging, etc.
  • For the latest version, please contact Omar Khawaja
    Verizon Business manages 260,000-plus security, network and hosting devices across more than 4,200 customer networks in 142 countries and territories.
    Privacy Rights has tracked only 263 million breached records from Jan '05 to July '09
    Threat & Vulnerability Intel: track and analyze new software vulnerabilities and related attacks
    Underground Intel: watch discussions, code sharing, planning... Historically BBS, then Usenet, now more IRC and cons...
    ICSA Labs Intel: security product testing and security consortia operations. 400+ products
    Forensics Intel: data and intel from forensics investigations (200+ cases per year).
    MSS Intel: data from IDS, FW, IPS, applications... Management & monitoring SOC operations
    Net Intel: data from backbone. Sensors on more than 1 million VzB addresses. Netflow, honey nets, honey pots...
    Studies & Surveys: VzB studies, surveys (10+/yr), others' published data to drive risk models, equations & methodology
  • OCR = Office of Civil Rights
    HHS = Health and Human Services
    State attorneys general can bring civil action in federal court on behalf of residents whose privacy has been violated
    (Independent of ARRA) HHS assigned to the OCR responsibility for enforcing HIPAA Security Rule (in addition to Privacy Rule)
  • Dec09
  • HITECH Act - Privacy & Security Solution

    1. HITECH Act Privacy & Security Solution
       Omar Khawaja, omar.khawaja@verizonbusiness.com, Global Product Management, November 2010

    2. HITECH Act Overview
       HITECH = Health Information Technology for Economic and Clinical Health
       • Title 13 of ARRA
       • $20B
       • Objectives
         – Develop standards by 2010 for electronic exchange of healthcare information
         – Incentives to encourage doctors and hospitals to digitize
         – Save government $10B
         – Strengthen privacy and security to protect PHI
       • Expanded scope of HIPAA in HITECH
         1. Mandates public notification of data breaches
         2. Stricter compliance and accounting for ePHI requests
         3. Responsibility for managing PHI at Business Associates
       • Stiff enforcement, penalties: $50k to $1.5MM per violation

    3. Background: "Meaningful Use"
       • Criteria that need to be met by healthcare providers to qualify for HITECH grants and incentives
       • CMS provides $18B in reimbursement incentives for "meaningful users"
       • Five Policy Priorities to establish Meaningful Use:
         1. Improved Quality, Safety, and Efficiency
         2. Engage Patients and Families
         3. Improve Care Coordination
         4. Improve Public Health
         5. Ensure Privacy & Security of PHI
       • Care Goals
       • Set of Objectives & Measures for Each Two-Year Window (2011, 2013, and 2015)

    4. New Security Requirement 1: Breach Notification

    5. New Security Requirement 2: ePHI Accounting

    6. Background: What is a Business Associate?
       • Person or entity that performs certain functions or activities that involve the use or disclosure of PHI
       • Works on behalf of, or provides services to, a Covered Entity (CE)
       • A member of the CE's workforce is not a BA
       • May include:
         – Accountants
         – Consultants
         – Pharmacy
         – Payers (health insurance provider)
         – Labs (e.g. LabCorp)
         – Software Vendors (EHR, PHR, etc.)
         – HIOs, RHIOs, HIEs
       • How many BAs?
         – United Healthcare Group: 3600+ BAs
         – Humana: 2400+ BAs
         – Medco: ~900 BAs

    7. New Security Requirement 3: Business Associates

    8. Verizon's HITECH Solution: How it all comes together...
       • Prepare for Compliance
         – Compliance Strategy
         – Compliance Review
         – Readiness Assessment
         – Data Discovery
       • Obtain Compliance
         – Remediation
         – Assessments for... Company, Business Associates, Products
       • Maintain Compliance
       SMP-H, Consulting Services, Managed Services, Data Discovery, HITRUST

    9. Why Verizon? Indisputable Reputation
       Transfer effective best practices that have proven to work, based on 1700+ security engagements delivered in 2008

    10. Why Verizon? Leading Provider of Security Solutions
        Industry Recognition
        • Verizon is the leading global MSSP (Gartner, Forrester)
        • Verizon security consultants actively participate in 20+ security industry specific organizations
        • Verizon Security Consulting practice recognized as a Strong Performer (Forrester)
        • ICSA Labs is the industry standard for certifying security products
        Credentials
        • BSI Associate Consultant for ISO 27001 and BS 25999
        • PCI ASV, QSA and PA-QSA
        • CREST approved penetration tester
        • HITRUST Qualified CSF Assessor and member of Leadership Roundtable
        Global Reach
        • 500+ dedicated security consultants based in 23 countries that speak 24 languages
        • Serve 77% of Forbes Global 2000
        • 7 sources of risk intelligence
        Experience
        • Investigated breaches involving 900+ million records
        • Verizon SMP is the oldest security certification program in the industry
        • Provide national identity solutions in over 25 countries
        • Provide services to 78% of Fortune 100
        • Delivered 1800+ security consulting engagements in 2009

    11. Finally...
        • The Federal Government is serious
          – Apr '03 – Feb '09: 42k HIPAA complaints, 0 penalties
          – May '09: Kaiser fined $250k for privacy breach
          – Security of PHI is required for Meaningful Use
        • Lack of security is costly
          – Aug '08: LensCrafters settles class action suit for $20m
          – Jan '09: VA to pay $20m for privacy breach
          – Individuals (not just organizations) are on the hook
        • Why VzB?
          – VzB already has the services to address HITECH Privacy and Security
          – VzB has 2800+ healthcare customers
          – VzB has a dedicated Healthcare Solutions team
          – Transfer knowledge based on 1800+ security consulting engagements in 2009 alone

    12. ADDITIONAL SLIDES: For even more information...

    13. HITECH Act Enforcement and Penalties
        • Criminal penalties can now be applied to individuals (not just companies)
        • New system of civil monetary penalties that incorporates the concept of "willful neglect"
        • Establishment of a methodology to distribute to harmed individuals a portion of civil penalties collected
        • State attorneys general can bring civil action on behalf of residents whose privacy has been violated
        • Requires HHS secretary to periodically audit CEs, BAs
        • OCR responsible for enforcing HIPAA Security and Privacy Rules

    14. HITRUST-VzB Relationship