WEBINAR: HIPAA 101: Five Steps Toward Achieving Compliance

1WEBINAR
ksmconsulting.com© 2017 KSM Consulting, LLC
HIPAA 101: 5 Tips to Compliance
Webinar:
HIPAA 101: 5 Steps Toward Achieving Compliance
Webinar will begin at NOON EST
Twitter: @KSMC_Consulting
@DanResnick14
Webinar Login Information:
For audio, please dial: 1.415.655.0001 # 198 812 829

2WEBINAR
HIPAA 101

3WEBINAR
Director, Cybersecurity and Compliance
• Leads the technology team in assessing
cybersecurity and compliance, developing solutions
for compliance, and managing security ongoing.
• 10+ experience providing cybersecurity solutions to
the healthcare industry
• Graduate of Indiana University
• Twitter: @danresnick14
Dan Resnick

4WEBINAR
Agenda
HIPAA Introduction
Security Rule Deep Dive
HIPAA Objectives
Cost of Non-Compliance
WEBINAR
1.
2.
4.
3.
5 Tips to Achieving
Compliance
5.

5WEBINAR
Introduction to HIPAA

6WEBINAR
American Health Insurance Portability and
Accountability Act of 1996
• Passed by Congress and signed by President Clinton.
• Created to provide a set of rules to be followed by
doctors, hospitals, and other healthcare providers.
• Ensures that all medical records, medical billing, and
patient accounts meet certain consistent standards
with regards to documentation, handling, and privacy.
Introduction to HIPAA
The main components:
• Privacy Rule
• Security Rule
• Breach Notification Rule

7WEBINAR
What does HIPAA Cover?
Activity Purpose of Inclusion
Transactions Standardizes diagnostic and treatment codes, forms, and processes
Identifiers Standardizes the identifier code sets and numbers used in transactions
Privacy
Addresses who can access PHI (in all forms – oral, written, electronic, etc.), how
records may be shared or may not be shared, and how the information needs to be
safeguarded
Security
Addresses how PHI (electronic only) is protected, both in storage and in
transmission

8WEBINAR
Who must comply?
A covered entity can be a
business associate of
another covered entity.
Covered
Entities
Provider
Health Plan
Healthcare
Clearinghouse
Business
Associates
Accreditation
Billing
Claims
processing
Consulting
Data analysis
Financial
services
Legal services
Management
administration

9WEBINAR
PII vs. PHI Contact Information
(email address, physical address,
telephone and mobile numbers)
Personal Characteristics
(full name, date of birth, birth location,
height, weight, hair/eye color, religious
affiliation, ethnicity, biometric data, copy of
signature, full face/body image, vehicle
numbers, certificate/license)
Social Security Number
Government Issued Identification
(driver’s license, passport, birth certificate,
library card, military ID)
Account Numbers and Financials
(bank, insurance, investments, credit
cards, account balance, wage & salary,
tax filing, credit history)
Medical Records Information
(prescriptions, medical records,
exams, images, histories)
Verification Data
(mother’s maiden name, pets’ and
kids’ names, high school,
passwords)
Online Information
(Facebook, social media,
passwords, PINs, customer
account numbers, Static IP or
URL)
One additional item
• Any other unique identifying
number, characteristic, or code
(Personally Identifiable Information) vs.
(Protected Health Information)

10WEBINAR
Objectives of HIPAA

11WEBINAR
Privacy and Breach Key Takeaways
• Who is covered
– Health Plans
– Healthcare Providers
– Healthcare Clearinghouses
– Business Associates
• What information is protected
– Protected Health Information
• Permitted Uses and Disclosures
• Authorized Uses and Disclosures
• Establishing “Minimum Necessary”
• Notice and Individual Rights
• Penalties for Non-Compliance
Privacy
• When to notify
• Who to notify
– Individuals
– Media
• Timeliness of notifications
Breach

12WEBINAR
HIPAA Security Rule Overview
Administrative
Safeguards
• Security Management
• Security Personnel
• Information Access
Management
• Workforce Training
• Evaluation
Physical Safeguards
• Facility Access and Control
• Workstation and Device
Security
Technical
Safeguards
• Access Control
• Audit Control
• Integrity Control
• Transmission Security
Organizational
Requirements
• Covered Entity
Responsibilities
• Business Associate
Contracts
• Policies and
Procedures
• Documentation
Requirements
Required
Addressable
Availability
vs.

13WEBINAR
Deep Dive into the
HIPAA Security Rule

14WEBINAR
Control Standard Safeguard Topics
Security Personnel
Designate a security official who is
formally responsible for security policies,
procedures, and operations
Information Access Management Govern access to ePHI
Workforce Training and
Management
Provide security training and have a
process to apply sanctions when violations
of policy occur
Evaluation
Periodic assessments of the organization’s
policies and procedures against the
Administrative Safeguards
Security Management Process Risk Analysis and Management
Administrative Safeguards
Evaluate
Implement
Document
Maintain
Risk Analysis
and Management

15WEBINAR
Physical Safeguards
Facility Access Control
Limit physical access to facilities to only authorized individuals and
supervised visitors
Workstation and Device Security
Define proper use of and access to workstations and electronic media
Control the transfer, removal, disposal, and re-use of electronic media

16WEBINAR
Technical Safeguards
Encryption & HIPAA
• Not technically required, however, it must be
considered in the risk analysis…
• Encryption should be implemented if an entity
finds it would safeguard ePHI, or implement
an alternative and document the case for
doing so.
• Encryption is the process of encoding.
• Ex. “HIPAA” -> 4Uzj398jw
• HIPAA is intentionally vague to allow for
technology advancements
• NIST FIPS 197 (AES) and FIPS 140-2
Access Control
Control access to ePHI to only authorized
persons
Encryption and decryption mechanism
Audit Controls
Record and examine access and other
activity in information systems that contain
ePHI
Integrity Controls
Ensure that ePHI is not improperly altered or
destroyed
Transmission
Security
Technical security measures which guard
against unauthorized access to ePHI that is
being transmitted over an electronic network
(includes encryption if appropriate)

17WEBINAR
Organizational Safeguards
Covered Entity Responsibilities
CE must ensure that the BA safeguards ePHI
Consistent use of Business Associate Contracts (or Agreements)
BAC/BAA’s must contain security language
Policies, Procedures, and
Documentation Requirements
Create and maintain policies and procedures to comply with the Security
Rule provisions
Maintain governance documentation for six years
Update the documentation periodically based on organizational change (at
least annually)
Compliance
The Department of Health and Human Services (HHS), Office for Civil Rights
(OCR) is responsible for administering and enforcing the standards

18WEBINAR
The Costs of
Non-Compliance

19WEBINAR
Costs of Non-Compliance
• Four different categories of
violations measuring the level of
neglect, ability to avoid, and
actions taken to correct
• Each category carries financial
penalties up to $1,500,000 per
category, per year.
• State or Federal fines
• Criminal penalties can also be
applied – up to 10 years in jail.
HIPAA Violations (Breaches) Non-Compliance Penalties
• Penalties can be imposed for any
number of reasons:
• Failure to maintain documented
policies and procedures
• Failure to conduct employee training
on a regular basis (and documenting
that it was completed)
• Failure to complete and maintain
BAAs with third-party service providers
• BAAs written before 2014 need to be
revised to align with Omnibus
requirements

20WEBINAR
5 Key Steps Toward
Achieving HIPAA
Compliance

21WEBINAR
5 Key Steps Toward
Achieving HIPAA Compliance
Implement policies and procedures
Data discovery and asset inventory
Training and awareness
Implementing technical controls
Security risk assessment
1
2
3
4
5

22WEBINAR
Policies and Procedures
• Leverage the HIPAA Audit Protocol to identify gaps in your current policy library.
• Policies should be formally and consistently documented.
– Titles, owners, effective dates, review dates, change log, revision history, links to relevant
procedures
• Policies should be regularly reviewed and updated to reflect the organization’s
current risk analysis, environmental changes, and regulatory requirements.
Policies and procedures create the foundation for your organization’s IT and IS
operations… and success with HIPAA compliance.
1

23WEBINAR
Data Discovery and Asset Inventory
• Document what types of data your organization collects, stores, and transmits.
– This will help you identify critical systems, data repositories, and organizational units involved
in the data’s lifecycle.
• Create an asset inventory to track sensitive data to the asset where the information resides. The
asset inventory should include:
End user workstations | Asset owners | Configuration information | Physical/logical location
mappings.
• Mature asset inventories can be leveraged as evidence of the presence of encryption on a
workstation or potential access within the environment based on the asset owner.
You can’t protect what you can’t find. Understanding where your sensitive
data resides is the first step in protection.
2

24WEBINAR
Training and Awareness
• Your workforce should
– Know and understand HIPAA.
– Know and understand your compliance policies and
procedures.
– Complete training (document and maintain it).
• Consider training your users about additional security
topics (phishing, safe web browsing, password
management, data security, etc.).
Educating your workforce is not only a requirement of HIPAA, it is a critical
component to your security program…especially given today’s threat landscape.
End users represent
the largest attack
surface – and often
the weakest link!
3

25WEBINAR
Implement Technical Controls
• Leverage security technologies to strengthen your program and provide greater
visibility into your organization.
• Encryption, intrusion detection, audit logging, event monitoring are all areas where
tools and technologies can provide value.
• Automated technical controls (when configured properly) can be a strong mechanism
to prevent and/or detect poor end user behaviors.
Not a silver bullet, but an arrow in your quiver.
4

26WEBINAR
Security Risk Assessment
• In our experience, the #1 most requested item by the OCR.
• The risk analysis report should include a clear description on the scope, audit
methodology, identified risks, and remediation actions.
• There is no single approved risk assessment methodology.
Demonstrates that you understand your environment and take HIPAA security
seriously.
5

27WEBINAR
Summary

28WEBINAR
HIPAA 101: 5 Tips to Compliance 28
Summary
Five Big Takeaways
1
Policies and
Procedures
2
Data Discovery
and Asset
Inventory
3
Training and
Awareness
4
Implement
Technical
Controls
5
Security Risk
Assessment

29WEBINAR
KSM & KSMC is proud to offer a wide range of cybersecurity, operations, and
financial advisory services tailored for the healthcare industry.
How KSM and KSMC can help
Valuation
▪ Benchmarking ▪ FMV/CR opinions ▪ Transaction support ▪ Compliance
Hospitals & Health Systems
• Strategy development
• Financial services
Physicians & Practices
▪ Strategy guidance
▪ Tax, financial planning
▪ Acquisition guidance
▪ Financial operations

30WEBINAR
Feel free to submit questions in the chat box on your screen.
Webinar: HIPAA 101: 5 Steps Toward Achieving Compliance
Questions?

31WEBINAR
Thank you
Dan Resnick
Director, Cybersecurity and Compliance
KSM Consulting, LLC
dresnick@ksmconsulting.com
(317) 452-1646

WEBINAR: HIPAA 101: Five Steps Toward Achieving Compliance

More Related Content

What's hot

Similar to WEBINAR: HIPAA 101: Five Steps Toward Achieving Compliance

More from KSM Consulting

Recently uploaded

WEBINAR: HIPAA 101: Five Steps Toward Achieving Compliance