How much HIPAA is enough? Session 2: What to Do - HIPAA-compliance with Datto
Focus on physician practices, hospitals and Business Associates Regulatory Compliance Experts on staff, HIT experts on-staff Privacy and Security Analysis (Meaningful Use, HIPAA) EHR Consulting – Emphasis on workflow efficiencies We Untangle Healthcare Technology
Why do HIPAA at all? Because Datto feels it is critical for their channel partners to understand how the backup and restore process impacts HIPAA compliance. Because Datto feels it is critical for their channel partners to understand the relationship between Datto products and HIPAA requirements. Because you must be able to do 3 compliance-critical things, and this ability starts by learning what is in this session.
Things that are backed up that are ePHI…
Enforcement Countdown Business Associates must comply with the final rule by September 23, However, there is a special one-year transition period for implementing business associate agreements to comply with the final rule. What this doesnt say is September 23, 2014 enforcement and settlement agreements begin.
The 3 Compliance-critical things to do with Datto The Datto solution must be HIPAA-Compliant The Datto solution must be installed in HIPAA- Compliant Fashion Must be Installed by HIPAA-Compliant Datto Solution Providers
Compliance-critical thing #1: You Must Have a HIPAA-Compliant Solution Datto Appliance SIRIS or ALTO 2 Cross walk that Maps Datto to HIPAA security rule HITECH? Is the Datto Solution non-compliant with any of the following applicable security rule safeguards: -Administrative -Physical -Technical
Drilldown – HIPAA-Compliant Solutions HIPAA Security Rule, ePHI, Safeguards and Controls that you implement when you install Datto products
A HIPAA-Compliant solution: Do a safeguard review Ask this for every client Does the presence of the Datto Solution cause non-compliance with this safeguard?
Ask this for every client Does the presence of the Datto Solution cause non-compliance with this safeguard?
Ask this for every client Does the presence of the Datto Solution cause non-compliance with this safeguard?
Ask this for every client Does the presence of the Datto Solution cause non-compliance with this safeguard?
Compliance-critical thing #2: It Must-Be Installed in a HIPAA- Compliant Fashion HIPAA Security Rule, ePHI, Safeguards and Controls that you implement when you install Datto products
Drilldown – Installed in HIPAA- Compliant Fashion Datto Appliance SIRIS or ALTO 2 Map to HIPAA Citations -Administrative -Physical -Technical
A HIPAA-Compliant Installation: Do a safeguard review Ask this for every client Does the usage of the Datto Solution cause non- compliance with these safeguards?
Ask this for every client Does the usage of the Datto Solution cause non- compliance with these safeguards?
Ask this for every client Does the usage of the Datto Solution cause non- compliance with these safeguards?
Ask this for every client Does the usage of the Datto Solution cause non- compliance with these safeguards?
Compliance-critical thing #3: It Must-Be Installed By HIPAA- Compliant Solution Providers We are all BAs whether we like it or not as it pertains to implementing, managing and supporting Datto solutions in environments where ePHI is maintained or stored.
Drilldown – By HIPAA- Compliant Solution Providers We are all BAs whether we like it or not as it pertains to implementing, managing and supporting Datto solutions in environments where ePHI is maintained or stored. BA Assurance Evergreen Program
A HIPAA-Compliant Business Associate: Do a safeguard review Can you give assurances to every client about how your company meets every single one of these compliance safeguards?
How can you give assurances? Security Rule 18 Standards has 18 Standards Safeguards to Implement defines Safeguards to Implement 36 Specifications have
Administrative example Column 1 shows the standards (9) Column 2 shows the security rule citation Column 3 shows the specifications for implementing the standards (21 specifications for 9 standards)
Physical example Column 1 shows the standards (4) Column 2 shows the security rule citation Column 3 shows the specifications for implementing the standards (8 specifications for 4 standards)
Technical example Column 1 shows the standards (5) Column 2 shows the security rule citation Column 3 shows the specifications for implementing the standards (7 specifications for 5 standards)
Wrap up: Doing The 3 Compliance-critical things with Datto Profile of a HIPAA-Compliant Datto solution Repeatable process for installing Datto solutions in a HIPAA-Compliant Fashion According to a compliance management system adopted by HIPAA-Compliant Datto Solution Provider
Datto meets HIPAA key takeaways Start Now– CEs have been subject to the HIPAA OMNIBUS Rule since September BAs are now subject to enforcement under the same rule on September 23, 2014.
Datto meets HIPAA key takeaways Secure Backups and Restores are both required Covered Entities and Business Associates must backup retrievable exact copies of electronic protected health information (CFR (7)(ii) (A)) and be able to restore any loss of data. (CFR (7)(ii) (B))
Datto meets HIPAA key takeaways Security Requirements are in effect during emergencies compliance requires the protection of the security of electronic protected health information while operating in emergency mode. (CFR (7)(ii) (C))
Datto meets HIPAA key takeaways A Backup policy is not a procedure, a backup procedure is not a backup plan, a backup plan is not a contingency plan (neither is it a disaster recovery plan) - Policies, procedures and plans (CFR (b)(1)) are not interchangeable forms of documentation (CFR (b)(2)(i))is a huge part of HIPAA. Ask me about our HIPAA Book of Evidence Tool
How to use this slide deck as a workbook Step 1 Review CE/BA client solution stacks by following slides 9-12 Step 2 Review Completed CE/BA client implementations by following slides Step 3 Create a repeatable CE/BA new client implementation procedure from slides Step 4 Do a self-Assessment by following slides Step 5 Provide Assurances to each CE/BA client by describing how you implement the standards according to the specifications on slides ( me for PDF of the safeguards in these slides)
Ask Me About these Webinars Ask Me About HIPAA Evergreen for BAs Phone (909) x2101 Chris Johnson is CEO and founder of Untangled Solutions, his motto, We untangle healthcare technology has catapulted his company on to the go to short list for healthcare providers across the United States. With more than fifteen years of experience in IT services and web development, he specializes in helping medical practices make strategic HIT decisions that improve how providers safely treat their patients, productively run their practice and profitably manage their business. A thought leader in his industry and a desire to give back, Chris is the current Vice Chair for CompTIAs IT Security Community, an active CompTIA Ambassador and is the former chairperson of the Healthcare IT Community. Chris Johnson is CEO and founder of Untangled Solutions, his motto, We untangle healthcare technology has catapulted his company on to the go to short list for healthcare providers across the United States. With more than fifteen years of experience in IT services and web development, he specializes in helping medical practices make strategic HIT decisions that improve how providers safely treat their patients, productively run their practice and profitably manage their business. A thought leader in his industry and a desire to give back, Chris is the current Vice Chair for CompTIAs IT Security Community, an active CompTIA Ambassador and is the former chairperson of the Healthcare IT Community.
Ask Me About these Webinars Ask Me About HIPAA Evergreen for BAs Upcoming events: HIPAA Resources User Conference ww.Dattopartnerconference.com/ww.Dattopartnerconference.com/ Phone (909) x2101