Information Risk Management: Key Component for HIPAA Security Compliance
Ann Geyer, Tunitas Group, 209-754-9130

Slide 1: Federal Law Mandates Security Controls for Health Information

- HIPAA statutory requirement
  - General requirement to safeguard all PHI
  - Framework for security regulation
- Privacy Rule
  - General requirement for administrative, physical, and technical safeguards
  - Covers all PHI (paper, electronic, spoken)
  - Emphasis on patient rights and appropriate use
- Security Rule
  - Specific standards and implementation specifications
  - Covers electronic PHI only
  - Emphasis on confidentiality, integrity, and availability

Slide 2: Information Subject to the Security Rule

- Electronic Protected Health Information (EPHI)
  - PHI that is electronically maintained or transmitted by a Covered Entity
  - PHI is any individually identifiable information about a patient that is created, received, processed, or stored by a health plan, clearinghouse, or healthcare provider (or their business associates)
- Not included
  - PHI that is not stored electronically, and
  - Information that was not in electronic form before transmission (e.g. oral communications, telephone conversations, paper faxes, film images)

Slide 3: HIPAA Security Purpose

- Ensure confidentiality, integrity (authenticity), and availability
- Information security is now a patient safety requirement
- Elevate information risk management to the level of other compliance areas

Slide 4: HIPAA Security Rule, General Rule § (a)

Covered Entities must:
1. Ensure the confidentiality, integrity [authenticity], and availability of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
2. Protect against any reasonably anticipated threats or hazards to the security or integrity [authenticity] of EPHI
3. Protect against any reasonably anticipated uses or disclosures of EPHI that are prohibited by the HIPAA Privacy Rule
4. Ensure compliance by the workforce

Slide 5: General Rule Significance

- Congress intends the Rule to set a high standard
  - "Ensure" means to make inevitable
- But the Rule also permits flexibility, § (b)
  - A CE may use any measures that implement the Rule's requirements, and
  - A CE must take into account certain factors:
    - Size, complexity, and capabilities
    - Technical infrastructure, hardware, and software security capabilities
    - Costs of security measures
    - Probability and criticality of potential risks to EPHI

Slide 6: Acceptable Level of Risk

- A CE must use a formal risk analysis methodology to determine the acceptable level of risk. That determination, not convenience, settles each of the following choices:
  - A CE can live within the limits of its existing IS capabilities, or current limitations that permit undue risk must be changed
  - "The risk mitigation costs too much", or the CE simply did not allocate sufficient budget to address the risk
  - A CE can reject security measures that are too complex, or it must develop the skills and experience to apply the best available measures

Slide 7: Security Compliance

- Compliance means a well-designed and integrated Information Risk Management program
  - Necessary to demonstrate understanding of the risks to EPHI
  - A CE must conduct an "accurate and thorough assessment of the potential risks and vulnerabilities" § (a)(1)(ii)(A)
  - Non-compliant if:
    - Not thorough: failure to consider all significant threats
    - Not accurate: failure to adequately estimate the likelihood or impact of a threat
    - Not responsive: failure to mitigate risk to an acceptable level

Slide 8: Information Risk Management Program Components (1 of 2)

Risk Analysis (components 1 and 2):
1. Risk Assessment: determine the risk level
2. Risk Mitigation: identify how risk will be reduced to an acceptable level

3. Information Management Policy and Procedures: a combination of privacy and security policy that
   - Prevents PHI use or disclosure without authorization
   - Prevents PHI modification or tampering that could result in integrity/authenticity or availability issues
   - Ensures the workforce is trained, supervised, monitored, and appropriately sanctioned
   - Ensures the organization is able to monitor PHI activity to determine when and how a compromise has occurred
   - Ensures known risks are appropriately addressed

Slide 9: Information Risk Management Program Components (2 of 2)

4. Standards
   - Establish minimum security control sets based on risk classification
   - Develop a process for requesting and approving deviation from a required control set
5. Audit and/or Re-assessment
   - Periodically evaluate whether safeguards and minimum control sets are still effective
   - Determine whether a new risk assessment is warranted
   - Audit high-risk areas, known problem areas, new technology, new applications
6. Management Review
   - Objective and conflict-free
   - Focused on acceptable risk
   - Clearly considers patient safety and confidentiality factors

Slide 10: Information Risk Management: What Is Acceptable Risk?

- The Rule says acceptable risk is the level that satisfies the General Rule § (a)
- There is no objective standard; the organization must rely on industry best practices and its own determination of risk and consequences
- Key organizational requirement: understand how information security failures affect the organization
  - Patient care and safety
  - Revenue lifecycle
  - Management and financial functions
  - Operations and workflow
  - Compliance, risk management, legal

Slide 11: Risk-based Business Decisions

- Would you manage differently if you knew that PHI would be compromised?
  - HIPAA expects PHI to be treated as securely as financial or tax information
  - Healthcare organizations will be evaluated on how well they manage their fiduciary responsibility to protect patient information
  - Electronic PHI and electronic data transfer are becoming the norm: EMR, CPOE, e-prescriptions, PAMF online services for patients, Sutter's virtual ICU
  - Securing EPHI has to become as important as paper-based records management

Slide 12: Conducting a Risk Analysis: Risk Assessment

1. Impact Analysis (business manager)
   - What is the business impact of a loss of confidentiality, integrity, or availability?
2. Exposure and Controls (technical manager)
   - Where is the system located?
   - What are the big-picture exposures?
   - What security controls are in place?

Slide 13: Conducting a Risk Analysis: Risk Mitigation

3. Risk Characterization (security, compliance, risk management, or other management)
   - The greatest impact determines the required security level
   - The security level determines the required control set
   - Risk is mitigated by implementing a control
   - Missing controls create unaddressed risk
   - Organizational risk decisions:
     - Accept the risk (do not implement the control)
     - Mitigate the risk (implement the missing control)
     - Reduce the exposure (isolate the system)
     - Reduce the impact (reduce dependency on the system)
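The three steps on slides 12 and 13 (impact per CIA property, controls in place, characterization against a required control set) are a mechanical gap analysis once the inputs exist. The following is an added example, not part of the original presentation and not the Tunitas Group's or HHS's method; the control catalogue, the low/moderate/high scale, the control names and the two sample systems are all constructed here for illustration. A real program would take the control sets from its own standards (slide 9, component 4) and the ratings from the impact and exposure worksheets.

```python
"""Risk characterization (slide 13) as a runnable gap analysis.

Added illustration, not the Tunitas Group's method, an HHS tool, or anything
from the original slides. The control catalogue, impact scale, control names
and sample systems are constructed for the example.
"""
from dataclasses import dataclass, field

# Ordinal impact scale the business manager assigns per CIA property (step 1).
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
LEVELS = ["low", "moderate", "high"]

# Constructed minimum control sets per security level (slide 9, "Standards").
# Levels are cumulative: a "high" system needs every control listed here.
CONTROL_SETS = {
    "low": {"unique-user-id", "workforce-training", "backup"},
    "moderate": {"audit-logging", "encryption-in-transit", "access-review"},
    "high": {"encryption-at-rest", "mfa", "integrity-monitoring", "dr-test"},
}

# Organizational risk decisions management may record for a missing control.
DECISIONS = {"accept", "mitigate", "reduce-exposure", "reduce-impact"}


@dataclass
class System:
    name: str
    impact: dict        # {"confidentiality": ..., "integrity": ..., "availability": ...}
    implemented: set    # controls the technical manager reports in place (step 2)
    decisions: dict = field(default_factory=dict)  # control -> (decision, justification)


def security_level(impact):
    """The greatest impact across C, I and A determines the required level."""
    return max(impact.values(), key=IMPACT_RANK.__getitem__)


def required_controls(level):
    """Cumulative control set: the 'low' controls plus every level up to `level`."""
    needed = set()
    for lvl in LEVELS:
        needed |= CONTROL_SETS[lvl]
        if lvl == level:
            break
    return needed


def characterize(system):
    """Return (security level, missing controls); each missing control is
    unaddressed risk until a decision is recorded against it."""
    level = security_level(system.impact)
    return level, required_controls(level) - system.implemented


def unaddressed(system):
    """Missing controls that still carry unaddressed risk: no decision, a
    decision outside the allowed set, or an 'accept' with no justification
    (silent acceptance is the 'not responsive' finding on slide 7)."""
    _, missing = characterize(system)
    open_items = {}
    for ctl in missing:
        decision, why = system.decisions.get(ctl, (None, ""))
        if decision not in DECISIONS:
            open_items[ctl] = "no decision recorded"
        elif decision == "accept" and not why.strip():
            open_items[ctl] = "accepted without justification"
    return open_items


# Constructed sample inventory; names, ratings and controls are illustrative only.
SYSTEMS = [
    System(
        name="EMR",
        impact={"confidentiality": "high", "integrity": "high", "availability": "high"},
        implemented={"unique-user-id", "workforce-training", "backup", "audit-logging",
                     "encryption-in-transit", "access-review", "encryption-at-rest", "mfa"},
        decisions={"dr-test": ("mitigate", "full restore exercise scheduled for Q3")},
    ),
    System(
        name="Scheduling portal",
        impact={"confidentiality": "moderate", "integrity": "low", "availability": "moderate"},
        implemented={"unique-user-id", "workforce-training", "backup", "audit-logging",
                     "encryption-in-transit"},
        decisions={"access-review": ("accept", "")},
    ),
]


def risk_register(systems):
    """Per-system summary of the kind a management review (slide 9, component 6) reads."""
    register = {}
    for s in systems:
        level, missing = characterize(s)
        register[s.name] = {"level": level,
                            "missing": sorted(missing),
                            "unaddressed": unaddressed(s)}
    return register


if __name__ == "__main__":
    for name, row in risk_register(SYSTEMS).items():
        print(f"{name}: level={row['level']} missing={row['missing']} "
              f"unaddressed={row['unaddressed']}")
```

Running it shows the two failure modes the slides warn about: the EMR has a missing high-level control with no decision at all, and the scheduling portal has a gap that someone "accepted" without writing down why. Either would show up as unaddressed risk in an audit; a documented mitigation plan or a justified acceptance clears the item.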

Slide 14: Conclusion

- Information Risk Management
  - Represents the basic set of responsibilities for addressing information security
  - Permits each organization to determine the specific details of how best to achieve an acceptable security level
  - Take security seriously: integrate security requirements into all aspects of information use within the organization
  - Business functions must learn how to make risk-based operational decisions
  - Using PHI without due regard for its security is no longer an option