1
Community Health Center Security Risk Management
Overview of the Security Risk Assessment Policies, Practices and Tools HITEQ Workshop for the AUCH Annual Primary Care Conference May 12, 2017
2
HITEQ Purpose The Health Information Technology Evaluation and Quality (HITEQ) Center is a HRSA-funded Cooperative Agreement that collaborates with HRSA partners to support health centers in full optimization of their EHR/Health IT systems
3
HITEQ Services Web-based health IT knowledgebase
Workshops and webinars Targeted technical assistance
4
HITEQ Focus Areas
Health IT Enabled Quality Improvement
EHR Selection and Implementation
Health Information Exchange
QI/HIT Workforce Development
Value-Based Payment
Privacy and Security
Electronic Patient Engagement
Population Health Management
5
Legal Disclaimer The information included in this presentation is for informational purposes only and is not a substitute for legal advice. Please consult an appropriate attorney if you have any particular questions regarding a legal issue.
6
Your Presenter Nathan Botts, PhD, MSIS
Senior Study Director – Healthcare Delivery, Research, and Evaluation, Westat
Privacy & Security domain lead for the HRSA HITEQ Center project.
Health informatics specialist, with over 11 years of clinical software and systems research and development experience.
Served as Knowledge Integrator for the Privacy and Security Community of Practice, for the Office of the National Coordinator’s Knowledge Sharing Network for Regional Extension Centers.
7
Security Risk Assessment Agenda
Overview of Healthcare Privacy & Security Policies related to SRA
Implications for Health Center SRA requirements
Review of the Office of the National Coordinator SRA Toolkit
Office for Civil Rights Audits
Questions and Discussion
8
Problem Statement
Privacy and Security management covers just about every aspect of a healthcare organization.
Risk measures cover a broad range of physical, analog, and digital systems and include both internally and externally housed systems.
Settings and technologies deployed vary to such a high degree that there is no single test that can be conducted to ensure compliance.
The Security Risk Assessment is one method for auditing the measures and mitigation strategies in place at a healthcare site.
9
Healthcare Privacy & Security Policies and Regulations
Health Insurance Portability and Accountability Act of 1996 (HIPAA): required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
Health Information Technology for Economic and Clinical Health (HITECH) Act’s Meaningful Use program: required objective measures for ensuring the safety of electronic Protected Health Information (ePHI) as dictated by the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) (OCR 2009).
10
HIPAA Evolution from 1996
HIPAA Omnibus of January 2013
Imposes new requirements on the language of BAs and their own practice in terms of addressing HIPAA related requirements. This is especially so in terms of stewardship of data. All BAs are responsible for protection of data according to HIPAA, and providers are responsible for ensuring their BAs maintain effective practices.
HIPAA 2016
OCR launched a platform for mobile health developers; its purpose is to understand concerns of developers new to the health care industry and HIPAA standards:
11
HIPAA Impact on Eligible Providers
HIPAA compliance requires that providers be prepared to handle ePHI properly and follow the requirements in the HIPAA Privacy, Security, and Breach Notification Rules.
If a problem surfaces, an enforcement action can result, including million-dollar financial settlements and Corrective Action Plans that can take years to complete and can cost many times the monetary settlements.
In order to comply with the HIPAA Security Rule, providers need to maintain an ongoing security program.
12
General OCR HIPAA Settlements
Issues:
Lack of risk analysis/risk management
Large breaches (e.g., 300,000 or more)
Improper disposal
Unencrypted mobile devices
Widespread snooping
Triggers:
Media attention
Breach report
DOJ/OIG referral
Complaints
Reference:
13
Meaningful Use and SRA
MU supports the HIPAA Security Rule
MU Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.
MU Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
MU Stage Updates: – Protected Patient Health Information: EPs must attest YES to conducting the security risk analysis upon installation or update to the new Edition of certified EHR Technology.
14
MU Impact on Eligible Providers
In order to successfully attest, providers must conduct a security risk assessment (SRA), implement updates as needed, and correctly identify security deficiencies. By conducting an SRA regularly, providers can identify and document potential threats and vulnerabilities related to data security, and develop a plan of action to mitigate them.
15
Security Rule Requirements
Reference: Michigan Center for Effective IT Adoption
16
ONC Meaningful Use and SRA
Meaningful use incorporates and supports HIPAA. To successfully attest, you must conduct a security risk assessment (SRA), a component of the Security Rule in effect since 2005. In order to comply with the 2013 Health Insurance Portability and Accountability Act (HIPAA) final omnibus rule, you need to maintain an ongoing security program. HIPAA mandates security standards to safeguard electronic protected health information (ePHI) maintained by certified electronic health record (EHR) technology. The omnibus rule pays detailed attention to how ePHI is stored, accessed, transmitted, and audited.
17
Attesting to Meaningful Use
Risk assessment requirements
Occurs during the calendar year of the EHR reporting period and no later than the provider attestation date
Assesses certified EHR technology (CEHRT) and any devices using ePHI (e.g. laptops, desktops, tablets, smartphones)
Process is repeated for every reporting period
Do not attest until after you have conducted your Security Risk Assessment
Reference: Michigan Center for Effective IT Adoption
18
SRA Frequency
Practices that participate in MU must conduct an SRA for every year of attestation.
SRAs should be updated after major changes or upgrades to the practice, technology, or environment.
The recommendation is at least annually for HIPAA compliance.
Risk management and assessment is a continuous process, so make sure you have documentation to support your ongoing risk assessment and management process.
Conducting an SRA is worth the money; hire a consultant if it is outside of your organization’s abilities.
19
SRA Fact Check Reference: ACR 2 Solutions
20
Enter the ONC Security Risk Assessment (SRA) Tool
Designed to help health care providers and business associates that handle patient information to evaluate risks, vulnerabilities and adherence to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Office of the National Coordinator for Health Information Technology (ONC) worked together with the Office for Civil Rights (OCR), which enforces the HIPAA Security Rule, to develop this tool to enable providers and other entities to meet their HIPAA Security Rule compliance responsibilities.
21
ONC SRA Limitations Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks.
22
NIST 800 Series: Primary Resource for ONC SRA Toolkit
23
NIST Risk Assessment Steps
24
Primary SRA Sections 1-6
Maintaining Your Security Program
Identifying Your Assets
Managing Access to Your Assets
Managing the Integrity of Your ePHI
Managing Your Media
Managing Your Facilities
Each section is broken down into subcategories: Administrative, Physical, Technical
25
Primary SRA Sections 7-12
Managing Your Workforce
Educating Your Workforce
Managing Your Vendors
Continuing Your Operations When Emergencies Occur
Auditing Your Operations
Managing Incidents
Each section is broken down into subcategories: Administrative, Physical, Technical
26
ONC SRA Tool Main Menu
27
ONC SRA Tool Interview
28
ONC SRA Toolkit Glossary
29
SRA Dashboard
30
OCR Audit Schedule
OCR has been enforcing HIPAA since 2003
The OCR conducted its first set of audits in 2012
The second phase began in 2016
Provider compliance with the Security, Privacy, and Breach Rules is audited
Most common Security deficiencies from the 2012-2013 pilot audits:
Lack of or incomplete SRA (47 out of 59 (79%))
Unaware of Security Rule requirements
2017: Comprehensive onsite audits to begin
Reference: IAPP Conference March 7, 2013
31
Reasons for Compliance
Covered entities that suffer a breach and have not performed an SRA, or otherwise do not have an effective risk management program, face the steepest penalties from the OCR.
A lack of or incomplete SRA is the main reason providers fail Meaningful Use (MU) audits, resulting in loss of incentive money.
Further costs due to ineffective security plans may include:
Breach victims may pursue legal action for damages
Many healthcare providers have lost access to their data due to ransomware attacks or contract disputes
Reference: Michigan Center for Effective IT Adoption
32
SRA Checklist
There are many ways to conduct an SRA, but any method should at the very least encompass facets such as:
Scope must include all ePHI in the organization
Data collection and methods must be documented
Identify and document anticipated threats and vulnerabilities
Assess current security measures in place
Establish likelihood of threat occurrence
Establish potential impact of threat occurrence
Determine level of risk
Document the complete risk analysis
Periodic review and update
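As an added illustration that is not part of the presentation or of the ONC SRA Tool, the checklist steps above written out as a small risk-register script: it rates each documented threat/vulnerability pair on a NIST SP 800-30 style likelihood-by-impact matrix, flags ePHI assets that were left out of scope, and flags an SRA that is older than a year or predates a major change. The assets, threats, ratings and dates are constructed sample data.

```python
from datetime import date, timedelta

# Qualitative scales in the style of NIST SP 800-30 (assumption: a 3x3 matrix)
SCALE = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact of a threat into a risk level."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(register: list[dict]) -> list[dict]:
    """Attach a risk level to every documented threat/vulnerability pair, highest first."""
    rated = [dict(e, risk=risk_level(e["likelihood"], e["impact"])) for e in register]
    return sorted(rated, key=lambda e: SCALE[e["risk"]], reverse=True)


def ephi_assets_not_assessed(assets: dict[str, bool], register: list[dict]) -> set[str]:
    """Scope check: every asset holding ePHI must appear in the risk analysis."""
    covered = {e["asset"] for e in register}
    return {name for name, holds_ephi in assets.items() if holds_ephi and name not in covered}


def sra_needs_update(last_sra: date, today: date, major_change_since: bool = False) -> bool:
    """Periodic review: at least annually, and after major changes to practice, technology or environment."""
    return major_change_since or (today - last_sra) > timedelta(days=365)


# Constructed sample data for a small health center (not from the presentation)
ASSETS = {"EHR server": True, "clinic laptops": True, "billing workstation": True, "lobby kiosk PC": False}
REGISTER = [
    {"asset": "clinic laptops", "threat": "loss or theft", "vulnerability": "disk not encrypted",
     "measures": "cable locks", "likelihood": "medium", "impact": "high"},
    {"asset": "EHR server", "threat": "ransomware", "vulnerability": "backups never restored-tested",
     "measures": "nightly backups, antivirus", "likelihood": "medium", "impact": "high"},
    {"asset": "EHR server", "threat": "power outage", "vulnerability": "none identified",
     "measures": "UPS", "likelihood": "low", "impact": "low"},
]

if __name__ == "__main__":
    for e in assess(REGISTER):
        print(f"{e['risk']:>6}  {e['asset']}: {e['threat']} / {e['vulnerability']} (current: {e['measures']})")
    print("ePHI assets missing from the analysis:", ephi_assets_not_assessed(ASSETS, REGISTER))
    print("SRA overdue:", sra_needs_update(date(2016, 3, 1), date(2017, 5, 12)))
```

The rated register and the two flags are the pieces of documentation the checklist asks you to keep; re-run the scope check whenever an asset is added.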
33
SRA Summary
Security Risk Assessments are required for compliance with HIPAA and Meaningful Use
Risk and regulatory oversight are increasing and expected to continue
Practices are expected to take security seriously and put forth a good faith effort
Required: Hard work, diligence, integrity
An SRA is the first step of a continuous, comprehensive Risk Management Program that will benefit your patients and your practice
34
Comments, Questions, and Discussion
35
Want more information?
36
Help Us Help You!
Contact HITEQ at: hiteqcenter.org
@HITEQCenter
37
HITEQ Project Funding
This project was supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) under cooperative agreement number U30CS29366, Training and Technical Assistance National Cooperative Agreement, for $1,954,318 with 0% of the total NCA project financed with non-federal sources. This information or content and conclusions are those of the author and should not be construed as the official position or policy of, nor should any endorsements be inferred by, HRSA, HHS or the US Government.