1 HIPAA Security Overview
Centers for Medicare & Medicaid Services (CMS)
2 Agenda
- Role of CMS
- Security Rule Overview
- CMS’ HIPAA Security Strategy
- Providence Resolution Agreement
- Summary & Conclusion
- Q&A
3 Role of CMS
CMS has delegated authority to enforce the non-privacy provisions of the HIPAA regulations:
- Transactions and Code Sets
- Identifiers (NPI, EIN)
- Security
In addition to HIPAA enforcement, CMS is responsible for:
- Regulatory/Policy Interpretation
- Outreach and Education
- Guidance and FAQs
- New Regulations (including other e-health related issues, e.g. eRx)
4 Security Rule Overview
- Applies to Electronic Protected Health Information (EPHI) that a covered entity creates, receives, maintains, or transmits
- Scalability/Flexibility: based on organization size, complexity, technical capabilities and infrastructure, cost of security measures, and potential security risks
- Technologically Neutral: describes “what” needs to be done vs. “how” it is to be done
- Standards are required, but the implementation specifications may be either required or addressable
5 CMS’ HIPAA Security Strategy
CMS takes a three-pronged approach to HIPAA Security. The three prongs are:
- Outreach & Education
- Enforcement
- Compliance Reviews
6 Outreach and Education Efforts
- Federal and Non-Federal Collaboration
- Develop/Disseminate Educational & Guidance Materials
  Security Papers:
  1. Administrative, Physical and Technical Safeguards
  2. Basics of Risk Analysis and Risk Management
  3. Implementation for the Small Provider
  Frequently Asked Questions
  Security Compliance Review Checklist
  Remote Use and Access Guidance
The materials can be found on the CMS website at http://www.cms.hhs.gov (under the link for Regulations and Guidance).
7 Outreach & Education - Remote Use & Access Guidance
Rationale:
- Increased risk to protected health information, associated with increased remote access to EPHI
  - Increase in workforce mobility
  - Increase in use of portable media storage devices
- Recent security related incidents
  - Reported loss or theft of devices containing EPHI
  - Reported access to health information by unauthorized users
8 Outreach & Education - Highlights of Remote Access Guidance
- Published December 28, 2006
- Reiterates requirements of the HIPAA Security Rule
- Identifies strategies consistent with organizational capabilities (scalable and flexible)
- Pertains to access, storage and transmission of EPHI
- Three categories of action highlighted:
  1. Conducting a security risk assessment
  2. Developing and implementing policies and procedures
  3. Implementing mitigation strategies
9 HIPAA Security Enforcement – Current Process
- Review the complaint to determine validity and scope
- Notify the “Filed Against Entity” (FAE) of the complaint
- Request specific documents from the FAE
- Assess the documents to determine whether they:
  1. Demonstrate compliance, or
  2. Demonstrate the need for a Corrective Action Plan (CAP)
- Monitor CAPs to completion
- Close the complaint upon demonstration of compliance
- Issue closure correspondence to all parties
10 HIPAA Security Enforcement – Overlapping Complaints
- CMS and the Office for Civil Rights (OCR) collaborate on cases that overlap the Security and Privacy Rules
- Approximately 70% of CMS Security cases are referrals from OCR
- Majority of Security complaints: allegation of inappropriate access and risk of inappropriate disclosure
11 HIPAA Security Enforcement - Complaint Categories
- Unauthorized access to EPHI
  - Employees or relatives accessing EPHI
- Loss or theft of devices containing EPHI
  - Small volume of complaints; large volume of records
- Insufficient access controls for systems containing EPHI
  - Shared passwords
  - Encryption
- CMS has received 350 Security Rule complaints: 102 cases are open, 248 cases have been resolved
12 Onsite HIPAA Security Compliance Reviews
- Contracted with PricewaterhouseCoopers (PwC) for 10 reviews in 2008
- Reviews place emphasis on remote use and access issues
- CMS publishes de-identified post-review information
- Initial target: entities against whom a complaint has been filed and a risk to the security of a large volume of records has been reported
- The compliance reviews will be used as a tool to achieve voluntary compliance
13 Onsite HIPAA Security Compliance Reviews - Continued
- Compliance reviews have revealed several key areas of vulnerability, including:
  1. Lack of encryption for portable devices and media
  2. Lack of verification of role-based access privileges
- Reviews have resulted in CAPs that include:
  1. Policies and procedures for remote use/access
  2. Designation of internal security audit personnel
- Compliance review cases are generally closed when CMS verifies completion of the CAP
14 OIG Security Audit Initiative
- Objective is to determine whether certain covered entities have implemented measures in accordance with the provisions of the HIPAA Security Rule
- The recent OIG review of Piedmont Hospital highlighted issues related to:
  - Technical safeguard vulnerabilities for wireless communications
  - Vulnerabilities involving physical access to electronic information systems and the facilities
  - Administrative safeguard vulnerability related to business associate contracts
15 Providence Resolution Agreement – What Does it Mean?
Background:
- Case involved 386,000 unencrypted patient records
- $100,000 resolution amount paid to HHS
- 3-year corrective action monitoring
Significance:
- Landmark case: the first to result in a monetary payment
- Sets the stage for similar action in similar cases
- Represents the evolution of CMS’ enforcement efforts
16 Summary & Conclusion
- Security provides opportunity and obligation
- CMS’ three-pronged approach:
  - Outreach and Education
  - Enforcement
  - Compliance Review
- Consequences of non-compliance:
  - Loss of resources
  - Loss of time
  - Loss of TRUST
17 Discussion and Questions