Redspin & Phyllis and Associates Webinar: HIPAA, HITECH, Meaningful Use, IT Security


Uploaded by redspin-inc, posted on 18-Nov-2014.


Description: Slides from our 1/20/2011 webinar - HIPAA & HITECH Requirements, Compliance, Meaningful Use, and IT security assessments... we know it’s confusing! Let’s focus on what you need to know!

TRANSCRIPT

Page 1: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

HIPAA & HITECH Requirements, Compliance, and Meaningful Use

We know it’s confusing.

Let’s focus on what you need to know!

Information Security Assessments: “We Take Your Security Personally”

Dan Berger, Executive Vice President

Redspin, Inc.

[email protected]

Phyllis Patrick, MBA, FACHE, CHC

Phyllis A. Patrick and Associates LLC

[email protected]

Page 2: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Agenda

- New Era in Health IT – What it means to you

- Risk Assessment Strategies and Components

- Effective Security Process

- Meaningful Use and how to get incentive $

- Practical Example –Case Study

Page 3: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

New Era in Health IT

– New Regulations and Initiatives

– Incentive Funding (Medicare & Medicaid)

– New Consumer and Patient Issues

Page 4: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

New Programs

• Electronic Health Records (EHRs)

• Health Information Exchanges (HIEs)

• Regional Extension Centers (RECs)

• Achieving meaningful use of certified EHRs

Page 5: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Privacy and Security

Policies and Programs

• Privacy as a Patient Satisfaction Issue

• Synergy with Quality and Safety Programs

• Right of Private Action/State AG Activities


Page 6: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

The ONC Mandate

Americans will benefit from electronic health records as “part of a modernized, interconnected, and vastly improved system of care delivery.”

Page 7: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

ONC Mandate and Initiatives

• Temporary Certification Program

• Standards and Certification Criteria Final Rule

• Medicare and Medicaid EHR Incentive Programs

• Meaningful Use of EHRs Final Rule

• Certified Health IT Product List

Page 8: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

New Federal Regulations

– Meaningful Use of Electronic Health Records (Final Rule) – Medicare and Medicaid Incentive Programs

– Certification Process/Criteria

– Certification Standards

– HITECH Amendments to HIPAA

– Breach Notification Requirements

Page 9: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

What are the Rules?

Page 10: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Security Laws

– Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule

– Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records

– Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)

– Family Educational Rights and Privacy Act (FERPA)

– Payment Card Industry Data Security Standard (PCI DSS)

– State Breach Notification, Social Security Numbers, Data Protection, and other laws

– Children’s Online Privacy Protection Act

– Federal Information Security Management Act (FISMA)

– H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

– Encryption Laws (e.g., State laws)

– Sarbanes-Oxley Act (Public Companies)

– Gramm-Leach-Bliley Act (Financial Services)

– And more………

Page 11: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Some rules haven’t changed – Have you fully implemented the HIPAA Security Rule?

Page 12: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

The HIPAA Security Rule

– Compliance Date: April, 2005

– 42 Standards and Implementation Specifications

– Information Security Management Program

– Applies to Electronic Protected Health Information (ePHI) that a Covered Entity Creates, Receives, Maintains, or Transmits

Page 13: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Security Rule Standards

Evaluation Standard

“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]

Related Standards

– Security Management Process §164.308(a)(1)(i)

– Risk Analysis §164.308(a)(1)(ii)(A)

– Risk Management §164.308(a)(1)(ii)(B)

– Information System Activity Review §164.308(a)(1)(ii)(D)

Page 14: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Consequences of Not Meeting the Requirements

Page 15: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

New Enforcement Efforts and Priorities

HHS made changes to the HIPAA regulations to conform the enforcement component of the regulations to the statutory revisions made pursuant to the HITECH Act.

• Civil Monetary Penalties

• Violations categorized

• Tiered ranges of civil money penalty amounts

Page 16: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Penalties – Per Calendar Year

– Person did not know (and by exercising reasonable due diligence would not have known): $100 - $50K/violation, not to exceed $25K - $1.5MM

– Violation due to reasonable cause and not to willful neglect: $1,000 - $50K/violation, not to exceed $100K - $1.5MM

– Due to willful neglect and violation was corrected: $10K - $50K/violation, not to exceed $250K - $1.5MM

– Due to willful neglect and violation was not corrected: At least $50K/violation, not to exceed $1.5MM

Page 17: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

GOVERNANCE

– Leadership

– Organizational Structures

– Processes that support the security and privacy programs while supporting and sustaining the organization’s mission and strategic goals

– Relationships with Business Associates and 3rd parties

Page 18: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Effective Security Program

Governance

– Involves appropriate organizational personnel

– Defines a governance framework or methodology

– Enables uniform risk measurement across the organization

– Produces quantifiable, meaningful deliverables

– Reflects business practices, organizational risk appetites, and changing levels of risk

Reference: IT Compliance Institute

Page 19: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Business Associates

Covered Entity (CE)

A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under the HITECH Act

Business Associate (BA)

Party who performs a function on behalf of a Covered Entity and has access to PHI in the performance of that function

Page 20: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Business Associate Compliance

Business Associates (BAs): IT vendors, coding vendors, outsourced call center, subcontractors, insurance companies, pharmacies, hospitals, physicians, e-prescribing ecosystem, CPOE, radiology labs, HIEs, RHIOs, ACOs, lawyers, CPAs, housekeeping services, etc. !!!

Covered Entity (CE)

Liability:

- BAs are contractually liable to CEs for breach of BA agreement

- BAs are civilly and criminally liable to the Federal government for violations

Notification:

- BA must notify CE of any breach

- CE has obligation to notify patients and HHS

- If 500+ persons, notify media serving their area

Recommendations:

- Identify BAs with highest risk

- Communicate expectations to BAs

- Automate contract and BA agreement files

- Develop auditing and monitoring process

- Educate executives and key players on BAs

Page 21: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Assessing Your Security Program

Page 22: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Components of the Assessment

• Governance of the Privacy and Security Programs

• Privacy Rule and Security Rule Standards

• Policies and Procedures

• Risk Assessment and RA Management

• Program Infrastructure

– Designation of Privacy and Security Officers

– Reporting Relationships

– Staffing and Resources

• Education and Training Programs

• Security Breach Notification Policy and Procedures

• Readiness to meet HITECH/HIPAA requirements and Meaningful Use criteria

• Impacts of Business Partner/Business Associate Relationships

• Auditing and Monitoring Processes

Page 23: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Strategies for a Risk Assessment

• Formal and ongoing evaluation and review process

• Periodic Risk Analysis, in particular following significant changes

• Senior leader support

• Adequate and available resources

• Steering committee

Page 24: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Strategies for a Risk Assessment

• Governance/Reporting/Metrics

• Organization-wide Risk Analysis

• Communication of Risk Profile

• Documentation and Action Plans

• Independent Consultants?

Page 25: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Show Me the Money

How to Access Federal Dollars

Page 26: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Eligible Entities

– Eligible professionals (EPs)

– Eligible hospitals

– Critical access hospitals

– Certain Medicare Advantage Organizations whose affiliated EPs and hospitals are meaningful users of certified EHR technology

Page 27: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

What is “Meaningful Use?”

• Use of a certified EHR in a meaningful manner (e.g., e-prescribing)

• Use of certified EHR technology for electronic exchange of health information to improve quality of health care

• Use of certified EHR technology to submit clinical quality and other measures

Page 28: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Meaningful Use – Criteria and Standards

– Is the practice or hospital making adequate use of EHRs?

– Has a risk analysis been conducted?

– Is there a platform for staged implementation?

To achieve meaningful use, providers must:

– Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies

– Comply with all applicable federal and state laws and regulations

– Provide transparency of data sharing to patients

Page 29: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Meaningful Incentive Program

Medicare EHR

– Participation as early as FY 2011

– EPs may receive up to $44,000 over 5 years, plus incentive if in an HPSA

– Must begin by 2012 to get maximum

– Incentives for hospitals may begin in 2011 w/a $2 million base payment

– Medicare EPs, hospitals and CAHs who do not show meaningful use have payment decrease beginning 2015

Medicaid EHR

– Voluntarily offered by individual states

– May begin as early as FY 2011

– EPs may receive up to $63,750 over 6 years

– Incentives for hospitals may begin in 2011

– No payment adjustment for providers who do not show meaningful use

Page 30: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

CMS Meaningful Use Goals

– Improve quality, safety, and efficiency of health care and reduce health disparities

– Engage patients and families

– Improve care coordination

– Improve population and public health, and

– Ensure adequate privacy and security protections for personal health information

Page 31: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security


Page 32: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Page 33: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

HIPAA/HITECH Compliance

What are the objectives of a HIPAA Risk Analysis and Security Assessments?

Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.

Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (EPHI) triggering the breach notification requirements.

Page 34: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Some Types of Assessments

• Controls

• Data Security

• Network Analysis

• Physical Security

• Systems Analysis

• External Pen

• Internal Pen

• Wireless Pen

• Web App

• Social Engineering

Other possible assessments: PCI (if credit cards), Sarbanes-Oxley, Gramm-Leach-Bliley

Page 35: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Components of Risk

The assets (what you are trying to protect is PHI)

• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what are you afraid of happening?)

• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.

• Hackers using application attacks to gain access to database records.

• Insiders gathering inappropriate data through misconfigured access control.

The vulnerabilities (how could the threat occur?)

• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities

• Application vulnerabilities (e.g., SQL injection, command injection)

• Misconfigured database access controls

Current mitigation (what is currently reducing the risk?)

• Staff

• Technology

• Processes

Page 36: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

PHI/PII Risk Indication

Page 37: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

CASE STUDY

Axolotl: Health Information Exchange (HIE) Solution Provider

Page 38: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Axolotl Overview

Founded: 1995

Location: San Jose, California

Industry: Healthcare Technology Provider

Solutions For: Hospitals & Health Systems, RHIOs, State Health Agencies, Physicians

Employees: 200

• Since 1995, Axolotl has been providing advanced Clinical Networking solutions

• Health Information Exchange has become a necessary foundation to support the “meaningful use” of health information technology

• Cloud environment – supports electronic sharing of data among hospitals, physicians, clinical laboratories, pharmacies, health plans (insurers), and public health departments

• Security and regulatory compliance are imperative for Axolotl’s customers

Page 39: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Solution for Axolotl

• Comprehensive information security assessment of governance and operational processes covering both production and internal systems

• Thorough assessment of policies, practices, and procedures from both an internal and external point of view

• Axolotl has been able to use information security and compliance as a distinct advantage in a fiercely competitive segment of the healthcare market.

Areas Covered

Page 40: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Is Your Organization Ready?

Page 41: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Some Additional Thoughts…

Page 42: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Common Themes and Issues

• Lack of Documentation

• Lack of Awareness of Programs

• Insufficient Training and Education

• Lack of adequate Disaster and Business Continuity Planning

• Privacy and Security less priority than Safety or Quality Programs

• Mobile Device Policy and Procedures

• Managers unaware of their role and responsibilities in privacy and security

• Management of Business Associate Relationships

• Lack of or outdated Encryption Policy and Procedures

• Who to Contact in case of perceived or actual Security Breach or Privacy Incident

Page 43: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

EHR for the Future

• Whatever happens to the health care agenda, EHRs will continue to evolve and regionalization will occur

• Some geographical areas will develop mature EHRs faster than others

• Patient/consumer engagement is gaining traction

• Vendor market will consolidate and be more accountable

Page 44: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Appendix

Page 45: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Strategies for a Risk Assessment

• Establish a formal, ongoing Evaluation and Review Process using an independent consultant/third party. Conduct the review using project management tools and methods.

• Perform Risk Analysis, following established policies and procedures, at a minimum every three years or whenever there is a significant change in the environment (e.g., new system, new regs, new service, new threats, changes in senior management)

(Slide sidebar, repeated on each of the strategy slides: Evaluation/Review Process • Risk Analysis • Steering Committee • Governance • Metrics/Scoreboard • Risk/Threats • Integrated Assessment • Risk Profile • Consultant Criteria • Sr. Mgmt. Support • Penalties • Document!)

Page 46: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

• Establish an ongoing Steering Committee:

o Dedicate a multi-disciplinary team responsible for guiding the Evaluation and Risk Assessment Processes; utilize existing team/committee if appropriate

• Establish governance structure/process for Security and Privacy reports to BOD, Audit & Compliance Committee, Strategic Planning Committee, etc.

• Security and Privacy Metrics/Scoreboard


Strategies for Risk Assessment

Page 47: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Strategies for Risk Assessment

• Determine level of risk and threat to the organization, e.g.,

o Security Breach

o Identity Theft/Medical Identity Theft

o Privacy Complaints/OCR Complaints/Patient Suits

o Organization’s “Risk Appetite”

o Organizational reputation

o Financial consequences

• Integrate the risk assessment for security and privacy into the organization-wide risk assessment covering all types of risk

• Develop and communicate Risk Profile


Page 48: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Strategies for a risk assessment

• Retain an independent consultant that meets specific criteria:

o Determine qualifications of individuals performing the review

o Ask questions to ascertain if consultants possess “hands on” experience

o Do reports summarize data or provide a noted gaps analysis?

o Does the consultant provide a “to do list” based upon the audit results, mapping a path for the organization to follow, or is it buried in the summary?

o Do you understand the results and have support from the organization to resolve the issues identified?


Page 49: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Strategies for a Risk Assessment

• Elicit support from senior management to provide adequate resources to address areas of identified risks

• Note: Organizations that ignore findings are subject to increased penalties!

• Documentation and retention of action plans and follow-up is key to surviving and resolving audits and investigations.


Page 50: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Successful information risk management program

1. Organizing for performance

2. Assessing risk

3. Decision analysis

4. Policy implementation

5. Measuring program effectiveness

6. Repeat steps 2-5, adjusting the organization defined in step 1 to evolving business requirements

Page 51: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

Risk Management Process: Detail

Step 1. Assess Risk

Identify and prioritize risks to the business.

a. Plan data gathering.

b. Gather risk data.

c. Prioritize risks.

Step 2. Decision Analysis

Evaluate requirements, understand possible solutions, select controls, estimate costs, and choose the most effective mitigation strategy.

a. Define functional requirements to mitigate risks.

b. Outline possible control solutions.

c. Estimate risk reduction.

d. Estimate solution cost.

e. Choose mitigation strategy.

Step 3. Policy Implementation

Acquisition and deployment of controls to carry out the policy.

a. Ensure policy specifications are enforceable.

b. Integrate process automation, people, and technology in the mitigation solution.

c. Defense in depth – coordinate application, system, data, and network controls.

d. Communicate policies and control responsibilities throughout the organization.

Step 4. Measure Effectiveness

Develop and disseminate reports. Provide management a dashboard of program effectiveness.

a. Management dashboard that summarizes the organization’s risk profile.

b. Report on changes under consideration and underway.

c. Communicate effectiveness of the control solutions in mitigating risk.

d. Report on the existing environment in terms of threats, vulnerabilities and risk profile.
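As an added illustration (not from the slides, Redspin, or Phyllis A. Patrick and Associates), the Python below models the four components from the "Components of Risk" slide and walks Steps 1 and 2 of the process above: it prioritizes a constructed PHI risk register by likelihood x impact, estimates the reduction each candidate control buys, and picks a mitigation strategy by reduction per unit cost within a budget. The 1-5 scale, the register entries, the control names, their costs and their effects are all constructed assumptions.

```python
from dataclasses import dataclass, field


# Constructed 1 (low) .. 5 (high) scale; the slides give no numbers, so this is an assumption.
@dataclass
class Risk:
    asset: str          # what you are trying to protect (PHI, and where it lives)
    threat: str         # what you are afraid of happening
    vulnerability: str  # how the threat could occur
    mitigation: str     # staff, technology or process currently reducing the risk
    likelihood: int     # 1..5, judged with the current mitigation in place
    impact: int         # 1..5, e.g. breach-notification exposure if it happens

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    cost: float                                  # estimated solution cost (constructed units)
    reduces: dict = field(default_factory=dict)  # risk index -> likelihood points removed


# Sample register (constructed) built from the threat/vulnerability pairs on the risk slide.
RISKS = [
    Risk("PHI in the EHR database", "hackers using application attacks",
         "SQL injection in the patient portal", "technology: web application firewall", 4, 5),
    Risk("PHI on clinical workstations", "cybercriminals stealing account credentials",
         "targeted phishing with malicious .pdf/.doc attachments", "staff: annual awareness training", 3, 4),
    Risk("PHI in the EHR database", "insiders gathering inappropriate data",
         "misconfigured database access controls", "process: quarterly access review", 3, 3),
]

# Candidate controls (constructed) with the likelihood points each removes from a given risk.
CONTROLS = [
    Control("Parameterized queries and code review", 40, {0: 3}),
    Control("Patch and harden endpoints", 25, {1: 2}),
    Control("Role-based database access control", 20, {2: 2, 0: 1}),
    Control("Security awareness refresh", 10, {1: 1}),
]


def prioritize(risks):
    """Step 1c: risk indices ordered from highest to lowest likelihood x impact."""
    return sorted(range(len(risks)), key=lambda i: risks[i].score(), reverse=True)


def risk_reduction(control, risks):
    """Step 2c: score points a control removes across the register (likelihood never drops below 1)."""
    total = 0
    for i, points in control.reduces.items():
        r = risks[i]
        new_likelihood = max(1, r.likelihood - points)
        total += (r.likelihood - new_likelihood) * r.impact
    return total


def choose_strategy(controls, risks, budget):
    """Step 2d/2e: greedy pick by reduction per unit cost until the budget is spent.

    Each control's reduction is estimated on its own, so two controls acting on the
    same risk may overlap; treat the result as a first cut for the steering committee.
    """
    ranked = sorted(controls, key=lambda c: risk_reduction(c, risks) / c.cost, reverse=True)
    chosen, spent = [], 0.0
    for c in ranked:
        if risk_reduction(c, risks) > 0 and spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
    return chosen, spent


if __name__ == "__main__":
    for i in prioritize(RISKS):
        r = RISKS[i]
        print(f"{r.score():>2}  {r.asset}: {r.threat} via {r.vulnerability} (now: {r.mitigation})")
    print(choose_strategy(CONTROLS, RISKS, budget=75))
```

Running it lists the three register entries from highest to lowest score and then the controls the greedy step selects for a budget of 75 units, with the spend; tightening the budget drops the lower reduction-per-cost controls first.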

Page 52: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security

HIPAA Audit Scope Attributions

Page 53: Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security