
HIPAA & HITECH Privacy and Security: Is Your Process Keeping Up With Change? - PowerPoint Presentation

Uploaded On 2019-10-31



Presentation Transcript

HIPAA & HITECH Privacy and Security: Is Your Process Keeping Up With Change?
Dan Rode, MBA, CHPS, FHFMA, FAHIMA
Virginia Health Information Management Association Annual Conference
A World of Opportunities - Opening the Door to the Future of HIM

Objectives – Privacy and Security
- Renew our grounding in HIPAA and the HITECH requirements
- Update what's happening in federal privacy and security
- Look into specific areas of concern: Breach, Audit, Training
Dan Rode & Associates © 2016 VaHIA - Annual Conference 2016

Agenda – Privacy and Security
- Before I start – Who's who?
- A short history of HIPAA and HITECH…
- …and the resulting regulations
- Current environment and atmosphere: what's immediately pending, what's happening now, what's happening in the future
- What should a privacy or security officer be doing now
- Resources
- Questions and concerns

Glossary
- ACA – Accountable Care Act ("Obama Care")
- PPACA – Patient Protection and Affordable Care Act
- ARRA – American Recovery and Reinvestment Act of 2009
- CMS – Centers for Medicare and Medicaid Services
- GINA – Genetic Information Nondiscrimination Act
- HIPAA – Health Insurance Portability and Accountability Act of 1996
- HITECH – Health Information Technology for Economic and Clinical Health (Title XIII ACCA)
- Meaningful Use – Incentive program for EHR/HIE use under ARRA-HITECH
- NCVHS – National Committee on Vital & Health Statistics
- NIST – National Institute for Standards and Technology
- ONC – Office of the National Coordinator for Health Information Technology
- OESS – CMS Office of Electronic Standards and Security
- OIG – Office of the Inspector General (IG) of HHS
- PHI – Personal Health Information [HIPAA]
- PHR – Personal Health Records [HITECH]
- SAMHSA – Substance Abuse and Mental Health Services Administration
- X12 – Accredited Standards Committee X12 (ANSI accredited)

A Short History of HIPAA and HITECH… Pre-HIPAA
- Healthcare "information" exchange: limited standards for healthcare claims; limited electronic claims exchange; no clinical electronic exchange – fax
- 1989-1996 Clinton discussion on US healthcare – failed
- ANSI-ASC-X12 development of claims-related electronic standards
- Need for industry agreement – administrative simplification
- Privacy "scare"
- Health insurance issues – portability

A Short History of HIPAA and HITECH… Health Insurance Portability and Accountability Act of 1996 (HIPAA), PL 104-191
- Title I: Health insurance access, portability, and renewability
- Title II: Administrative Simplification
  - Process for setting standards related to healthcare administration
  - Electronic transactions
  - Providers, most health plans (payers), and clearinghouses
  - Called for electronic signatures and unique identifiers
  - Established penalties – minimal
  - Exception for workman's compensation and indemnity insurers
  - Exception for banks (§ 1179)
  - Established the National Committee for Vital and Health Statistics (NCVHS) as the oversight advisor to the Secretary
  - Allowed the Secretary to establish more standards

A Short History of HIPAA and HITECH… HIPAA – Administrative Simplification Law (continued)
- Called for privacy legislation and regulations in three years!
- Established security standards for health information that take into account:
  - Technical capabilities of record systems
  - Costs of security measures
  - Need for training persons accessing health information
  - Audit trails in computerized record systems
  - Needs and capabilities of small entities

A Short History of HIPAA and HITECH… HIPAA – Administrative Simplification Law (continued)
- Secretary to ensure that covered entities who maintain or transmit health information "shall maintain reasonable and appropriate administrative, technical, and physical safeguards" to:
  - Protect against reasonably anticipated threats or hazards to the security or integrity of the information
  - Protect against reasonably anticipated unauthorized uses or disclosures of the information
  - Ensure compliance

A Short History of HIPAA and HITECH… Immediate Post-HIPAA Issues
- No funding
- 1997 House Appropriations Bill forbade HHS from pursuing any action on patient identifiers
- 1999 Congress fails to meet its 3-year commitment to write further privacy rules – Secretary forced to issue regulations
- Y2K

A Short History of HIPAA and HITECH… HIPAA Timeline
- November 3, 1999 – NPRM for Privacy issued
- December 28/29, 2000 – Final Privacy Rule issued
- February 28, 2001 – Request for Comment on 12/28 Rule
- March 27, 2001 – NPRM for Privacy Rule issued
- August 14, 2002 – Final Rule for Privacy Rule issued
- April 14, 2003 – Privacy compliance date, large insurers & providers
- April 14, 2004 – Privacy compliance date, small insurers & providers
- April 20, 2005 – Security compliance date, large insurers & providers
- April 20, 2006 – Security compliance date, small insurers
- February 17, 2009 – American Recovery and Reinvestment Act of 2009
- 2009 – OCR assumes responsibility for security enforcement

A Short History of HIPAA and HITECH… ARRA-HITECH
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) included:
- Office of the National Coordinator for Health Information Technology (ONC); ONC Privacy Officer
- Establishment of the HIT Policy and Standards Committees
- Process for adoption of standards and implementation specifications
- Application and coordination of standards to federal departments and voluntary use of standards by private entities
- Establishment of federal health technology
- Use of NIST for testing
- Establishment of HIT research and development programs
- Incentives for the "meaningful" use of health information technology (supported by ARRA IV Medicare and Medicaid)

A Short History of HIPAA and HITECH… HITECH Subpart D – Privacy and Security
- Applied HIPAA security provisions to business associates; annual guidelines on security provisions
- Established notification in cases of breach
- Called for OCR education efforts
- Applied some HIPAA privacy provisions and penalties to business associates
- Restricted certain disclosures and sales of health information
- Required an accounting of certain PHI disclosures
- Required individual access to certain information in electronic format

A Short History of HIPAA and HITECH… HITECH Subpart D – Privacy and Security (continued)
- Further conditioned marketing and fundraising restrictions
- "Temporarily" established breach notification requirements for PHR vendors and other non-HIPAA covered entities [FTC]
- Added additional Business Associate contracts
- Clarified application of wrongful disclosure criminal penalties
- Increased enforcement actions
- Added standing reports and guidance

A Short History of HIPAA and HITECH… HITECH Subpart D first defines:
- Breach
- Personal Health Records
- Vendors of Personal Health Records
- Unsecure

A Short History of HIPAA and HITECH… Post-HITECH Legislation
Effective immediately:
- Application of certain HIPAA Security and Privacy regulations to Business Associates
- Revised civil money penalties
- State Attorneys General jurisdiction for HIPAA enforcement as defined by HITECH
- Minimum necessary – until guidance is issued

…and the Resulting Regulations – Notification in the Case of Breach
- Interim Final Rule – August 24, 2009; effective September 23, 2009
- FTC IFR – August 25, 2009; effective September 24, 2009
- Added Enforcement Interim Final Rule – October 30, 2009; effective November 30, 2009

…and the Resulting Regulations – Notice of Proposed Rule Making, HITECH Changes: July 14, 2010
HIPAA Omnibus Rule: Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under HITECH and GINA and Other Modifications to the Rule
- Final Rule – January 25, 2013; compliance by September 23, 2013, with some contractual changes by October 23, 2014

…and the Resulting Regulations – HIPAA Omnibus Rule: Key Concepts
- Business Associates
- Compliance
- Breach Notification – Risk Assessment
- Nondisclosure to health plans
- Added limits on disclosure
- Genetic health information use – applies to health plans
- Patient Access
- Penalties
- Workforce Training
- Notice of Privacy Practices

…and the Resulting Regulations – HIPAA Omnibus Rule: Business Associates (BAs)
- Now covered directly by HIPAA security and some privacy rules
- BA Subcontractors
- Business Associate Agreements
- Updated contracts and business practices: use of Protected Health Information; breaches – risk assessment; investigations
- Agents and Agency
- Workforce!

…and the Resulting Regulations – HIPAA Omnibus Rule: Breach Definition
The acts of acquisition, use or disclosure of unsecured protected health information (PHI) in violation of the privacy rule.
Not reportable if:
- Unintended, in good faith, with no future use
- Inadvertent and within job scope
- Information cannot be retained
- Secured or destroyed
- "…low probability of compromise" based on risk assessment
Document!

…and the Resulting Regulations – HIPAA Omnibus Rule: Nondisclosure to Health Plans
- Care cannot be denied
- Provider should educate consumer
- Provider sets the policy within other limitations
- Individual and entity must deal with future care issues: multiple providers; large staff – disclosure components; business associates; payments

…and the Resulting Regulations – HIPAA Omnibus Rule: Nondisclosure to Health Plans – Who's in your network?
- Facility systems
- Multiple "departments"
- Clinicians
- Associated networks
- Business Associates
- BA Subcontractors
- Plus: anyone that can "see" the information; anyone that the patient encounters "down the road"

…and the Resulting Regulations – HIPAA Omnibus Rule: Nondisclosure to Health Plans – Look for:
- Established policy, procedures, and processes
- EHR functions or indicators to meet the regulation – how do you flag?
- Consider: effects of data flow; impact on aggregated data; contracts with insurers; updates to BAAs
- Documented training
- Notice of Privacy Practices updated

…and the Resulting Regulations – HIPAA Omnibus Rule: Fund Raising Restrictions on Disclosures
- Department of service
- Outcome information
- Treating physician
- Health insurance status

…and the Resulting Regulations – HIPAA Omnibus Rule: Fund Raising Requirements
Opt-out option strengthened – must:
- Not be conditioned on treatment
- Be clear and conspicuous
- Not require significant burden on the patient
CE may not communicate for fund raising once the individual has decided to opt out. CE may provide a means to opt back in.

…and the Resulting Regulations – HIPAA Omnibus Rule: Marketing Uses and Disclosure
- An authorization is required for any communication about a product or service that encourages the patient/caregiver to purchase.
- Current exceptions: marketing communications related to treatment, or related to health-related products or services offered by the CE.
- Marketing communications where the CE receives financial remuneration from a 3rd party whose product it is selling/marketing must be disclosed.
- The new rules do not include subsidized refill reminders about a drug that is currently prescribed where remuneration reflects only the costs related to the communication.

…and the Resulting Regulations – HIPAA Omnibus Rule: Sale of Protected Health Information (PHI)
Covered entity may not receive remuneration in exchange for PHI… with exceptions (no limits):
- Treatment
- Payment
- Sale of CE and related due diligence
- Required Business Associate activities
- Research
- To an individual – access or accounting
- Other (cost-based fees)

…and the Resulting Regulations – HIPAA Omnibus Rule: Change related to Research*
- Approved use of "combined" and "unconditional" authorizations
  - Unconditional and combined authorizations must be differentiated
  - Unconditional authorizations must be opt-in and signed
- OCR change in approach to research:
  - Previous: authorization for research must specify study
  - Now: authorization permitted to allow for future research; authorization must specify a notice of potential future research
- New – Human Subjects Rules

…and the Resulting Regulations – HIPAA Omnibus Rule: Immunization Record Release
CEs may release student immunization records to schools without authorization, IF:
- State law requires schools to have immunization records for school attendance, and
- There is documented written or oral approval from the designated legal parent.

…and the Resulting Regulations – HIPAA Omnibus Rule: Decedent PHI can become public information
- An individual's health information is no longer covered by HIPAA protected health information requirements 50 years after the date of recorded death.
- However, there can be potential state laws, regulations, or facility policies.

…and the Resulting Regulations – HIPAA Omnibus Rule: Decedent information accessible to relatives/friends
An individual's health information may be disclosed to persons involved in the decedent's care, or for payment, IF:
- Not contrary to prior expressed preference or state law.

…and the Resulting Regulations – HIPAA Omnibus Rule: Genetic Nondiscrimination Information Restriction
- Genetic information is health information.
- Health plans (with the exception of long-term care plans) are not permitted to use or disclose genetic information for underwriting purposes.

…and the Resulting Regulations – HIPAA Omnibus Rule: Patient Rights and Access
At a patient/individual's request:
- Must provide form or format requested if readily producible
- If not readily producible and maintained in paper, then readable hard copy
- If not readily producible and maintained electronically, then electronic copy
- May charge for only labor and electronic media (subject to state requirements)

…and the Resulting Regulations – HIPAA Omnibus Rule: Patient Rights and Access (continued)
At a patient/individual's request for records or health information to be sent to a third party, the request must:
- Be in writing;
- Clearly identify the designated person; and
- Clearly identify where to send the copy.

…and the Resulting Regulations – HIPAA Omnibus Rule: Addition to Enforcement
- Penalties: willful neglect / reasonable cause
- Aggressive investigations
- OCR will work with CEs, but is also likely to levy meaningful penalties
- States: laws and regulations; attorney general actions related to HIPAA

…and the Resulting Regulations – HIPAA Omnibus Rule: Civil Penalties

HIPAA violation | Minimum penalty | Maximum penalty
Individual did not know (and by exercising reasonable diligence would not have known) | $100 per violation, annual maximum of $25,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million
Violation due to reasonable cause and not willful neglect | $1,000 per violation, annual maximum of $100,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million
Violation due to willful neglect, but corrected within the required time line | $10,000 per violation, annual maximum of $250,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million
Violation due to willful neglect and not corrected | $50,000 per violation, annual maximum of $1.5 million | $50,000 per violation, annual maximum of $1.5 million

…and the Resulting Regulations – HIPAA Omnibus Rule: Criminal Penalties

Tier | Potential jail sentence
Unknowingly or with reasonable cause | Up to one year
Under false pretenses | Up to five years
For personal gain or malicious reasons | Up to ten years
Plus fines up to $250,000

…and the Resulting Regulations – HIPAA Omnibus Rule: Notice of Privacy Practices
- Current and change information
- "Posting" in the facility and on the webpage
- Languages
- Restrictions
- Access
- Timing

…and the Resulting Regulations – Omnibus HITECH: What was not included and not yet submitted
- Accounting of Disclosures and Access
- Potential RFI/RFC
- Minimum Necessary guidance
- Distribution of funds coming from penalties or settlements to individuals harmed
- Reports

…and the Resulting Regulations – Omnibus HITECH: Other items related to HITECH to watch out for
- Meaningful Use
- Patient Access
- Security
- Systems changes!!!
- Consumer engagement

Current Environment and Atmosphere – What's immediately pending: Congress
- Cyber security
- Identity restrictions
- Genetic medicine
- 21st Century Cures Act (pending)
- Electronic health records and interoperability
- E-Mail Privacy Act (pending)
- ACA repeal

Current Environment and Atmosphere – What's immediately pending: White House
- Cyber security issues
- ACA advancement
- Health Information Exchange
- Ransomware (FBI)
- Precision healthcare (multi-agency)
- Triple Aim: improve health care; improve population health; lower cost and higher quality

Current Environment and Atmosphere – What's immediately pending: NCVHS
- HIPAA § 1179
- Review of HIPAA in general
- Patient matching
- Minimum Necessary guidelines
HIT Policy Committee Privacy and Security:
- Look at HIPAA and ONC long range plan
- ONC EHR/HIE Roadmap
- Patient matching

Current Environment and Atmosphere – HHS Office of Civil Rights (OCR)
- Regulations (Privacy 1996 / Security 2009)
- Guidance
- Education
- App Portal (FTC/FCC)
- Investigations: complaints; breaches; media reports
- Audits: Phase II
- Penalties: agreements; civil money penalties

Current Environment and Atmosphere – HHS Office of Civil Rights (OCR): HIPAA/HITECH Guidance
- Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework
- The Real HIPAA Supports Interoperability
- Understanding Individuals' Right under HIPAA to Access their Health Information
- Appropriate fees for copies
- On-going FAQs
NIST Guidance:
- Special Publication 800-38G, "Recommendation for Block Cipher Modes of Operation"

Current Environment and Atmosphere – HHS Office of Civil Rights (OCR): HIPAA Modification
Reporting of PHI to the National Instant Criminal Background Check System (NICS)
- Final Rule: January 6, 2016 (81 FR 382)
- Effective: February 5, 2016
- Modifies § 164.512(k)
- Applies to a limited number of Covered Entities; involuntary commitment; limited amount of PHI
- Question: get a legal reading

Current Environment - Breach
Study [FireEye – Breach Preparedness & Response Study]: What do you believe to be your organization's single weakest area of breach preparedness and response?
- 29%: In-house staff/skills to detect and respond
- 20%: Incident detection
- 17%: Technology tools to detect and respond
- 10%: Rapid response
- 8%: Breach response plan
- 8%: Post-breach response

Current Environment - Breach
Study [FireEye – Breach Preparedness & Response Study]: What do you believe must be your organization's top 3 breach response priorities for the coming year?
- 53%: Improve skills of existing team(s) dedicated to detecting/investigating breaches
- 47%: Improve user awareness education
- 43%: Implement technologies that help prevent breaches
- 39%: Implement technologies that help detect breaches
- 31%: Implement technologies that help investigate/scope/respond
- 29%: Develop and implement an incident response plan
- 27%: Improve centralized logging sources and/or technologies
- 25%: Increase headcount dedicated to detecting/investigating breaches

Current Environment - Breach
The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices – Study by Absolute (Minnesota example, 2012-2013)
- Minnesota AG HIPAA-HITECH settlement: $2.5 million
- Annual loss to the business: $23 – 25 million (for at least 2 years and up to 6 years)
- Class action settlement: $14 million
- Total number of records breached: 23,500
- Total cost per record: $2,000 – 6,000

Current Environment - Breach
[Figure slides without transcript text: IBM statistic; Forbes statistic; further breach statistics]

Current Environment - Breach – Are you prepared?
You will have a breach. Be prepared!
- HIPAA training and refreshers
- Your HIPAA team
- Your security team
- Your subcontractors / business associates
- New contracts / renewed contracts
- New hardware and software, including mobile devices

Current Environment - Breach – Be prepared!
- Audit – audit – audit
- Breach drills: workforce staff; business associates
- Consumer training
- Ongoing feedback
- Security: ongoing monitoring; alert to new threats; institute new tools
- Encryption!

Current Environment - Breach – Breach Risk Assessment includes:
- What was the information, and is its release "adverse to the individual"?
- To whom was it disclosed?
- Was the PHI actually acquired or reviewed?
- What was the extent of mitigation?
- Coordination with business associates

Current Environment - Breach – Breach reporting (ONC)
- Reported within 60 days (federal) if 500 or more
- Annual report (fewer than 500)
- Other reporting: when, where, and how do you contact the patient? When do you, and who, contacts the media? What will the patient know?
- Using a potential breach as a learning tool
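The breach definition, the four-factor risk assessment and the reporting thresholds above form one decision path, and the slides' "Document!" reminder is the point: every determination should leave a written record. The following is an added example, not code from the presentation or from Dan Rode & Associates. It models that path in Python: the "not reportable" exceptions from the breach definition, the four risk-assessment factors, and the 500-record / 60-day split. The field names, the conservative rule that any unfavourable factor means a presumed breach, and the sample incidents are all constructed for illustration; the deadline arithmetic uses the date of discovery as its start, which is an assumption.

```python
"""Breach notification decision record (added example; not from the presentation).

Decision path modelled from the slides:
  1. the rule reaches only *unsecured* PHI (secured or destroyed -> not reportable);
  2. the three "not reportable" exceptions in the breach definition;
  3. the four-factor risk assessment ("low probability of compromise");
  4. reporting path: 500 or more affected -> federal report within 60 days,
     fewer than 500 -> annual report.
Field names and the "any unfavourable factor = presumed breach" rule are
assumptions made for this example, not the text of the rule.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

FEDERAL_THRESHOLD = 500            # from the slides: 500 or more affected
FEDERAL_WINDOW = timedelta(days=60)  # from the slides: report within 60 days


@dataclass
class Incident:
    description: str
    discovered: date               # assumption: the 60-day clock starts here
    affected_count: int
    phi_secured: bool = False      # encrypted/destroyed per guidance
    # exceptions from the Omnibus breach definition
    unintended_good_faith: bool = False
    inadvertent_in_scope: bool = False
    cannot_retain: bool = False
    # four-factor risk assessment inputs
    adverse_to_individual: bool = True
    recipient_obligated: bool = False   # recipient is itself bound by HIPAA
    phi_actually_viewed: bool = True
    mitigated: bool = False


@dataclass
class Determination:
    reportable: bool
    reason: str
    path: str = "none"
    deadline: Optional[date] = None
    factors: dict = field(default_factory=dict)


def assess(inc: Incident) -> Determination:
    """Walk the decision path and return a determination fit for the breach log."""
    # Step 1: secured or destroyed PHI is outside the notification requirement.
    if inc.phi_secured:
        return Determination(False, "PHI was secured (encrypted or destroyed)")

    # Step 2: the three exceptions in the breach definition.
    exceptions = {
        "unintended, good-faith acquisition with no further use": inc.unintended_good_faith,
        "inadvertent disclosure within job scope": inc.inadvertent_in_scope,
        "recipient could not retain the information": inc.cannot_retain,
    }
    for label, applies in exceptions.items():
        if applies:
            return Determination(False, f"exception: {label}")

    # Step 3: four-factor risk assessment. True = factor weighs toward compromise.
    factors = {
        "information adverse to the individual": inc.adverse_to_individual,
        "recipient not bound by HIPAA": not inc.recipient_obligated,
        "PHI actually acquired or viewed": inc.phi_actually_viewed,
        "mitigation insufficient": not inc.mitigated,
    }
    if not any(factors.values()):
        return Determination(False, "low probability of compromise on all four factors",
                             factors=factors)

    # Step 4: presumed breach; choose the reporting path by affected count.
    if inc.affected_count >= FEDERAL_THRESHOLD:
        return Determination(True, "presumed breach", "federal report within 60 days",
                             inc.discovered + FEDERAL_WINDOW, factors)
    return Determination(True, "presumed breach", "annual report (fewer than 500)",
                         None, factors)


def log_line(inc: Incident, det: Determination) -> str:
    """One-line record for the breach log ("Document!")."""
    due = det.deadline.isoformat() if det.deadline else "n/a"
    return (f"{inc.discovered.isoformat()} | {inc.description} | affected={inc.affected_count} "
            f"| reportable={det.reportable} | path={det.path} | due={due} | {det.reason}")


if __name__ == "__main__":
    # Constructed sample incidents, not real events.
    samples = [
        Incident("laptop lost, full-disk encrypted", date(2016, 5, 1), 1200, phi_secured=True),
        Incident("unencrypted backup tape lost in transit", date(2016, 5, 1), 1200),
        Incident("fax of discharge summary to wrong clinic", date(2016, 5, 1), 1,
                 recipient_obligated=True, adverse_to_individual=False,
                 phi_actually_viewed=False, mitigated=True),
        Incident("misdirected mailing of 40 statements", date(2016, 5, 1), 40),
    ]
    for inc in samples:
        print(log_line(inc, assess(inc)))
```

Run it directly to print a log line per sample; in practice the `Determination` would be stored alongside the incident file so the reasoning behind a "not reportable" call survives an OCR investigation or audit.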

Current Environment – OCR Audit
OCR Phase 2 Audits are coming soon! ONC audits health information privacy, security, and breach notification compliance activities:
- Will include covered entities and business associates
- Are compliance tools for OCR, such as complaint investigations and reviews
- Identify best practices
- Proactively uncover and address risks and vulnerabilities
- Will review the policies and procedures adopted and employed to meet selected standards and implementation specifications
- Will primarily be desk audits

Current Environment – OCR Audit – 2016 Audit Initial Process
- Verification of an entity's address and contact information via e-mail (you are responsible for identifying the e-mail)
- Transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees
- This data will be used with other information to create potential audit subject pools
- Failure to respond to this request will result in OCR building its own profile from publicly available data

Current Environment – OCR Audit – OCR says it is:
- Committed to keeping the audit process on "pace"
- Transparent – in protocols and results
- Will update the protocol as needed to reflect HITECH requirements
- Would like Covered Entities and Business Associates to use the protocols for their own internal audits and assessments
- Will use Phase 2 audits to develop a permanent audit process

Current Environment – OCR Audit – OCR Audits: Sample based on
- Size of the entity
- Affiliation with other healthcare organizations
- Type of entity and its relationship to individuals; whether an organization is public or private
- Geographic factors
- Present enforcement activity with OCR
OCR will not audit entities with an open complaint investigation or currently undergoing a compliance review.

Current Environment – OCR Audit – Potential Auditees Pre-questionnaire
- Size
- Type
- Operations
- Identification of business associates and their contact information
OCR will conduct a random sample of entities in the audit pool; selected auditees will then be notified of their participation. If a covered entity or business associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

Current Environment – OCR Audit – Audit type
- Initial set – desk audits
- Second set – desk audits
- Third set – field audits (on site)
- Audits will include a covered entity and its business associates
- A desk audit may be followed by a field audit
- Audits will be based on all HIPAA (HITECH) privacy, security, and breach notification requirements

Current Environment – OCR Audit – Audit process
- Entities selected for an audit will be sent an e-mail notification
- Entities will be asked to provide documents and other data online via a new secure audit portal on OCR's website within 10 business days of the request
- Entities should be prepared for a site visit
- Auditors will review draft findings with the entity
- Entities will have the opportunity (10 days) to respond to these draft findings via written responses that will be included in the final report (approximately 30 days)
- The audit report will generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings

Current Environment – OCR Audit – Audit Protocol (current)
- "…analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate"
- Comprehensive – "contains the requirements to be assessed"
- "Organized around modules, representing separate elements of privacy, security, and breach notification"
- "Combination of these multiple requirements may vary based on the type of covered entity selected for review"

Current Environment – OCR Audit – Audit Protocol: current protocol covers
- Privacy Rule requirements for:
  - Notice of privacy practices for PHI
  - Rights to request privacy protection for PHI
  - Access of individuals to PHI
  - Administrative requirements
  - Uses and disclosures of PHI
  - Amendment of PHI
  - Accounting of disclosures
- Security Rule requirements for administrative, physical, and technical safeguards
- Breach Notification Rule

Current Environment – OCR Audit – Audit Protocol: General Instructions
1. Where the document says "entity," it means both covered entities and business associates unless identified as one or the other;
2. Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards;
3. The auditor will be provided certain documents and items for review; not necessarily all policies and procedures;

Current Environment – OCR Audit – Audit Protocol: General Instructions (continued)
4. Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request;
5. Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word or MS Excel formats;
6. If the requested number of documentations of implementation is not available, the entity must provide instances from previous years to complete the sample. If no documentation is available, the entity must provide a statement to that effect.

Current Environment – OCR Audit – Audit Protocol: General Instructions (continued)
7. Workforce members include entity employees, contractors, students, and volunteers; and,
8. Information systems include hardware, software, information, data, applications, communications, and people.

Current Environment – OCR Audit – Post Audit: audited entity
- Final audit report will be shared with the audited entity; however, the list of audited entities and final reports will not be made public (FOIA?)
- If a final report indicates a compliance issue, OCR may initiate a compliance investigation

Current Environment – OCR Audit – Post Audit: OCR will
- Review and analyze information from the final reports
- Improve its understanding of compliance efforts
- Use the audit reports to determine: what types of technical assistance should be developed; what types of corrective action would be most helpful; what tools and guidance are necessary to assist the industry in compliance self-evaluation and in preventing breaches

Current Environment – OCR Audit – OCR Audit Protocols
OCR website: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
Be prepared:
- Audit now
- Security audits
- Implementation specifications: Required v. Addressable
- DOCUMENTATION

Current Environment – SAMHSA
Substance Abuse and Mental Health Services Administration
Notice of Proposed Rule Making: February 8, 2016, Federal Register 81 FR 6988
Confidentiality of Substance Use Disorder Patient Records
- Proposal prompted by the need to update and modernize the regulations; the last update was in 1987
- Facilitating the electronic exchange of substance use disorder information for treatment and other legitimate health care purposes
- New and revised definitions
- Addresses disclosure and redisclosure
- 37 pages

Current Environment -- Security
- Integrity
- Required v Addressable
- Gap/Risk analysis – annual / periodic / other?
- Manual v Electronic
- Security tools, risks, and intelligence
  - Hacking
  - Ransomware
- Vigilance
- Privacy Officer involvement

Current Environment -- Training
Workforce training should cover:
- Workforce v Staff: "At our last series of HIPAA privacy and training meetings, we…"
- Gap analysis – what's changed – feedback
- Rule, procedure and policy changes
- General training v specifics
  - Requests for restrictions
  - Access to records
- Mandatory training
- Sign-in or sign-out

Current Environment and Atmosphere
What's happening now:
- Technology run amok
  - Cell phones – tablets – laptops – memory devices
  - Home monitoring equipment
  - Patient portals and PHRs
- Hacking
- "Wrong address"
- Merger of clinical, administrative, business, and BIG data
- Information governance
- Health Information Exchange: information in – information out – whose information?
- Breach

Current Environment and Atmosphere
What's coming:
- More audits:
  - Meaningful Use – Security (CMS/OIG)
  - Privacy & Security (OCR)
- Consumer demands:
  - Patient portals
  - Information sharing: patient to system – system to patient, et al.
- Patient matching – identifiers
- Other health information exchange, including BIG data
- Data and information sequestering
- More technology

What should a privacy or security officer be doing now?
Keep up with (watch and listen):
- Current regulations – ongoing check across the enterprise
- Watch/listen for pending changes or challenges in potential regulation
  - NCVHS and HIT Privacy Workgroup
- Breach notices and stories
- NIST releases (and simple security measures)
- OCR audit information and other notices
- Monitor workforce actions and activities
- Monitor contracts and business associate agreements

What should a privacy or security officer be doing now?
Keep up with:
- Active participation in enterprise information governance
- Ongoing security auditing and risk analysis – all technology
Planning:
- Breach strategic planning and workgroup – there will be a breach!
  - Monitoring team
  - Response team – who will do what, when, and how?
  - Back-ups for the team
  - Business associate breach
- Workforce training

What should a privacy or security officer be doing now?
Keep up with training and education:
- Workforce orientation
  - New hire / volunteer orientation
  - Ongoing reminders and annual retraining
- Security-related training
- Specialty training and awareness
- Patient training related to:
  - Patient portal access and use
  - Other technology
  - Consents and authorizations

What should a privacy or security officer be doing now?
Keep up with new technology and exchange:
- Home-based technologies
- Entity-based technologies
- Enterprise patient portal or sponsored PHR
- HIE within and external to the enterprise
Keeping up with change:
- Physical plant
- Patient areas
- Data and information sites

One last thought

Resources
- Office for Civil Rights (OCR-HHS): www.hhs.gov/ocr/privacy
- Office of the National Coordinator for Health Information Technology (ONC): www.healthit.gov
- Substance Abuse and Mental Health Services Administration: www.samhsa.gov/
- National Institute of Standards and Technology - Healthcare: www.healthcare.nist.gov
- Federal Register: www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR

Resources
- American Health Information Management Association: www.ahima.org
- American Hospital Association: www.aha.org/advocacy-issues/cybersecurity.shtml
- ARMA International (Association of Records Managers and Administrators): www.arma.org
- Health Care Compliance Association: www.hcca-info.org
- Healthcare Information and Management Systems Society (HIMSS): www.himss.org

Resources
- OCR Security Resources: www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- OCR – NIST Crosswalk: www.hhs.gov/sites/default/files/NIST%20CSF%20to%20HIPAA%20Security%20Rule%20Crosswalk%2002-22-2016%20Final.pdf
- OCR – Right to Access: www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
- ONC – Treatment Exchange: www.hhs.gov/sites/default/files/exchange_treatment.pdf

Resources
e-Publications:
- EHR Intelligence: www.ehrintelligence.com
- Government Security Enews: www.govinfosecurity.com
- Healthcare Law Today (Foley & Lardner LLP): www.healthcarelawtoday.com
- Health HIT Smart Brief: www.smartbrief.com
- Health IT News: www.digital.halldata.com

Resources
e-Publications (continued):
- Health Information Security: www.healthcareinfosecurity.com
- HealthIT Security: www.healthitsecurity.com
- Information Management: www.information-management.com

Resources
OCR Audit:
- Audit Protocol: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
- Audit Pre-Screening Questionnaire: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html
- BA Pre-Screening Questionnaire: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html

Questions and Comments
Dan Rode, MBA, CHPS, FHFMA, FAHIMA
Dan Rode & Associates
6405 Stonehaven Court, Clifton, Virginia 20124
T: 703-946-9388
E: danrode_associates@Verizon.net