Security and Privacy Requirements Beyond HIPAA Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS.


1 Security and Privacy Requirements Beyond HIPAA Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS

2 Objectives
Understand some of the potential impacts on information security and privacy of the new ARRA (stimulus bill) on covered entities and their business associates
Gain awareness and an understanding of the requirements for:
–FTC's Identity Theft Red Flags Rule
–PCI Data Security Standard (PCI DSS)
–Data breach disclosure laws
Copyright © 2009, Tom Walsh Consulting, LLC

3 Objectives (cont.)
Identify some potential sources of identity theft and data breaches
Determine who in your organization needs to be included, and the key departments, for your organization's (renewed) compliance efforts
Locate resources for additional information

4 a.k.a. Stimulus Bill

5 American Recovery and Reinvestment Act
Other names or references:
–ARRA
–Public Law
–H.R. 1
–Stimulus Bill
Date of enactment: February 17, 2009
–Key date for the timing of future deadlines
Appropriations Provisions – 16 Titles
–Title XIII – Health Information Technology
–Subtitle D – Privacy
Implications and future changes have yet to be fully comprehended

6 Brief History (Why is Privacy in the Stimulus Bill?)
1996 – HIPAA is passed; Congress has three years to enact medical privacy protection standards; fails to do so; too busy trying to impeach Bill Clinton; by default DHHS creates the Privacy standards
1998 (Aug) – Proposed HIPAA Security Rule is released for comment
1999 (Nov) – Proposed HIPAA Privacy Rule is released for comment
2000 (Dec) – Final HIPAA Privacy Rule is released; modified August 2002
2003 (Feb) – Final HIPAA Security Rule is released
2003 (Apr 14) – Deadline for compliance with the HIPAA Privacy Rule
2005 (Apr 20) – Deadline for compliance with the HIPAA Security Rule
No changes to the rules since the final release
What was the computing environment like back then versus now?

7 Promotion of Health Information Technology
Office of the National Coordinator (ONC) for Health Information Technology (HIT) (Section 3001)
–Chief Privacy Officer, appointed by the Secretary of HHS, to advise on privacy, security, and data stewardship
HIT Policy Committee (Section 3002)
–Appointed positions
–Makes recommendations for a nationwide health information technology infrastructure
HIT Standards Committee (Section 3003)
–Appointed positions
–Makes recommendations for the electronic exchange and use of health information

8 Privacy – Subtitle D
Section – Definitions of 18 terms
Many have the same definition as found in HIPAA, but unique to ARRA are:
–Breach
–Unsecured Protected Health Information
–Electronic Health Record (EHR)
–Personal Health Record (PHR)
–Vendor of Personal Health Record

9 New Definitions
Breach – in general terms, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information
Unsecured Protected Health Information – protected health information (PHI) that is not secured through the use of a technology or methodology specified by the Secretary

10 Breach
A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach
Notifications
–Who? What? How? (based upon the number of individuals affected)
–When? Must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach
Discovery – key concept: a breach is treated as discovered on the first day it is known, or "…should reasonably have been known…"

11 Breach – Non-Covered Entities
Includes vendors of PHRs
Includes third parties that provide services to a vendor of PHRs
Requirements for reporting breaches are the same as for covered entities, except that the notification is made to the Federal Trade Commission (FTC) rather than the Secretary of HHS
The FTC will also notify the Secretary of HHS

12 Business Associates
Application of Security Provisions (Section 13401)
HIPAA security now applies directly to Business Associates:
–§ Administrative Safeguards
–§ Physical Safeguards
–§ Technical Safeguards
–§ Policies and Procedures and Documentation Requirements

13 Business Associates
Business Associate Agreements (BAAs) will need to be updated to incorporate the HIPAA Security Rule requirements into the agreement
Must respond to Privacy noncompliance issues the same as a Covered Entity
Business Associates will now also be subject to the civil and criminal penalties for violating any of the security provisions

14 Disclosures
Secretary will issue guidance on "minimum necessary"
Accounting of Disclosures – HIPAA revision
–Old: …except for TPO (Treatment, Payment, and healthcare Operations)
–New: if the Covered Entity uses or maintains an electronic health record (EHR), the exception for Accounting of Disclosures for TPO no longer applies (Note: Disclosure vs. Use)
–Two deadlines, based upon when the EHR was implemented: January 2014 if the EHR was already in place on January 1, 2009; January 2011 if the EHR was acquired after that date

15 Enforcement
Clarification of Application of Wrongful Disclosures Criminal Penalties (Section 13409)
–Individuals can be prosecuted under HIPAA and ARRA
Improved Enforcement (Section 13410)
–Willful neglect by employees – can now be held liable
–State Attorneys General may bring civil actions
Audits (Section 13411)
–Periodic audits to ensure that covered entities and business associates comply with HIPAA and ARRA

17 Identity Theft Red Flags Rule
Implements sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)
Applies to financial institutions and creditors that hold any consumer account
Applies if a healthcare provider:
–Permits payment for services to be deferred
–Allows payment in multiple installments
Must comply by May 1, 2009

18 Things to Consider
Types of patient billing accounts
Methods used to allow installment payments (may be considered covered accounts)
How a covered account is accessed
–Example: web portal for patient bill paying
Previous incidents of identity theft
Privacy safeguards and security controls currently in place to protect an individual's identity and personal information (e.g., those already required by HIPAA)

20 PCI Security Standards Council, LLC
Responsible for the security standards
Formed in September 2006 by the five major credit card companies:
–Visa International
–MasterCard Worldwide
–American Express
–Discover Financial Services
–JCB International (Japan)

21 PCI Data Security Standard
12 requirements that must be followed
–State law in Minnesota; other states next?
If the merchant lacks adequate controls:
–May be fined (payments withheld)
–May be held liable for credit card losses
–Could lose merchant status – the ability to accept credit cards
Merchants fall into one of four merchant levels based on transaction volume over a 12-month period
–Regardless of level, all merchants must comply

22 PCI Terminology
Merchant – any business that accepts credit cards for payment
POS – Point of Sale terminal – used for swiping credit cards; usually connected to the bank via a modem
PAN – Primary Account Number – the card number itself; PCI DSS requires it to be masked when displayed and rendered unreadable (e.g., encrypted or truncated) wherever it is stored
CVV – Card Verification Value – the three-digit code printed on the signature panel on the back of the card (four digits on the front of American Express cards), used to authorize a transaction when the payment is not made in person; PCI DSS prohibits storing this code after authorization, even if encrypted

23 Conducting a PCI Self-Assessment
Determine the volume of transactions
Inventory where credit card transactions occur
Conduct a self-assessment
Remediate identified issues
Create a Credit Card Handling policy
Create, deliver, and document user training on Credit Card Handling
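The inventory step above is where most self-assessments go wrong: card numbers turn up in billing spreadsheets, e-mail and scanned refund forms that nobody listed as "where transactions occur". The following scanner is an added example written for this transcript, not code from the presentation or from the PCI Security Standards Council. It sweeps text for candidate Primary Account Numbers, keeps only those that pass the Luhn check (the checksum every PAN carries, which weeds out phone numbers and invoice references), reports them masked to the first six and last four digits that PCI DSS permits to be displayed, and separately flags a stored CVV, which PCI DSS forbids keeping after authorization. The sample text, the brand prefixes and the `Finding` record are constructed assumptions for the demonstration; the card numbers are the industry's published test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of text found on a billing file share.
# The card numbers are public test numbers (Visa, MasterCard, AmEx); the
# 16-digit "ref" on line 2 is a decoy that fails the Luhn check.
SAMPLE_TEXT = """\
Patient refund processed 2009-03-02 card 4111 1111 1111 1111 exp 11/11 cvv 123
Invoice 100234 total 84.50 ref 1234567890123456
Gift shop register batch: 5500000000000004, 378282246310005
Phone 913-555-0100, MRN 0000123456
"""

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A CVV/CVC label followed by a 3- or 4-digit code (assumed labelling style).
CVV_RE = re.compile(r"\bcv[vc]2?\s*[:=]?\s*(\d{3,4})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "PAN" (must be protected) or "CVV" (must not be stored)
    masked: str    # never the full value; findings get written to reports
    brand: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def guess_brand(pan: str) -> str:
    """Rough issuer identification from the leading digits (assumed ranges)."""
    if pan[0] == "4":
        return "Visa"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if "51" <= pan[:2] <= "55":
        return "MasterCard"
    if pan[:4] == "6011" or pan[:2] == "65":
        return "Discover"
    if pan[:2] == "35":
        return "JCB"
    return "unknown"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN and per labelled CVV, by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Digit runs that fail Luhn are left out; a stricter sweep would
            # also test shorter windows inside a long run.
            if luhn_ok(digits):
                findings.append(Finding(line_no, "PAN", mask_pan(digits), guess_brand(digits)))
        for _ in CVV_RE.finditer(line):
            # The code itself is never copied into the report.
            findings.append(Finding(line_no, "CVV", "***", "n/a"))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.kind} {f.masked} ({f.brand})")
```

Run against the sample, the scanner reports the Visa number and the stored CVV on line 1 and the MasterCard and American Express numbers on line 3, and stays silent on the phone number, the medical record number and the decoy reference that fails Luhn. Point it at exported mailboxes, scanned-form OCR output and database dumps during the inventory step; every hit is either a location that belongs in the PCI scope or data that should not exist at all.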

24 Key Departments – Workflows
Patient financial services (billing)
Admitting, registration, or cashier
Gift shop
Cafeteria
Outpatient services
–Pharmacy
–Durable medical equipment (DME) and other medical supplies
–Urgent care centers

26 State Data Breach Disclosure Laws
California – leading the way…
44 states now have some type of law
Wisconsin
–Act 138 requires notification in the event that personal information is lost or illegally accessed
–Office of Privacy Protection
Other Wisconsin resources:

28 Identity Theft in the Workplace
Some possible sources:
–Carelessness – loss of mobile computing devices
–Stealing (and in some cases, selling) employee records from their employer
–Conning information out of employees
–Unsecured data – paper or electronic
–Rummaging through trash
–Improper disposal or resale of computing devices and/or media
–Hacking into computers

29 Preventing Identity Theft
People, Processes, and Technology
Background and clearance checks on key employees
–System administrators
–Patient Financial Services or Patient Accounting
Proper handling and disposal of media
Encrypt data at rest and in transmission
Auditing and monitoring

31 Renewed Compliance Efforts
Corporate Compliance Officer
Privacy and Information Security Officer
Risk Management / Legal Counsel
Patient Access (Registration / Admitting)
Patient Financial Services (Accounting)
Others? ______

32 Governance, Risk, and Compliance (GRC)
[Diagram: JCAHO, Red Flags Rule, SOX, FISMA, PCI DSS, HIPAA, and ARRA feeding into one box]
= Governance framework for an information security program, for consistency in satisfying multiple regulations and requirements

34 Resources
An electronic copy of ARRA (PDF format): bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.txt.pdf
PCI Security Standards Council, LLC
PCI Frequently Asked Questions
FTC's Identity Theft Site
Identity Theft Resource Center

36 Summary
During this session we discussed:
Privacy and security highlights of the new ARRA (stimulus bill)
An awareness of:
–FTC's Identity Theft Red Flags Rule
–PCI Data Security Standard
–Data breach disclosure laws
Ideas for preventing identity theft
Renewed involvement for compliance
Resources for more information

37 Questions?

38 Tom Walsh, CISSP

39 Good News! Because of the current global economic crisis, hackers, creators of malicious code, spammers, and disgruntled former employees have all pledged to be compassionate to businesses and individuals by cutting back on their harmful and disruptive activities by at least 30%.

40 More Good News! Additionally, Congress has urged all American employees who still have a job to temporarily suspend any unauthorized activities that could disrupt or significantly impact businesses until after the current economic crisis has passed.

41 Even More Good News! It was announced yesterday that the United Nations overwhelmingly passed a measure, which can only be described as an extraordinary act of reconciliation: with Barack Obama now president of the United States, all nations vow to no longer harbor any hostilities toward the United States government and its people.

42 Sad Reality
While everything else in our economy is declining, threats to information security are on the rise
Desperate times result in desperate measures
–People are willing to do whatever it takes to ensure their own personal wellbeing
–Employees on the verge of being laid off, or former employees who recently lost their jobs, represent a significant threat to security

