HIPAA Security Risk Assessment (SRA)

Slides:

Advertisements

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Advertisements

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.

Health information security & compliance

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Company LOGO Data Privacy HIPAA Training. Progress Diagram Function in accordance Apply your knowledge Learn the Basics Orientation Evaluation Training.

Medicaid EHR Incentive Program For Eligible Professionals Overview of the Proposed 2015 Modification Rule Kim Davis-Allen Outreach Coordinator

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

2012 Audits of Covered Entity Compliance with HIPAA Privacy, Security and Breach Notification Rules Initial Analysis February 2013.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Meaningful Use Security Risk Assessment (SRA): Resources for Eligible Professionals (EPs) Kim Bell, MHA, FACHE, PCMH-CCE Executive Director Georgia Health.

© 2011 Underwriters Laboratories Inc. All rights reserved. This document may not be reproduced or distributed without authorization. ASSET Safety Management.

Risk Management in the Built Environment Qualitative and Quantitative Risk Management By Professor Simon Burtonshaw-Gunn – licensed under the Creative.

Meaningful Use Security Risk Analysis Passing Your Audit.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Eliza de Guzman HTM 520 Health Information Exchange.

© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.

MU and HIPAA Compliance 101 Robert Morris VP Business Services Ion IT Group, Inc

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

1 HIPAA Administrative Simplification Standards Yesterday, Today, and Tomorrow Stanley Nachimson CMS Office of HIPAA Standards.

Working with HIT Systems

Energize Your Workflow! ©2006 Merge eMed. All Rights Reserved User Group Meeting “Energize Your Workflow” May 7-9, Security.

Welcome….!!! CORPORATE COMPLIANCE PROGRAM Presented by The Office of Corporate Integrity 1.

Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.

1 © CHC Healthcare Solutions 2004 All rights reserved HIPAA Issues for Counties – PHI, Prisoners, Disaster Preparedness and Homeland Security March 9,

HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

HIPAA Guidance API Security Task Force February 22, 2016 Office for Civil Rights 1.

Functioning as a Business Associate Under HIPAA William F. Tulloch Director, PCBA March 9, 2004.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

HIPAA Yesterday, Today and Tomorrow? Dianne S. Faup Office of HIPAA Standards Centers for Medicare & Medicaid Services.

By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.

1 HIPAA’s Impact on Depository Financial Institutions 2 nd National Medical Banking Institute Rick Morrison, CEO Remettra, Inc.

Community Health Center Security Risk Management

Moving Health Information In An Emergency

In-depth look at the security risk analysis

Overview Introduction Meaningful Use Objective for Security Key Security Areas and Measures Best Practices Security Risk Analysis (SRA) Action Plan Demonstration.

CHAPTER11 Project Risk Management

Modified Stage 2 Meaningful Use: Objective #1 – Protect Electronic Health Information July 5, 2016 Today’s presenter: Al Wroblewski, PCMH CCE, Client.

Paul T. Smith Davis Wright Tremaine LLP

Internal control - the IA perspective

Disability Services Agencies Briefing On HIPAA

Modified Stage 2 Meaningful Use: Objective #1 – Protect Electronic Health Information July 5, 2016 Today’s presenter: Al Wroblewski, PCMH CCE, Client.

The Practical Side of Meaningful Use:

HIPAA Security Standards Final Rule

Drew Hunt Network Security Analyst Valley Medical Center

THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,

HIPAA Security A Quantitative and Qualitative Risk Assessment

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

2019 MIPS Promoting Interoperability

Presentation transcript:

HIPAA Security Risk Assessment (SRA) Dan Friedrich, CISSP Director, Center for Advancement of Health IT Dakota State University

Objectives Discuss QPP and HIPAA Requirements for a SRA Define what constitutes a Risk Identify the elements of a SRA

SRA and the Quality Payment Program

Required by Promoting Interoperability https://qpp.cms.gov/docs/pi_specifications/Tran sition%20Measure%20Specifications/2018.MIPS %20ACI%20Transition%20Measure_Security%2 0Risk%20Analysis.pdf • Required for Base Score: Yes • Percentage of Performance Score: N/A • Eligible for Bonus Score: No Note: MIPS eligible clinicians must fulfill the requirements of base score measures to earn a base score in order to earn any score in the Advancing Care Information performance category. In addition to the base score, eligible clinicians have the opportunity to earn additional credit through the submission of performance measures and a bonus measure and/or activity.

Timing for QPP It is acceptable for the security risk analysis to be conducted outside the MIPS performance period; the analysis must be unique for each MIPS performance period, the scope must include the full MIPS performance period, and must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).

SRA and the Quality Payment Program Objective: Protect Patient Health Information Measure: Security Risk Analysis Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process. Measure ID: ACI_TRANS_PPHI_1

SRA and the Quality Payment Program Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT)

SRA and the Quality Payment Program in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), (iv)Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. (3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressableimplementation specifications, a covered entity or business associate must - (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and (ii) As applicable to the covered entity or business associate - (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate - $(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and $(2) Implement an equivalent alternative measure if reasonable and appropriate. Addressable Optional

SRA and the Quality Payment Program And finally implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

SRA and the Quality Payment Program Objective: Protect Patient Health Information Measure: Security Risk Analysis Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process. Measure ID: ACI_TRANS_PPHI_1

HIPAA SRA Requirements 164.308(a)(1)(ii)(A) Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

Assessment VS Mitigation Identify assets Identify specific threats to those assets Provide some way of prioritizing Help determine residual risk Reduce Transfer Accept Reject Efforts to reduce or eliminate Probability Severity Of a threat HIPAA/HITECH Security Checklist NIST 800-53 Others

The Threat Relationship Can’t Control Can Control Must Understand Threat agent Threat Vulnerability Risk Asset Exposure Countermeasure

Qualitative vs Quantitative Quantitative Assessment Cons: Exhaustive, costly, time-consuming Pros: Identify greatest risk based on financial impact Qualitative Assessment Cons: Subjective, value of loss not quantified Pros: More common, quicker to complete, focus is on understanding the risk Hybrid

Qualitative & Quantitative tools Delphi Technique: risk brainstorming – identify, analyze, evaluate risk on individual and anonymous basis. Structured What-If Technique (SWIFT): team-based approach – uses “What If” considerations. Quantitative Less often used in Healthcare. Financial sector, chemical process industry, explosives industry

Security Risk Assessment Scope Includes potential risks and vulnerabilities to the confidentiality, availability and integrity of ALL EPHI that an organization creates, receives, maintains, or transmits. [164.306(a)] **REMEMBER** EPHI IS more than medical records Billing information Appointment information Insurance claims information Reports What am I forgetting?

Risk Assessment Perspective Administrative Controls Physical Controls Technical Controls Patient Information

Where to look for EPHI

Elements of a Security Risk Assessment Identify and Document Potential Threats and Vulnerabilities Identify and document reasonably anticipated threats to EPHI: Unique to circumstances of environment If exploited create risk of inappropriate access or disclosure

Elements of a Security Risk Assessment Assess Current Security Measures Assess and document security measures used to safeguard EPHI, whether already in place, and if configured and used properly. Will vary among organizations Small orgs – fewer variables to deal with Large orgs – many variables Workforce IT systems Locations

Document Business Associate Agreements Business Associates were (are) focus of OCR during Phase II audits OCR requested specific information 27 data elements Business Associate Name, type of service,

Questions?

THANK YOU Dan Friedrich, CISSP Director, Center for the Advancement of Health IT Dakota State University Dan.Friedrich@dsu.edu (605) 256 5555