Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013.

Presentation transcript:

Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013

MU3 RFC Subgroup
Scope and Purpose: The subgroup will consider methods beyond attestation to call greater attention to existing HIPAA requirements, such as risk assessments, through the Meaningful Use program. It may also consider the effectiveness of the attestation process.
Members: John Houston, Dixie Baker, Leslie Francis, Wes Rishel, Deven McGraw, Paul Egerman

PSTT04 Summary: MU Attestation for Security Risks
What, if any, security risk issues (or Health Insurance Portability and Accountability Act (HIPAA) Security Rule provisions) should be subject to Meaningful Use attestation in Stage 3?
Question: Should this be in lieu of, or added to, the existing attestation requirements (completion of security risk assessment and addressing encryption of data at rest)?

PSTT04 Summary: Straw Responses (1 of 2)
CMS should provide additional education, such as FAQs, to the MU community on the expectations and importance of conducting and documenting security risk assessments. Specifically:
– Expand FAQs to discuss the availability/use/benefits of third-party assessment tools and services, and of risk assessment checklists, particularly those developed by the regulators.
– Highlight also (for larger entities) the option/value of having internal auditors leverage OCR's audit plan to conduct substantive pre-audits.
Such approaches could provide entities with a higher level of assurance that certification and HIPAA Security Rule requirements have been met.

Straw Responses (2 of 2)
Add accountability measures, such as identifying the individual(s) who is/are responsible for the security risk assessment and requiring signature(s) from these individuals.
Link attestation to specific MU objectives, rather than present as a single, stand-alone measure. Specifically:
– Require attestation that a risk assessment has been performed on any new functionality provided as a result of deploying the 2014 MU criteria, which focus on exchange and interoperability between organizations, and consumer engagement.
– This approach could increase the likelihood that risk assessments are performed and strengthen the focus on information exchange.

BACK-UP: Query/Response

Overview of HIPAA Privacy & Security Rule Workforce Training Requirements & Findings of the HITECH Audit Program
David Holtzman, U.S. Department of Health and Human Services, Office for Civil Rights

Privacy Rule Workforce Training
Covered entities must train all members of the workforce on the organization's policies and procedures implemented to comply with the Privacy Rule
Scope/breadth of training commensurate with workforce functions or role
Document workforce member training
Additional training must be provided when there are material changes to the covered entity's policies & procedures
U.S. Department of Health and Human Services, Office for Civil Rights May 8, 2013 page 8

Security Rule Training
The Security Awareness and Training Standard requires covered entities and business associates to train each individual with access to e-PHI on the organization's security measures, to reduce the risk of improper access, uses, and disclosures
Addressable implementation specifications require the CE/BA to put into place reasonable and appropriate measures to implement:
– Periodic updates or security reminders
– Procedures for guarding against malicious software
– Monitoring log-in attempts and reporting discrepancies
– Procedures for creating, changing and safeguarding passwords
Scope/breadth/refresher training commensurate with functions or role

Summary of Entities Audited
Level 1 Entities: Large Provider / Payer. Extensive use of HIT - complicated HIT-enabled clinical/business work streams. Revenues and/or assets greater than $1 billion.
Level 2 Entities: Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company. Paper and HIT-enabled work flows. Revenues and/or assets between $300 million and $1 billion.
Level 3 Entities: Community hospitals, outpatient surgery, regional pharmacy / All self-insured entities that don't adjudicate their claims. Some but not extensive use of HIT – mostly paper-based workflows. Revenues between $50 million and $300 million.
Level 4 Entities: Small Providers (10 to 50 provider practices, community or rural pharmacy). Little to no use of HIT – almost exclusively paper-based workflows. Revenues less than $50 million.

Size/Type of Entities Audited
(Table: rows Health Plans, Healthcare Providers, Healthcare Clearinghouses, Total; columns Level 1, Level 2, Level 3, Level 4, Total. The cell values are not present in the transcript.)
Data as of December 2012.

Overall Findings & Observations
No findings or observations for 13 entities (11%): 2 Providers, 9 Health Plans, 2 Clearinghouses
Security accounted for 60% of the findings and observations, although only 28% of the potential total
Providers had a greater proportion of findings & observations (65%) than reflected by their proportion of the total set (53%)
Smaller, Level 4 entities struggle with all three areas
NIST / OCR May 22,

Types of Privacy Rule Audit Findings
Data as of December 2012.

Privacy Administrative Elements

Security Results
58 of 59 providers had at least one Security finding or observation
No complete & accurate risk assessment in two thirds of entities: 47 of 59 providers, 20 out of 35 health plans and 2 out of 7 clearinghouses
Security addressable implementation specifications: almost every entity without a finding or observation met the standard by fully implementing the addressable specification.

Types of Security Rule Audit Findings
Data as of December 2012.