Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security Risk Assessment (SRA)

Published byAlan Leo Leonard Modified over 4 years ago

Similar presentations

Presentation on theme: "HIPAA Security Risk Assessment (SRA)"— Presentation transcript:

1 HIPAA Security Risk Assessment (SRA)
Dan Friedrich, CISSP Director, Center for Advancement of Health IT Dakota State University

2 Objectives Discuss QPP and HIPAA Requirements for a SRA Define what constitutes a Risk Identify the elements of a SRA

3 SRA and the Quality Payment Program

4 Required by Promoting Interoperability
sition%20Measure%20Specifications/2018.MIPS %20ACI%20Transition%20Measure_Security%2 0Risk%20Analysis.pdf • Required for Base Score: Yes • Percentage of Performance Score: N/A • Eligible for Bonus Score: No Note: MIPS eligible clinicians must fulfill the requirements of base score measures to earn a base score in order to earn any score in the Advancing Care Information performance category. In addition to the base score, eligible clinicians have the opportunity to earn additional credit through the submission of performance measures and a bonus measure and/or activity.

5 Timing for QPP It is acceptable for the security risk analysis to be conducted outside the MIPS performance period; the analysis must be unique for each MIPS performance period, the scope must include the full MIPS performance period, and must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).

6 SRA and the Quality Payment Program
Objective: Protect Patient Health Information Measure: Security Risk Analysis Conduct or review a security risk analysis in accordance with the requirements in 45 CFR (a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process. Measure ID: ACI_TRANS_PPHI_1

7 SRA and the Quality Payment Program
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR (a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT)

8 SRA and the Quality Payment Program
in accordance with requirements in 45 CFR (a)(2)(iv) and 45 CFR (d)(3), (iv)Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. (3) When a standard adopted in § , § , § , § , or §  includes addressableimplementation specifications, a covered entity or business associate must - (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and (ii) As applicable to the covered entity or business associate - (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate - $(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and $(2) Implement an equivalent alternative measure if reasonable and appropriate. Addressable Optional

9 SRA and the Quality Payment Program
And finally implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.

10 SRA and the Quality Payment Program
Objective: Protect Patient Health Information Measure: Security Risk Analysis Conduct or review a security risk analysis in accordance with the requirements in 45 CFR (a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process. Measure ID: ACI_TRANS_PPHI_1

11 HIPAA SRA Requirements
(a)(1)(ii)(A) Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

12 Assessment VS Mitigation
Identify assets Identify specific threats to those assets Provide some way of prioritizing Help determine residual risk Reduce Transfer Accept Reject Efforts to reduce or eliminate Probability Severity Of a threat HIPAA/HITECH Security Checklist NIST Others

13 The Threat Relationship
Can’t Control Can Control Must Understand Threat agent Threat Vulnerability Risk Asset Exposure Countermeasure

14 Qualitative vs Quantitative
Quantitative Assessment Cons: Exhaustive, costly, time-consuming Pros: Identify greatest risk based on financial impact Qualitative Assessment Cons: Subjective, value of loss not quantified Pros: More common, quicker to complete, focus is on understanding the risk Hybrid

15 Qualitative & Quantitative tools
Delphi Technique: risk brainstorming – identify, analyze, evaluate risk on individual and anonymous basis. Structured What-If Technique (SWIFT): team-based approach – uses “What If” considerations. Quantitative Less often used in Healthcare. Financial sector, chemical process industry, explosives industry

16 Security Risk Assessment Scope
Includes potential risks and vulnerabilities to the confidentiality, availability and integrity of ALL EPHI that an organization creates, receives, maintains, or transmits. [ (a)] **REMEMBER** EPHI IS more than medical records Billing information Appointment information Insurance claims information Reports What am I forgetting?

17 Risk Assessment Perspective
Administrative Controls Physical Controls Technical Controls Patient Information

18 Where to look for EPHI

19 Elements of a Security Risk Assessment Identify and Document Potential Threats and Vulnerabilities
Identify and document reasonably anticipated threats to EPHI: Unique to circumstances of environment If exploited create risk of inappropriate access or disclosure

20 Elements of a Security Risk Assessment Assess Current Security Measures
Assess and document security measures used to safeguard EPHI, whether already in place, and if configured and used properly. Will vary among organizations Small orgs – fewer variables to deal with Large orgs – many variables Workforce IT systems Locations

21 Document Business Associate Agreements
Business Associates were (are) focus of OCR during Phase II audits OCR requested specific information 27 data elements Business Associate Name, type of service,

22 Questions?

23 THANK YOU Dan Friedrich, CISSP Director, Center for the Advancement of Health IT Dakota State University (605)

Download ppt "HIPAA Security Risk Assessment (SRA)"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.

HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.
Health information security & compliance

Health information security & compliance
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Company LOGO Data Privacy HIPAA Training. Progress Diagram Function in accordance Apply your knowledge Learn the Basics Orientation Evaluation Training.

Company LOGO Data Privacy HIPAA Training. Progress Diagram Function in accordance Apply your knowledge Learn the Basics Orientation Evaluation Training.

Similar presentations

Ads by Google