Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013.


1 Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013

2 MU3 RFC Subgroup

Scope and Purpose: The subgroup will consider methods beyond attestation to call greater attention to existing HIPAA requirements, such as risk assessments, through the Meaningful Use program. It may also consider the effectiveness of the attestation process.

Members: John Houston, Dixie Baker, Leslie Francis, Wes Rishel, Deven McGraw, Paul Egerman

3 PSTT04 Summary: MU Attestation for Security Risks

What, if any, security risk issues (or Health Insurance Portability and Accountability Act (HIPAA) Security Rule provisions) should be subject to Meaningful Use attestation in Stage 3?

Question: Should this be in lieu of, or added to, the existing attestation requirements (completion of a security risk assessment and addressing encryption of data at rest)?

4 PSTT04 Summary: Straw Responses (1 of 2)

CMS should provide additional education, such as FAQs, to the MU community on the expectations and importance of conducting and documenting security risk assessments. Specifically:
- Expand FAQs to discuss the availability/use/benefits of third-party assessment tools and services, and of risk assessment checklists, particularly those developed by the regulators.
- Highlight also (for larger entities) the option/value of having internal auditors leverage OCR’s audit plan to conduct substantive pre-audits. Such approaches could provide entities with a higher level of assurance that certification and HIPAA Security Rule requirements have been met.

5 Straw Responses (2 of 2)

- Add accountability measures, such as identifying the individual(s) responsible for the security risk assessment and requiring signature(s) from these individuals.
- Link attestation to specific MU objectives, rather than presenting it as a single, stand-alone measure. Specifically:
  – Require attestation that a risk assessment has been performed on any new functionality provided as a result of deploying the 2014 MU criteria, which focus on exchange and interoperability between organizations, and on consumer engagement.
  – This approach could increase the likelihood that risk assessments are performed and strengthen the focus on information exchange.

6 BACK-UP: Query/Response

7 Overview of HIPAA Privacy & Security Rule Workforce Training Requirements & Findings of the HITECH Audit Program

David Holtzman, U.S. Department of Health and Human Services, Office for Civil Rights

8 Privacy Rule Workforce Training

- Covered entities must train all members of the workforce on the organization’s policies and procedures implemented to comply with the Privacy Rule.
- Scope/breadth of training commensurate with workforce functions or role.
- Document workforce member training.
- Additional training must be provided when there are material changes to the covered entity’s policies and procedures.

U.S. Department of Health and Human Services, Office for Civil Rights, May 8, 2013

9 Security Rule Training

- The Security Awareness and Training Standard requires covered entities and business associates to train each individual with access to e-PHI on the organization’s security measures, to reduce the risk of improper access, uses, and disclosures.
- Addressable implementation specifications require the CE/BA to put into place reasonable and appropriate measures to implement:
  – Periodic updates or security reminders
  – Procedures for guarding against malicious software
  – Monitoring log-in attempts and reporting discrepancies
  – Procedures for creating, changing and safeguarding passwords
- Scope/breadth/refresher training commensurate with functions or role.

10 Summary of Entities Audited

Level 1 Entities: Large Provider / Payer. Extensive use of HIT; complicated HIT-enabled clinical/business work streams. Revenues and/or assets greater than $1 billion.

Level 2 Entities: Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company. Paper and HIT-enabled work flows. Revenues and/or assets between $300 million and $1 billion.

Level 3 Entities: Community hospitals, outpatient surgery, regional pharmacy / All self-insured entities that don’t adjudicate their claims. Some but not extensive use of HIT; mostly paper-based workflows. Revenues between $50 million and $300 million.

Level 4 Entities: Small Providers (10 to 50 provider practices, community or rural pharmacy). Little to no use of HIT; almost exclusively paper-based workflows. Revenues less than $50 million.

11 Size/Type of Entities Audited

                           Level 1  Level 2  Level 3  Level 4  Total
Health Plans                    13       12       11       11     47
Healthcare Providers            11       16       10       24     61
Healthcare Clearinghouses        2        3        1        1      7
Total                           26       31       22       36    115

Data as of December 2012.

12 Overall Findings & Observations

- No findings or observations for 13 entities (11%): 2 Providers, 9 Health Plans, 2 Clearinghouses.
- Security accounted for 60% of the findings and observations, although only 28% of the potential total.
- Providers had a greater proportion of findings & observations (65%) than reflected by their proportion of the total set (53%).
- Smaller, Level 4 entities struggle with all three areas.

NIST / OCR, May 22, 2013

13 Types of Privacy Rule Audit Findings

Data as of December 2012.

14 Privacy Administrative Elements

15 Security Results

- 58 of 59 providers had at least one Security finding or observation.
- No complete & accurate risk assessment in two thirds of entities: 47 of 59 providers, 20 out of 35 health plans and 2 out of 7 clearinghouses.
- Security addressable implementation specifications: almost every entity without a finding or observation had met them by fully implementing the addressable specification.

16 Types of Security Rule Audit Findings

Data as of December 2012.

