
Information Risk Management Key Component for HIPAA Security Compliance



1. Information Risk Management: Key Component for HIPAA Security Compliance
   Ann Geyer, Tunitas Group, 209-754-9130, ageyer@tunitas.com, www.tunitas.com

2. Federal Law Mandates Security Controls for Health Information
   • HIPAA statutory requirement (1996)
     - General requirement to safeguard all PHI
     - Framework for security regulation
   • Privacy Rule (2003)
     - General requirement for administrative, physical, and technical safeguards
     - Covers all PHI (paper, electronic, spoken)
     - Emphasis on patient rights and appropriate use
   • Security Rule (2005)
     - Specific standards and implementation specifications
     - Covers electronic PHI only
     - Emphasis on confidentiality, integrity, and availability

3. Information Subject to the Security Rule
   • Electronic Protected Health Information (EPHI)
     - EPHI is PHI that is electronically maintained or transmitted by a Covered Entity (CE)
     - PHI is any individually identifiable information about a patient that is created, received, processed, or stored by a health plan, clearinghouse, or healthcare provider (or their business associates)
   • Not included
     - Any PHI that is not stored electronically, and
     - Information that was not in electronic form prior to transmission (e.g. oral communications, telephone conversations, paper faxes, film images)

4. HIPAA Security Purpose
   • Ensure confidentiality, integrity (authenticity), and availability
   • Information security is now a patient safety requirement
   • Elevate information risk management to the level of other compliance areas

5. HIPAA Security Rule
   • General Rule, §164.306(a): Covered Entities must
     1. Ensure the confidentiality, integrity [authenticity], and availability of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
     2. Protect against any reasonably anticipated threats or hazards to the security or integrity [authenticity] of EPHI
     3. Protect against any reasonably anticipated uses or disclosures of EPHI that are prohibited by the HIPAA Privacy Rule
     4. Ensure compliance by the workforce

6. General Rule Significance
   • Congress intends the Rule to set a high standard
     - "Ensure" means to "make inevitable"
   • But the Rule also permits flexibility, §164.306(b)
     - A CE may use any measures that implement the Rule's requirements, and
     - A CE must take into account certain factors:
       · Size, complexity, and capabilities
       · Technical infrastructure, hardware and software security capabilities
       · Costs of security measures
       · Probability and criticality of potential risks

7. Acceptable Level of Risk
   • A CE must use a formal risk analysis methodology to determine the acceptable level of risk
   • The flexibility in §164.306(b) does not excuse undue risk; each permissive reading has a required counterpart:
     - A CE can live within the limits of existing information system capabilities, or
       current limitations that permit undue risks must be changed
     - The risk mitigation costs too much, or
       the CE did not allocate sufficient budget to address the risk
     - A CE can reject security measures that are too complex, or
       the CE must develop the skills and experience to apply the best available measures

8. Security Compliance
   • Compliance means a well designed and integrated Information Risk Management program
   • Necessary to demonstrate understanding of the risks to EPHI
   • A CE must conduct an "accurate and thorough assessment of the potential risks and vulnerabilities", §164.308(a)(1)(ii)(A)
   • Non-compliant if
     - Not thorough: failure to consider all significant threats
     - Not accurate: failure to adequately estimate the likelihood or impact of a threat
     - Not responsive: failure to mitigate risk to an acceptable level

9. Information Risk Management: Risk Analysis
   • Program components
     1. Risk Assessment
        - Determine the risk level
     2. Risk Mitigation
        - Identify how risk will be reduced to an acceptable level
     3. Information Management Policy and Procedures
        - A combination of privacy and security policy that accomplishes the following:
          · Prevents PHI use or disclosure without authorization
          · Prevents PHI modification or tampering that could result in integrity/authenticity or availability issues
          · Ensures the workforce is trained, supervised, monitored, and appropriately sanctioned
          · Ensures the organization is able to monitor PHI activity to determine when and how a compromise has occurred
          · Ensures known risks are appropriately addressed

10. Information Risk Management
   • Program components (continued)
     4. Standards
        - Establish minimum security control sets based on risk classification
        - Develop a process for requesting and approving deviation from a required control set
     5. Audit and/or Re-assessment
        - Periodically evaluate whether safeguards and minimum control sets are still effective
        - Determine whether a new risk assessment is warranted
        - Audit high-risk areas, known problem areas, new technology, new applications
     6. Management Review
        - Objective and conflict-free
        - Focused on acceptable risk
        - Clearly considers patient safety and confidentiality factors

11. Information Risk Management
   • What is acceptable risk?
     - The Rule says acceptable risk is that which satisfies the General Rule, §164.306(a)
     - There is no objective standard; the organization must rely on industry best practices and its own determination of risk and consequences
   • Key organizational requirements
     - Understand how information security failures impact the organization:
       · Patient care and safety
       · Revenue lifecycle
       · Management and financial functions
       · Operations and workflow
       · Compliance, risk management, legal

12. Risk-based Business Decisions
   • Would you manage differently if you knew that PHI would be compromised?
   • HIPAA expects PHI to be treated as securely as financial or tax information
   • Healthcare organizations will be evaluated on the basis of how well they manage their fiduciary responsibilities to protect patient information
   • Electronic PHI is becoming the norm
     - Email and data transfer
     - EMR, CPOE, e-prescriptions, PAMF online for patients, Sutter's virtual ICU
   • Securing EPHI has to become as important as paper-based records management

13. Conducting a Risk Analysis
   • Risk Assessment
     - Impact Analysis (Business Manager)
       · What is the business impact of a loss of confidentiality, integrity, or availability?
     - Exposure and Controls (Technical Manager)
       · Where is the system located?
       · What are the big-picture exposures?
       · What security controls are in place?

14. Conducting a Risk Analysis
   • Risk Mitigation
     - Risk Characterization (Security, Compliance, Risk Management, or other management)
       · The greatest impact determines the required security level
       · The security level determines the required control set
       · Risk is mitigated by the implementation of a control
       · Missing controls create unaddressed risk
     - Organizational risk decisions
       · Accept the risk (do not implement a control)
       · Mitigate the risk (fix a missing control)
       · Reduce the exposure (isolate the system)
       · Reduce the impact (reduce dependency)
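The characterization logic on slides 13 and 14 (greatest impact sets the security level, the level selects a control set, missing controls are unaddressed risk, and the four decisions a manager can take) is mechanical enough to model. The following is an added example and not code from the presentation or from Tunitas Group. The three-step rating scale, the control identifiers, the mapping from level to control set, and the way "reduce the exposure" is modelled (as implementing a segmentation control) are all assumptions invented for the illustration; a real CE would take its control sets from its own standards (slide 10). The sample system and its impact ratings are constructed, not real data.

```python
from dataclasses import dataclass, field

RATING = {"low": 1, "moderate": 2, "high": 3}

# Hypothetical cumulative minimum control sets per security level (invented IDs,
# not from the slides and not from any HIPAA control catalogue).
CONTROL_SETS = {
    "low": {"unique-user-id", "role-based-access", "audit-logging"},
    "moderate": {"unique-user-id", "role-based-access", "audit-logging",
                 "encryption-at-rest", "tested-backups"},
    "high": {"unique-user-id", "role-based-access", "audit-logging",
             "encryption-at-rest", "tested-backups", "encryption-in-transit",
             "network-segmentation", "integrity-monitoring"},
}


@dataclass
class Assessment:
    system: str
    impact: dict      # property -> rating, from the business manager's impact analysis
    controls: set     # controls the technical manager confirmed are in place
    accepted: set = field(default_factory=set)  # missing controls management formally accepted


def security_level(impact):
    """Greatest impact across confidentiality/integrity/availability sets the level."""
    return max(impact.values(), key=RATING.__getitem__)


def characterize(a):
    """Level -> required control set; a missing control is unaddressed risk unless
    management has explicitly accepted it (a documented decision, not an oversight)."""
    level = security_level(a.impact)
    required = CONTROL_SETS[level]
    missing = required - a.controls
    return {"level": level, "required": required, "missing": missing,
            "unaddressed": missing - a.accepted}


def decide(a, decision, control=None, prop=None, rating=None):
    """Apply one of the four organizational risk decisions from slide 14."""
    if decision == "accept":              # accept the risk: do not implement the control
        a.accepted.add(control)
    elif decision == "mitigate":          # mitigate the risk: fix the missing control
        a.controls.add(control)
    elif decision == "reduce_exposure":   # isolate the system; modelled here (assumption)
        a.controls.add("network-segmentation")  # as implementing the segmentation control
    elif decision == "reduce_impact":     # reduce dependency: lower one impact rating,
        a.impact[prop] = rating           # which can lower the level and shrink the set
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return characterize(a)


def build_example():
    """Constructed sample (not real data): an interface carrying lab results."""
    return Assessment(
        system="lab-results-interface",
        impact={"confidentiality": "high", "integrity": "moderate", "availability": "low"},
        controls={"unique-user-id", "role-based-access", "audit-logging", "encryption-at-rest"},
    )


def walk_through():
    """Take the sample through a sequence of decisions; return (name, result) pairs."""
    a = build_example()
    steps = [("initial", characterize(a))]
    steps.append(("mitigate", decide(a, "mitigate", control="encryption-in-transit")))
    steps.append(("reduce_exposure", decide(a, "reduce_exposure")))
    steps.append(("accept", decide(a, "accept", control="tested-backups")))
    # Lowering the confidentiality impact (say, the interface now carries only
    # de-identified results) drops the level to moderate and shrinks the required set.
    steps.append(("reduce_impact",
                  decide(a, "reduce_impact", prop="confidentiality", rating="moderate")))
    return steps


if __name__ == "__main__":
    for name, r in walk_through():
        print(f"{name:16s} level={r['level']:9s} missing={sorted(r['missing'])} "
              f"unaddressed={sorted(r['unaddressed'])}")
```

Two points the walk-through makes that the bullets only state: an accepted control still shows up as "missing" in the gap report, so the audit step on slide 10 can re-examine the acceptance later, and "reduce the impact" is the only decision that changes the required control set rather than the implemented one, which is why it needs the business manager's sign-off on the new impact rating.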

15. Conclusion
   • Information Risk Management
     - Represents the basic set of responsibilities for addressing information security
     - Permits each organization to determine the specific details of how best to achieve an acceptable security level
   • It is important to take security seriously: integrate security requirements into all aspects of information use within the organization
   • Business functions must learn how to make risk-based operational decisions
   • Using PHI without due regard for its security is no longer an option
