HITECH/HIPAA – Are you in Compliance?
Pamela Hill, Managing Director, Hyperion Global Partners
Thad Hymel, Director of Information Services, McGlinchey Stafford PLLC
Agenda
• HIPAA/HITECH explanation and definitions
• Why should you care?
• Implementation standards (non-tech)
• Technical safeguards
Definitions
• Protected Health Information (PHI)
  • Any oral or recorded information in any form or medium that is
    • Created or received by the covered entity/BA, AND
    • Relates to the past, present or future condition of an individual
  • Any information that contains a subset of demographic information collected from an individual
  • Any information that identifies an individual, or where there is a reasonable basis to believe the information can be used to identify an individual
  • Includes any data transmitted or maintained in any form
Definitions
• Privacy Rule
  • Relates to the privacy of any protected health information (PHI)
• Security Rule
  • Relates specifically to electronic PHI (ePHI) at rest or in transit
Why Should you Care?
• HITECH Impact for Law Firms
  • Casts a much wider net of entities that must comply with HIPAA regulations, primarily those not covered under the original regulations
  • Requires Business Associates (“BAs”) to comply with most HIPAA Privacy and all Security Rules
  • Law firms are BAs to their clients (called “covered entities”)
  • Your vendors/service providers are BAs to you
Why Should you Care?
• HITECH Impact for Law Firms
  • Significantly expands the formal Federal enforcement group
  • Allows State Attorneys General to enforce compliance
  • Imposes new data breach notification requirements on BAs toward their clients, and imposes strict guidelines for subsequent client notification to OCR/HHS and/or the media
  • It doesn’t matter whether you knew about the breach or not: you will be held liable if it happens on your watch
  • Expands/allows for both criminal and civil penalties of up to $1.5M/year
Why Should you Care?
• The Privacy and Security Rules consist of implementation standards
  • Implementation standards outline what your Firm should do to get into compliance, but they don’t state how
  • They are intentionally vague so that organizations of any size can comply
  • Good news: you have flexibility in choosing what to implement (or not)
  • Bad news: they are intentionally vague. That means the government gets to decide whether you were using basic standards of care in safeguarding your PHI
Items of Note
• State vs. Federal laws
  • 40 states now have privacy and/or security laws covering personally identifiable information and/or PHI
  • Whichever is more stringent wins
    • California and Illinois laws are more stringent than federal law for breach notification
    • Massachusetts has the strictest PII privacy and security laws
  • Make sure to familiarize yourself with both
• Biggest News…
  • Penalties and fines are paid back to the enforcement agencies, effectively making them self-funded
  • Money = enforcement, enforcement, enforcement
Allow me a Minute on the Soapbox…
• Soapbox points that most experts agree on
  • Compliance will take time and effort to implement, and new guidelines and rules are rolling out each year: time to get started
  • Need to show a “good faith effort” that the Firm is working towards compliance
  • “Gross negligence” or “willful misconduct” (i.e., doing nothing to secure sensitive information) can result in criminal charges at a maximum, and serious reputation and/or client relationship issues at a minimum (large civil penalties coming in 2011)
  • Document everything, so that when the finger pointing begins it doesn’t end up pointed at you
Blatant Oversimplification of the Safeguards and Implementation Standards
• All the rules can be summarized in a few bullets
  • Know what PHI is out there and understand the associated risks of its disclosure or loss (risk assessment and mitigation)
  • Access control for PHI (define who can see it, then lock it down)
  • Protect it (encryption, media reuse policies, information security, portable or removable media)
  • Make sure you can get to it (BC/DR)
  • Document until your eyes roll back in your head (policies, procedures, BA agreements, assign responsibility)
Blatant Oversimplification of the Safeguards and Implementation Standards
• Before finalizing what to implement, consider:
  • The size, complexity and capabilities of the Firm
  • The Firm’s risk of unauthorized access and disclosure
  • Current technical infrastructure, hardware and software security capabilities
  • How much the implementation(s) will cost in money and resources
• Ultimately it’s up to legal interpretation: your Firm must decide what to implement (or not)
A Few Seemingly Non-Techy Highlights (R = required, A = addressable)
• Administrative Safeguards
  • Comprise half of the Security Rule requirements
  • Risk assessment and management (R)
  • Sanction policy against employees who fail to comply with security policies (R)
  • Information security activity review (audit logs, access reports, security incident reports) (R)
  • Identify a Privacy and Security Official (R)
  • Workforce security (access control) (R)
  • Contingency plan (R)
  • Business Associate contracts (R)
• Physical Safeguards
  • Facility access (A)
  • Workstation use and security (A)
  • Device and media reuse (R)
A Few Seemingly Non-Techy Highlights
• Organizational, Policies and Procedure Safeguards
  • Policies
    • Privacy
    • Media reuse
    • Use (or not) of mobile devices (flash drives, PDAs)
    • Standardized BA agreements
    • Security and Privacy training for employees
  • Procedures
    • Data security breach notification and escalation
    • Use of BA agreements with clients
  • Compliance documentation (R)
Technology Safeguards
• Technology safeguards relate to “The technology and the policy and procedures for its use that protect ePHI and control access to it”
• Safeguards do not require specific technical solutions
• New technical specifications coming out in November 2010
Technology Safeguards
• Access control
  • Unique user ID
  • Emergency access
  • Automatic logoff
  • Encryption/decryption
• Integrity
  • Ensure data are not altered or destroyed
• Audit control
  • Record and examine who is looking at ePHI
• Person or entity authentication
  • Make sure the person looking at ePHI is who they claim to be
• Transmission security
  • Protect it in transit (as well as at rest)
• Remote use security
  • Removable or portable devices
Getting Started
• Form a Compliance Team
  • Risk Partner, COO/DofA/Executive Director, HR Director, IT Director
• Complete a formal risk assessment
• Address risks, policies and processes for the following:
  • Storage
    • Address removable or mobile media and all sources of data inside the office or that may be taken outside the office
  • Transmission
    • Address the integrity and safety of ePHI transported over the network, internet, portals, intranets, extranets, colocation facilities, WAN, remote access, email, PDAs, home computers
  • Access
    • Limit users’ access to ePHI to authorized personnel only
    • Access should be based upon a user’s role in the organization
Getting Started
• Risk Assessment
  • Figure out where your data are
    • Interview all related practices
    • Document data flow into/out of the Firm
    • Be realistic about the use of removable or mobile media
  • Baseline current security protocols and practices for all sources of ePHI
    • Evaluate access, storage and transmission security for ePHI on each device type and/or transmission method
  • Develop a mitigation plan for each security issue
  • Document everything to show you are making a good faith effort to safeguard ePHI
Risk Assessment Specifics
• Access control
  • Does each user have a unique ID, and can we track what they look at?
  • Have we limited who can see ePHI?
  • Have we implemented encryption/decryption protocols where feasible to control access outside the Firm?
  • Do we have disaster recovery in place for all sources of ePHI?
  • Do we have formal password policies for all devices?
• Integrity
  • Do we have processes in place to ensure data are not altered or destroyed? Would we know if they were?
• Audit control
  • Do we monitor who is looking at ePHI?
  • Do we have technologies and processes in place that allow us to audit this?
Risk Assessment Specifics
• Person or entity authentication
  • Is the person looking at ePHI who they claim to be?
• Transmission security
  • What protocols are in place to secure data in transit?
• Remote use security
  • Do you have policies and processes to address ePHI on removable or portable devices?
Technical Implementation Complexities
• Being comprehensive in defining where the data are
  • Healthcare, product liability, med mal, mass/toxic tort, labor/employment, environmental, litigation, aviation, insurance defense
• Lack of standardized encryption/decryption tools or protocols to cover all clients
• Providing security for removable or mobile media
  • PDAs
  • Flash drives
  • Laptops
  • CDs
  • DVDs
Technical Implementation Complexities
• Access control
  • Practice groups have to define who can see what
  • Then the logic must be built into systems
• Expense of securing ePHI in all its various sources
  • Email
  • DM
  • Records systems
  • Litigation databases
  • Practice support databases
  • EMR systems
  • Copy machines (that cache information)
  • Fax machines
• Monitoring who is looking at what
• Complex disaster recovery issues for all sources of ePHI
Technical Implementation Complexities
• Defining standards and practices for data security breach notification and mitigation
  • Includes policies, processes, monitoring tools, escalation protocols
• Assisting the Firm in understanding ALL outside entities that may require a Business Associate agreement, such as
  • Document production vendors
  • Colocation facilities
  • Managed services or ASP providers
  • Extranet providers
Final Thoughts
• The most important things to remember
  • Complete a formal risk assessment to get a good handle on the extent of the problem
  • Get your risk partner involved right away to establish the Firm’s legal position on the issues (before you spend too much time or resources)
  • Eat the elephant one bite at a time
Thanks for Coming!
• Questions?
• Pamela Hill
  • phill@hyperiongp.com
  • www.hgplive.com
  • 217.778.6976
• Thad Hymel
  • Thymel@mcglinchey.com