IT PROJECT MANAGEMENT, AUDITS & CONTROLS

HIPAA-HITECH Gap Assessments
Why all the changes?

“To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its healthcare system forward, the privacy and security of personal health data is at the core of all our work.”

  Kathleen Sebelius, Health and Human Services Secretary
Medical Identity Theft
Health identity theft may cost the victim $20,000 and over a year to fix.

  "If I steal a credit card number, I can create a fake card and use it a few times. If I can get your full identity, I can open up many accounts, max out your credit and use it for a number of malicious activities. And it's much harder to shut that down; it's not as simple as canceling a credit card."

  Matt Marshall, vice president of security at Redspin Inc., a Carpinteria, Calif.-based consulting firm
Medical Identity Theft

  5.8% of Americans have been victims of identity
  Average cost to the victim: $20,160
  In 2009 more than 300,000 Americans were victims

  Ponemon Institute
HIPAA – What’s New?
  Proposed changes as of July 14 for privacy, security and enforcement
    Business Associates must comply
      No “reasonable and appropriate safeguards”
    Business Associate subcontractors must comply
    “Willful negligence”
HIPAA – What’s New?
  What is willful negligence?
    Examples:
      Throwing computer hard drives containing PHI in the trash and no policy to prevent this
      Declining to provide required breach notification due to worries about reputation or bad press
    Automatic fine of $10,000 - $50,000
HITECH Changes the Landscape
  HITECH = Health Information Technology for Economic and Clinical Health
    Part of the American Recovery and Reinvestment Act (ARRA)
      aka Title XIII of ARRA
  Effective February 22, 2010
  Tougher data security and privacy
Harm Standard
Interim Final Rule on Breach Notification has been in effect since September 2009 and has now been withheld.
In the event of a breach, a risk assessment may indicate the loss is not significant. Opponents want this dropped so all breaches are
HITECH – Major Data Security
Business Associates
  Rules and penalties spread beyond service
    Banks
    Claims clearinghouses
    Billing firms
    Health information exchanges
    Software companies
HITECH – Business Associates
  BA contracts are not enough
    Inventory of all the PHI they process
    Independent assessment of the PHI risks within the
    Controls to keep external attackers and rogue insiders from taking advantage of any vulnerabilities
    Proactively manage information security to ensure – and demonstrate – that PHI is kept secure on a periodic and consistent basis
HITECH – Major Data Security

  Breach notification rule
    60 days notice
      To HHS and local news media
  Annual report
    To HHS for all data security breaches
Have you seen this site?
  As of October 7, 2010:
    181 reported breaches
    Site has only been up about 8 months
    Over 5M individuals are impacted
    All types of organizations
      Private practice
      Physicians clinics
      Hospitals
      Insurance
      State agencies
  Comparison to financial institution breaches
    41 breaches in 2010 – more technical in nature
  Not limited by size of organization
  Not limited in geography
  Majority of breaches – loss or theft of media/hardware/paper (roughly 57%)
    Preventable losses
  20% involve Business Associates
Nebraska Data Breach Law
  Statutes 87-801 through 87-807
    Applies to all Nebraska businesses
    First name or first initial and last name in combination with:
      Social Security number;
      driver's license or identification card number;
      account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual financial account;
      unique electronic identification card number or routing code, in combination with any required security code, access code, or password; or
      unique biometric data
    Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the act.
HITECH Requirements
  Audits by federal regulators of healthcare organizations and business associates
  OCR has enforcement authority
  State attorneys general can bring civil action in federal court
  Penalties against individuals
  Civil penalties up to $1.5M
    Distinct from any criminal penalties
HITECH Strategies to Improve

  Encryption
    No requirement to report breaches if data is
    Use a proven product
      Scrambling of data is no longer accepted – even if it was approved in the past
HITECH Strategies to Improve

  Information Security Plan (Program)
    Risk assessments
    Plans
    Training
    Updates
    Continuous Monitoring
HITECH Strategies to Improve

  Breach Notification Plans
    Comprehensive incident response plan
    Agreements with Business Associates

Being proactive is your best opportunity to mitigate risk and protect your reputation!
ITPAC Gap Assessment for HIPAA/HITECH
  Common Security Framework (CSF)
    Sixty-nine (69) control objectives
  Best practices
    Information security program
  Scalable (Organizations/Systems)
  Considers multiple regulations
  Supports HITRUST certification process in the future, if desired
The Assessment Approach
Assessments are based on interviews and policy/procedures reviews. Limited testing may be done in some areas (based on risk).

  HIPAA/HITECH Compliance
  Summary of findings
  Prioritized recommendations
  Controls Maturity Model (CoMM)
Each control is assessed on a scale of 1-5
1) Initial (ad-hoc, chaotic, process undefined)
2) Repeatable (basics defined, evidence of discipline)
3) Defined (documented, implemented, repeatable)
4) Managed (measured and monitored)
5) Optimizing (continuous improvement)
Improving information security and compliance starts with identification and documentation of what is expected.
  Do policies/procedures meet requirements?
  Do policies reflect your environment/processes?
  Could they use some best practices updates?
  Do you have the resources to dedicate to this?
  How will you communicate the information?
Risk Assessment
Risk assessments are required by HITECH.
  Are you doing a detailed assessment?
  Do you solicit perspectives from different roles in the
  Is there a clear understanding of the risks and how to
  Is your risk assessment a guide for areas to work on?
Incident Response
Breach response and reporting requirements may be defined, but is the plan integrated with your information security program?
  How do you know there’s been a breach?
  Training on when to initiate breach response – and who’s
  Consider how to minimize reputation damage
Business Associate Reviews
You may outsource services; however, accountability remains with your organization.
  Develop a BA management program
  BAs and their subcontractors must be compliant
  Effective way to increase awareness of third-party risks and mitigate them
  BAs can proactively report to covered entities if they have their own assessment
Training
Do all employees understand information security responsibilities – and the penalties?
  Improve communication channels
  Increase understanding on an individual level
  On-going training or security awareness program keeps information relevant
About ITPAC Consulting

Working in the local market area strengthens the community by providing diverse services and the ability to build stronger relationships with clients.

Quality and personalized service are critical to our success.
Competitive Advantage
Experience and customized service at competitive rates.
  Experience in many industries, frameworks,
  Scalable methodology
  Low or no travel expenses
  Decision making authority lies with the delivery professional
Testimonial
“All hospitals are required by the HIPAA security regulations to conduct a security audit every year. We had been completing an internal audit for the last five years and thought we had things under control. We recently contracted with Denise Mainquist with ITPAC to conduct an external security audit. The audit she conducted was very thorough and yet non-threatening or confrontational. We found some areas that need more attention as well as confirmation that we are doing many things right. The audit that Denise conducted will also prepare us to better meet the new HITECH standards as they become effective. I highly recommend the services of Denise Mainquist and ITPAC.”

  Marty Fattig, CEO
  Nemaha County Hospital
  Auburn, NE
Denise Mainquist
5111 Union Hill Rd.
Lincoln, NE 68516
W (402) 420-1556
C (402) 617-5417
