The Security Risk Analysis Requirement for MIPS. August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist


Today's Speaker: Peter Mercuri, MBA, HCISPP, CHSA, CMQP, CEHR, CHTS, CHWP
  Practice Transformation Specialist
  Healthcare Information Security & Privacy Practitioner
  Certified HIPAA Security Administrator
  Responsible for conducting and reviewing Security Risk Analyses
  Member: ISC2, HIMSS, DVHIMSS Board Member, AHIMA

Agenda
1. The HIPAA Security Rule
2. Conducting a Security Risk Analysis
3. Security Areas to Consider: Physical Safeguards, Administrative Safeguards, Technical Safeguards
4. Policies & Procedures
5. The Security Risk Assessment Tool
6. Resources Available
7. Questions

HIPAA Security Rule Requirement for MIPS
"To conduct or review a Security Risk Analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT (certified EHR technology) in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3)."
Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional reasonable and appropriate steps to reduce the identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii))

How to Conduct a Bona Fide HIPAA Security Risk Analysis
There is no single method or best practice that guarantees compliance, but most risk analysis and risk management processes have steps in common.
Common question: Do I have to outsource the security risk analysis? No. It is possible for small practices to perform a risk analysis themselves using self-help tools; however, the risk analysis must be thorough to pass a CMS audit.

Points to Ponder
  There is a right way, but there are also many wrong ways
  The first security analysis requires a lot of work
  The analysis is not "once and done"
  It is one of the single biggest audit and investigation findings
  It is always requested in an OCR enforcement action

Performing a Security Risk Analysis

Important First Steps
  Establish a comprehensive information security program
  Designate an accountable Security Officer
  Develop privacy & security policies and procedures
  Distribute and update policies and procedures
  Document authorized access to ePHI

Additional Security Analysis Tasks
  Document the process for responding to security incidents
  Implement training and sanctions for noncompliance
  Conduct a risk analysis and establish a risk management process
  Implement reasonable safeguards to control risks
  Develop a Disaster Recovery Plan

Additional Security Analysis Tasks (cont.)
  Regularly review records of information system activity
  Take reasonable steps when selecting service providers
  Test and monitor security controls following changes
  Obtain assessments from qualified independent third parties

Three Important Terms
1. Reasonable diligence: the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
2. Reasonable cause: an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. (New definition)
3. Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
Source: 45 CFR 160.401, Definitions

Fines
Example: 1,000 records at $50,000 per violation = $50,000,000, capped at $1,500,000 for identical violations during a calendar year.

Security Management Process, 45 C.F.R. 164.308(a)(1)
(i) Standard: Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
  (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

What a Risk Analysis IS
"The process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, and other organizations resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place." (NIST SP 800-30)

What a Risk Analysis IS NOT
  A network vulnerability scan
  A penetration test
  A social engineering test
  A configuration audit
  A network diagram review
  An information system activity review
  A SOC 2 or SOC 3 report
Any of these can supply evidence that feeds the analysis, but none of them is the analysis: each looks at one slice of the technical environment, while the risk analysis covers every location where ePHI is created, received, maintained or transmitted, and weighs threats and vulnerabilities by likelihood and impact.

ONC Guide to Privacy and Security of Electronic Health Information
"Risk Analysis is the process of identifying, prioritizing, and estimating risks ... considers mitigations provided by security controls planned or in place." (NIST SP 800-30)
Guide to Privacy and Security of Electronic Health Information: https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Establishing a Risk Value
Think Likelihood * Impact:
  Critical: 25
  High: 15-24
  Medium: 8-14
  Low: 0-7

Results If Done Properly
  Avoid security incidents and/or breaches
  Preparation for HITECH mandatory audits
  Preparation for an OCR investigation
  A solid educational foundation
  Completion of 45 CFR 164.308(a)(1)(ii)(A), Risk Analysis

Results If Done Properly (cont.)
  Completion of a foundational security program step
  Creation of a sound basis for risk management decisions
  Development of a remediation plan
  A risk analysis/remediation report
  A basis for ongoing risk management

Performing a Security Risk Analysis
1. Define the scope of the risk analysis and collect data regarding the ePHI
2. Identify potential threats and vulnerabilities to patient privacy and to the security of your practice's ePHI
3. Assess the effectiveness of implemented security measures in protecting against the identified threats and vulnerabilities
4. Determine the likelihood that a particular threat will occur and the impact it would have on the ePHI
5. Determine and assign risk levels based on the likelihood and impact of a threat occurrence
6. Prioritize the remediation or mitigation of identified risks based on the severity of their impact on your patients and practice
7. Document your risk analysis, including information from the steps you have taken as well as the risk analysis results
8. Review and update your risk analysis on a periodic basis
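The following is an added example, not material from the webinar or from the ONC SRA Tool, that carries the Likelihood * Impact scoring from the "Establishing a Risk Value" slide and the eight-step procedure above through in code: scope the ePHI assets, pair each with a threat and vulnerability, record the safeguards already in place, rate likelihood and impact, score and band the result, and produce a prioritized remediation report. The assets, threats, safeguards, ratings and the 1-5 rating scale are all assumptions made for illustration.

```python
"""
Worked risk register for a HIPAA security risk analysis. Added example; the
assets, threats, safeguards, ratings and the 1-5 scale are assumptions.
"""
from dataclasses import dataclass, field

# Bands from the "Establishing a Risk Value" slide: Critical 25, High 15-24,
# Medium 8-14, Low 0-7. Likelihood and impact are each rated 1-5 here (an
# assumed scale), so Likelihood * Impact tops out at 25, the Critical band.
SCALE_MIN, SCALE_MAX = 1, 5
BANDS = (("Critical", 25), ("High", 15), ("Medium", 8), ("Low", 0))


def risk_score(likelihood: int, impact: int) -> int:
    """Risk value = Likelihood * Impact, as on the slide; rejects off-scale ratings."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score onto the slide's bands."""
    if score < 0:
        raise ValueError("score cannot be negative")
    for label, floor in BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: the Low band starts at 0")


@dataclass
class RiskItem:
    asset: str             # where ePHI is created, received, maintained or transmitted
    threat: str            # theft, ransomware, insider misuse, ...
    vulnerability: str     # the weakness the threat would exploit
    safeguards: list       # controls already in place (step 3 of the procedure)
    likelihood: int        # 1 (rare) .. 5 (near certain)
    impact: int            # 1 (negligible) .. 5 (severe harm to patients/practice)
    remediation: str = ""  # planned mitigation, for the risk management plan
    score: int = field(init=False)
    band: str = field(init=False)

    def __post_init__(self):
        self.score = risk_score(self.likelihood, self.impact)
        self.band = risk_band(self.score)


def prioritize(register: list) -> list:
    """Highest score first; ties broken by impact so patient harm outranks nuisance."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def remediation_report(register: list) -> list:
    """Step 7: document the analysis as one row per risk, in remediation order."""
    return [
        {"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
         "safeguards": list(r.safeguards), "likelihood": r.likelihood,
         "impact": r.impact, "score": r.score, "band": r.band,
         "remediation": r.remediation}
        for r in prioritize(register)
    ]


# Constructed scope for a small practice (steps 1 and 2); assumed, not real data.
SAMPLE_REGISTER = [
    RiskItem("Front-desk laptop running the EHR client", "Theft of device",
             "Disk not encrypted", ["Locked office", "Building alarm"], 3, 5,
             "Enable full-disk encryption; add the laptop to the asset inventory"),
    RiskItem("EHR server", "Ransomware", "No tested offline backups",
             ["Antivirus"], 4, 5,
             "Nightly encrypted backups; quarterly restore test; disaster recovery plan"),
    RiskItem("EHR application", "Insider snooping on records",
             "Audit logs never reviewed", ["Unique user IDs", "Role-based access"], 3, 3,
             "Monthly information system activity review; sanctions policy"),
    RiskItem("Shared printer in the hallway", "Printouts left in the tray",
             "Printer sits in a public area", ["Staff training"], 2, 2,
             "Move the printer behind reception; enable pull printing"),
]

if __name__ == "__main__":
    for row in remediation_report(SAMPLE_REGISTER):
        print(f"{row['band']:8} {row['score']:2}  {row['asset']}: "
              f"{row['threat']} -> {row['remediation']}")
```

Running the script prints the register in remediation order (the unbacked-up EHR server at 20, the unencrypted laptop at 15, the unreviewed audit logs at 9, the hallway printer at 4). The report rows are what an auditor asks to see: the documented scope, the safeguards that were already in place when each rating was made, and the rationale for the order in which risks are being worked off; re-running it after each remediation and on a periodic schedule is step 8.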

Protecting Patients' Electronic Health Information
The Security Rule requires that you put into place reasonable and appropriate:
  Physical safeguards
  Administrative safeguards
  Technical safeguards

Physical Safeguards
  Your practice and other places where patient data is accessed
  Computer equipment
  Portable devices
Examples: building alarm systems; locked offices; screens shielded from secondary viewers

Administrative Safeguards
  Designated security officer
  Workforce training and oversight
  Controlling information access
  Periodic security reassessment
Examples: staff training; monthly review of user activities; policy enforcement

Technical Safeguards
  Controls on access to the EHR
  Use of audit logs to monitor users and other EHR activities
  Measures that keep electronic patient data from improper changes
  Secure authorized electronic exchanges of patient information
Examples: strong passwords; data backups; virus checks; data encryption
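The audit logs listed above are only a safeguard if someone reads them; the "regularly review records of information system activity" task and the "monthly review of user activities" example earlier in the deck are the administrative half of that control. The following is an added example, not material from the webinar or from the SRA Tool, showing one way to make that review repeatable: it parses constructed EHR audit-log lines and flags access by an account that is missing from or terminated in the authorized-access roster, access outside business hours, and bulk access to many patients in a short window. The log format, the roster, the clinic hours and the thresholds are assumptions chosen for illustration.

```python
"""
Information system activity review over EHR audit-log lines. Added example;
the log format, roster, business hours and thresholds are assumptions and the
log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed audit-log format: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2017-08-01T09:12:03 user=jsmith role=MA patient=MRN0001 action=view
2017-08-01T09:13:40 user=jsmith role=MA patient=MRN0001 action=update
2017-08-01T23:48:11 user=jsmith role=MA patient=MRN0042 action=view
2017-08-02T10:05:00 user=tnguyen role=MD patient=MRN0007 action=view
2017-08-02T10:05:30 user=tnguyen role=MD patient=MRN0008 action=view
2017-08-02T10:06:02 user=tnguyen role=MD patient=MRN0009 action=view
2017-08-02T10:06:45 user=tnguyen role=MD patient=MRN0010 action=view
2017-08-02T10:07:10 user=tnguyen role=MD patient=MRN0011 action=view
2017-08-02T10:07:40 user=tnguyen role=MD patient=MRN0012 action=view
2017-08-03T14:20:00 user=rlee role=BILLING patient=MRN0003 action=view
"""

# Assumed workforce roster, i.e. the documented list of authorized ePHI users.
# rlee left on 15 July, so any later access by that account is a finding.
ROSTER = {
    "jsmith": {"terminated": None},
    "tnguyen": {"terminated": None},
    "rlee": {"terminated": datetime(2017, 7, 15)},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed clinic hours
BULK_WINDOW = timedelta(minutes=10)          # assumed window for "bulk" access
BULK_PATIENT_THRESHOLD = 5                   # distinct patients inside the window


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def review(records: list) -> list:
    """Return one finding per anomaly, with the evidence a reviewer needs."""
    findings = []
    opens, closes = BUSINESS_HOURS
    for r in records:
        entry = ROSTER.get(r["user"])
        if entry is None:
            kind = "unknown_user"           # account not in the authorized-access list
        elif entry["terminated"] is not None and r["ts"] >= entry["terminated"]:
            kind = "terminated_user"        # access after the termination date
        else:
            kind = None
        if kind:
            findings.append({"kind": kind, "user": r["user"], "ts": r["ts"],
                             "patient": r["patient"]})
        if not opens <= r["ts"].time() <= closes:
            findings.append({"kind": "after_hours", "user": r["user"],
                             "ts": r["ts"], "patient": r["patient"]})

    # Bulk access: many distinct patients touched by one account in a short window.
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        recs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(recs):
            horizon = first["ts"] + BULK_WINDOW
            patients = {x["patient"] for x in recs[i:] if x["ts"] <= horizon}
            if len(patients) >= BULK_PATIENT_THRESHOLD:
                findings.append({"kind": "bulk_access", "user": user,
                                 "ts": first["ts"], "patient": sorted(patients)})
                break  # one finding per account is enough to open a review
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:16} {f['user']:8} {f['ts']}  {f['patient']}")
```

On the constructed log this yields three findings: jsmith's 23:48 lookup, rlee's access three weeks after termination, and tnguyen touching six charts in under three minutes. Each is a lead for the reviewer, not a conclusion; a clinician may legitimately open six charts before rounds, which is why the finding carries the timestamps and patient list so the practice can check it against schedules before invoking the sanctions policy.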

Policies and Procedures
  Written policies and procedures to ensure HIPAA security compliance
  Documentation of security measures
Examples: written protocols on authorizing users; record retention

Organizational Requirements
  Business Associate Agreements
Examples: a plan for identifying and managing vendors who access, create or store PHI; documented agreements; review and update

Demonstrate Good Faith Effort
Exercise Reasonable Diligence

The Security Management Process Standard
  Is one of the requirements in the HIPAA Security Rule
  Conducting a risk analysis is one of the implementation specifications that provide instructions for implementing the security management process
  ONC worked with OCR to create a tool to help guide health care providers from small practices through the risk assessment process

The Security Management Process Standard (cont.)
Use of this tool is not required by the HIPAA Security Rule, but it is meant to provide helpful assistance.
Security Risk Assessment (SRA) Tool: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool

The Security Risk Assessment Tool (screenshot walkthrough)
  Download the Security Risk Assessment Tool
  Download the SRA Tool User Guide
  Security Risk Assessment Tutorial
  Select Security Risk Assessment
  Security Risk Assessment Tool Home Page
  Threats and Vulnerabilities
  Examples of Safeguards
  Security Risk Assessment Options: Next Question, Report, Glossary, Navigator, Related Info, Export
  Security Risk Assessment Summary
  Security Risk Assessment Table View
  Security Risk Analysis Report

START NOW! Don't Wait

Don't Forget About the SRA

What Happens After It's Finished?

Asset Inventory List
Remember: demonstrate good faith effort; exercise reasonable diligence

HealthIT.gov Website (screenshots)
  Privacy and Security tab in the header
  Health IT Privacy and Security Resources

HealthIT.gov Links
  Health Information Privacy, Security, and Your EHR: https://www.healthit.gov/providers-professionals/ehr-privacy-security
  Information Security Policy Template: https://www.healthit.gov/providers-professionals/implementation-resources/information-security-policy-template
  Security Risk Assessment Tool: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool

HealthIT.gov Links (cont.)
  Guide to Privacy and Security of Electronic Health Information: https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

More Online Resources
  Security Risk Analysis Tip Sheet: https://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
  Summary of the HIPAA Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  Healthcare Information and Management Systems Society: www.himss.org
  National Cyber Security Alliance: www.staysafeonline.org

Quality Insights Can Help
Quality Insights QPP Support Center (for practices with 15 or fewer eligible providers)
  Email: qpp-support@qualityinsights.org
  Phone: 877.497.5065
  Website: www.qppsupport.org
Quality Insights Quality Innovation Network (QIN) (for practices with 16 or more eligible providers)
  Email: kwild@qualityinsights.org
  Phone: 877.987.4687, Ext. 108
  Website: www.qualityinsights-qin.org

Questions

This material was prepared by Quality Insights, the Medicare Quality Innovation Network-Quality Improvement Organization for West Virginia, Pennsylvania, Delaware, New Jersey and Louisiana under contract with the Centers for Medicare & Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The contents presented do not necessarily reflect CMS policy. Publication number QI-D1M-080817