first hipaa privacy-security officerclearwatercompliance.com/wp-content/uploads/2011...60.secure...
TRANSCRIPT
© 2010-11 Clearwater Compliance LLC | All Rights Reserved1
"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets."
- Hippocratic Oath, 4th Century, B.C.E.
Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance
First HIPAA Privacy-Security Officer
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
How to Develop Your HIPAA Security Policies
and Procedures
WEBINAR Bob Chaput615-656-4299 or [email protected] Compliance LLC
…Welcome to …
2
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH is dynamic!
3. Lots of different interpretations!
So there!
3
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Get Smart!
“On Demand” HIPAA HITECH RESOURCES, IF NEEDED: 1. http://AboutHIPAA.com/about-hipaa/resources/2. http://AboutHIPAA.com/webinars/
4
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
1. Understand the Requirements2. Learn How to Do It3. Get Started With Practical, Actionable Next
Steps
Session Objectives
5
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Mega Session Objective
Policies and Procedures are a crucial part of HIPAA HITECH compliance!
6
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
• Actual OCR Letter
• Word document with Data Request
7
OCR Data Requests…
© 2010-11 Clearwater Compliance LLC | All Rights Reserved8
1. Huge Project; Get Started Now
Two-Minute Executive Summary
2. Policies and Procedures are an important part, but only part of a balanced Security Program
3. Large or Small: Consider Getting Help (Tools, Experts, etc)
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Who’s this guy talking?Bob Chaput, MA, CHP, CHSS, MCSE
9
• President – Clearwater Compliance LLC• 30+ years in Business, Operations and Technology• 20+ years in Healthcare• Executive | Educator |Entrepreneur• Global Executive: GE, JNJ, HWAY• Responsible for largest healthcare datasets in world• Numerous Technical Certifications (MCSE, MCSA, etc)• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: HIMSS, HCCA, ACHE, AHIMA, NTC, Chambers, Boards
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Our Passion
10
… And, keeping those same organizations off the Wall of Shame…!
…we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans…
We’re excited about what we do because…
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Why Should You Care?
1. It’s the law…
11
3. You want to stay in business
2. Your stakeholders trust you to do this
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Meet the ‘Wall of Shame’
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
12
Wyoming District of Columbia Vermont North Dakota Alaska South Dakota Delaware Montana Rhode Island Hawaii Maine New Hampshire
10.78 MIL
06/22/2011•288 CEs
•57 Named BAs•10.99M Individuals
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
1. Understand the Requirements2. Learn How to Do It3. Get Started With Practical, Actionable Next
Steps
Session Objectives
13
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Meet the Three Pillars of HIPAA-HITECH Compliance…
14
Priv
acy
Secu
rity
Dat
a B
reac
hN
otifi
catio
n
……
HITECHHIPAA
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Health Information Technology for Economic and Clinical Health Act
HITECH = Hey It’s Time to End your Compliance Holiday
15
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
The HITECH Act
THREE absolute “game changers”:
1) More Enforcement2) Bigger fines3) Wider Net Cast
16
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
It’s the Law45 C.F.R. §164.316(a)Standard: Policies and Procedures. (a) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in Sec. 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
17
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
45 C.F.R. §164.316(b)(1)Standard: Documentation.
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by
paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
18
It’s the Law
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Forget the law… why PnPs?
19
1. Articulate your values and behavior as an organization
2. Set the stage for needed tools, processes and defense
3. Key components of a Balanced Security Program
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Key Parts of A Balanced Security Program
Policy defines an organization’s values.
People must include talented technical staff, supportive management and trained/aware end-users.
Procedures or process provide the actions
required to deliver on company values.
Technology includes the various families of technical security controls
including encryption, firewalls, antivirus, intrusion
detection, etc, etc.
Balanced Security Program
Today’s Focus: Policies and Procedures
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
1. Understand the Requirements2. Learn How to Do It3. Get Started With Practical, Actionable Next
Steps
Session Objectives
21
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
DemoShow Policies & Procedures List
and How They Fit Into HIPAA Security Final Rule
22
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Policies and Procedures for… Administrative Safeguards
23
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Policies for… Physical Safeguards
24
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Policies and Procedures for… Technical Safeguards, Policies and Procedures and Documentation
25
Total: 53 Core Policies and Procedures
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Additional Policies and Procedures for…
26
Total: 4 Additional Policies and Procedures
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
DemoShow Policies & Procedure
Content / Outline
27
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Essential Elements of Good
Policies & Procedures
28
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
1. Understand the Requirements2. Learn How to Do It3. Get Started With Practical, Actionable
Next Steps
Session Objectives
29
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
11 Steps to Develop HIPAA SecurityPolicies and Procedures
30
1. Form a Cross-Functional Policy Development Task Force
2. Set Business Risk Management Goals3. Get Educated – Learn the Regulatory
Requirements / and the Consequences4. Design your Outline / Standard Template5. Determine Specific Policies That Are Required 6. Evaluate Alternatives: “Build vs. Buy”7. Create a Project Plan for Development / Divide and Conquer8. Build a Change Management / Communications Subproject9. Create Review-Revise-Approve-Communication Process10.Integrate into Colleague On-Boarding and Ongoing Training11.Establish Maintenance Process to Stay Current
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
How Our HIPAA Security Policy and Procedure Templates Were Designed
31
1. Detailed readings of the HIPAA Security Final Rule
2. Used HIPAA Security Final Rule and NIST SP 800-66
3. Empowered you to edit, combine and tailor
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
HIPAA Security Policy ToolKit™ Demo
32
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Contents of the HIPAA Security Policy and Procedure ToolKit™
Comprehensive HIPAA-HITECH Security Policy and Procedure template set (plus: Instructions, Glossary of Terms, Policies Checklist, Resources & References)
33
1. Over fifty (50) comprehensive HIPAA Security Policies and Procedures templates
2. Comprehensive HIPAA Security & Privacy Glossary of Terms
3. 60 minutes of complimentary email, telephone or web-meeting support
4. And, more…
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Policy & Procedure ToolKit™ Available“Do-It-Yourselfers” May Purchase the ToolKit™ and
Receive a Discount
SIMPLY VISIT:http://ClearwaterCompliance.com/eStore/
34
Regularly $1,987.00
Enter WEBINAR623 as Promotion Code to receive
$300 Discount to $1,687.00 for Complete
ToolKit™
Purchase by June 30, 2011
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
High Value – High Impact
HIPAA Security Policy Development WorkShop™
I. PREPARATIONA. Plan / GatherB. Read AheadC. Complete QuickScreen™
35
II. ONSITE ASSESSMENTA. FacilitateB. EducateC. Develop
III. FOLLOW UP SUPPORTA. ReviewB. ReviseC. Recommend
½ Day
½ Day
1 Day
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Makes Decision to Move Forward A No-Brainer…
1. Save Thousands of Dollars in Consulting Fees
2. Jump Start Development Project
3. Take Strategic High Road on Critical Risk Management Issue
Clear Return on Investment…
36
Peace of Mind
© 2010-11 Clearwater Compliance LLC | All Rights Reserved37
1. Huge Project; Get Started Now
Summary
2. Policies and Procedures are an important part, but only part of a balanced Security Program
3. Large or Small: Consider Getting Help (Tools, Experts, etc)
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Register Now! … at: http://abouthipaa.com/webinars/upc
oming-live-webinars/
38
Upcoming HIPAA HITECH Webinars
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Bob Chaput
http://[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
39
Contact
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Additional Information
40
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Additional Policies and Procedures for…
41
58.Acceptable Use Policy 59.Network Security Policy60.Secure Application Development & Maintenance Policy61.Database Security Policy62.Remote Access Policy63.Change Control Policy64.Vulnerability Management Policy 65.Social Media Security Policy66.Vendor Management (Security) Policy67.Data Breach Notification Policy
Total: 4 Additional Policies and Procedures
Others: in our development pipeline
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” –outside Legal Counsel, national research consortium
"The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” -- SVP and Chief Compliance, national hospice organization
What Our Customers Say…
42
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.“ – CIO, national kidney dialysis center firm
“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” — Director, Quality Assurance & Regulatory Affairs
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
An overwhelming amount of patients wanted the following:• EHRs (69%) • Making it possible for EHRs to be shared between physicians, hospitals, and
ancillary providers (74%) • Email access to their doctor so they can ask questions and discuss their health
via electronic mail (71%) • Electronic prescription processing to allow health care providers and
pharmacies to communicate without paper (76%)
But the patients also worried about the security of their electronic patient records. They are concerned with:• Their health data being safely and securely stored (69%) • Their health data being transmitted over the internet (66%) • Hospitals and providers adhering to privacy laws (such as HIPAA) (66%)
69% of patients wanted EHRs AND 69% also worried about their records being safely and securely storedThe Dell Executive and Patient Survey
Dell Executive & Patient Survey
43
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
A second survey sponsored by the National Opinion Research Center (NORC) at the University of Chicago shows similar desires and concerns:Despite the fact that 48% of Americans are concerned about the privacy of medical records, fully 64% said that the benefits of EMRs outweigh privacy concernsSo it is clear that patients want doctors to use EHRs but they are also very concerned with the privacy and security of their records. Many medical practices and health organizations are pushing forward with the use of EHRs so understanding and realizing patient’s concerns is really important. But what if medical practices and health organizations were to use patient’s concerns as a competitive advantage over other health organizations?What if instead of looking at HIPAA Security regulations as something that is mandatory and required by the government, a medical practice sees HIPAA and patient security as a way of addressing patient concerns?
National Opinion Research Center Survey
44
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Policies & Procedures Study• Majority of respondents admit to serious non-compliant workplace
behaviors that place their companies at risk. (E.G., insecure use of USB memory sticks, use of Web-based email, sharing passwords, turning off security settings, etc.
• 69% of employees said that they copy confidential or sensitive business information onto USB devices, while only 13 percent of respondents said their companies have a policy that allows this, showing a 48 percent non-compliance rate.
• 61% admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
• Over 50% said that they download personal Internet software to their company computers, increasing the risk of introducing viruses, worms and other malware into an organization's network.
• 58% said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
• About 50% said their corporate data security policies are largely ignored by employees and management, and that the policies are too complex to understand.
• Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.
45
Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies is a survey of U.S.-based end-users of corporate information technologies. Results were derived from 967 responses from a sampling frame of 17,021 (5.7% response rate).
© 2010-11 Clearwater Compliance LLC | All Rights Reserved
“69% of patients want EHRs AND69% also worried about their records being safely and securely stored…”The Dell Executive and Patient Survey
“Despite the fact that 48% of Americans are concerned about the privacy of medical records, fully 64% said that the benefits of EMRs outweigh privacy concerns…”National Opinion Research Center (NORC) at the University of Chicago
Good News – Bad News
46