hipaa and security management for physician practices
HIPAA & Security Management
How to get started with practical security management in a physician practice
Security Management Framework
• A map to organize security efforts to create:
• A process of continual improvement
• Shared understanding of everyone’s role
• Ability to demonstrate the consistent use of appropriate controls to management and third parties
Security Management
Documentation
Procedures
Policies
Laws and Regulations
Laws, Regulations and Accreditations
• Define the obligations and provide motivation for security. Determine the laws, regulations and accreditations that apply to your organization.
• HIPAA (1)
• Original 1996 law has been amended twice to add security, breach reporting and stronger enforcement mechanisms.
• State Breach Reporting Laws (2)
• California, New York, Massachusetts and others have laws covering unauthorized access to computer data that compromises the security, privacy or integrity of private information.
• Several other laws do not generally apply to physician practices:
• Sarbanes-Oxley (public companies)
• Gramm-Leach-Bliley (financial firms)
• PCI-DSS (Payment Card Industry)
1 www.hhs.gov/hipaa
2 http://www.ag.ny.gov/internet/data-breach
Policies
• Define what the practice will do to address security requirements
• Provide guidance to employees and staff. Ensure everyone has the same playbook.
• Policies are often organized to correspond to HIPAA regulations structure
• Administrative Safeguards – business practices followed to protect information such as employee training, audits and risk assessments
• Physical Safeguards – locks, cameras, screen protectors, etc.
• Technical Safeguards – passwords, virus protection, encryption, backups, etc.
Procedures
• Detailed instructions for each policy requirement.
• Procedures include:
• Responsibility – The person or role that is responsible.
• Methods – The techniques to be used.
• Process – The steps to complete the procedure.
• Timing – When and how often the procedure will be used.
• Record Keeping – The content and format of information that is required to document that the procedure has been followed correctly.
Documentation
• Information to demonstrate that policies and procedures are followed.
• The most important aspect of security management
• Allows practice to demonstrate compliance to 3rd parties
• Supports continual improvement
• Provides confidence that the environment maintains the same level of security.
• Examples are:
• System logs
• Completed Checklists
• Inventories and Lists
• Notes
Security Management
• Security Management provides oversight to:
• Ensure that procedures and policies are being followed
• Assess policies and procedures regularly and after any change.
• Prioritize investments to mitigate the highest security risks.
• Security Management activities include:
• Audits – review of access logs to ensure patient records are not viewed outside the requirement of a job function
• Risk Assessments – review of all locations of patient data to consider vulnerabilities and threats and the likelihood and impact of a security event.
• Risk Management Plans – Remediation actions identified and planned in response to Risk Assessments.
• Incident Management – Effective response and review to limit damage, recover from an event, address legal requirements and improve security.
Example
• Workforce Security Policy requires:
• CareNet Medical Group, PC will use a Minimum Necessary Policy … as the basis for the type and extent of authorized access to ePHI.
• CareNet Medical Group, PC will implement procedures to ensure that only workforce members with a need to access ePHI are granted access to ePHI.
• Procedures
• Map staff roles to required permission/access in each system.
• Document staff role assignment and set system permissions appropriately
• Track changes in roles and update system permissions
• Audit
• Periodically review system permissions to ensure compliance with role assignment. Document findings.
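The audit activities above (review of access logs against job function, and periodic review of system permissions against role assignment with documented findings) as a worked example. This code is added here and is not from the original slides or from CareNet; the role map, staff list, permission snapshot and log lines are constructed sample data.

```python
"""Added example (not from the original slides): audit configured system permissions and an EMR
access log against the documented staff role assignment, then record the findings as a report."""
from collections import namedtuple

# Minimum necessary access for each role, per system (constructed role map).
ROLE_PERMISSIONS = {
    "physician":  {"EMR": {"read", "write"}, "PM": {"read"}},
    "front_desk": {"EMR": set(), "PM": {"read", "write"}},
}
# Documented role assignment; None models an account that has no recorded role.
STAFF_ROLES = {"dr_ahmed": "physician", "jlee": "front_desk", "tmp_user": None}
# Permissions as actually configured in each system (constructed export snapshot).
SYSTEM_PERMISSIONS = {
    "EMR": {"dr_ahmed": {"read", "write"}, "jlee": {"read"}, "tmp_user": {"read"}},
    "PM":  {"dr_ahmed": {"read"}, "jlee": {"read", "write"}},
}
# Constructed EMR access log: timestamp, user, action, patient id.
ACCESS_LOG = """\
2024-03-04T09:12:01 dr_ahmed read PT1001
2024-03-04T09:15:44 jlee read PT1002
2024-03-04T10:30:00 dr_ahmed write PT1001
"""
Finding = namedtuple("Finding", "system user issue detail")

def audit_permissions(staff_roles, role_permissions, system_permissions):
    """Compare each account's configured permissions with what its documented role allows."""
    findings = []
    for system, users in system_permissions.items():
        for user, granted in users.items():
            role = staff_roles.get(user)
            allowed = role_permissions[role].get(system, set()) if role else set()
            excess = granted - allowed  # anything granted beyond the role's minimum necessary
            if excess:
                issue = "no documented role" if role is None else "permission exceeds role"
                findings.append(Finding(system, user, issue, sorted(excess)))
    return findings

def audit_access_log(log_text, staff_roles, role_permissions, system="EMR"):
    """Flag log entries where the action is outside what the user's role requires."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, patient = line.split()
        allowed = role_permissions.get(staff_roles.get(user), {}).get(system, set())
        if action not in allowed:
            findings.append(Finding(system, user, f"{action} of {patient} outside role", ts))
    return findings

def audit_report(findings):
    """Record-keeping artifact: one line per finding, or an explicit no-findings line."""
    return [f"{f.system}: {f.user}: {f.issue} ({f.detail})" for f in findings] or ["No findings"]
```

Running both audits and keeping the report output with the date and reviewer's name is the record that the procedure was followed.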
Implementation Timeline
Management and Oversight
Policy Development
Procedure/Documentation Development
Implementation and Staff Training
Execution
Required Policies (1 of 4)
Policy | Section | Description
Security Management | Administrative | Prescribes actions to manage security risk
Security Officer | Administrative | Names and defines duties of HIPAA security officer
Workforce Security | Administrative | Prescribes steps to ensure staff are not security risks.
Information Access Management | Administrative | Prescribes steps to ensure staff has access to only the information needed for their job.
Security Awareness | Administrative | Prescribes security and education programs for staff
Required Policies (2 of 4)
Policy | Section | Description
Incident Response | Administrative | Prescribes how responses to security incidents will be managed
Contingency Planning | Administrative | Prescribes actions required to ensure practice continues to operate in event of failure or disaster
Evaluation | Administrative |
Business Associates | Administrative | Prescribes how business associates are managed.
Required Policies (3 of 4)
Policy | Section | Description
Facility Access | Physical | Prescribes steps to protect against physical threats – fire, theft, etc.
Workstation Use | Physical | Prescribes proper use of workstations
Workstation Security | Physical | Prescribes methods to protect workstations
Device and Media | Physical | Prescribes how devices and removable media may be used and how they are managed
Required Policies (4 of 4)
Policy | Section | Description
Access Control | Technical | Technical methods to control access to electronic data
Integrity Policy | Technical | Defines mechanism to ensure data is not altered or destroyed
Audit Controls | Technical | Methods required to ensure systems can be audited
Authentication | Technical | Prescribes methods to manage authentication
Transmission | Technical | Prescribes methods to protect data while it is being transmitted.
Implementing Security Management
1. Review, Revise and Approve Policies
2. Document procedures and record keeping artifacts to implement policies
3. Assign activities to responsible parties to execute
4. Management review of record keeping to ensure compliance with policies and procedures
5. Regular risk assessments leading to management approved risk management plans.
About CTA
• Clinical Technology Advisors provides management and technology consulting services to healthcare providers covering:
• Medical Technology Systems Integration including EMR, PM, Patient Portal and Imaging Systems
• Compliance with HIPAA, MACRA, Meaningful Use, PQRS.
• Technology Infrastructure including networking, systems, office applications, cloud computing.
• Contact CTA at:
• 518-595-9246