HIPAA & Security Management

How to get started with practical security management in a physician practice

Upload: cole-libby

Post on 16-Apr-2017



Security Management Framework

• A map to organize security efforts to create:

  • A process of continual improvement

  • Shared understanding of everyone’s role

  • Ability to demonstrate the consistent use of appropriate controls to management and third parties

[Framework diagram, layers: Security Management, Documentation, Procedures, Policies, Laws and Regulations]

Laws, Regulations and Accreditations

• Define the obligations and provide motivation for security. Determine the laws, regulations and accreditations that apply to your organization.

• HIPAA [1]

  • The original 1996 law has been amended twice to add security, breach reporting and stronger enforcement mechanisms.

• State Breach Reporting Laws [2]

  • California, New York, Massachusetts and others have laws covering unauthorized access to computer data that compromises the security, privacy or integrity of private information.

• Several other laws do not generally apply to physician practices:

  • Sarbanes-Oxley (public companies)

  • Gramm-Leach-Bliley (financial firms)

  • PCI-DSS (payment card industry)

[1] www.hhs.gov/hipaa/ [2] http://www.ag.ny.gov/internet/data-breach


Policies

• Define what the practice will do to address security requirements.

• Provide guidance to employees and staff. Ensure everyone has the same playbook.

• Policies are often organized to correspond to the structure of the HIPAA regulations:

  • Administrative Safeguards – business practices followed to protect information, such as employee training, audits and risk assessments

  • Physical Safeguards – locks, cameras, screen protectors, etc.

  • Technical Safeguards – passwords, virus protection, encryption, backups, etc.


Procedures

• Detailed instructions for each policy requirement.

• Procedures include:

  • Responsibility – The person or role that is responsible.

  • Methods – The techniques to be used.

  • Process – The steps to complete the procedure.

  • Timing – When and how often the procedure will be used.

  • Record Keeping – The content and format of the information required to document that the procedure has been followed correctly.


Documentation

• Information to demonstrate that policies and procedures are followed.

• The most important aspect of security management:

  • Allows the practice to demonstrate compliance to third parties

  • Supports continual improvement

  • Provides confidence that the environment maintains the same level of security.

• Examples are:

  • System logs

  • Completed checklists

  • Inventories and lists

  • Notes


Security Management

• Security Management provides oversight to:

  • Ensure that procedures and policies are being followed

  • Assess policies and procedures regularly and after any change.

  • Prioritize investments to mitigate the highest security risks.

• Security Management activities include:

  • Audits – review of access logs to ensure patient records are not viewed outside the requirements of a job function

  • Risk Assessments – review of all locations of patient data to consider vulnerabilities and threats and the likelihood and impact of a security event.

  • Risk Management Plans – remediation actions identified and planned in response to Risk Assessments.

  • Incident Management – effective response and review to limit damage, recover from an event, address legal requirements and improve security.
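The access-log audit described above, as an added example that is not part of the original presentation or CTA's material: a Python script checks each constructed EHR access event against an assumed role-to-record-section matrix and reports every view outside the job function, plus any line it could not parse, so the output can be kept as the audit's record-keeping artifact. The log format, role names and section names are assumptions.

```python
import re

# Assumed minimum-necessary matrix (constructed): record sections each role may view.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical_notes", "labs", "medications"},
    "nurse": {"demographics", "clinical_notes", "medications"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics", "scheduling"},
}

# Assumed log line format: "<timestamp> user=<id> role=<role> patient=<id> section=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) section=(?P<section>\S+)$"
)


def audit_access_log(lines):
    """Return one finding per event that falls outside the role's job function.

    Unparsable lines and unknown roles are reported too, since an audit that
    silently skips them cannot show that the log was reviewed completely.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append({"kind": "unparsable", "line": line.strip()})
            continue
        ev = m.groupdict()
        allowed = ROLE_SECTIONS.get(ev["role"])
        if allowed is None:
            findings.append({"kind": "unknown_role", **ev})
        elif ev["section"] not in allowed:
            findings.append({"kind": "outside_job_function", **ev})
    return findings


# Constructed sample events, not real patient data.
SAMPLE_LOG = [
    "2016-09-01T09:02:11 user=rn_lee role=nurse patient=P1001 section=clinical_notes",
    "2016-09-01T09:10:45 user=bill_ortiz role=billing patient=P1001 section=insurance",
    "2016-09-01T09:12:03 user=bill_ortiz role=billing patient=P1002 section=clinical_notes",
    "2016-09-01T09:15:30 user=desk_kim role=front_desk patient=P1003 section=labs",
    "2016-09-01T09:20:00 user=tmp_user role=contractor patient=P1003 section=demographics",
    "garbage line",
]

if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG):
        print(finding)
```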


Example

• Workforce Security Policy requires:

  • CareNet Medical Group, PC will use a Minimum Necessary Policy … as the basis for the type and extent of authorized access to ePHI.

  • CareNet Medical Group, PC will implement procedures to ensure that only workforce members with a need to access ePHI are granted access to ePHI.

• Procedures

  • Map staff roles to the required permissions/access in each system.

  • Document staff role assignments and set system permissions appropriately.

  • Track changes in roles and update system permissions.

• Audit

  • Periodically review system permissions to ensure compliance with role assignments. Document findings.
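An added example of the permission audit in the last step, not from the original presentation or CareNet's procedures: it reconciles a constructed snapshot of each system's configured permissions with the documented role assignment and an assumed role-to-permission map, reporting excess access (a minimum-necessary violation), missing access, and accounts that have no current role. System names, roles and permission names are assumptions.

```python
# Assumed role-to-permission map (constructed): the access each role needs per system.
ROLE_ACCESS = {
    "physician": {"EMR": {"read_chart", "write_chart", "sign_orders"}, "PM": {"view_schedule"}},
    "nurse": {"EMR": {"read_chart", "write_chart"}, "PM": {"view_schedule"}},
    "billing": {"EMR": {"read_demographics"}, "PM": {"view_schedule", "post_charges"}},
    "front_desk": {"EMR": {"read_demographics"}, "PM": {"view_schedule", "edit_schedule"}},
}
# Documented staff role assignment (constructed): the record the audit checks against.
STAFF_ROLES = {"dr_patel": "physician", "rn_lee": "nurse", "bill_ortiz": "billing", "desk_kim": "front_desk"}
# Permissions as actually configured in each system (constructed snapshot).
SYSTEM_PERMISSIONS = {
    "EMR": {
        "dr_patel": {"read_chart", "write_chart", "sign_orders"},
        "rn_lee": {"read_chart", "write_chart", "sign_orders"},  # more than the role needs
        "bill_ortiz": {"read_demographics"},
        "desk_kim": set(),                                       # less than the role needs
        "old_temp": {"read_chart"},                              # account with no current role
    },
    "PM": {
        "dr_patel": {"view_schedule"},
        "rn_lee": {"view_schedule"},
        "bill_ortiz": {"view_schedule", "post_charges"},         # desk_kim has no PM account at all
    },
}

def audit_permissions(role_access, staff_roles, system_permissions):
    """Compare configured permissions with the documented role assignment.

    Finding kinds: 'excess' (violates minimum necessary), 'missing' (staff cannot
    do their job) and 'orphan' (an account with no current role, e.g. departed staff).
    """
    findings = []
    for system, accounts in system_permissions.items():
        for user, granted in accounts.items():
            role = staff_roles.get(user)
            if role is None:
                findings.append({"kind": "orphan", "system": system, "user": user})
                continue
            required = role_access[role].get(system, set())
            for perm in sorted(granted - required):
                findings.append({"kind": "excess", "system": system, "user": user, "perm": perm})
            for perm in sorted(required - granted):
                findings.append({"kind": "missing", "system": system, "user": user, "perm": perm})
        # Staff with a documented role but no account at all in a system they need.
        for user, role in staff_roles.items():
            if user not in accounts:
                for perm in sorted(role_access[role].get(system, set())):
                    findings.append({"kind": "missing", "system": system, "user": user, "perm": perm})
    return findings
```

Each finding names the system, the account and the single permission concerned, so the list can be filed as the documented result of the review and re-run after remediation.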

Implementation Timeline

• Management and Oversight

• Policy Development

• Procedure/Documentation Development

• Implementation and Staff Training

• Execution

Required Policies (1 of 4)

Policy | Section | Description
Security Management | Administrative | Prescribes actions to manage security risk
Security Officer | Administrative | Names and defines duties of the HIPAA security officer
Workforce Security | Administrative | Prescribes steps to ensure staff are not security risks.
Information Access Management | Administrative | Prescribes steps to ensure staff have access to only the information needed for their job.
Security Awareness | Administrative | Prescribes security and education programs for staff

Required Policies (2 of 4)

Policy | Section | Description
Incident Response | Administrative | Prescribes how responses to security incidents will be managed
Contingency Planning | Administrative | Prescribes actions required to ensure the practice continues to operate in the event of failure or disaster
Evaluation | Administrative |
Business Associates | Administrative | Prescribes how business associates are managed.

Required Policies (3 of 4)

Policy | Section | Description
Facility Access | Physical | Prescribes steps to protect against physical threats – fire, theft, etc.
Workstation Use | Physical | Prescribes proper use of workstations
Workstation Security | Physical | Prescribes methods to protect workstations
Device and Media | Physical | Prescribes how devices and removable media may be used and how they are managed

Required Policies (4 of 4)

Policy | Section | Description
Access Control | Technical | Technical methods to control access to electronic data
Integrity Policy | Technical | Defines mechanisms to ensure data is not altered or destroyed
Audit Controls | Technical | Methods required to ensure systems can be audited
Authentication | Technical | Prescribes methods to manage authentication
Transmission | Technical | Prescribes methods to protect data while it is being transmitted.

Implementing Security Management

1. Review, Revise and Approve Policies

2. Document procedures and record keeping artifacts to implement policies

3. Assign activities to responsible parties to execute

4. Management review of record keeping to ensure compliance with policies and procedures

5. Regular risk assessments leading to management approved risk management plans.

About CTA

• Clinical Technology Advisors provides management and technology consulting services to healthcare providers covering:

  • Medical technology systems integration including EMR, PM, patient portal and imaging systems

  • Compliance with HIPAA, MACRA, Meaningful Use, PQRS

  • Technology infrastructure including networking, systems, office applications, cloud computing

• Contact CTA at:

  • [email protected]

  • 518-595-9246