The document discusses HIPAA compliance requirements and how organizations can demonstrate compliance through HITRUST certification. It provides an overview of HIPAA, HITECH, and Omnibus Rule regulations regarding privacy, security, breach notification and business associate responsibilities. It then outlines the mission and objectives of HITRUST to establish trust in healthcare information sharing through a certifiable compliance framework. The document explains how organizations can address HIPAA compliance gaps and demonstrate compliance to auditors by pursuing HITRUST certification.
2. Agenda
• About HIPAA
• HIPAA, HITECH and the Omnibus Rule
• Fines and Penalties
• HIPAA Requirements
• HITRUST Mission and Objective
• Key Components of CSF Assurance Program
• Demonstrating compliance to HIPAA through HITRUST
• Key takeaways
• Q&A
3. What is HIPAA today?
Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:
• Establishes administrative, physical and technical security and privacy standards
• Applies to both healthcare providers and business associates (3rd parties)
• Attributes responsibility for monitoring HIPAA compliance of business associates to healthcare providers
• Assessment of compliance of business associates due 09/23/13
4. HIPAA, HITECH and the Omnibus Rule
HITECH
• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
• Establishes mandatory penalties for “willful neglect”
• Imposes data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI”
• Institutes third party management and monitoring as “due diligence” and “due care” provisions
• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
Omnibus Rule
• Finalization of interim rules outlined in the HITECH Act
• Formalizes enforcement provisions for breaches
• Expands definition of BA to include subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the actual maximum for penalties
• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
• Requires an on-going monitoring process for the organization's security programs and processes.
5. Fines/Penalties
Each row gives the HIPAA violation category, then the minimum and maximum penalty for it.
• Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
• HIPAA violation due to reasonable cause and not due to willful neglect
  Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
• HIPAA violation due to willful neglect but violation is corrected within the required time period
  Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
• HIPAA violation is due to willful neglect and is not corrected
  Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
Source: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
6. HIPAA Requirements – Privacy Rule
Privacy Rule Main Points:
• Requires appropriate safeguards to protect the privacy of personal health information
• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
• Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
• Requires compliance with the Security Rule
For BAs
• Requires breach notification to the Covered Entity
• Requires giving either the individual or the Covered Entity access to PHI
• Requires reporting the disclosure of PHI to the Secretary of HHS
• Requires providing an accounting of disclosures.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
7. HIPAA Requirements – Security Rule
Administrative Safeguards (standard: implementation specifications):
• Security Management Process: Risk Analysis (required), Risk Management (required), Sanction Policy (required), Information Systems Activity Reviews (required)
• Assigned Security Responsibility: Officers (required)
• Workforce Security: Employee Oversight (addressable)
• Information Access Management: Multiple Organizations (required) and ePHI Access (addressable)
• Security Awareness and Training: Security Reminders (addressable), Protection Against Malware (addressable), Login Monitoring (addressable), Password Management (addressable)
• Security Incident Procedures: Response and Reporting (required)
• Contingency Plans (required)
• Evaluations (required)
• Business Associate Agreements (required)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Technical Safeguards:
• Access Control: Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff (addressable), Encryption and Decryption (addressable)
• Audit Controls (required)
• Integrity: Mechanism to Authenticate ePHI (addressable)
• Authentication (required)
• Transmission Security: Integrity Controls (addressable), Encryption (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Physical Safeguards:
• Facility Access Controls: Contingency Operations (addressable), Facility Security Plan (addressable), Access Control and Validation Procedures (addressable), Maintenance Records (addressable)
• Workstation Security (required)
• Device and Media Controls: Disposal (required), Media Re-Use (required), Data Backup and Storage (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
8. HIPAA Requirements – Breach Notification
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
Unsecured PHI
Transmission and Storage: NIST Special Publication 800-111, NIST Special Publications 800-52, 800-77 or Federal Information Processing Standards (FIPS) 140-2 validated
Destruction: Specifies physical and electronic PHI; for electronic, NIST Special Publication 800-88
Breach Notification
Methods: by email or first class mail; to the media; posting the notice on the home page of its web site for at least 90 days; if a BA, to the CE, within 60 days of determination
Notification Thresholds
> 500 records: notify HHS, individuals and media, within 60 days
< 500 records: notify HHS in an annually consolidated listing
Burden of Proof
CEs/BAs are required to prove that they have notified the affected parties within the time periods specified or face penalties
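As an added illustration (not part of the deck), the breach-notification decision above written as a small Python function: it applies the unsecured-PHI definition, the low-probability exception from the deck's burden-of-proof notes, the BA-to-CE path and the 500-record threshold, and returns who must be notified, by when, and what documentation to retain. `BreachEvent`, `breach_obligations` and the sample events are constructed names and data for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BreachEvent:
    """One impermissible use or disclosure of PHI (constructed input type, not from the deck)."""
    determined_on: date       # date the breach was determined; the 60-day clock starts here
    affected: int             # number of individuals whose records were involved
    reporter_is_ba: bool      # True when a business associate is the party reporting
    secured_per_nist: bool    # PHI was encrypted per NIST SP 800-111 / FIPS 140-2 validated
    low_probability: bool = False  # a documented risk assessment found low probability of compromise


def breach_obligations(ev: BreachEvent) -> dict:
    """Return the notifications owed as (recipient, due) pairs and the proof to retain."""
    due = ev.determined_on + timedelta(days=60)
    notify, retain = [], []
    if ev.secured_per_nist:
        # Encrypted PHI is not "unsecured PHI", so no notification is triggered, but the
        # burden of proof means the evidence that it was secured must be kept.
        retain.append("encryption / FIPS 140-2 validation evidence")
    elif ev.low_probability:
        # Exception (1) in the deck's burden-of-proof notes: retain the risk assessment.
        retain.append("risk assessment documenting low probability of compromise")
    elif ev.reporter_is_ba:
        # A BA notifies its covered entity within 60 days of determination.
        notify.append(("covered entity", due))
    else:
        notify.append(("affected individuals (email or first class mail)", due))
        # The deck writes "> 500" / "< 500"; exactly 500 goes to the larger tier here (assumption).
        if ev.affected >= 500:
            notify += [("HHS", due), ("media", due)]
        else:
            notify.append(("HHS annual consolidated listing", "annual"))
    if notify:
        retain.append("dated copies of every notification sent")
    # Web-site posting for at least 90 days is listed as a method in the deck; its trigger
    # is not stated there, so it is not modelled.
    return {"notify": notify, "retain": retain}


# Constructed sample events (not real incidents); all determined on 2013-10-01.
LARGE = BreachEvent(date(2013, 10, 1), 1200, reporter_is_ba=False, secured_per_nist=False)
SMALL = BreachEvent(date(2013, 10, 1), 40, reporter_is_ba=False, secured_per_nist=False)
ENCRYPTED = BreachEvent(date(2013, 10, 1), 1200, reporter_is_ba=False, secured_per_nist=True)
FROM_BA = BreachEvent(date(2013, 10, 1), 40, reporter_is_ba=True, secured_per_nist=False)

if __name__ == "__main__":
    for name, ev in [("large", LARGE), ("small", SMALL), ("encrypted", ENCRYPTED), ("from BA", FROM_BA)]:
        print(name, breach_obligations(ev))
```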
9. HIPAA Requirements – BAs and subcontractors
• Comply directly with the HIPAA Regulation
• Business associates must identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective CE
• BAs must establish and define (contractually) security requirements, right to audit, incident reporting clauses with their service providers
• BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers
• Be able to show due diligence/due care with respect to monitoring their supplier's security compliance
10. HITRUST Mission and Objectives
In 2007, the Health Information Trust Alliance or HITRUST was formed by a group of concerned healthcare organizations out of the belief that improvements in the state of information security and privacy in the industry are critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information, all of which are necessary to improve the quality of patient care while lowering the cost of healthcare delivery.
Key focus:
• Increase the protection of protected health and other sensitive information
• Mitigate and aid in the management of risk associated with health information
• Contain and manage costs associated with appropriately protecting sensitive information
• Increase consumer and governments' confidence in the industry's ability to safeguard health information
• Address increasing concerns associated with business associate and 3rd party privacy, security and compliance
• Work with federal and state governments and agencies and other oversight bodies to collaborate with industry on information protection
• Facilitate sharing and collaboration relating to information protection amongst and between healthcare organizations of varying types and sizes
• Enhance and mature the knowledge and competency of health information protection professionals
11. HITRUST Overview
• Exists to ensure that information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
• Was born out of the belief that information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information.
• Is collaborating with healthcare, business, technology and information security leaders, all of whom are united by the belief that adopting a higher level of standard security practices will build greater trust in the electronic flow of information through the healthcare system.
• Has established a certifiable framework that any and all organizations in the healthcare industry that create, access, store or exchange personal health and financial information can implement and be certified against.
12. Strategic Objectives of HITRUST
Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
• Rationalize regulations and standards into a single overarching framework tailored for the industry
• Deliver a prescriptive, scalable and certifiable process
• Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls to eliminate ambiguity in the process
• Enable ability to cost-effectively monitor compliance of organizational, business partner and governmental requirements
• Provide support and facilitate sharing of ideas, feedback and experiences within the industry
Establish trust between organizations within the healthcare industry that exchanged information is protected
Develop an approach for the practical, efficient and consistent adoption of security by the healthcare industry
13. Standardized tools and processes
Key Components of CSF Assurance Program
• Questionnaire
  ► Focus assurance dollars to efficiently assess risk exposure
  ► Measured approach based on risk and compliance
  ► Ability to escalate assurance level based on risk
• Report
  ► Output that is consistently interpreted across the industry
Cost effective and rigorous assurance
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST CSF Assessors
• Streamlined and measurable process within MyCSF tool
• End User support
14. HITRUST Report
• Certified/validated report issued by HITRUST based on work of independent third-party assessors
  ► Business/functional/organizational units that meet the associated criteria
• Assessment context and scope of systems included in assessment
• Breakdown of CSF control areas with a comparison to industry
  ► Includes maturity scores
• Testing summary, corrective action plans, and completed questionnaire
15. Demonstrating Compliance to HIPAA through HITRUST
• Risk Assessments
  – Not performed/not updated or documented
  – Limited scope: facilities, processing environment, personnel, software
  – Not aligned with controls or monitoring
• Inventories (Asset Management)
  – Out of date/not documented: hardware, software, interfaces, dataflow diagrams/process descriptions, removable media, teleworkers (remote), BAs and subcontractors
• No BA/Vendor Management program
• Policies, procedures and standards (Governance)
• Hardening and patch management
  – None or not implemented
  – Not monitored/No follow-up
  – End-of-life
• Vulnerability Management
  – Inconsistent/incomplete internal vulnerability and penetration testing for networks and applications
  – Remediation gaps
  – No Internet content restrictions
16. Lessons Learned
• System Logging and Monitoring
  – Not implemented/inconsistent
  – Not retained or analyzed
  – Lack of oversight and approval
• None or inconsistent encryption of data in transmission or storage
• Media management and tracking gaps
• Untested incident and breach response processes for PHI related disclosures
• User Provisioning
  – Excessive privileges/accesses
  – No formal documentation of rationale
  – Lack of oversight and approval
• Training and awareness
  – Not HIPAA oriented
  – No refresh
  – Lack of evidence of attendance
• Inadequate business continuity and disaster recovery
• Failure to monitor external maintenance personnel
17. To Learn More …
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight
18. To Learn More …
Visit www.controlcase.com
Email us at contact@controlcase.com
This is a short summary of what HIPAA means today…. We will dig a little deeper in later slides.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act or "The Act") is part of the American Recovery and Reinvestment Act of 2009 (ARRA).
What "willful neglect" means will be determined on a case-by-case basis, but speaking in the parlance of this guide, we believe that a provider with "no story" regarding compliance (or so minimal a story as to portray a cavalier attitude toward compliance) will likely be at significant risk.
Under the HITECH Act "unsecured PHI" essentially means "unencrypted PHI."
Under the HITECH Act, business associates are now directly "on the compliance hook" since they are required to comply with the safeguards contained in the HIPAA Security Rule (SR). The HITECH Act does not speak directly to the rationale, but even casual observers understand that a potentially massive
Omnibus Rule – HHS will determine the actual maximum for penalties – the established maximum for a specific violation is 1.5M USD; assorted violations (3, 4, 10) could each be treated separately and fined up to a maximum of 1.5M USD.
This table summarizes the minimum and maximum penalties that can be levied by HHS for non-compliance. Please note that regardless of the reason behind the breach/disclosure of PHI, minimum and maximum penalties are defined.
The amounts listed are for each violation. For example, if an organization fails to perform a risk assessment (RA) or to remediate issues stemming from it, fails to patch and harden systems that process PHI and fails to train its staff, the theoretical maximum penalty could reach 4.5M USD.
In short, the Privacy Rule requires that PHI be protected using defined, implemented and monitored security controls. It also specifies requirements for breach notifications to HHS and the CE.
The nature and requirements of the HIPAA Security Rule haven't changed since before 2009, so I'm not going to go into detail regarding the specific safeguards mentioned; however, detailed descriptions and expectations are readily available on-line. I have included links to official resources and would encourage you to review them and ensure that you are familiar with the specific rules.
The take away regarding HIPAA security is that it mirrors many of the same requirements found in PCI DSS, ISO 27001/2, NIST 800-53, etc.
"Proof": the CE/BA should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required:
(1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or
(2) the application of any other exceptions to the definition of "breach."
Waiting until the organization is under investigation or being audited is not the appropriate time to think about how to demonstrate compliance with HIPAA. By that time, it is too late.
The following lessons learned were observed during a number of HIPAA compliance assessments.