MU and HIPAA Compliance 101

Description: MU and HIPAA Compliance 101. Robert Morris, VP Business Services, Ion IT Group, Inc. www.IonITGroup.com. Agenda: What does it all mean and why is security important? InfoSec; Meaningful Use Compliance; How You Can Help Keep Your Network Secure.

Transcript of MU and HIPAA Compliance 101

Page 1: MU and HIPAA Compliance 101

MU and HIPAA Compliance 101

Robert Morris, VP Business Services, Ion IT Group, Inc

www.IonITGroup.com

Page 2: MU and HIPAA Compliance 101

Agenda:

What does it all mean and why is security important?
InfoSec
Meaningful Use Compliance
How You Can Help Keep Your Network Secure

Page 3: MU and HIPAA Compliance 101


Sometimes we have to do things even when we don’t want to…

Odie 12/15/2011


Page 4: MU and HIPAA Compliance 101

HIPAA Components (est. 1996)

Title I: Portability
Title II: Administrative Simplification
    Privacy (compliant since 4/03): Use/Disclosure of PHI; Individual Rights; Administrative Requirements
    EDI: Transactions; Code Sets; Identifiers
    Security (compliant since 4/05): Administrative Procedures; Physical Safeguards; Organizational Requirements; Technical Safeguards
Title III: Medical Savings Account
Title IV: Group Health Plan Provisions
Title V: Revenue Offset Provision

Page 5: MU and HIPAA Compliance 101

HIPAA Components (est. 1996)

Title I: Portability
Title II: Administrative Simplification
    Privacy (compliant since 4/03): Use/Disclosure of PHI; Individual Rights; Administrative Requirements
    EDI: Transactions; Code Sets; Identifiers
    Security (compliant since 4/05): Administrative Procedures; Physical Safeguards; Technical Security Mechanisms; Technical Security Service
Title III: Medical Savings Account
Title IV: Group Health Plan Provisions
Title V: Revenue Offset Provision

Page 6: MU and HIPAA Compliance 101

Why Should We Care about Network Security?

Potential for downtime and impact on patient care
It’s both a State and Federal law
The dreaded blank check scenario
Possible fines for security breaches
HIPAA requires we implement security measures to protect PHI on paper and electronically!
Damage to reputation for security breaches (newspaper headlines)

Page 7: MU and HIPAA Compliance 101

Headlines, July 07, 2010

Conn. AG, Health Net Reach Settlement Over Medical Data Breach

On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports. The hard drive contained medical and financial information on about 500,000 members from the state.

(Solsman, Dow Jones/Wall Street Journal, 7/6)

Page 8: MU and HIPAA Compliance 101

Headlines, June 2, 2010

“Many of the major healthcare information breaches reported since last September, when the HITECH Breach Notification Rule took effect, have involved the theft or loss of unencrypted laptops and other portable devices.”

Terrell Herzig, HIPAA security officer at UAB Health System in Birmingham, Ala.

Page 9: MU and HIPAA Compliance 101

Agenda:


Page 10: MU and HIPAA Compliance 101

Meaningful Use Core Set verbiage says…

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”

Page 11: MU and HIPAA Compliance 101

Aaaannd that means what??….. 164.308 - Administrative Safeguards

1. You must have a Security Management Process
   a) Implement policies and procedures to prevent, detect, contain, and correct security violations.

2. Risk Analysis
   a) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.

3. Risk Management
   a) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).

4. Sanction Policy
   a) Apply appropriate sanctions against workforce members who fail to comply with the security policies of the covered entity.

5. Information System Activity Review
   a) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
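The Information System Activity Review item is the one that turns audit logs into something a person actually looks at. As an added illustration that is not part of the presentation or of Ion IT Group's material, the Python script below runs two routine review checks over constructed sample EHR access-log lines: successful chart views outside business hours, and bursts of failed logins for one user ID. The log format, user IDs, record IDs, the 07:00 to 19:00 business-hours window and the five-failures-in-five-minutes threshold are all assumptions chosen for the example; the deck does not specify any of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical EHR access-log format:
#   <ISO timestamp> <user id> <action> <patient record id or -> <outcome>
SAMPLE_LOG = """\
2011-12-15T08:02:11 jsmith LOGIN - success
2011-12-15T08:05:40 jsmith VIEW_CHART P1001 success
2011-12-15T08:06:02 jsmith VIEW_CHART P1002 success
2011-12-15T02:14:09 rjones VIEW_CHART P2201 success
2011-12-15T02:15:33 rjones VIEW_CHART P2202 success
2011-12-15T09:00:01 tlee LOGIN - failure
2011-12-15T09:00:07 tlee LOGIN - failure
2011-12-15T09:00:12 tlee LOGIN - failure
2011-12-15T09:00:18 tlee LOGIN - failure
2011-12-15T09:00:25 tlee LOGIN - failure
2011-12-15T09:01:00 tlee LOGIN - success
"""

BUSINESS_HOURS = (7, 19)               # assumed policy: 07:00-19:00 local
FAILED_LOGIN_THRESHOLD = 5             # assumed policy value
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
PHI_ACTIONS = {"VIEW_CHART", "PRINT_CHART", "EXPORT_CHART"}  # hypothetical action names


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, user, action, record, outcome = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "record": None if record == "-" else record,
        "outcome": outcome,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def after_hours_phi_access(events):
    """Map user id -> list of records viewed successfully outside business hours."""
    start, end = BUSINESS_HOURS
    hits = defaultdict(list)
    for e in events:
        in_hours = start <= e["ts"].hour < end
        if e["action"] in PHI_ACTIONS and e["outcome"] == "success" and not in_hours:
            hits[e["user"]].append(e["record"])
    return dict(hits)


def failed_login_bursts(events):
    """Map user id -> largest number of failed logins seen inside one sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["outcome"] == "failure":
            per_user[e["user"]].append(e["ts"])
    findings = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # Extend the window from times[i] as far as the policy window allows.
            while j + 1 < len(times) and times[j + 1] - times[i] <= FAILED_LOGIN_WINDOW:
                j += 1
            count = j - i + 1
            if count >= FAILED_LOGIN_THRESHOLD:
                findings[user] = max(findings.get(user, 0), count)
    return findings


def review(text):
    """Run both review checks and return the findings for a human reviewer."""
    events = parse_log(text)
    return {
        "after_hours_phi_access": after_hours_phi_access(events),
        "failed_login_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    for category, hits in review(SAMPLE_LOG).items():
        print(category, hits or "none")
```

On the constructed sample, the review flags rjones for two chart views at about 2 a.m. and tlee for five failed logins in under a minute (followed by a success, which is exactly the kind of sequence a reviewer wants to see rather than have buried in the log). Both findings are prompts for a person to follow up under the organisation's sanction policy and incident process; the script decides nothing on its own.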

PS. Breach notification was effective 9/2009

Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.  This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification.


Page 12: MU and HIPAA Compliance 101

How You Can Help Your Organization Keep the Network Secure

Page 13: MU and HIPAA Compliance 101

User Access Control and Password Guidance

Unique User ID: All system access with your ID is YOUR responsibility.

Password Guidelines: Passwords must be a combination of upper and lower case letters, numbers, and special characters.

Automatic Logoff: Your EHR session should terminate after 15 minutes of inactivity. Always save your work before leaving your workstation!

Page 14: MU and HIPAA Compliance 101

Accounting for Disclosures

Always indicate why treatment, payment, or authorization information is being disclosed.

Minimum Necessary Rule: “…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.”

Page 15: MU and HIPAA Compliance 101

Tasks for the IT Dept

Role-Based Access: Manage who gets access to what.

Firewall Review: Make sure that communication with the outside world is secure.

Wireless Security: Manage who gets WiFi access.

Antivirus: Manage software to keep viruses and malware at bay.

Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems.

Page 16: MU and HIPAA Compliance 101

Tasks for the IT Dept

Backup: Keep a backup of all data, just in case!

Backup Encryption: Make backup data unreadable to snoopers.

Recovery: Have a plan in case disaster strikes!

Page 17: MU and HIPAA Compliance 101

Summary

Protecting data is everyone’s responsibility.
Understand HIPAA.
Hold each other accountable.

Page 18: MU and HIPAA Compliance 101


Thank you for your time today!

Robert Morris

[email protected]

www.IonITGroup.com