OCR’s Privacy, Security, and Breach Notification Compliance Audits are Underway: Is Your Organization Prepared?
by
Edward D. Jones III
CEO, Cornichon Healthcare Select, LLC
May 4, 2016
Presented in the HIPAA Integrity Webinar sponsored by WEDI
May 4, 2016 www.HIPAAIntegrity.com 1
Introduction (1/4)
– On March 21, 2016, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) initiated its long-awaited HIPAA Privacy and Security Rule and HITECH Act Breach Notification Rule compliance audits, authorized under the HITECH Act, enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act.
– The compliance desk audits follow an earlier compliance audit program in 2012 that found only 11% compliance among the covered entities audited.
– In the current audit round, all covered entities and business associates not currently being investigated for a complaint or breach are subject to selection for a compliance desk audit.
– Following several initial information inquiries, the compliance desk audits are expected to begin early this summer, with electronic responses to OCR due within 10 days after the date on the notice of audit.
Introduction (2/4)
• On April 1, 2016, OCR published on its Website the long-awaited Audit Protocol-Current, an update of OCR‘s earlier audit protocols released in June 2012.
• The 2012 audit protocols were more tailored to guiding design and implementation of policies and procedures, whereas the 2016 audit protocols are more suited to OCR’s desk audit sample design.
– Example: Breach Notification
• That being said, the 2016 audit protocols provide more detail in some instances for guiding design and implementation of policies and procedures, as examples in the Webinar will illustrate.
• HIPAA Integrity has built an easy-to-understand comparative table of 2012 and 2016 audit protocols and has linked each protocol set to the pertinent policies and procedures in HIPAA Integrity‘s Compliance Tool Package.
Introduction (3/4)
• Two Key Definitions (Merriam-Webster’s Collegiate Dictionary, Eleventh Edition, 2003)
– Policy
• “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.”
• “a high level overall plan embracing the general goals and acceptable procedures especially of a government body.”
– Procedure
• “a series of steps followed in a regular definite order.”
– Note. HIPAA and HITECH Act Safeguard Rules require policies and procedures to be in writing, which can be in electronic form, and be accessible to all covered entity and business associate workforce members, including management.
Introduction (4/4)
• This Webinar will:
– Explain the 2016 compliance desk audit process.
– Show examples of how the 2016 OCR audit protocols differ from OCR’s 2012 audit protocols.
– Explain how audit protocols are just one of several guides needed to establish robust safeguard policies and procedures.
– Describe how you can achieve and demonstrate timely compliance using the HIPAA Integrity Compliance Tool Package.
• Valuable tools for covered entities and business associates to validate existing compliance efforts.
• Valuable tools for covered entities and business associates just starting their compliance efforts.
• Think of compliance as an investment in your business future, not an expense.
– Provide a special HIPAA Integrity offer at the end of the Webinar for today‘s Webinar participants.
Let’s Get Started–Current Compliance Audit Process
• Scope of the Current Compliance Audits
– Provisions of the HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act Breach Notification Rule
– Covered Entities and Business Associates
• “OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the efficacy of desk audits in evaluating the compliance efforts of the HIPAA regulated industry.”
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.
Compliance Audit Process
• Objective of the Current Compliance Audits
– “The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”
Compliance Audit Process
• Timeline of the Current Compliance Audits (1/3)
– “OCR’s HIPAA audit program is currently underway.”
• Obtain and verify via email request covered entity contact information.
• Obtain via email audit pre-screening questionnaire of organization characteristics (“size, type, and operations”) from health care providers, health plans, healthcare clearinghouses, and business associates.
– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html.
– Covered entities will be asked to identify their business associates.
» http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html.
– Data will be used to “develop pools of potential auditees” for random sampling of the audit pool(s): initially covered entities, then business associates.
Compliance Audit Process
• Timeline of the Current Compliance Audits (2/3)
– “OCR’s HIPAA audit program is currently underway.”
• Selected auditees will be notified by email of their selection and “asked to provide documents and other data in response to a document request letter, online via a new secure audit portal on OCR’s Website” within 10 business days of the information request. [emphasis added]
• OCR auditors will “review documentation and then develop and share draft findings with the entity.”
– If necessary, a site visit of three to five days could ensue “when OCR deems it appropriate”.
• Auditees will have an opportunity to review draft findings and provide written response(s) for inclusion in final audit report, completed 30 days after auditee’s response.
• OCR expects to conclude these compliance audits by end of 2016.
Compliance Audit Process
• Timeline of the Current Compliance Audits (3/3)
– “OCR’s HIPAA audit program is currently underway.”
• Note. “An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.”
– In this event, OCR will rely on publicly available sources to identify the potential auditee.
– “Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules.”
• OCR Compliance Enforcement
– Covered entities and business associates retain the burden of proof under HHS compliance enforcement actions and must submit written records to HHS in an audit or investigation.
– Cooperation. HHS will seek cooperation of covered entities and business associates in obtaining compliance with Administrative Simplification provisions.
– Assistance. HHS, as part of its enforcement activities, may provide technical assistance to covered entities and business associates to help them comply voluntarily.
– Resolution Agreement and Corrective Action Plan if there is a determination of willful neglect not corrected as a result of a compliance audit or an investigation related to a complaint or a breach. Examples at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.
Compliance Audit Process
• From Compliance Audit -> Compliance Review (1/2)
– “Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public. In the event OCR receives such a request, we will abide by the FOIA regulations.”
Compliance Audit Process
• From Compliance Audit -> Compliance Review (2/2)
• What are Compliance Reviews?
– HHS will conduct a compliance review to determine if a covered entity or business associate is complying with Administrative Simplification provisions if there is preliminary evidence indicating a potential violation due to willful neglect.
» HHS Office for Civil Rights (OCR) has enforcement authority for HIPAA Privacy and Security Rules, and HITECH Act Breach Notification Rule.
– HHS may conduct a compliance review to determine if a covered entity or business associate is complying with Administrative Simplification provisions in any other circumstance.
– A covered entity or business associate must permit access to HHS during normal business hours to review records pertaining to compliance, or at any time and without notice if there is evidence of exigent circumstances.
Compliance Audit Process
• How OCR will use compliance audit results
– “Audits are primarily a compliance improvement activity. OCR will review and analyze information from the final reports. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”
• Breach
– From the September 23, 2009, HITECH Act Breach Reporting Date to December 31, 2015:
• 1,437 “large” breaches (affecting 500 or more individuals) impacting 154,368,781 individuals’ patient health records.
– From January 1 to December 31, 2015:
• 258 large breaches impacting 113,208,516 individuals’ patient health records.
– In 2015, 258 large breaches represented 18% of total large breaches since the September 2009 reporting date, but 73% of patient records breached since that date.
Redspin, Breach Report 2015: Protected Health Information (PHI), February 2016. www.redspin.com.
• Breach
– From the September 23, 2009, HITECH Act Breach Reporting Date to December 31, 2015:
– Breached Organization
• Covered Entity—79.8%
• Business Associate—20.2%
– Breached Record Type
• Electronic—73.7%
• Hard Copy (Paper and Film)—26.3%
Redspin, Breach Report 2015: Protected Health Information (PHI), February 2016. www.redspin.com.
• Breach
– “From 2009-2013, the primary cause of PHI breach was the loss or theft of unencrypted portable computing devices.”
– In 2015, “[nine] of the top 10 incidents and 98.1% of records breached were the result of hacking attacks/IT incidents.”
– “Because phishing attacks exploit human vulnerabilities rather than technical, healthcare organizations must step up their security awareness education efforts for all employees. They need to be better trained to recognize phishing schemes through social engineering testing and security awareness training. Policies may also need to be tightened.”
www.Redspin.com
• Breach
– Costs
• “The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.”
• “If a healthcare organization has a breach, the average cost could be as high as $363.”
• Costs include remediating the harm, notification of breach to affected individuals, and lost business.
– Ponemon Institute 2015 Annual Survey (sponsored by IBM), available at: http://www.ponemon.org/blog/cost-of-data-breach-grows-as-does-frequency-of-attacks.
• “The threat level of cyber attacks on virtually every organization continues to increase, with more than half of companies reporting the loss of customer data as a result of distributed denial of service (DDoS) attacks, and three-quarters of organizations suffering a breach in 2015.”
--David Weldon, “Most organizations hit by data breaches in 2015,” Health Data Management, May 3, 2016.
• “The most difficult part of implementing information protection is people. Security is ultimately a ‘people problem,’ not a technology issue…. People do not always understand the value of the healthcare data they access, but healthcare organizations can remedy this issue by educating and training the people who collect, use, store, and share that information. In doing this, healthcare IT can ensure that employees are aware of the value of their data, and therefore more inclined to take the extra steps to protect that data and ensure adversaries are not able to intercept it…. Training is crucial.” [emphasis added]
--David Finn, Health IT Officer, Symantec, “Cybersecurity: Playing by the rules and defending your network,” Health Management Technology, March 2016.
• Three fundamental safeguard principles:
– Confidentiality. Data or information are not made available or disclosed to unauthorized persons or processes.
– Integrity. Data or information have not been altered or destroyed in an unauthorized manner.
– Availability. Data or information are accessible and useable upon demand by an authorized person.
• These principles also are the foundation for rules and responsibilities of workforce members under the HIPAA Privacy Rule and HITECH Act Breach Notification Rule for safeguarding protected health information (PHI) when we broaden the definition of PHI and its identifiers to include information in hard copy and conveyed orally.
• These principles are achieved primarily through six implementations for demonstrating compliance.
• Six Key Compliance Implementations
1. Designating Privacy and Security Officials to manage safeguard efforts and ensure ongoing vigilance.
2. Conducting and periodically reviewing and updating an analysis of risks (threats and vulnerabilities) pertaining to creation, receipt, maintenance, and transmission of PHI to ensure that it is not impermissibly accessed, disclosed, or used by unauthorized persons or processes.
3. Identifying risk mitigation strategies and shaping safeguard policies and procedures based on risk analysis findings.
4. Training workforce members on “awareness and understanding” of safeguard policies and procedures.
5. Having in place and applying sanctions for safeguard violations.
6. Documenting all safeguard activities, actions, and assessments.
April 2016 Audit Protocols
• “The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These analyses are conducted using a comprehensive audit protocol that has been updated to reflect the Omnibus Final Rule. The audit protocol is organized by Rule and regulatory provision and addresses separately the elements of privacy, security, and breach notification. The audits performed assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review.”
• There are 365 pages of April 2016 Audit Protocols.
Enabling Rules (1/3)
• Privacy
– Standards for Privacy of Individually Identifiable Health Information: Final Rule. 67 FR 53182-53273, August 14, 2002. Compliance for covered entities: August 14, 2003.
• Security
– Security Standards: Final Rule. 68 FR 8334-8381, February 20, 2003. Compliance for covered entities: April 20, 2005.
• Breach Notification
– Breach Notification for Unsecured Protected Health Information: Interim Final Rule. 74 FR 42740-42770, August 24, 2009. Compliance for covered entities and business associates: September 23, 2009 (effective date for reporting breaches of PHI occurring on or after that date, with enforcement commencing for breaches occurring on or after February 22, 2010).
• Modifications Final Rule
– Modifications to HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and Genetic Information Nondiscrimination Act (GINA); Other Modifications to the HIPAA Rules: Final Rule. 78 FR 5566-5702, January 25, 2013. Compliance for covered entities and business associates: September 23, 2013.
Enabling Rules (2/3)
• Privacy
– Compliance for covered entities: August 14, 2003.
• Security
– Compliance for covered entities: April 20, 2005.
• Breach Notification
– Compliance for covered entities and business associates: September 23, 2009 (effective date for reporting breaches of PHI occurring on or after that date, with enforcement commencing for breaches occurring on or after February 22, 2010).
• Modifications Final Rule
– Compliance for covered entities and business associates: September 23, 2013.
– Note. If your organization has been in business since the compliance dates above, you may need to demonstrate that you have archived policies and procedures for the six years from creation or last action according to the Documentation Standard.
Enabling Rules (3/3)
• Each of these enabling regulations is accessible at: http://www.hhs.gov/hipaa/for-professionals/index.html or http://www.ecfr.gov/cgi-bin/text-idx?SID=d7016c224c7c49489e98a2394c19b404&mc=true&tpl=/ecfrbrowse/Title45/45CsubchapC.tpl.
OCR’s 2012 Audit Protocol – 45 CFR 164.530(j) PR, AR.10.1 Documentation
164.520 Notice of Privacy practices for protected health information. Inquire of management as to whether the documentation of privacy practices must be maintained in electronic or written form and retained for a period of six years.
Obtain and review documentation to determine if (1) the notice of privacy practices, and (2) acknowledgements for health care providers with direct patient relationships are maintained in electronic or written form and retained for a period of six years.
OCR’s April 2016 Audit Protocol – 45 CFR 164.530(j) PR, AR.10.1 Documentation
Does the entity maintain all required policies and procedures, written communication, and documentation in written or electronic form?
Are such documentations retained for the required time period?
OCR’s 2012 Audit Protocol – 45 CFR 164.312(a)(2)(i) SR, TS.1.1 Access Control – Unique User Identification
System Users Have Been Assigned a Unique Identifier.
Inquire of management as to how users are assigned unique user IDs. Obtain and review policies and/or procedures and evaluate the content in relation to the specified criteria to determine how user IDs are to be established and assigned and evaluate the content in relation to the specified criteria. Obtain and review user access lists for each in-scope application to determine if users are assigned a unique ID and evaluate the content in relation to the specified criteria for attributing IDs. For selected days, obtain and review user access logs to determine if user activity is tracked and reviewed on a periodic basis, and evaluate the content of the logs in relation to the specified criteria for access reviews.
OCR’s April 2016 Audit Protocol – 45 CFR 164.312(a)(2)(i) SR, TS.1.1 Access Control – Unique User Identification
Does the entity have policies and procedures regarding the assignment of unique user IDs to track user identity?
Does the entity assign unique user IDs to track user identity?
Obtain and review policies and procedures regarding the assignment of unique user IDs. Evaluate the content of the policies and procedures in relation to the specified performance criteria to determine how user IDs are to be established and assigned.
Obtain and review documentation demonstrating the assignment, creation, and use of unique user IDs in electronic information systems for users. Evaluate and determine if users are assigned a unique ID in accordance with the entity's policies and procedures for attributing new user IDs.
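The two protocol versions above ask the auditor to do three concrete things with evidence: check the access list of each in-scope application for IDs that are not unique to one person, check that logged activity can be attributed to a person on that list, and check that log reviews actually happen on a periodic basis. The following Python script is an added example, not part of the webinar or of OCR’s protocol, that automates those three checks over constructed sample data. The application, the log line layout, the user IDs and names, and the 30-day review cadence are all assumptions made for illustration; an auditor would substitute the entity’s own exports and its documented review frequency.

```python
"""Evidence checks for the Unique User Identification audit step, 45 CFR 164.312(a)(2)(i).

All data below is constructed for illustration. The application, the log
format, the IDs and names, and the 30-day review cadence are assumptions,
not values from the OCR audit protocol.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed access list for one in-scope application: (user_id, workforce member).
# "nursing1" is deliberately assigned to two people: a shared, non-unique ID.
ACCESS_LIST = [
    ("jdoe", "Jane Doe"),
    ("rroe", "Richard Roe"),
    ("nursing1", "Jane Doe"),
    ("nursing1", "Richard Roe"),
    ("mmoe", "Mary Moe"),
]

# Constructed audit-log lines: "<ISO timestamp> user=<id> action=<verb> record=<reference>".
# "svc_backup" does not appear on the access list, so its activity cannot be tied to a person.
ACCESS_LOG = """\
2016-04-04T08:02:11 user=jdoe action=view record=MRN-0001
2016-04-04T08:05:40 user=nursing1 action=update record=MRN-0002
2016-04-04T09:17:03 user=svc_backup action=export record=ALL
2016-04-05T14:31:59 user=rroe action=view record=MRN-0003
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed dates on which the entity documented a review of the access log,
# and the review cadence its (assumed) policy commits to.
REVIEW_DATES = [date(2016, 1, 11), date(2016, 2, 8), date(2016, 4, 25)]
REVIEW_CADENCE_DAYS = 30


def shared_user_ids(access_list):
    """Return {user_id: sorted members} for every ID assigned to more than one person."""
    holders = defaultdict(set)
    for user_id, member in access_list:
        holders[user_id].add(member)
    return {uid: sorted(members) for uid, members in holders.items() if len(members) > 1}


def unattributable_log_entries(log_text, access_list):
    """Return (user_id, line) for log lines whose ID is absent from the access list.

    Lines that do not match the expected layout are reported as ("unparseable", line),
    because an auditor cannot attribute activity they cannot read either.
    """
    known = {uid for uid, _ in access_list}
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            findings.append(("unparseable", line))
        elif match.group("user") not in known:
            findings.append((match.group("user"), line))
    return findings


def review_cadence_gaps(review_dates, cadence_days):
    """Return (previous, current, gap_days) for consecutive reviews further apart than cadence_days."""
    ordered = sorted(review_dates)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (cur - prev).days
        if gap > cadence_days:
            gaps.append((prev, cur, gap))
    return gaps


def audit_unique_user_identification(access_list=ACCESS_LIST, log_text=ACCESS_LOG,
                                     review_dates=REVIEW_DATES,
                                     cadence_days=REVIEW_CADENCE_DAYS):
    """Run the three evidence checks and return the findings as one dict for the workpaper."""
    return {
        "shared_ids": shared_user_ids(access_list),
        "unattributable": unattributable_log_entries(log_text, access_list),
        "review_gaps": review_cadence_gaps(review_dates, cadence_days),
    }


if __name__ == "__main__":
    result = audit_unique_user_identification()
    for uid, members in result["shared_ids"].items():
        print(f"NOT UNIQUE: {uid} is assigned to {', '.join(members)}")
    for uid, line in result["unattributable"]:
        print(f"UNATTRIBUTABLE: {uid!r} is not on the access list: {line}")
    for prev, cur, gap in result["review_gaps"]:
        print(f"REVIEW GAP: {gap} days between {prev} and {cur} (policy: {REVIEW_CADENCE_DAYS})")
```

On the constructed data the script reports the shared ID `nursing1`, the unattributable `svc_backup` export, and a 77-day gap between the February and April reviews. Each finding maps directly onto a protocol question: the first onto “does the entity assign unique user IDs to track user identity”, the second and third onto whether “user activity is tracked and reviewed on a periodic basis”.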
OCR’s 2012 Audit Protocol – 45 CFR 164.410 BN, N.4.1 BN, N.4.2 BN, N.4.3 Notification by a Business Associate
Notification by a Business Associate. Timeliness of Notification. Content of Notification.
Inquire of management as to whether there have been any breaches of unsecured PHI for a business associate and verify that the covered entity was notified. Obtain the standard business associate agreement to verify that the breach and notification elements are included in the agreement.
OCR’s April 2016 Audit Protocol – 45 CFR 164.410 BN, N.4.1 BN, N.4.2 BN, N.4.3 Notification by a Business Associate
164.410 - Notification by a Business Associate.
Did the business associate or subcontractor determine that there were any breaches of unsecured PHI within the specified period?
If yes, obtain copies of the notification(s) sent by the business associate (or subcontractor) to the covered entity (or business associate for breaches by subcontractors). Evaluate whether the business associate or subcontractor sent the notifications consistent with the requirements at 164.410. Use sampling methodologies to select notifications to be reviewed and verify that the notices include the elements required by 164.410.
OCR’s 2012 Audit Protocol – 45 CFR 164.316(b)(1) SR, CP.2.0 Documentation
OCR’s April 2016 Audit Protocol – 45 CFR 164.316(b)(1) SR, CP.2.0 Documentation
Does the entity have policies and procedures to maintain written policies and procedures related to the security rule and written documents of (if any) actions, activities, or assessments required of the security rule?
Obtain and review policies and procedures regarding the maintenance of policies and procedures.
Obtain and review documentation demonstrating that policies and procedures are being maintained.
Obtain and review written documentation demonstrating the entity's action, activity or assessment that is required by the Security Rule. Evaluate and determine if such implementation is in accordance with related policies and procedures.
OCR’s 2012 Audit Protocol – 45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit
OCR’s April 2016 Audit Protocol – 45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit
Does the entity have policies and procedures in place regarding the retention of required documentation for six (6) years from the date of its creation or the date when it last was in effect?
Obtain and review documentation of policies and procedures for compliance with retention requirements.
Obtain and review documentation demonstrating that policies and procedures are being maintained for six (6) years from the date of its creation or the date when it last was in effect.
Obtain and review documentation demonstrating that an action, activity, or assessment is being maintained for six (6) years from the date of its creation or the date when it last was in effect. Evaluate and determine if such implementation is in accordance with related policies and procedures.
Sample Policy Related to OCR’s April 2016 Audit Protocol (1/2)
45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit
Sample Policy: Cornichon HC Select has implemented the required Time Limit implementation specification of the Documentation standard. Our organization retains all documentation pertaining to administrative, physical, and technical safeguard policies and procedures, and any related records of action, activity, or assessment related thereto, for 6 years from its creation or last record action, activity, or assessment. Our workforce members are required to be trained on and to comply with our Time Limit implementation specification of the Documentation standard, and are subject to sanctions for noncompliance. Our Security Official is responsible for documenting these policies and procedures and for evaluating their effectiveness as part of our ongoing risk analysis process.
Sample Procedures Related to OCR’s April 2016 Audit Protocol (2/2)
45 CFR 164.316(b)(2)(i) SR, CP.2.1 Documentation-Time Limit
Sample Procedures: Cornichon HC Select has implemented the required Time Limit implementation specification of the Documentation standard. Our organization retains all current and archived documentation pertaining to administrative, physical, and technical safeguard policies and procedures, and any related records of action, activity, or assessment related thereto, for 6 years from its creation or last record action, activity, or assessment. Our organization stores all current and archived documentation online and backs it up. The Security Official is responsible for training all workforce members on accessing current read-only policy and procedure documentation, using the username/password authentication and permissions the Security Official assigns to each workforce member. Our Security Official is responsible for managing the Documentation standard and its Time Limit implementation specification.
OCR’s April 2016 Audit Protocol (1/4)
45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (1/4)
Does the entity have policies and procedures in place to document repairs and modifications to the physical components of a facility which are related to security?
Does the entity document repairs and modifications to the physical components of a facility which are related to security?
Obtain and review such policies and procedures related to maintaining maintenance records. Evaluate the content in relation to the specified performance criteria for documenting repairs and modifications to the physical components of a facility related to security.
Elements to review include, but are not limited to:
• Workforce members’ roles and responsibilities in repairs and modification to the physical components
• Record keeping process of repairs and modification to the physical components
• Specification of when repairs or modification of physical security components are required
• Authorization process of repairs or modification of physical security components.
Obtain and review documentation demonstrating records of repairs and modifications to physical security components. Evaluate and determine if records of repairs and modifications are being tracked and reviewed on a periodic basis by authorized personnel.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
OCR’s April 2016 Audit Protocol (2/4)
45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (2/4)
Does the entity have policies and procedures in place to document repairs and modifications to the physical components of a facility which are related to security?
Does the entity document repairs and modifications to the physical components of a facility which are related to security?
OCR’s April 2016 Audit Protocol (3/4)
45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (3/4)
Obtain and review such policies and procedures related to maintaining maintenance records. Evaluate the content in relation to the specified performance criteria for documenting repairs and modifications to the physical components of a facility related to security.
Elements to review include, but are not limited to:
• Workforce members’ roles and responsibilities in repairs and modification to the physical components
• Record keeping process of repairs and modification to the physical components
• Specification of when repairs or modification of physical security components are required
• Authorization process of repairs or modification of physical security components.
Obtain and review documentation demonstrating records of repairs and modifications to physical security components. Evaluate and determine if records of repairs and modifications are being tracked and reviewed on a periodic basis by authorized personnel.
April 2016 OCR Audit Protocol (4/4)
45 CFR 164.310(a)(2)(iv) SR, PS.1.4 Facility Access Controls – Maintain Maintenance Records (4/4)
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
OCR’s 2012 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis
Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
OCR’s April 2016 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis (1/3)
Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
Determine how the entity has implemented the requirements.
Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in risk analysis and how frequently the risk analysis will be reviewed and updated.
OCR’s April 2016 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis (2/3)
Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted. Evaluate and determine whether the risk analysis or other documentation contains:
• A defined scope that identifies all of its systems that create, receive, maintain, or transmit ePHI
• Details of identified threats and vulnerabilities
• Assessment of current security measures
• Impact and likelihood analysis
• Risk rating
OCR’s April 2016 Audit Protocol 45 CFR 164.308(a)(1)(ii)(B) SR, AS.1.1 Security Management Process—Risk Analysis (3/3)
Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any. Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any. If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why.
HIPAA Integrity Privacy Rule Codes
Columns: Privacy Rule Administrative Requirements Standards | Privacy Rule Administrative Requirements Implementation Specifications | Exhibits: HIPAA Integrity Privacy Rule Administrative Requirements Forms

Privacy Rule (PR) Administrative Requirements (AR)
PR AR 0 | Introduction to Administrative Requirements
PR AR 1.1 Personnel Designations | Personnel Designations
PR AR 2.1 Training | Training | Privacy Safeguard Training for Workforce Members Log
PR AR 3.1 Safeguards | Safeguards
PR AR 4.1 Complaints to the Covered Entity | Documentation of Complaints | Privacy Safeguard Complaint Log
PR AR 5.1 Sanctions | Documentation
PR AR 6.1 Mitigation
PR AR 7.1 Refraining from Intimidating or Retaliatory Acts
PR AR 8.1 Waiver of Rights
PR AR 9.1 Policies and Procedures
PR AR 9.2.1 Changes to Policies and Procedures | Changes in Law
PR AR 9.2.2 Changes to Policies and Procedures | Changes to Privacy Practices Stated in the Notice
PR AR 9.2.3 Changes to Policies and Procedures | Changes to Other Policies or Procedures
PR AR 10.1 Documentation | Retention Period
PR AR 11.1 Group Health Plans
HIPAA Safeguard Security Rule Codes
Columns: Security Rule Safeguard Standards and Requirements | Security Rule Safeguard Implementation Specifications | Exhibits: HIPAA Safeguard Security Rule Forms

Security Rule (SR) Administrative Safeguards (AS), 45 CFR 164.308(a)
SR AS 0 | Introduction to Administrative Safeguard Standards
SR AS 1.0 Security Management Process
SR AS 1.1 Risk Analysis (R) | HIPAA Safeguard Risk Analysis Template
SR AS 1.2 Risk Management (R) | Risk Analysis Report Log
SR AS 1.3 Sanction Policy (R) | Workforce Member Sanctions Policy Acknowledgement
SR AS 1.4 Information System Activity Review (R)
SR AS 2.0 Assigned Security Responsibility | Security Safeguard Complaint Log
SR AS 3.0 Workforce Security
SR AS 3.1 Authorization and/or Supervision (A) | 1. Workforce Member Authorization Acknowledgement; 2. Stationary Hardware Assignment and Encryption Log
SR AS 3.2 Workforce Clearance Procedure (A) | Workforce Member Background Check Log
SR AS 3.3 Termination Procedures (A) | 1. Workforce Member Exit Checklist; 2. Workforce Member Exit Interview Acknowledgement
SR AS 4.0 Information Access Management
SR AS 4.1 Isolating Health Care Clearinghouse Functions (R)
SR AS 4.2 Access Authorization (A)
SR AS 4.3 Access Establishment and Modification (A) | 1. Workforce Member Right of Access Authorization Modification Acknowledgement; 2. Workforce Member Right of Access Authorization Modification Log
SR AS 5.0 Security Awareness and Training | Security Safeguard Training for Workforce Members Log
SR AS 5.1 Security Reminders (A)
SR AS 5.2 Protection from Malicious Software (A)
SR AS 5.3 Log-in Monitoring (A)
SR AS 5.4 Password Management (A)
SR AS 6.0 Security Incident Procedures
SR AS 6.1 Response and Reporting (R) | Security Incident Report Log
SR AS 7.0 Contingency Plan
SR AS 7.1 Data Backup Plan (R)
SR AS 7.2 Disaster Recovery Plan (R)
SR AS 7.3 Emergency Mode Operation Plan (R)
SR AS 7.4 Testing and Revision Procedures (A)
SR AS 7.5 Applications and Data Criticality Analysis (A)
SR AS 8.0 Evaluation

Security Rule (SR) Business Associate (BA), 45 CFR 164.308(b)
SR BA 0 | Introduction to Requirements for Business Associate Contracts or Other Arrangements for Contractors and Subcontractors
SR BA 1.0 Written Contract or Other Arrangement | Business Associate Agreement Status Tracking Log

Security Rule (SR) Physical Safeguards (PS), 45 CFR 164.310
SR PS 0 | Introduction to Physical Safeguard Standards
SR PS 1.0 Facility Access Controls
SR PS 1.1 Contingency Operations (A)
SR PS 1.2 Facility Security Plan (A)
SR PS 1.3 Access Control and Validation Procedures (A)
SR PS 1.4 Maintenance Records (A) | Maintenance Records Log
SR PS 2.0 Workstation Use
SR PS 3.0 Workstation Security
SR PS 4.0 Device and Media Controls
SR PS 4.1 Disposal (R) | Log for Disposal of Hard Copy and Electronic Media Containing Protected Health Information (PHI)
SR PS 4.2 Media Re-use (R) | Log for Removal of Electronic Protected Health Information on Electronic Media Before Re-use
SR PS 4.3 Accountability (A) | 1. Log of Movements of Stationary Information Systems and Electronic Media; 2. Log of Use of Portable Electronic Media Outside of the Facility: Assignment and Encryption
SR PS 4.4 Data Backup and Storage (A)

Security Rule (SR) Technical Safeguards (TS), 45 CFR 164.312
SR TS 0 | Introduction to Technical Safeguard Standards
SR TS 1.0 Access Control
SR TS 1.1 Unique User Identification (R)
SR TS 1.2 Emergency Access Procedure (R) | Emergency Access Log
SR TS 1.3 Automatic Log-off (A)
SR TS 1.4 Encryption and Decryption (Data at Rest) (A) | Data at Rest Encryption Log
SR TS 2.0 Audit Controls
SR TS 3.0 Integrity
SR TS 3.1 Mechanism to Authenticate Electronic Protected Health Information (A)
SR TS 4.0 Person or Entity Authentication
SR TS 5.0 Transmission Security
SR TS 5.1 Integrity Controls (A)
SR TS 5.2 Encryption (Data in Motion) (A) | Data in Motion Encryption Log
HIPAA Integrity Security Rule Codes
Columns: Security Rule Safeguards: Table of Contents, Introductions & Standards | Security Rule Safeguard Implementation Specifications | Exhibits: HIPAA Integrity Security Rule Forms

Security Rule (SR) Compliance Protocols (CP), 45 CFR 164.316
SR CP 0 | Introduction to Policies and Procedures, and Documentation Standards
SR CP 1.0 Policies and Procedures
SR CP 2.0 Documentation
SR CP 2.1 Time Limit (R)
SR CP 2.2 Availability (R)
SR CP 2.3 Updates (R)
• HIPAA Integrity … (1/2)
– Each HIPAA Integrity Compliance Tool Package is designed to facilitate compliance by a single physical facility of a covered entity or business associate that creates, receives, maintains, or transmits protected health information.
– HIPAA Integrity embeds a single physical facility purchaser’s designated corporate name in each safeguard compliance tool as part of the purchase fulfillment process. If you have multiple physical facilities, purchase additional HIPAA Integrity packages, but it is important in doing so that you differentiate corporate facility names during this process to distinguish one physical facility’s risk analysis and physical safeguards from those of another physical facility within the organization.
– HIPAA Integrity in Version 3.1 includes implementation guidance, comparison of 2012 and April 2016 OCR Audit Protocols—with links to pertinent policies and procedures—and online access to latest versions of authoritative reference material from the National Institute of Standards and Technology (NIST); HHS, including OCR, Centers for Medicare & Medicaid Services (CMS), and the Office of the National Coordinator of Health Information Technology (ONC); and other sources.
• HIPAA Integrity … (2/2)
– The HIPAA Integrity Compliance Tool Package includes access via an app for smart technology devices after download at no additional cost. Just log in on a smart device with your username and password and download the Package to the device.
– HIPAA Integrity also includes online practicums to help clients use the tools for implementing safeguard policies and procedures.
– HIPAA Integrity provides download regeneration for updates and version changes during the initial purchase year for $499 and annually thereafter at the purchaser’s option for an annual renewal fee of $99 per facility. HIPAA Integrity notifies your organization via email at renewal time.
– Today’s Webinar participants who purchase HIPAA Integrity initial year membership by 11:59 PM Friday, May 6, 2016, will receive the second year free.
• Just to Recap before QUESTIONS…
– HIPAA Integrity includes...
» Risk Analysis Template
» 92 Policies and Procedures for Privacy Rule Administrative Requirements, Security Rule, and Breach Notification Rule
» 22 Authorization and Maintenance Forms
» Concordance Linking Meaningful Use Stage 1 and 2 Security Measures with Pertinent HIPAA Security Rule Standards
» Safeguard Training Curriculum in 5 Lessons and Test Questions for Administration by Privacy and Security Officials.
– This Summer, HIPAA Integrity Version 3.1 will launch, providing additional Privacy Rule policies and procedures pertaining to use and disclosure, PHI minimum use, and patient right of access to PHI, and integration of the April 2016 OCR Audit Protocols with their pertinent policies and procedures.
– HIPAA Integrity has been designed for self-assessment, but Cornichon Healthcare also conducts for healthcare clients on a consulting basis HIPAA/HITECH Act compliance gap analysis, risk assessment, and preparation for ISO/IEC 27001: 2013 information security management system (ISMS) control audit.
• For further information on HIPAA Integrity, please contact Craig D. Maynard at [email protected].
• For further information on Cornichon consulting on HIPAA/HITECH or ISO/IEC 27001: 2013, please contact Ed Jones at [email protected] or at 843-412-0425.