The Industry Radar - Turnkey HIPAA/HITECH Solutions For ......HIPAA HITECH Is The Tip of the Spear...

Turnkey HIPAA/HITECH Solutions For Brokers, Consultants & Business Associates

8/25/2010

Securing ePHI as a “Safe Harbor” John J. Nail CLU, Principal The Industry Radar www.radarmail360.com [email protected] 404-418-5550

Get Compliant, Stay Compliant Jack Anderson, CEO Compliance Helper [email protected] 866-984-3573 ext 709 www.compliancehelper.com

HIPAA and HITECH “NPRM” Update Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold Associates [email protected]

mailto:[email protected]


callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

http://www.compliancehelper.com/

HIPAA HITECH Is The Tip of the Spear for Healthcare Reform

“Our Nation is poised to harness the power of information technology to improve health care. Transforming our health care system into a 21st century model is a bold agenda. As we enter into a new age of electronic health information exchange, it is more important than ever to ensure consumer trust in the privacy and security of their health information and in the industry’s use of new

technology.” HHS – 7/8/2010

• EHR

• Healthcare Reform

• True Cost Reduction

• States Attorney General

• Systemic Responsibility

• 47 State HIPAA/Breach Laws

• Gramm Leach Billey Privacy

• “Red Flag” i.e. Identity Theft Protection

• Data Encryption/Privacy Laws (MA, NV et al)

Emerging Standards for Protecting Personal Information

What HITECH Really Means to Brokers and Consultants

• Equality with Insurers and Covered Entities

• Lack of Compliance Endangers Your Clients

• Signed Carrier BA Agreements

• “Compliance Expected” - HHS

• Legally and Financially Accountable –Civil & Criminal

X

Agents/Brokers are not only part of the problem but are as BA’s now a key part of the solution.

Five Steps to HIPAA HITECH Compliance

• Risk Assessment

• Document Policy/Procedures

• Secure PHI / Encryption

• Training/Awareness - Ongoing

• Monitoring / Updating

Compliance/ Encryption is a Risk Management, Business Reputation & Client Service, Not a Technology or Short Term Financially Driven Decision


8/25/2010






callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709


© Rebecca Herold. All rights reserved.

Agenda

• HIPAA / HITECH NPRM Quick Overview

• Experiences

• Common risks and problems


HIPAA is…

• On August 21, 1996, the U.S. Congress enacted the

Health Insurance Portability and Accountability Act (HIPAA).

• The HIPAA Privacy Rule went into effect in April

2001, and gave covered entities (CEs) two years to

meet compliance.

• The HIPAA Security Rule went into effect in April

2003 and CEs had until April 2005 to get into

compliance.


HITECH is…

• The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.

• HIPAA now applies to CE business associates (BAs) directly.

• HITECH includes a statutory obligation for BAs to comply with HIPAA.

• HITECH also increased the penalties for HIPAA violations of HIPAA.

• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.

• See my discussion of breach notification, along with the 18 items considered to be PHI at:

http://privacyguidance.com/blog/2009/07/29/hitech-act-breach-notification-is-necessary-based-upon-items-used-in-de-identification/


All BAs Must Comply!

• BAs of all sizes must comply with ALL the HIPAA Security Rule & Privacy Rule and HITECH requirements

• BAs that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity

• Each security and privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in a BA contract


July 2010 NPRM Changes

• Definition of “business associate” expanded

• BAs must ensure subcontractors are also in compliance

• Definition of “electronic media” was updated

• More info to include in Notice of Privacy Practices

• More requirements for limiting use and disclosure

• Providing access to PHI

• More marketing limitations

• Penalties and fines more substantial

• HHS clearly stated entities must be in compliance with their BA agreements now


Experiences

• As an information security and privacy officer for a

large healthcare insurer / financial organization, big problems with brokers and agents

• ~200 business partner information security and

privacy program reviews, big problems during

business associate, partner and vendor reviews


Common Risks & Problems (1)

No documented assigned

responsibilities



No documented policies, procedures,

forms



No training or awareness

communications



No compliance monitoring



Non-compliance with contractual

obligations



Un-secure disposal



Inappropriate sharing and

subcontracting



No documented incident or breach

response plans

See my discussion of breach notification, along with the 18 items considered to be PHI at:

http://privacyguidance.com/blog/2009/07/29/hitech-act-breach-notification-is-necessary-based-upon-items-used-in-de-identification/



Lack of logs and documentation



No mobile computing controls



No use of encryption



No Business Continuity / Disaster

Recovery Plans


Word To The Wise…Compliance is not a one-time event…

All CEs *AND* BAs must meet, and continuously stay in, compliance with all HIPAA and HITECH

requirements or face stiff noncompliance remediation requirements, penalties, fines or even

jail time!

Don’t be Don’t be Don’t be Don’t be foolish, maintain foolish, maintain foolish, maintain foolish, maintain

compliance!compliance!compliance!compliance!

Contact Information

Rebecca Herold & Associates, LLC“The Privacy Professor”®

1408 Quail Ridge Avenue

Van Meter, Iowa 50261

Phone 515-996-2199

Web sites: www.theprivacyprofessor.com

www.compliancehelper.com

Blog: www.realtime-itcompliance.com

Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI

[email protected]

TwitterID: http://twitter.com/PrivacyProf


8/25/2010






callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709


HIPAA HITECH The New Rules

Notice of Proposed Rule Making (NPRM)

July 8, 2010

Covered Entity

Business Associate

Sub-Contractor

Chain of Responsibility

Prepare-Care

CO-OP

Health and Human Services

Standards

Compliance Helper

Business Associate

Window into BA

P&P, Forms, Helper

Covered Entity

Window into BA

Supporting Compliance: Linking Business Associates

Co-op Model

BA

BA

BA

BA

BA

Helper

Compliance CO-OP

Pre-Edited P&P

Start on Care

$125 Setup-$35/month

Monthly Attestations

Compliance Metertm

Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the PHI under their control. HHS NPRM July 8, 2010

Timeline


8/25/2010






callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709


ePHI Threats and Encryption Under HIPAA HITECH

PHI needs to be Protected “in motion” “in process” and “at rest”

The Same Rules Apply to “Covered Entities” as they do to “Business Associates”

Photocopiers – Hard Drives

Six Evaluation Criteria for Email Encryption

The Top Criteria Needs to Be How Effective a Solution is in preventing a data breach in the first place from both outbound and inbound email as defined by all federal and state privacy laws

• Provide Best Security

• Least Disruptive to Workflow

• Outbound/Inbound Protection

• Flexible Solutions

• Easy to Implement

• Marketplace Acceptance

Who Is

Carriers et al

For Smaller customers, outside

entities Recipients Retrieve and Respond Only

Non -Exchange Server

Customers

• Auto Encryption • Transparent to user • Policies/Rules applied • Create secure “client network” • Marketing value of portal • On Zix Network

Managed Service, Outsourced or Self Hosted Encryption Device

ZixCorp’s Best Method Of Delivery

ZixCorp’s best Method Of Delivery Offers:

• Multiple Encryption Alternatives To Meet Any Size Organization’s Needs

• Secure Inbound Communication for Clients and Optional Rules based Filtering

• Delivery tracking, logging, audit trail

Policy Based Encryption Solution

Over 150 Health Insurers (with 100 Million+ Insured Lives), TPA’s and Other Benefits Services Providers 12

ZixDirectory Connecting Transparently to your Business Partners

No Password Needed

Rules Scan Email and Attachments and encrypt

as needed

No Software or Plugin to Install

To

Reply Message Directly to Inbox

Delivery/Open Receipt

• Auto Encryption • Transparent to user • Policies/Rules applied • On Zix Network

One Click Access

When “Remember Me” is enabled

by the client an encrypted email is

delivered via ZixPort, the user

receives a notification email that

links directly into the secure

messaging portal, no login required.

One Click Access


Rules Scan Email and Attachments and encrypt as

needed


Rules Scan Email and

Attachments and encrypt as

needed


Even with no Portal a

recipient can login

and retrieve and

respond to emails

securely in the Zix

Message Center

No Portal


Email Recipient Experience, Options & Tools

Clients can:

• Retrieve Email • Respond to Email and add attachments (up to 50MB) • Compose New Emails w/ attachments(up to 50MB) • Have receive and send logs • Keep an address book • Store draft messages Mobile Access

Rules Scan Email and Attachments and encrypt

as needed


To



One Click Access

When “Remember Me” is enabled

by the client an encrypted email is

delivered via ZixMail, the user

receives a notification email that

links directly into the secure

messaging portal, no login required.

User Retrieves, Responds ,

Attaches files etc. here in the message center

Automatic, Rules Based Encryption

The message in their inbox has a link to your Portal

“ Click here” takes user to secure portal embedded in

your Website reinforcing your Brand and web tools

Encrypted Email Service for HIPAA HITECH Best Protection - Outbound & Inbound

Inbox to Inbox for Staff & Zix Members | Website Portal for Clients (Retrieve, Respond, Initiate) | Best Client Service

Branded with your logo and

accessible from your website

Clients also login in to initiate communication, securely send files etc. eliminating the risk of

breach via normal email

Encrypted Responses go right to your team or Zix

Network member’s inbox

transparently

Blackberry Encryption Built In

Non Zix User gets Email like the one to the right

Inbox to Inbox Encryption to

any Zix Member Network user

18

RadarMail 360 for Email Encryption

HIPAA HITECH Compliance Is A…

• Risk Management

• Business Reputation

• Client Service

• Livelihood

Not a Technology Decision


8/25/2010






callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709

callto:+1866-984-3573 ext 709


The Industry Radar - Turnkey HIPAA/HITECH Solutions For ......HIPAA HITECH Is The Tip of the Spear...

Documents

Transcript of The Industry Radar - Turnkey HIPAA/HITECH Solutions For ......HIPAA HITECH Is The Tip of the Spear...