The Industry Radar - Turnkey HIPAA/HITECH Solutions For ......HIPAA HITECH Is The Tip of the Spear...
Transcript of The Industry Radar - Turnkey HIPAA/HITECH Solutions For ......HIPAA HITECH Is The Tip of the Spear...
Turnkey HIPAA/HITECH Solutions For Brokers, Consultants & Business Associates
8/25/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLU, Principal The Industry Radar www.radarmail360.com [email protected] 404-418-5550
Get Compliant, Stay Compliant Jack Anderson, CEO Compliance Helper [email protected] 866-984-3573 ext 709 www.compliancehelper.com
HIPAA and HITECH “NPRM” Update Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold Associates [email protected]
HIPAA HITECH Is The Tip of the Spear for Healthcare Reform
“Our Nation is poised to harness the power of information technology to improve health care. Transforming our health care system into a 21st century model is a bold agenda. As we enter into a new age of electronic health information exchange, it is more important than ever to ensure consumer trust in the privacy and security of their health information and in the industry’s use of new
technology.” HHS – 7/8/2010
• EHR
• Healthcare Reform
• True Cost Reduction
• States Attorney General
• Systemic Responsibility
• 47 State HIPAA/Breach Laws
• Gramm Leach Billey Privacy
• “Red Flag” i.e. Identity Theft Protection
• Data Encryption/Privacy Laws (MA, NV et al)
Emerging Standards for Protecting Personal Information
What HITECH Really Means to Brokers and Consultants
• Equality with Insurers and Covered Entities
• Lack of Compliance Endangers Your Clients
• Signed Carrier BA Agreements
• “Compliance Expected” - HHS
• Legally and Financially Accountable –Civil & Criminal
X
Agents/Brokers are not only part of the problem but are as BA’s now a key part of the solution.
Five Steps to HIPAA HITECH Compliance
• Risk Assessment
• Document Policy/Procedures
• Secure PHI / Encryption
• Training/Awareness - Ongoing
• Monitoring / Updating
Compliance/ Encryption is a Risk Management, Business Reputation & Client Service, Not a Technology or Short Term Financially Driven Decision
Turnkey HIPAA/HITECH Solutions For Brokers, Consultants & Business Associates
8/25/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLU, Principal The Industry Radar www.radarmail360.com [email protected] 404-418-5550
Get Compliant, Stay Compliant Jack Anderson, CEO Compliance Helper [email protected] 866-984-3573 ext 709 www.compliancehelper.com
HIPAA and HITECH “NPRM” Update Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold Associates [email protected]
Turnkey HIPAA/HITECH Solutions For Brokers, Consultants & Business Associates
8/25/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLU, Principal The Industry Radar www.radarmail360.com [email protected] 404-418-5550
Get Compliant, Stay Compliant Jack Anderson, CEO Compliance Helper [email protected] 866-984-3573 ext 709 www.compliancehelper.com
HIPAA and HITECH “NPRM” Update Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold Associates [email protected]
Page 1© Rebecca Herold. All rights reserved.
Agenda
• HIPAA / HITECH NPRM Quick Overview
• Experiences
• Common risks and problems
Page 2© Rebecca Herold. All rights reserved.
HIPAA is…
• On August 21, 1996, the U.S. Congress enacted the
Health Insurance Portability and Accountability Act (HIPAA).
• The HIPAA Privacy Rule went into effect in April
2001, and gave covered entities (CEs) two years to
meet compliance.
• The HIPAA Security Rule went into effect in April
2003 and CEs had until April 2005 to get into
compliance.
Page 3© Rebecca Herold. All rights reserved.
HITECH is…
• The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.
• HIPAA now applies to CE business associates (BAs) directly.
• HITECH includes a statutory obligation for BAs to comply with HIPAA.
• HITECH also increased the penalties for HIPAA violations of HIPAA.
• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
• See my discussion of breach notification, along with the 18 items considered to be PHI at:
http://privacyguidance.com/blog/2009/07/29/hitech-act-breach-notification-is-necessary-based-upon-items-used-in-de-identification/
Page 4© Rebecca Herold. All rights reserved.
All BAs Must Comply!
• BAs of all sizes must comply with ALL the HIPAA Security Rule & Privacy Rule and HITECH requirements
• BAs that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity
• Each security and privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in a BA contract
Page 5© Rebecca Herold. All rights reserved.
July 2010 NPRM Changes
• Definition of “business associate” expanded
• BAs must ensure subcontractors are also in compliance
• Definition of “electronic media” was updated
• More info to include in Notice of Privacy Practices
• More requirements for limiting use and disclosure
• Providing access to PHI
• More marketing limitations
• Penalties and fines more substantial
• HHS clearly stated entities must be in compliance with their BA agreements now
Page 6© Rebecca Herold. All rights reserved.
Experiences
• As an information security and privacy officer for a
large healthcare insurer / financial organization, big problems with brokers and agents
• ~200 business partner information security and
privacy program reviews, big problems during
business associate, partner and vendor reviews
Page 7© Rebecca Herold. All rights reserved.
Common Risks & Problems (1)
No documented assigned
responsibilities
Page 8© Rebecca Herold. All rights reserved.
Common Risks & Problems (2)
No documented policies, procedures,
forms
Page 9© Rebecca Herold. All rights reserved.
Common Risks & Problems (3)
No training or awareness
communications
Page 10© Rebecca Herold. All rights reserved.
Common Risks & Problems (4)
No compliance monitoring
Page 11© Rebecca Herold. All rights reserved.
Common Risks & Problems (5)
Non-compliance with contractual
obligations
Page 12© Rebecca Herold. All rights reserved.
Common Risks & Problems (6)
Un-secure disposal
Page 13© Rebecca Herold. All rights reserved.
Common Risks & Problems (7)
Inappropriate sharing and
subcontracting
Page 14© Rebecca Herold. All rights reserved.
Common Risks & Problems (8)
No documented incident or breach
response plans
See my discussion of breach notification, along with the 18 items considered to be PHI at:
http://privacyguidance.com/blog/2009/07/29/hitech-act-breach-notification-is-necessary-based-upon-items-used-in-de-identification/
Page 15© Rebecca Herold. All rights reserved.
Common Risks & Problems (9)
Lack of logs and documentation
Page 16© Rebecca Herold. All rights reserved.
Common Risks & Problems (10)
No mobile computing controls
Page 17© Rebecca Herold. All rights reserved.
Common Risks & Problems (11)
No use of encryption
Page 18© Rebecca Herold. All rights reserved.
Common Risks & Problems (12)
No Business Continuity / Disaster
Recovery Plans
Page 19© Rebecca Herold. All rights reserved.
Word To The Wise…Compliance is not a one-time event…
All CEs *AND* BAs must meet, and continuously stay in, compliance with all HIPAA and HITECH
requirements or face stiff noncompliance remediation requirements, penalties, fines or even
jail time!
Don’t be Don’t be Don’t be Don’t be foolish, maintain foolish, maintain foolish, maintain foolish, maintain
compliance!compliance!compliance!compliance!
Contact Information
Rebecca Herold & Associates, LLC“The Privacy Professor”®
1408 Quail Ridge Avenue
Van Meter, Iowa 50261
Phone 515-996-2199
Web sites: www.theprivacyprofessor.com
www.compliancehelper.com
Blog: www.realtime-itcompliance.com
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI
TwitterID: http://twitter.com/PrivacyProf
Turnkey HIPAA/HITECH Solutions For Brokers, Consultants & Business Associates
8/25/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLU, Principal The Industry Radar www.radarmail360.com [email protected] 404-418-5550
Get Compliant, Stay Compliant Jack Anderson, CEO Compliance Helper [email protected] 866-984-3573 ext 709 www.compliancehelper.com
HIPAA and HITECH “NPRM” Update Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold Associates [email protected]
HIPAA HITECH The New Rules
Notice of Proposed Rule Making (NPRM)
July 8, 2010
Covered Entity
Business Associate
Sub-Contractor
Chain of Responsibility
Prepare-Care
CO-OP
Health and Human Services
Standards
Compliance Helper
Business Associate
Window into BA
P&P, Forms, Helper
Covered Entity
Window into BA
Supporting Compliance: Linking Business Associates
Co-op Model
BA
BA
BA
BA
BA
Helper
Compliance CO-OP
Pre-Edited P&P
Start on Care
$125 Setup-$35/month
Monthly Attestations
Compliance Metertm
Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the PHI under their control. HHS NPRM July 8, 2010
Timeline
Turnkey HIPAA/HITECH Solutions For Brokers, Consultants & Business Associates
8/25/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLU, Principal The Industry Radar www.radarmail360.com [email protected] 404-418-5550
Get Compliant, Stay Compliant Jack Anderson, CEO Compliance Helper [email protected] 866-984-3573 ext 709 www.compliancehelper.com
HIPAA and HITECH “NPRM” Update Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold Associates [email protected]
ePHI Threats and Encryption Under HIPAA HITECH
PHI needs to be Protected “in motion” “in process” and “at rest”
The Same Rules Apply to “Covered Entities” as they do to “Business Associates”
Photocopiers – Hard Drives
Six Evaluation Criteria for Email Encryption
The Top Criteria Needs to Be How Effective a Solution is in preventing a data breach in the first place from both outbound and inbound email as defined by all federal and state privacy laws
• Provide Best Security
• Least Disruptive to Workflow
• Outbound/Inbound Protection
• Flexible Solutions
• Easy to Implement
• Marketplace Acceptance
Who Is
Carriers et al
For Smaller customers, outside
entities Recipients Retrieve and Respond Only
Non -Exchange Server
Customers
• Auto Encryption • Transparent to user • Policies/Rules applied • Create secure “client network” • Marketing value of portal • On Zix Network
Managed Service, Outsourced or Self Hosted Encryption Device
ZixCorp’s Best Method Of Delivery
ZixCorp’s best Method Of Delivery Offers:
• Multiple Encryption Alternatives To Meet Any Size Organization’s Needs
• Secure Inbound Communication for Clients and Optional Rules based Filtering
• Delivery tracking, logging, audit trail
Policy Based Encryption Solution
Over 150 Health Insurers (with 100 Million+ Insured Lives), TPA’s and Other Benefits Services Providers 12
ZixDirectory Connecting Transparently to your Business Partners
No Password Needed
Rules Scan Email and Attachments and encrypt
as needed
No Software or Plugin to Install
To
Reply Message Directly to Inbox
Delivery/Open Receipt
• Auto Encryption • Transparent to user • Policies/Rules applied • On Zix Network
One Click Access
When “Remember Me” is enabled
by the client an encrypted email is
delivered via ZixPort, the user
receives a notification email that
links directly into the secure
messaging portal, no login required.
One Click Access
Reply Message Directly to Inbox
Rules Scan Email and Attachments and encrypt as
needed
Delivery/Open Receipt
Rules Scan Email and
Attachments and encrypt as
needed
No Software or Plugin to Install
Even with no Portal a
recipient can login
and retrieve and
respond to emails
securely in the Zix
Message Center
No Portal
Reply Message Directly to Inbox
Email Recipient Experience, Options & Tools
Clients can:
• Retrieve Email • Respond to Email and add attachments (up to 50MB) • Compose New Emails w/ attachments(up to 50MB) • Have receive and send logs • Keep an address book • Store draft messages Mobile Access
Rules Scan Email and Attachments and encrypt
as needed
No Software or Plugin to Install
To
Reply Message Directly to Inbox
Delivery/Open Receipt
One Click Access
When “Remember Me” is enabled
by the client an encrypted email is
delivered via ZixMail, the user
receives a notification email that
links directly into the secure
messaging portal, no login required.
User Retrieves, Responds ,
Attaches files etc. here in the message center
Automatic, Rules Based Encryption
The message in their inbox has a link to your Portal
“ Click here” takes user to secure portal embedded in
your Website reinforcing your Brand and web tools
Encrypted Email Service for HIPAA HITECH Best Protection - Outbound & Inbound
Inbox to Inbox for Staff & Zix Members | Website Portal for Clients (Retrieve, Respond, Initiate) | Best Client Service
Branded with your logo and
accessible from your website
Clients also login in to initiate communication, securely send files etc. eliminating the risk of
breach via normal email
Encrypted Responses go right to your team or Zix
Network member’s inbox
transparently
Blackberry Encryption Built In
Non Zix User gets Email like the one to the right
Inbox to Inbox Encryption to
any Zix Member Network user
18
RadarMail 360 for Email Encryption
HIPAA HITECH Compliance Is A…
• Risk Management
• Business Reputation
• Client Service
• Livelihood
Not a Technology Decision
Turnkey HIPAA/HITECH Solutions For Brokers, Consultants & Business Associates
8/25/2010
Securing ePHI as a “Safe Harbor” John J. Nail CLU, Principal The Industry Radar www.radarmail360.com [email protected] 404-418-5550
Get Compliant, Stay Compliant Jack Anderson, CEO Compliance Helper [email protected] 866-984-3573 ext 709 www.compliancehelper.com
HIPAA and HITECH “NPRM” Update Rebecca Herold CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold Associates [email protected]