10 Simple Steps to Be HIPAA Compliant
TRANSCRIPT
10 Simple Steps for Business Associates (BPO/ITeS) to Be HIPAA Compliant
SISA Webinar
www.sisainfosec.com
Disclaimer: The names of organizations mentioned during the course of the webinar are for example purposes only. They should not be construed to indicate anything positive or negative about the organizations referenced.
Agenda
About SISA
What is HIPAA
Who are Business Associates (BA)
Challenges for BPO/ITeS to be HIPAA compliant
HIPAA for Business Associates (BA): after the Omnibus Rule
10 Simple steps for Business Associates to be HIPAA compliant
Critical success factors for achieving HIPAA compliance
Q&A
About SISA
SISA Information Security is a global Information Security Governance, Risk and Compliance company.
We have best-of-breed customers.
We certify the who’s who of the payment card industry, including one of the leading payment brands.
Affordable security.
SISA Information Security Inc., a pioneer in information security audit and consultancy, has over the last few years expanded its services and emerged as a leading information security specialist company. With a footprint in nearly 30 countries and over 300 best-in-class customers, SISA is one of the fastest growing companies in the information security space.
SISA Synergistic Security Framework (diagram)
About the Speaker
Swati Sharma - Privacy Practice-In-Charge
CISSP, CISM, ISO 27001 LA, PCI QSA
Has handled information security projects for more than 7 years across compliance standards such as HIPAA, ISO 27001 and PCI DSS. Conducted more than 25 workshops and training sessions on compliance and information security standards, including Risk Assessment, HIPAA and PCI DSS.
Has written for information security magazines such as PenTest and SearchSecurity, and was featured on the cover of the PenTest May 2013 edition.
in.linkedin.com/in/swatisharmasisarahipaapcidss/
What Is HIPAA
• HIPAA is the federal Health Insurance Portability and Accountability Act of 1996.
• The Office for Civil Rights (OCR) enforces:
  - the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information;
  - the HIPAA Security Rule, which sets national standards for the security of electronic protected health information (ePHI);
  - the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
BA (Business Associate)
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
See the definition of “business associate” at 45 CFR 160.103.
Chart: business associates that present the greatest risk to privacy and security (source: Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014).
Challenges for BPO/ITeS to be HIPAA compliant
• Technical and legal components of HIPAA
• How to identify what to protect
• Limiting data exposure
• What is applicable and what is not
• There is no dedicated resource
• How HIPAA covers newer technologies such as cloud and BYOD
• No direct technical controls are specified in the HIPAA Security Rule
• We have information security, but how do we prove that “we are HIPAA compliant”?
HIPAA for Business Associates (BA): After the Omnibus Final Rule
The Omnibus Final Rule (2013) makes business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
How the Final Rule changed patient data privacy and security programs
HIPAA for Business Associates (BA) and HIPAA Breaches
Business Associate Troubles
The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program.
Earlier incidents involving business associates include:
• A September 2011 breach affecting 4.9 million individuals involving Science Applications International Corp., a business associate of TRICARE, the military health program;
• A December 2010 incident affecting 1.7 million patients involving New York City Health and Hospitals Corp. and its business associate, GRM Information Management;
• A March 2012 breach that compromised data of 780,000 individuals and involved the Utah Department of Health and its business associate, the Utah Department of Technology Services.
10 Simple Steps for Business Associates to Be HIPAA Compliant
1. Identify who you are
• Do you “receive, create, maintain or transmit” protected health information on behalf of a covered entity?
• Are you a “Business Associate” or a “Subcontractor”?
• HIPAA is applicable to covered entities, business associates and subcontractors
• It applies even if you have not received a Business Associate Agreement
2. Have a BAA – Business Associate Agreement
• Get an agreement signed with your covered entity (CE)
• Update any existing agreement so that it reflects the Omnibus Final Rule
3. Gather information and plan
• Check your readiness
• Check that you have the prerequisite documents to start the engagement, e.g. network diagram, data flow diagram, inventory of hardware and software, policies and procedures
10 Simple Steps for Business Associates to Be HIPAA Compliant (continued)
4. Identify critical assets
• Review the business processes that deal with PHI
• Cover people, process and technology
5. Risk assessment
• Take a risk-centric approach
• Align IT investment with the findings of the risk assessment
• Distinguish ‘Required’ from ‘Addressable’ implementation specifications. ‘Addressable’ does not mean optional: an addressable specification must be implemented, or an equivalent alternative implemented, or the decision not to implement it documented with the reasoning (45 CFR 164.306(d))
6. Policies and procedures
• HIPAA demands an extensive set of policies and procedures
• Proper documentation is the first thing OCR will check in case of an audit
10 Simple Steps for Business Associates to Be HIPAA Compliant (continued)
7. Conduct interviews
• Identify the people involved
• Understand their perspective on security and what exactly needs to be protected
8. HIPAA gap assessment and analysis of findings
• Evaluate where you stand
• Estimate how much effort is required to close the gaps
• Categorize the findings of the assessment by key activities
10 Simple Steps for Business Associates to Be HIPAA Compliant (continued)
9. Remediate the findings of the assessment
• Build a customized remediation roadmap
• Use a phased approach
• Keep security, not just compliance, at the forefront
10. Maintain compliance
• Keep policies and procedures updated
• Conduct training and awareness annually
• Have a vulnerability management plan to protect systems from current threats
• Check with your CE for updates to the BAA
• Perform a risk assessment in accordance with HIPAA annually and upon any major change in the environment
Critical Success Factors for Achieving HIPAA Compliance
• Formal risk analysis: assess and manage risks
• Minimize PHI data exposure as much as possible
• Avoid storage of ePHI in the local environment
• Retain ePHI as per the legal agreement with the CE, and not beyond that
• Be proactive; learn from the mistakes and experience of others
• Train and educate the workforce on compliance changes: educate, don’t just train
• Business Associate Agreement: keep it updated and follow it
• Revise breach assessment and notification procedures, and update notices of privacy practices
• Don’t skimp on the compliance program documentation
• Revise policies related to PHI and keep documented proof of compliance
• Don’t just achieve HIPAA compliance, maintain it
• Take incident management and investigations seriously
Case Study: Example of a Business Associate
A leading collection agency handles ePHI (electronic Protected Health Information) shared by a covered entity for its debt collection process. A collection agent calls end users to collect debt for healthcare services received from the covered entity. For business needs, an agent may have access to the end user's health information, such as the healthcare service provider name, diagnosis and treatment details, bank details, address, phone number, SSN, email address, full name, etc. QA staff, team leaders and system administrators may also have privileged access to this sensitive personal data.
Which of the above data elements does an agent actually need access to?
Remember the "Minimum Necessary" standard (45 CFR 164.502(b)).
Disclose only what is needed to perform one's job responsibilities.
Key Focus Areas from a Privacy and Security Perspective
• Formal risk assessment: as per 45 CFR §164.308(a)(1)(ii)(A), identify the potential risks to the confidentiality, integrity and availability (CIA) of ePHI
• Access control, logical as well as physical
• Ensure integrity of data in transit and at rest
• Masking of sensitive information during display
• Policies and procedures
• Training and awareness
• Incident reporting and response: check your BAA for breach notification obligations
• Assign a security officer with responsibility for HIPAA
• Evaluation: can be internal and periodic
• Specifically for BPOs: limit call conferencing, call transfer and call barging; limit screen capture, voice recording and call backup
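The case study asks which data elements a collection agent actually needs, and the focus areas above call for access control and masking of sensitive information during display. The following is an added example, not code from the webinar or from SISA: a role-based "minimum necessary" view of a PHI record that withholds the fields a role does not need and masks identifiers it only needs partially (last four digits of an SSN or phone, domain of an email). The role names, the access matrix, the field names and the sample record are all constructed assumptions for illustration, not HHS guidance or data from a real engagement.

```python
"""Role-based "minimum necessary" view of a PHI record.

Added example; not part of the SISA webinar or any SISA tool. The roles,
field names, access matrix and sample record below are constructed for
illustration and are not taken from HHS guidance or a real engagement.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping

# Data elements named in the case study (constructed field names).
PHI_FIELDS: FrozenSet[str] = frozenset({
    "full_name", "address", "phone", "email", "ssn", "bank_account",
    "provider_name", "diagnosis", "treatment", "balance_due",
})


@dataclass(frozen=True)
class RolePolicy:
    """What a role may see: 'full' fields in clear, 'masked' fields only
    partially; every other field is withheld (deny by default)."""
    full: FrozenSet[str] = frozenset()
    masked: FrozenSet[str] = frozenset()


# Hypothetical access matrix for the collection-agency roles.
POLICY: Mapping[str, RolePolicy] = {
    # An agent must identify the debtor and the amount owed; diagnosis,
    # treatment and full identifiers are not needed to collect a debt.
    "agent": RolePolicy(
        full=frozenset({"full_name", "phone", "provider_name", "balance_due"}),
        masked=frozenset({"ssn", "email", "address"}),
    ),
    # QA reviews call handling, not the debtor's finances or health.
    "qa_reviewer": RolePolicy(
        full=frozenset({"full_name", "provider_name"}),
        masked=frozenset({"phone"}),
    ),
    # System administrators keep the platform running; no PHI content.
    "sysadmin": RolePolicy(),
}


def decide(role: str, field_name: str) -> str:
    """Return 'full', 'masked' or 'deny' for one field. Unknown roles and
    unknown fields are denied rather than defaulting to disclosure."""
    policy = POLICY.get(role)
    if policy is None or field_name not in PHI_FIELDS:
        return "deny"
    if field_name in policy.full:
        return "full"
    if field_name in policy.masked:
        return "masked"
    return "deny"


def mask_value(field_name: str, value: str) -> str:
    """Mask a value for display, keeping only what an operator needs to
    confirm identity: last 4 digits of an identifier, domain of an email,
    postal code of an address. Anything else is withheld outright."""
    digits = re.sub(r"\D", "", value)
    if field_name in ("ssn", "bank_account", "phone") and len(digits) >= 4:
        prefix = {"ssn": "***-**-", "phone": "***-***-", "bank_account": "****"}
        return prefix[field_name] + digits[-4:]
    if field_name == "email" and "@" in value:
        local, domain = value.split("@", 1)
        return local[:1] + "***@" + domain
    if field_name == "address":
        tokens = value.split()
        tail = tokens[-1] if tokens else ""
        return ("[street withheld] " + tail) if tail.isdigit() else "[address withheld]"
    return "[withheld]"


def view_record(role: str, record: Dict[str, str]) -> Dict[str, str]:
    """Project a full PHI record onto what `role` may see. Denied fields are
    absent from the result, so a UI built on it cannot display them."""
    out: Dict[str, str] = {}
    for name, value in record.items():
        decision = decide(role, name)
        if decision == "full":
            out[name] = value
        elif decision == "masked":
            out[name] = mask_value(name, value)
    return out


# Constructed sample record (fictitious data).
SAMPLE_RECORD: Dict[str, str] = {
    "full_name": "Jane Q. Sample",
    "address": "12 Example Street, Springfield 00000",
    "phone": "555-010-4321",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "bank_account": "9988776655",
    "provider_name": "Example Community Hospital",
    "diagnosis": "E11.9 Type 2 diabetes mellitus",
    "treatment": "Metformin 500 mg",
    "balance_due": "412.50",
}

if __name__ == "__main__":
    for role in ("agent", "qa_reviewer", "sysadmin", "contractor"):
        print(role, view_record(role, SAMPLE_RECORD))
```

The point of the example is the default: a role or field that is not in the matrix gets nothing, so adding a new role (or a new PHI field) to the system requires someone to decide and document what it may see, which is the evidence an auditor asks for. The agent still sees enough of the SSN and email to confirm identity on a call, but never the diagnosis or treatment, and the system administrator sees no PHI content at all.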
Q&A
Thank You!
Swati Sharma
Himanshu Shewale
Ajith Kumar