
Page 1: 2014-10-30 How to Conduct A HIPAA Security Compliance Self ... · “Q&A” to pose any ... Wes Morris, CHPS, CIPM 615-823-3084 Wes.Morris@ClearwaterCompliance.com Clearwater

© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice


Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

For reprint permission and information, please direct your inquiry to [email protected]


Legal Disclaimer


Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


Clearwater HIPAA Business Risk Management Life Cycle™ (diagram: Frame → Assess → Respond → Monitor; Privacy Assessment, Security Assessment)

Today’s Topics
• ePHI Discovery
• Risk Analysis
• Risk Response
• Remediation
• Risk Strategy
• Governance
• Auditing
• Technical Testing
• Workforce Training


Welcome to today’s Live Event… we will begin shortly… 

Please feel free to use “Chat” or “Q&A” to pose any ‘burning’ questions you may have in advance…


Wes Morris, CHPS, CIPM
615-823-3084
[email protected]
Clearwater Compliance LLC

How to Conduct A HIPAA Security Rule Compliance Self Audit

October 30, 2014


Some Ground Rules


1. Slide materials… will be provided
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours


Poll #1 – What type of organization?



Wes Morris, CHPS, CIPM – HIPAA Consultant
• 20 years in Clinical Care / Social Services
• 11 years in HIPAA Privacy and Security
• Experienced Hospital Privacy and Security Officer, Team Lead and Subject Matter Expert
• Certified in Healthcare Privacy and Security (CHPS)
• Examination Development Committee Member for AHIMA CHPS Exam
• Certified Information Privacy Manager (CIPM)
• Mentor to HIM students and new Privacy Officers

[email protected]


Our Passion


We’re excited about what we do because… …we’re helping organizations provide better care by safeguarding the very personal and intimate healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!


Here’s What We Do For a Living…

• Since 2010
• 350+ Customers
• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps
• 20 OCR or CMS Audits & Investigations to date
• Raving Fan customers!

Key Differentiator: SaaS Platforms for Operationalizing Your Compliance Programs


Mega Session Objective

Help You Understand and Address Two Very Specific HIPAA Rule Security Compliance Evaluation Requirements… and, perform a self-audit!


Big Points about Compliance Self-Audit
• Must cover entire Regulation
• First Time – Lots of Work
• Not Once and Done
• Often Requested in OCR Investigation Data Request
• Risk Analysis ≠ Security Assessment (Evaluation) = Compliance Self-Audit
• Addresses TWO (2) Dimensions of HIPAA Security Risk Management
• Consider Doing Same for Privacy and Breach Notification


Three Dimensions of HIPAA Security Business Risk Management

1. Compliance – 45 CFR 164.308(a)(8)
2. Security – 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit – 45 CFR 164.308(a)(8) & OCR Audit Protocol


Related Webinars to View
• The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
• How To Conduct a Bona Fide HIPAA Security Risk Analysis
• HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis (Blog Post)


Session Objectives


1. Understand Evaluation Requirements

2. Learn How to Evaluate Your Compliance

3. View a Demonstration of Our Evaluation Process / SaaS Solution


Three Pillars of HIPAA‐HITECH Compliance…

(Diagram: the three pillars Privacy | Security | Breach Notification, under HIPAA / HITECH, consolidated by the OMNIBUS FINAL RULE)

Privacy Final Rule
• 75 pages / 27K words
• 56 Standards
• ~54 “dense” Implementation Specs

Security Final Rule
• 18 pages / 4.5K words
• 22 Standards
• ~50 Implementation Specs

Breach Notification IFR
• 6 pages / 2K words
• 4 Standards
• 9 Implementation Specs


Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process. (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.


OCR Investigation Data Request



HIPAA Phase 2 Audits: A Revised Game Plan

• “Very Targeted Audits”
  o CEs: specific compliance areas, such as security risk assessments, privacy and breach notification, copies of periodic risk analysis and other evidence
  o BAs: security risk assessment and providing breach notification to CEs
  o Will not include CEs or BAs under a current OCR investigation
• Audit Change: From 400 remote desk to <200 more comprehensive
• Prescreening surveys to be sent “in near future” to CEs and BAs
  o Surveys will determine “in or out” - not “are you compliant?”
  o CEs will be asked “for a list and contacts for all your business associates”
  o BAs will be selected from the lists provided by CEs
• Delayed to finish roll-out of Web portal for document submission – No date given for completion


Executive Summary


Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

MUST DO:
1. Have comprehensive documented policies and procedures
2. If external resources, ensure qualified
3. Cover ALL standards and implementation specs
4. Ensure criteria are established (standards and measures)
5. Gather all necessary documentation to evaluate
6. Complete both technical and nontechnical evaluations
7. Document findings, observations and remediation plan
8. Demonstrate evaluation is completed periodically


Three Terms to Memorize¹

1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!

3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

¹ 45 CFR 160.401 Definitions

Give Your CEO and Outside Counsel Something to Work With!


Enforcement: Amount of CMP - 45 CFR § 160.404

Violation Category - Section 1176(a)(1)   | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know)   | $100 - $50,000                   | $1,500,000
(B) Reasonable Cause                      | $1,000 - $50,000                 | $1,500,000
(C)(i) Willful Neglect – Corrected        | $10,000 - $50,000                | $1,500,000
(C)(ii) Willful Neglect – Not Corrected   | $50,000                          | $1,500,000

Discretion to Use $50K at Any Level
CEs & BAs: Act Swiftly in Case of Breach


10 Actions to Take Now


1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))

2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)

3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))

4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))

5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR §164.308(a)(8))

6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))

7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))

8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

9. Document and act upon a remediation plan

10. Assess current insurance coverage

Demonstrate Good Faith Effort!


Clearwater Compliance Compass™ – Four Critical Dimensions of a Balanced Compliance Program

Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.

People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.

Procedures or processes – documented – provide the actions required to deliver on organization’s values.

Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).


Session Objectives


1. Understand Evaluation Requirements

2. Learn How to Evaluate Your Compliance

3. View a Demonstration of Our Evaluation Process / SaaS Solution


How to Do It Right

Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program

Think Program, Not Project!

Start / Year 1: • Oversight • Assessments • Corrective Action Plans • Policies & Procedures • Training • Technical Testing

Year 2: • Re-Assessments • Corrective Action Plans • Policies & Procedures Review • Training • Technical Testing

Ongoing Support and Guidance: • Re-Assessments • Corrective Action Plans • Policies & Procedures Review • Training • Technical Testing


Three Dimensions of HIPAA Security Business Risk Management

1. Compliance – 45 CFR 164.308(a)(8)
2. Security – 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit – 45 CFR 164.308(a)(8) & OCR Audit Protocol


Steps to Complete A Security Compliance Assessment

1. Form a Cross-Functional Task Force
2. Set Business Risk Management Goals
3. Use as an Opportunity to Get Educated – Learn the Requirements and the Consequences
4. Create an Assessment Checklist or Software Tool Based on the Regulations and OCR Audit Protocol
5. Set a Scoring Methodology
6. Assess Your HIPAA Security Compliance
7. Document Gaps
8. Develop a Preliminary Remediation Plan


HIPAA Security Nontechnical Evaluation

1. Is it documented? • Policies, Procedures and Documentation
2. Are you doing it? • Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? • Comply with the implementation specification


Poll #2 ‐ Security Non‐Technical Evaluation 



HIPAA Security Technical Evaluation

ALL IMPORTANT -- AIMED AT DETERMINING EFFICACY AND EFFECTIVENESS OF CONTROLS

• External Network Vulnerability Assessment
• Internal Network Vulnerability Assessment
• External Penetration Testing
• Internal Penetration Testing
• Web Application Assessment
• Wireless Security Assessment
• Security Awareness Assessment
• Sensitive Data Discovery Scans


Reference NIST SP 800‐53A


http://clearwatercompliance.com/wp-content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf

“Security control assessments are not about checklists, simple pass‐fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800‐53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework.”


Resource


“The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control ensures that the process runs smoothly.”


Reference NIST SP 800‐115


http://clearwatercompliance.com/wp-content/uploads/2013/12/SP800-115-Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf

• Basis of Technical Evaluations
  – Pen Testing
  – Vulnerability Scans
  – Post Testing Activities


Poll #3 – Security Technical Evaluation 



Clearwater HIPAA Security Assessment™


Methodology and Software is…
• Proactive
• Adaptable
• Consistent
• Predictable
• Measurable
• Controlled
• CPI-based
• Standards-based

(Diagram: Monitoring and Auditing Maturity, from “Arts & Crafts” to “Science & Engineering”)


Major Benefits of Clearwater Process


1. Deep Experience – Millions of Lives Under Our Processes, Safeguards and Protection
2. Market Feedback – Invaluable Insights from Executives, Staff and Regulators
3. Proven Model – Thought-, Methodology- and Software-Leadership

Become Self-Sufficient | Operationalize Risk Management


Essential Information at Your Fingertips 

“Yes, it’s time for a change.”


High Value - High Impact Assessment WorkShop™ Process

I. PREPARATION (t-4 weeks)
  A. Plan / Gather / Schedule
  B. Read Ahead / Review Materials
  C. Provide SaaS Subscription/Train
  D. Administer Surveys

II. ONSITE ASSESSMENT (t=0)
  A. Facilitate
  B. Educate & Equip
  C. Evaluate
  D. Populate SaaS

III. WRITTEN REPORT (t+2 weeks)
  A. Findings
  B. Observations
  C. Recommendations
  D. Presentation and Sign Off


Key WorkShop™ Deliverables

1. Preparation for Mandatory Audits

2. Objective, Independent 3rd Party Review

3. Solid Educational Foundation

4. Completion of 45 CFR 164.308(a)(8) - Evaluation

5. Revitalize Security Compliance Program

6. Baseline/Benchmark Score

7. Preliminary Remediation Plan

8. Findings, Observation & Recommendations Report

Demonstrate Good Faith Effort


Summary and Next Steps


1. Consider Assessing the Forest First, Then Get Into the Trees/Weeds (Risk Analysis)

2. Stay Business Risk Management-Focused

3. Operationalize Compliance (Think: Plan-Do-Check-Act)

4. Large or Small: Consider Help (Tools, Experts, etc)


Get more info…

Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/

View pre-recorded Webinars at: http://abouthipaa.com/webinars/on-demand-webinars/


Two Specific Helpful Documents

Clearwater CE Omnibus ReadinessCheck™: http://clearwatercompliance.com/covered-entity-omnibus-readinesscheck/

Clearwater BA Omnibus ReadinessCheck™: http://clearwatercompliance.com/business-associate-omnibus-readinesscheck/


Upcoming Clearwater Events

Take Your HIPAA Privacy and Security Program to a Better Place, Faster … Earn CPE Credits!

• November 4, 2014 – Complimentary Webinar: HIPAA-HITECH 101
• November 5, 12, 19 – Virtual Session: Information Risk Management BootCamp™
• November 13, 2014 – Complimentary Webinar: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA HITECH Compliance Program
• November 20, 2014 – Complimentary Webinar: How to Develop Your HIPAA-HITECH Policies and Procedures
• December 5 – In Person Classroom Session: Information Risk Management BootCamp™, Tampa, FL


Expert Instructors

• Bob Chaput, CISSP, CIPP/US, CHP, CHSS – CEO | Clearwater Compliance
• Mary Chaput, MBA, CIPP/US, CHP – CFO & Chief Compliance Officer, Clearwater Compliance
• Michelle Caswell, JD – Senior Director, Legal and Compliance, Clearwater Compliance
• David Finn, CISA, CISM, CRISC – Health IT Officer, Symantec Corporation
• Meredith Phillips, MHSA, CHC, CHPC – Chief Information Privacy & Security Officer, Henry Ford Health System
• Gregory J. Ehardt, JD, LL.M. – HIPAA/Assistant Compliance Officer - HCA; Adjunct Professor, Office of General Counsel | Idaho State University


Clearwater Designated (ISC)2 Official Training Partner


Upcoming Training Courses
• Dec 1 - 3, 2014 HCISPP CBK Training, Nashville
• Feb 9-11, 2015 – Miami
• Apr 6-8, 2015 – Nashville

HCISPP Description
• HCISPP is a foundational credential – confirming a foundational level of performance tasks, knowledge, and abilities relating to the security and privacy of healthcare
• As a foundational credential, the experience requirement is two years (2), as follows:
  – Minimum two years of experience in one knowledge area of the credential that includes security, compliance & privacy:
  – Legal experience may be substituted for compliance
  – Information management experience may be substituted for privacy
  – At least one year of the two-year experience must be in the healthcare industry
• The HCISPP certification takes a universal approach to how regulations work internationally, so it will be applicable globally



Contact

Wes Morris, CHPS, CIPM
HIPAA Consultant
Clearwater Compliance LLC
Phone: 615-823-3084
http://[email protected]

Exit Survey, Please