HIPAA Risk Assessment

Presented By: Nathan A. Kottkamp, McGuireWoods, LLP

Lorman Education Services seminar ID 401897 • website: www.lorman.com

This manual was created for online viewing. State specific information in this manual is used for illustration and is an example only.

mail: P.O. Box 509 Eau Claire, WI 54702-0509 • telephone: 866-352-9539 • fax: 715-833-3953 • email: [email protected]



HIPAA Risk Assessment

©2018 Lorman Education Services. All Rights Reserved.


Prepared By:Nathan A. KottkampMcGuireWoods, LLP


HIPAA Security Rule Risk Assessments

Presented by:

Nathan A. Kottkamp, McGuireWoods


OMNIBUS FINAL RULE

• On January 17, 2013, HHS released the Omnibus Final Rule (“Final Rule”) interpreting and implementing provisions of the HITECH Act

• Effective date: March 26, 2013

• Compliance date: September 23, 2013

• Revision date for certain existing business associate agreements: September 22, 2014


After the Omnibus Final Rule, Who is Required to Protect PHI?

HIPAA

• Covered Entity: health care provider, health plan, or health care clearinghouse (billing services).

• Business Associate: An individual or entity that provides services on behalf of the Covered Entity or another Business Associate that require the entity to create, receive, maintain, or transmit protected health information (PHI).

– Includes subcontractors


CORE ELEMENTS OF HIPAA—UNCHANGED BY THE OMNIBUS FINAL RULE

• The Privacy Rule – establishes individuals’ privacy rights and addresses the use and disclosure of protected health information (“PHI”) by covered entities and business associates

• The Security Rule – establishes requirements for protecting electronic PHI

• The Breach Notification Rule – requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI

• The Enforcement Rule – establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA


HIPAA in a Nutshell (diagram)

• Privacy Rule – Reasonable safeguards for all PHI

• Administrative Safeguards for ePHI

– Security Management

– Assigned Security Responsibility

– Workforce Security

– Information Access Management

– Security Awareness and Training

– Security Incident Procedures

– Contingency Plan

– Evaluation

– BA Contracts and Other Arrangements

• Physical Safeguards for ePHI

– Facility Access Controls

– Workstation Use

– Workstation Security

– Device and Media Controls

• Technical Safeguards for ePHI

– Access Controls

– Audit Controls

– Integrity

– Person or Entity Authentication

– Transmission Security

• Training

• Breach Notification

• Policies and Procedures


PENALTIES FOR HIPAA VIOLATIONS

Civil Penalties

$100-$50,000 per violation

Tiered Penalties Based on Culpability

• Unknowing ($100 per violation/ $25K max)

• Reasonable Cause ($1K per violation/$100K max)

• Willful neglect ($10K per violation/$250K max)

• Uncorrected willful neglect ($50K per violation/$1.5M max)

Criminal Penalties up to $250,000

Imprisonment up to 10 years


HIPAA Audits Pilot Program

• KPMG LLP conducted a pilot program involving audits of 115 covered entities

• Conducted audits from November 2011-December 2012

• Only covered entities

• Auditee selection criteria:

– Public v. Private

– Entity’s size, e.g., level of revenues/assets, number of patients or employees, use of health information technology

– Affiliation with other health care organizations

– Geographic location

– Type of entity and relationship to patient care

• Results of pilot program:

– Smaller entities had more issues than larger entities

– Security Rule compliance issues predominated (65%)


Security Rule Top Issues


Security Rule Risk Analysis

• A repeatable methodology that addresses the entity’s understanding of the flow of HIPAA processes and systems and is updated as major business events occur

• Scope of the flow of PHI within your organization as well as externally to vendors, affiliates and business associates and mapping of related processes to applications, databases, systems, and data centers

• Implementation of effective administrative, technical and physical safeguards over PHI and alignment to authoritative sources including ISO and NIST

• Identification of required safeguards not addressed and associated risk mitigation plans

• Progress on corrective actions to remediate the gaps identified

2/3rds of entities audited during the pilot phase had not performed an adequate risk analysis


Self-Reviews/Self-Audits

• Utilize audit protocol from HITECH Act Audit Pilot Program

– available on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

– Updated as of April 2016 to reflect Omnibus Final Rule

• The Audit Program Protocol covers:

– Privacy Rule requirements

– Security Rule requirements

– Breach Notification Rule requirements

• Recommended at least annually

• New audit protocol to be released


Security Rule History

• Final Rule issued February 20, 2003


Security Rule Risk Assessments

• Required “periodically” by HIPAA – 45 CFR § 164.316(b)(2)(iii)

• “Periodically” is not defined.

– Ask OCR—you’ll probably hear that it means “annually”

– Look around—you’ll see HUGE variance


How are your self-assessment skills?


Good News!

• “Flexibility of approach” 45 CFR § 164.306


Bad News!

• “Flexibility of approach”


IDENTIFY WHERE YOUR PHI LIVES, THREATS, GAPS, AND RESPONSES

(Worksheet with columns: PHI Location | Threats | Gaps/Vulnerabilities | Analysis/Action)


ADMINISTRATIVE SAFEGUARDS MATRIX

Standards and Implementation Specifications — (R) Required; (A) As needed (addressable) — with the rule citation

• Security Management Process – 164.308(a)(1)

– Risk Analysis (R): Thorough assessment of potential vulnerabilities to PHI confidentiality, integrity, and availability

– Risk Management (R): Measures to reduce risks to reasonable levels

– Sanction Policy (R): Actions against workforce members who fail to comply with security policies and procedures

– Information Security Activity Review (R): Audit logs, access reports, and incident tracking reports

• Assigned Security Responsibility – 164.308(a)(2): Identify the entity’s Security Official

• Workforce Security – 164.308(a)(3)

– Authorization and/or Supervision (A): Authorization of employees who work with ePHI

– Workforce Clearance Procedure (A): Determine that employee access to ePHI is appropriate

– Termination Procedures (A): Ending access to ePHI when an employee ends employment

• Information Access Management – 164.308(a)(4)

– Isolating Healthcare Clearinghouse Functions (R): Protect ePHI from unauthorized access by a parent group

– Access Authorization (A): Policies for ePHI access through workstations

– Access Establishment and Modification (A): Policies on a user’s right of access to a workstation

• Security Awareness and Training – 164.308(a)(5)

– Security Reminders/Updates (A)

– Protection from Malicious Software (A)

– Log-in Monitoring (A)

– Password Management (A)


ADMINISTRATIVE SAFEGUARDS MATRIX cont.

Standards and Implementation Specifications — (R) Required; (A) As needed (addressable) — with the rule citation

• Security Incident Procedures – 164.308(a)(6)

– Response and Reporting (R): Security incidents, mitigation, and outcome

• Contingency Plan – 164.308(a)(7)

– Data Backup Plan (R)

– Disaster Recovery Plan (R)

– Emergency Mode Operation Plan (R)

– Testing and Revision Procedure (A): For testing contingency plans

– Applications and Data Criticality Analysis (A): Assess the relative criticality of specific applications and data in support of the other contingency components

• Evaluation (R) – 164.308(a)(8): Perform periodic evaluation in response to environmental and operational changes

• BA Agreements – 164.308(b)(1)

– Written Contract (R): To protect ePHI while using it to perform an activity for a covered entity


PHYSICAL SAFEGUARDS MATRIX

Standards and Implementation Specifications — (R) Required; (A) As needed (addressable) — with the rule citation

• Facility Access Controls – 164.310(a)(1)

– Contingency Operations (A): Procedures that allow facility access to restore lost data under disaster recovery or in case of emergency

– Facility Security Plan (A): Procedures to safeguard the building and equipment from unauthorized access

– Access Control and Validation Procedures (A): To verify access to the building, software, and data based on a person’s functions

– Maintenance Records (A): To document repairs and modifications to the building related to security, e.g., a change in locks

• Workstation Use – 164.310(b): Procedures for proper workstation use and the physical attributes of the surroundings of any workstation that accesses PHI

• Workstation Security – 164.310(c): Physical safeguards for workstations that access ePHI, restricting access to authorized users

• Device and Media Controls – 164.310(d)(1)

– Disposal (R): Procedures on how to dispose of ePHI and the hardware or electronic media on which it is stored

– Media Re-Use (R): Procedures for PHI removal from hardware and electronic media before they can be re-used

– Accountability (A): Record hardware and electronic media movements and any person responsible for electronic media

– Data Backup and Storage (A): Create retrievable copies of ePHI before equipment is moved


TECHNICAL SAFEGUARDS MATRIX

Standards and Implementation Specifications — (R) Required; (A) As needed (addressable) — with the rule citation

• Access Controls – 164.312(a)(1)

– Unique User Identification (R)

– Emergency Access Procedure (R)

– Automatic Logoff (A): Procedures that end an electronic session after a predetermined time of inactivity

– Encryption and Decryption (A): Mechanism to lock/unlock ePHI

• Audit Controls – 164.312(b): Hardware and software mechanisms that record and examine activity in IT systems that contain or use PHI

• Integrity – 164.312(c)(1)

– Mechanism to Authenticate ePHI (A): Corroborates that PHI has not been altered or destroyed in an unauthorized manner

• Person or Entity Authentication – 164.312(d): Verifies that the person or entity seeking ePHI access is the one claimed

• Transmission Security – 164.312(e)(1)

– Integrity Controls (A): Measures to ensure ePHI is not improperly modified without detection until it is disposed of

– Encryption (A): Mechanisms to safeguard ePHI in transmission from unintended recipients
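The risk analysis slide calls for identifying required safeguards that are not addressed and tracking corrective actions; the three matrices give the standards to check against. The script below is an added example, not part of the seminar materials, that runs that gap check over a constructed control inventory using a subset of the matrices' (R)/(A) specifications. It assumes (as its own convention, not something the slides state) that an (A) specification is closed only when implemented or when a written rationale is on file.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Spec:
    standard: str   # Security Rule standard, as named in the matrices
    rule: str       # citation as given in the slides
    name: str       # implementation specification
    required: bool  # True for (R), False for (A)

# Subset of the slides' safeguard matrices, transcribed here as sample data
SPECS = [
    Spec("Security Management Process", "164.308(a)(1)", "Risk Analysis", True),
    Spec("Security Management Process", "164.308(a)(1)", "Risk Management", True),
    Spec("Workforce Security", "164.308(a)(3)", "Termination Procedures", False),
    Spec("Contingency Plan", "164.308(a)(7)", "Data Backup Plan", True),
    Spec("Device and Media Controls", "164.310(d)(1)", "Disposal", True),
    Spec("Device and Media Controls", "164.310(d)(1)", "Data Backup and Storage", False),
    Spec("Access Controls", "164.312(a)(1)", "Unique User Identification", True),
    Spec("Access Controls", "164.312(a)(1)", "Automatic Logoff", False),
    Spec("Transmission Security", "164.312(e)(1)", "Encryption", False),
]

@dataclass(frozen=True)
class ControlStatus:
    implemented: bool
    rationale: str = ""  # for an unimplemented (A) spec: why, and the alternative used

@dataclass(frozen=True)
class Gap:
    spec: Spec
    severity: str  # "required" or "addressable"
    reason: str

def gap_analysis(inventory: dict[str, ControlStatus]) -> list[Gap]:
    """Return the specs in SPECS the inventory leaves open. Assumption: an (A)
    spec is closed when implemented OR a written rationale is on file; an (R)
    spec only when implemented; a spec absent from the inventory is a gap."""
    gaps: list[Gap] = []
    for spec in SPECS:
        severity = "required" if spec.required else "addressable"
        status = inventory.get(spec.name)
        if status is None:
            gaps.append(Gap(spec, severity, "not assessed"))
        elif status.implemented:
            continue
        elif spec.required:
            gaps.append(Gap(spec, severity, "required specification not implemented"))
        elif not status.rationale.strip():
            gaps.append(Gap(spec, severity, "not implemented and no documented rationale"))
    # Required gaps first, then in matrix order (by rule citation) for the action plan
    gaps.sort(key=lambda g: (g.severity != "required", g.spec.rule, g.spec.name))
    return gaps

# Constructed inventory for a hypothetical small practice
SAMPLE_INVENTORY = {
    "Risk Analysis": ControlStatus(True),
    "Risk Management": ControlStatus(False),
    "Termination Procedures": ControlStatus(False),
    "Data Backup Plan": ControlStatus(True),
    "Disposal": ControlStatus(True),
    "Data Backup and Storage": ControlStatus(False, "Equipment never leaves the site; nightly backups retained 30 days"),
    "Unique User Identification": ControlStatus(True),
    "Automatic Logoff": ControlStatus(False),
    # "Encryption" (transmission) is deliberately absent: never assessed
}

if __name__ == "__main__":
    for gap in gap_analysis(SAMPLE_INVENTORY):
        print(f"[{gap.severity}] {gap.spec.rule} {gap.spec.standard} / {gap.spec.name}: {gap.reason}")
```

The sample run reports one required gap (Risk Management) ahead of three addressable ones, with the never-assessed transmission Encryption spec surfacing as a gap rather than silently passing.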


NIST!!!!

• NIST ≠ HIPAA

• Lots of overlap, though.

• HHS published a HIPAA/NIST Crosswalk in 2016

– https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html


ISO 27001

• ISO 27001 ≠ HIPAA

• Overlap, though.


HITRUST

• HITRUST ≠ HIPAA

• Proprietary.


CONTINUOUS COMPLIANCE

• Establish a mechanism and schedule for self-monitoring and auditing

• Annual training should be supplemented by regular HIPAA teaching moments

• Focus on high risk areas

– Mobile devices

– High profile patients and members

– Improper disclosures

– Disposal of records

• Follow up promptly when problems are found

• Invite staff to provide comments and raise concerns at any time about any HIPAA-related issue


HIPAA Training Summary

ALWAYS:

• Use or disclose PHI only as needed to perform your job

• Keep documents containing PHI secure and out of sight

• Secure your workstation if it contains PHI

• Encrypt any PHI held on a laptop or portable device

• Follow all documentation and recordkeeping procedures

• Verify the identity of anyone who requests PHI from you

• Notify the Privacy Officer (or designee) if you see any improper activity

• Ask the Privacy Officer (or designee) for guidance if you are unsure about the appropriateness of any activity


HIPAA Training Summary

NEVER:

• Leave your laptop alone and unsecured

• Leave your computer when logged on to accessible PHI

• View PHI when not necessary to do your job

• Discuss PHI unless necessary to do your job

• Leave PHI out where others could see it

• Disclose or give PHI to anyone who does not have authorization to receive it

• Participate in conversations in which you think PHI is being discussed improperly – Speak up about your concerns to the others involved!

• Make exceptions to policies for safeguarding health information privacy

Questions?


A Few Technology Recommendations

Smartphones

• Always use a password—no “swiping” only

• Smartphones have password protection.

• Have plans in place for lost smartphones, including remote data removal.

Saving data

• Use access and other privacy controls.

• Sensitive data should not be stored on removable media, such as USB thumb drives, CD/DVD, portable hard drives, etc.

• Sensitive data should not be sent to personal email if at all possible.

Emailing data

• Use a secure file transfer system which will allow for off-site file transfer with encryption.


More Compliance Tips

Considerations:

• Minimize the circumstances under which you receive PHI from clients; receive the minimum necessary.

• Do not discuss PHI with or in front of unauthorized persons.

• Remove all PHI from plain view.

• Do not remove PHI from your workplace, if possible.

• Report potential unauthorized disclosures promptly.

• As a Business Associate, coordinate with Covered Entity partners and subcontractors involved in a breach.


HIPAA Resources

Federal Register 45 C.F.R. Part 160 and Subparts A and E of Part 164.

Office for Civil Rights (“OCR”) Website: http://www.hhs.gov/ocr/office/index.html

OCR FAQ: http://www.hhs.gov/ocr/office/faq/index.html

HIPAA List Serve: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html

Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html


The McGuireWoods Approach


INFORMATION ASSURANCE

PROTECTING information while ensuring the functionality and resiliency of operating systems.

WHY IT MATTERS

The information environment is replete with technical vulnerabilities and legal and reputational risks. Information assurance focuses limited resources on the most challenging problems and mitigates risk.


INFORMATION GOVERNANCE

MANAGING information through plans and procedures, data inventories and mapping for compliance.

WHY IT MATTERS

Information is a company’s most valuable asset. Information governance helps to maximize the value of information while minimizing risks and costs.


INCIDENT RESPONSE & REMEDIATION

RESPONDING to events that place a business or its customers at risk and executing long-term resolutions.

WHY IT MATTERS

The worst time to make a decision is during a crisis. Deliberate contingency planning ensures that companies act decisively in their best interests.

WHAT WE DO ABOUT IT

• Incident response plan

• Breach notification counseling

• Backup and disaster recovery policy

• Legal hold policy and procedures

• Forensic investigation and public relations oversight

• Internal investigations

• Regulatory investigations

• Law enforcement interaction

• Litigation – individual and class action


Questions or Comments?

Nathan A. Kottkamp, [email protected]

www.mcguirewoods.com

©2013 McGuireWoods LLP
