
LeToia Crozier, Esq., CHC
Vice President, Compliance & Regulatory Affairs

Corey Wilson
Director of Technical Services & Security Officer

Interactive Think Tank: Securely Deploying Mobile Technologies & Services

Upload: jessica-johns

Post on 02-Jan-2016


TRANSCRIPT


• The Health Insurance Portability and Accountability Act (HIPAA) is a national law that establishes standards for the privacy and security of protected health information (PHI)

• PHI includes any individually identifiable health information (health information that identifies a person and relates to his/her physical or mental health or condition), whether it is transmitted or maintained electronically, on paper, or orally; the electronic subset is referred to as ePHI

• Privacy: The requirement to protect ALL forms of Protected Health Information (PHI)

• Security: Applies to ELECTRONIC forms of PHI and includes directives regarding physical and technical security measures.


HIPAA

HIPAA Security Regulations

• The security regulations are a set of standards that provide directives on how to protect electronic protected health information (ePHI)

• The security regulation includes physical safeguards, administrative safeguards, technical safeguards, organizational requirements, and policies & procedures

• Information Security refers to all the protections in place to ensure that electronic PHI is (1) kept confidential, (2) not improperly altered or destroyed, and (3) readily accessible to authorized individuals

“Confidentiality-Integrity-Availability”

Examples of Security Protections Include:

• Hardware & Software Protections

• Personnel Policies

• Physical Security

• Awareness

• Information Practices

• Disaster Preparedness

• Oversight of All These Areas

HITECH ACT

Health Information Technology for Economic and Clinical Health Act (HITECH), Title XIII

• Contained within the American Recovery and Reinvestment Act of 2009 (ARRA) “The Stimulus Bill”

• Signed into law February 17, 2009 (most changes effective in 2010)

• Subtitle D: Privacy (Expanded scope of HIPAA privacy and security laws)

• Increased penalties for violating privacy and security laws, including criminal provisions that apply to any person (employees included), and a new right of action for State Attorneys General

Impact on Covered Entities and Business Associates

• Mandatory Breach Notification

• Heightened Enforcement Scheme

• New rules for Accounting of Disclosures

Privacy and Security Checklist

1. Have you formally designated people or positions as your organization’s privacy and security officers?

2. Do you have documented privacy and information security policies and procedures?

3. Have they been reviewed and updated, where appropriate, in the last six months?

4. Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?

5. Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?

6. Have you done a formal information security risk assessment in the last 12 months?

7. Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?

8. Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?

9. Do you require information, in all forms, to be disposed of using secure methods?

10. Do you have a documented breach response and notification plan, and a team to support the plan?


INTERACTIVE THINK TANK….

OPERATIONAL IMPACT

• IT Infrastructure

• Service Lines

• Strategic Objectives

• Financial Analysis

DUE DILIGENCE

• Board Approval

• Market Analysis

• Value
  – Will they use it for its purpose?
  – What mobile applications do we have?

• BYOD

• Outsource vs. Internal Support

SECURITY

• What steps has your organization taken to assess security in establishing a mobility platform?
  – Regulatory
  – Management
  – Risk

PRIVACY

• What processes has your organization implemented to enforce privacy practices, and how will those transition or integrate into a mobility platform?
  – Regulatory
  – Policies
  – Access

INTEROPERABILITY

• Has your company conducted research to establish what solutions are available to successfully deliver applications and/or data of value to a mobile platform?
  – Build vs. Buy
  – Connectivity

WORKFLOW CONCERNS

• Has your company reviewed existing workflow and resources to understand the benefits and value of mobility?
  – Internal Communications
  – Confidential / Patient Information
  – Physicians

CHALLENGES

• Deployment

• Repairs

• Support

• Standardization of Policies

• Adaptation

• User Autonomy / Physician Control

• Reporting Capabilities

• Innovation