
Privacy & Security Risk Analysis Webinar
2015 BluePrint Healthcare IT. All rights reserved.
2015 Massachusetts eHealth Institute. All Rights Reserved. Confidential.

Introduction: What We Do Matters

Massachusetts eHealth Institute (MeHI)
- Support healthcare providers in achieving Meaningful Use of EHR technology
  - Meaningful Use Gap Analysis
  - Registration and Attestation support
  - Secure document storage and audit preparation
- Support providers with Physician Quality Reporting System (PQRS) reporting
  - Qualified registry for submitting PQRS measures
- Collaborate with external partners to offer
  - Patient engagement resources
  - Privacy and security tools (BluePrint SecurityConnect)
  - Other Health IT resources
- Engage in thought leadership
  - Educational outreach, informational webinars and training courses
  - Subject matter expertise on topics of interest to provider organizations

Massachusetts eHealth Institute Disclaimer
MeHI does not take any responsibility for the actions of physicians and their staff. MeHI acts as your trusted advisor for Meaningful Use and Health IT, and while MeHI will provide direction and connect you to appropriate privacy and security organizations and other services, physicians and their staff are solely responsible for taking the steps necessary to protect the privacy and security of protected health information.

BluePrint Healthcare IT
BluePrint Healthcare IT is a recognized leader in healthcare IT security, privacy, audit readiness, and compliance (S-PAC). Our security services provide a disciplined, standards-based approach to patient- and business-centered IT security and privacy risk management. BluePrint Healthcare IT is a firm dedicated solely to the healthcare industry: hospitals, health systems, ACOs, payers, and the business associate community. We anticipate the needs and trends in healthcare IT security, privacy and compliance and build solutions and services that are timely and relevant. We have been leaders, nationally and locally, contributing thought leadership and practical tools for the industry, and we contribute to national and regional working groups within HIMSS, HITRUST and eHealth Initiative.

Bio: Ryan Patrick
Ryan Patrick is the Principal Security Consultant for BluePrint Healthcare IT's Security, Privacy, Audit Readiness and Compliance services. With 14 years of experience in all facets of security and information technology for both the public and private sectors, Ryan brings an innovative perspective to protecting information and organizational resources. Prior to joining BluePrint, Ryan served as the Deputy Chief Information Officer for the New York State Division of Military and Naval Affairs. In that position, he led the effort to prepare for the Defense Information Systems Agency's (DISA) Command Cyber Readiness Inspection, which assesses several key areas: the entity's overall information security program, the classified and unclassified networks, and the digital and physical assets used to support them. Working as a security analyst with organizations such as MetLife and Memorial Sloan-Kettering Cancer Center, Ryan has gained a wealth of experience conducting risk assessments against HIPAA, ISO 27001, NIST 800-53 and PCI-DSS. He holds an MBA from Norwich University and the Certified Information Systems Security Professional (CISSP) certification. Ryan is also a Major in the New York Army National Guard, serving as the Chief Information Officer for the 42nd Infantry Division. He is a combat veteran of Operation Iraqi Freedom, where he received the Bronze Star Medal, the Global War on Terrorism Expeditionary Medal and the Global War on Terrorism Service Medal.

Agenda
- Introductions
- Workshop Goals
- Introduction: BluePrint & Healthcare Landscape
- Regulatory/Compliance Landscape
- The Hard Truth!
- Security Rule
- Security Risk Analysis & Management
- Meaningful Use
- Myths about the Security Rule and Meaningful Use
- MU Risk Analysis/Demo
- Q&A

Our Philosophy

Learning Objectives
After this session you will be able to:
- Understand the applicable state and federal laws/regulations
- Implement the HIPAA Security Rule and Meaningful Use (MU) requirements in your organization
- Use BluePrint Healthcare IT's SecurityConnect for compliance with the Security Rule and Meaningful Use

Healthcare Landscape
- Transition to electronic medical records
- Exchange of health information
- Meaningful Use
- ICD-10
- Accountable Care Organizations
- OCR (HIPAA) and CMS (Meaningful Use) audits
- State and federal laws/regulations (including penalties)

Massachusetts 201 CMR 17.00
This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are:
- to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards
- to protect against anticipated threats or hazards to the security or integrity of such information
- to protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer

Massachusetts 201 CMR 17.00: Personal Information
- Not only Protected Health Information (PHI)
- Paper or electronic forms
- Not a breach unless used in an unauthorized manner
- Personal information is a resident's first initial AND last name, PLUS any of:
  - Social Security Number
  - State-issued ID (driver's license, photo ID)
  - Account number (even without PIN)

Massachusetts 201 CMR 17.00

Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards. The comprehensive security program must include:
- Designating one or more employees to maintain the program
- Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises
- Imposing disciplinary measures for violations of the program rules
- Preventing terminated employees from accessing records containing personal information
- Selecting and retaining third-party service providers that are capable of maintaining appropriate security measures to protect such personal information
- Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers
- Regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information
- Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices
- Mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information

201 CMR 17.04: Computer System Security Requirements
The comprehensive information security program must ensure the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:
- User authentication
- Access control
- Encryption (network: records transmitted across public networks or wirelessly)
- System monitoring
- Encryption (media: personal information stored on laptops and other portable devices)
- Patch management and firewall protection (Internet-connected systems)
- Malware protection
- Employee education and training

Massachusetts 201 CMR 17.00: Breach Notification
A person who owns or licenses personal information and knows or has reason to know of (1) a security breach, or (2) that the personal information of a Massachusetts resident was acquired or used by an unauthorized person or for an unauthorized purpose, must notify the Attorney General and the Office of Consumer Affairs and Business Regulation.*

* Consumer Affairs and Business Regulation website: http://www.mass.gov/ocabr/data-privacy-and-security/data/requirements-for-security-breach-notifications.html

The notifications to the Office of Consumer Affairs and Business Regulation and to the Attorney General must include:
- A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
- The number of Massachusetts residents affected as of the time of notification;
- The steps already taken relative to the incident;
- Any steps intended to be taken relative to the incident subsequent to notification; and
- Information regarding whether law enforcement is engaged in investigating the incident.

Knowledge Check
What types of information are considered personal information according to Massachusetts 201 CMR 17.00?
First initial AND last name, PLUS:
- Social Security Number
- State-issued ID (driver's license, photo ID)

- Account number (even without PIN)

Federal Law/Regulations
Applicable federal law and/or regulations include:
- HIPAA
- HITECH
- Omnibus Rule
*Systems and controls should comply with the most stringent requirements.

HIPAA & HITECH Background
HITECH (Health Information Technology for Economic and Clinical Health): enacted on February 17, 2009, as part of the American Recovery & Reinvestment Act (ARRA). It revised the HIPAA (Health Insurance Portability and Accountability Act) rules with tougher provisions for security, privacy and enforcement:
- Increased maximum penalties: $50,000 per incident, $1.5M for the year (willful neglect concept)
- Reporting requirements for security breaches: media outlets, US Department of Health and Human Services, victims
- Ability for a state Attorney General to bring legal action against physicians and hospitals for non-compliance
- Individual liability for criminal violations

Violations = Penalties
- Violation was not known and the organization would not have known by exercising reasonable diligence: $100 - $50,000 per violation; $1.5 M maximum per year
- Violation due to reasonable cause but not willful neglect: $1,000 - $50,000 per violation; $1.5 M maximum per year
- Violation due to willful neglect but corrected within 30 days of discovery of the violation: $10,000 - $50,000 per violation; $1.5 M maximum per year
- Violation due to willful neglect and not corrected within 30 days of discovery: $50,000 per violation; $1.5 M maximum per year

HITECH New Provisions
- Business Associates and subcontractors are now subject to HIPAA requirements (chain of trust)
- Restrictions on research, marketing, fundraising, and sale of patient information
- Increased patient rights to restrict disclosure of PHI
- Business Associate Agreements must be revised to include language that covers HITECH & Omnibus
- Length of time information is considered PHI
- Accounting of disclosures to include TPO (Treatment, Payment and Operations)

Omnibus New Provisions
- Expanded Business Associate (BA) definition
- Third-party risk assessments
- Strengthened harm provision: assumption of harm unless proven otherwise
- Genetic Information Nondiscrimination Act (GINA): genetic information is protected under the HIPAA Privacy Rule

The Hard Truth!
You may be wondering: Why are you telling me all of this? What does this mean to me? Why are we here?

Ponemon Institute 2014 Cost of Data Breach Study: Global Analysis
[Four chart slides from the Ponemon Institute 2014 Cost of Data Breach Study: Global Analysis] THIS is why we are here.

HHS Breach Notification Site
There have been 1,142 reported breaches of 500 records or more since October 21, 2009.
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Settlements Reached with HHS
[Two slides listing settlements reached with HHS]

HIPAA Security Goal
Privacy and security is the responsibility of physicians and their staff.

HIPAA Security Risk Analysis General Categories

ADMINISTRATIVE SAFEGUARDS
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements

PHYSICAL SAFEGUARDS
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

TECHNICAL SAFEGUARDS
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

ORGANIZATIONAL REQUIREMENTS
- Business associate contracts or other arrangements
- Requirements for group health plans

POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS
- Written policies and procedures to assure HIPAA security compliance
- Documentation of security measures

HIPAA Security Rule Risk Management
Under the Administrative Safeguards (45 CFR 164.308(a)(1)), a covered entity must establish and maintain a security management process: implement policies and procedures to prevent, detect, contain, and correct security violations. Implementation specifications:
- Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
- Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

HIPAA Security Rule Risk Analysis Guidance
Health and Human Services issued guidance* for conducting the required risk analysis:
1. Scope the analysis
2. Data collection
3. Identify and document threats and vulnerabilities
4. Assess current security measures
5. Determine the likelihood of threat occurrence
6. Determine the potential impact of threat occurrence
7. Determine the level of risk
8. Finalize documentation
9. Periodic review and updates to the risk analysis
*http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf

HIPAA Security Rule Risk Management Process (a continuous cycle)
1. Inventory PHI and identify critical processes and/or assets
2. Determine security controls and weaknesses
3. Rate and prioritize risks based on business objectives
4. Implement security controls to mitigate risk

Take-aways
- Know how and where your organization is at risk and determine the appropriate strategy
- Implement a continuous risk management process
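The nine HHS guidance steps and the four-step management cycle above, carried through on a constructed inventory, as an added example (my code, not BluePrint Healthcare IT's, MeHI's or HHS's). Everything beyond the step names is an assumption chosen for illustration: the 1-3 ordinal scales, the likelihood x impact formula, the ACCEPTABLE_RISK appetite of 4, the control catalogue with its effect sizes, and the sample assets and threats. What it shows that the slides do not is how one pass separates findings that must be treated from those that can be accepted, records the residual risk after the planned controls, and says when the analysis itself is due again.

```python
"""Risk register walking the HHS risk analysis steps (scope, inventory, threats and
vulnerabilities, current measures, likelihood, impact, risk level, documentation, periodic
review) over constructed data. Added worked example, not code from BluePrint Healthcare IT,
MeHI or HHS; the 1-3 scales, risk = likelihood x impact, ACCEPTABLE_RISK, the control
catalogue and the practice inventory are illustrative assumptions."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum

ACCEPTABLE_RISK = 4  # assumption: a risk scoring above this must be treated

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class Asset:
    name: str
    holds_ephi: bool  # scope is every system that stores, captures or modifies ePHI
    location: str     # multi-site practices rate each location on its own

@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # ordinal levels the control removes from likelihood
    impact_reduction: int = 0      # ordinal levels removed from impact (e.g. encryption)

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: Level  # step 5, rated with the current controls already in place
    impact: Level      # step 6
    current_controls: list[str] = field(default_factory=list)  # step 4
    planned_controls: list[str] = field(default_factory=list)  # risk management plan

# Constructed control catalogue; the effect sizes are illustrative assumptions.
CONTROLS = {c.name: c for c in (
    Control("Full-disk encryption", impact_reduction=2),
    Control("Device PIN and auto-lock", likelihood_reduction=1),
    Control("Monthly OS patching", likelihood_reduction=1),
    Control("Offline tested backups", impact_reduction=1),
    Control("Privacy screen filter", likelihood_reduction=1),
)}

def in_scope(assets: list[Asset]) -> list[Asset]:
    """Step 1: everything holding ePHI is in scope, not only the EHR itself."""
    return [a for a in assets if a.holds_ephi]

def risk_level(likelihood: int, impact: int) -> int:
    """Step 7: likelihood x impact, each clamped to the 1-3 scale (assumption)."""
    return max(1, min(3, likelihood)) * max(1, min(3, impact))

def residual_risk(risk: Risk) -> int:
    """Risk left once the planned controls are implemented."""
    lik, imp = int(risk.likelihood), int(risk.impact)
    for name in risk.planned_controls:
        lik -= CONTROLS[name].likelihood_reduction
        imp -= CONTROLS[name].impact_reduction
    return risk_level(lik, imp)

def risk_register(risks: list[Risk]) -> list[dict]:
    """Step 8: the documentation an auditor asks for, one row per risk, rated and
    prioritized (highest current risk first, ties broken by asset name)."""
    rows = []
    for r in sorted(risks, key=lambda r: (-risk_level(r.likelihood, r.impact), r.asset.name)):
        now, later = risk_level(r.likelihood, r.impact), residual_risk(r)
        if now <= ACCEPTABLE_RISK:
            status = "Accept and monitor"
        elif later <= ACCEPTABLE_RISK:
            status = "Treat"
        else:
            status = "Treat - residual still above appetite, revisit plan"
        rows.append({"asset": r.asset.name, "location": r.asset.location, "threat": r.threat,
                     "vulnerability": r.vulnerability, "current_controls": list(r.current_controls),
                     "current_risk": now, "planned_controls": list(r.planned_controls),
                     "residual_risk": later, "status": status})
    return rows

def review_due(last_analysis: date, today: date, material_change: bool) -> bool:
    """Step 9: at least annually, or sooner when the practice or its systems change."""
    return material_change or (today - last_analysis).days >= 365

# Constructed inventory and risks for a hypothetical two-site practice (not real data).
ASSETS = [Asset("EHR database server", True, "Main office server room"),
          Asset("Front-desk workstation", True, "Main office reception"),
          Asset("Provider tablet", True, "Mobile"), Asset("Billing laptop", True, "Satellite office"),
          Asset("Public marketing website", False, "Hosted")]  # holds no ePHI: out of scope
A = {a.name: a for a in ASSETS}
RISKS = [Risk(A["Provider tablet"], "Device lost or stolen", "No encryption, no screen lock",
              Level.HIGH, Level.HIGH, [], ["Full-disk encryption", "Device PIN and auto-lock"]),
         Risk(A["EHR database server"], "Ransomware", "Patches months behind, backups untested",
              Level.MEDIUM, Level.HIGH, ["Antivirus"], ["Monthly OS patching", "Offline tested backups"]),
         Risk(A["Billing laptop"], "Theft from satellite office", "Disk not encrypted",
              Level.MEDIUM, Level.HIGH, ["Cable lock"], ["Full-disk encryption"]),
         Risk(A["Front-desk workstation"], "Shoulder surfing by visitors", "Screen faces waiting room",
              Level.MEDIUM, Level.LOW, ["Auto-lock after 5 minutes"], ["Privacy screen filter"])]
```

`risk_register(RISKS)` returns the prioritized rows: the unencrypted tablet (9) leads, the two tied server and laptop risks (6) follow, and the reception workstation (2) is accepted and monitored. A row whose residual risk is still above ACCEPTABLE_RISK is the signal that the plan, not only the finding, needs revisiting before attestation. Encryption is modelled as an impact reduction rather than a likelihood reduction: an encrypted tablet is lost just as often, but the loss exposes no readable ePHI.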

HIPAA Security Rule and Meaningful Use
In order to qualify under the Centers for Medicare and Medicaid Services (CMS) EHR Incentive Program, providers have to show that they are meaningfully using their EHRs by meeting thresholds for a number of objectives. The EHR Incentive Programs are phased in three stages* with increasing requirements. Each stage includes the requirement to conduct a Security Risk Analysis in accordance with the HIPAA Security Rule.

Meaningful Use Stage 1
Stage 1 of the CMS EHR Incentive Program began in 2011. It sets the basic functionalities for EHRs. The requirements are focused on providers capturing patient data and sharing that data either with the patient or with other healthcare professionals.

Meaningful Use Stage 2
Stage 2 of the CMS EHR Incentive Program began in 2014. It uses advanced clinical processes. The requirements are focused on health information exchange between providers and promote patient engagement by giving patients secure online access to their health information.

Meaningful Use Stage 3
Stage 3 of the CMS EHR Incentive Program is scheduled to begin in 2016, but the rule has not been finalized (as of this 2015 webinar). Policy and Standards committees are developing recommendations to continue to expand Meaningful Use objectives to improve health care outcomes.

10 Myths of the Security Rule and Meaningful Use

Myth: The security risk analysis is optional for small providers.
Fact: False. All providers who are covered entities under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth: Installing a certified EHR fulfills the security risk analysis MU requirement.
Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth: My EHR vendor took care of everything I need to do about privacy and security.
Fact: False. EHR vendors are not responsible for making their products compliant with the HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth: I have to outsource the security risk analysis.
Fact: False. It is possible for small practices to do the risk analysis themselves. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge.

Myth: A checklist will suffice for the risk analysis requirement.
Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth: There is a specific risk analysis method that I must follow.
Fact: False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule.

Myth: My security risk analysis only needs to look at my EHR.
Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet, your mobile phone, etc.).

Myth: I only need to do a risk analysis once.
Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.
Fact: False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

Myth: Each year, I'll have to completely redo my security risk analysis.
Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.

Knowledge Check

How often should I complete my Security Risk Analysis?
A full security risk analysis should be performed when you adopt an EHR. Thereafter, you should update the prior analysis for changes in risks every year, or whenever changes to your practice or electronic systems occur. To comply with HIPAA, you must continue to review, correct, modify, and update security protections. Under the Meaningful Use programs, Eligible Professionals must conduct a security risk analysis prior to or during their EHR reporting period. A new review must be completed for each subsequent EHR reporting period. A security update is required if any security deficiencies were identified during the risk analysis.

Knowledge Check
My EHR vendor conducted a Security Risk Review. Is this sufficient to meet the Meaningful Use Core Measure?
Your EHR vendor may be able to provide assistance and training on the privacy and security aspects of the EHR. However, for Meaningful Use, it is your responsibility to complete a thorough security risk analysis and to implement a plan to mitigate any security risks. Be sure to review not only your EHR hardware and software, but all electronic devices that store, capture, or modify electronic Protected Health Information (PHI). In addition, while your mitigation plan could include updates to your EHR software, it should also include changes in workflow processes or storage methods, and any other corrective action necessary to eliminate the security deficiencies identified in the risk analysis.

Knowledge Check
My organization has multiple locations. Do we need to conduct a separate Security Risk Analysis for each location?
A thorough Security Risk Analysis should take into account all of the electronic devices that store, capture, or modify electronic Protected Health Information (PHI). Because this may vary by location, a generic, organization-wide SRA may be insufficient. Your SRA should take into account all the variables that may impact the security of PHI for each specific location.

Risk Analysis: SecurityConnect Demo
MeHI's instance of SecurityConnect can be found at the following link: https://securityconnect.bphitapps.com/mehi

MeHI Membership

Type of Service      # Providers   Pricing per Provider    Pricing per Practice
Remote MU Support    1 to 10       $699                    NA
Remote MU Support    11 to 49      $629 (10% discount)     NA
Remote MU Support    50+           $559 (20% discount)     NA
Premium Services     NA            NA                      $500

Type of Service                                                           MeHI Members   Non-members
Privacy and Security Workshop (includes access to SecurityConnect Tool)   Free           $499/Provider
SecurityConnect Tool                                                      Free           -

Join our Upcoming Workshop
The #1 reason providers are failing Meaningful Use audits is an inadequate Security Risk Analysis. Get on track with your Security Risk Assessment and attest to Meaningful Use with MeHI's support & solutions:
- Assess your practice's privacy and security status
- Develop remediation plans to resolve gaps
- Communicate resolution steps to the providers involved
- Track progress in addressing outstanding issues
- Demonstrate compliance

Privacy & Security Workshop
Wednesday, April 22, 2015
Cost: Free to MeHI Members; $499 for non-members

Q&A
Questions?

Contact Us
MeHI eHealth Services and Support
1-855-MASS-EHR
[email protected]
mehi.masstech.org

Thomas Bennett, Client Services Relationship Manager
(508) 870-0312 ext. 403
[email protected]
