HIPAA Demystified: Strategies to Bullet Proof Your Compliance Plan. Chris Apgar, CISSP Ron Moser, CISA, CRISC


2 Overview
The Culture of Compliance
First Steps: What are the risks?
Making a plan
Whatever You Do, Document!
Don't Forget to Test

3 Culture of Compliance
OCR "Culture of Compliance" road show: where enforcement and penalties begin
Investigations and audits will begin with the top 5 areas of compliance OCR focused on

4 Culture of Compliance
The top 5:
Risk analysis
Policies and procedures
Workforce training
Audit controls
Security incident response and breach notification

5 Culture of Compliance
OCR enforcement activities have added tasks to the list:
Mobile device management and encryption
Portable media encryption
Web security

6 First Steps: What are the risks?
Assess level of compliance and make a plan
Compliance plan or mitigation plan needs to focus on:
Privacy
Security
Breach notification
Enforcement

7 First Steps: What are the risks?
Covered entities: focus on the full HIPAA Privacy Rule, other federal privacy laws and state privacy laws
Business associates: focus on the use and disclosure provisions of the HIPAA Privacy Rule, other federal privacy laws and state privacy laws
Don't forget contractual obligations more stringent than HIPAA

8 First Steps: What are the risks?
Covered entities and business associates: focus on the full Security Rule and state breach notification laws
Again, don't forget contractual obligations (especially if you're a business associate)

9 First Steps: What are the risks?
After assessing regulatory and contractual requirements, look for gaps
Start with a high level assessment focusing on areas of high risk
Document, assign responsibility, assign resources and assign a completion date
Documentation represents due diligence

10 Making a Plan
Start with the basics: privacy high level risks
Individual privacy rights
Use and disclosure of PHI
Minimum necessary
Standard safeguards (securing that paper)

11 Making a Plan
Start with the basics: security high level risks
Risk analysis and risk management program
Policies and procedures
Workforce training
Audit program
Security incident response and breach notification

12 Making a Plan
Start with the basics: security high level risks (continued)
Secure mobile devices/BYOD
Document maintenance
Disaster recovery and business continuity planning
Social media

13 Making a Plan
Review Sample Compliance Planning Agenda
Review Compliance Planning Checklist

14 Whatever You Do, Document!
Compliance plans need to be documented:
Issue to be mitigated
Owner
Resources (staff and financial investment)
Time line for completion
It doesn't all need to be fixed today, but the plan needs to be reasonable

15 Whatever You Do, Document!
Keep the plan up to date: if time lines change, make sure it's documented
Store documentation centrally for operational purposes and compliance reasons:
Investigations
Audits
Civil actions

16 Whatever You Do, Document!
Document mitigation, and make sure to document activities such as audit log monitoring, security incident investigations, etc.
Retain documentation for only as long as legally required, unless there is a sound business reason to retain it longer

17 Don't Forget to Test
Plans usually don't work if they're not tested ahead of time:
Security incident response
Disaster recovery plan
Business continuity plan
Tests need to occur more than once: plan tests more than once a year and update as needed

18 Summary
If you have gaps, the time to start addressing them is now
Compliance is not a one time event
Your biggest risk is people: make sure your workforce is fully trained, and trained again
Make sure you can respond quickly if OCR calls

19 Resources
OCR privacy compliance for covered entities and business associates: tanding/coveredentities/index.html#top
OCR security compliance: strative/securityrule/securityruleguidance.html

20 Resources
OCR model Notice of Privacy Practices: notices.html
ONC risk assessment tool:

21 Question & Answer
Chris Apgar, CISSP
Ron Moser, CISA, CRISC