HIPAA Demystified: Strategies to Bullet Proof Your Compliance Plan
Chris Apgar, CISSP
Ron Moser, CISA, CRISC

Overview
- The Culture of Compliance
- First Steps: What are the risks?
- Making a plan
- Whatever You do, Document!
- Don't Forget to Test
Culture of Compliance
- OCR 2010-2011 "Culture of Compliance" road show: where enforcement and penalties begin
- Investigations and audits will begin with the top 5 areas of compliance OCR focused on

Culture of Compliance: The top 5
- Risk analysis
- Policies and procedures
- Workforce training
- Audit controls
- Security incident response and breach notification

Culture of Compliance
- OCR enforcement activities have added tasks to the list:
  - Mobile device management and encryption
  - Portable media encryption
  - Web security
First Steps: What are the risks?
- Assess level of compliance and make a plan
- Compliance plan or mitigation plan needs to focus on:
  - Privacy
  - Security
  - Breach notification
  - Enforcement

First Steps: What are the risks?
- Covered entities: focus on the full HIPAA Privacy Rule, other federal privacy laws and state privacy laws
- Business associates: focus on the use and disclosure provisions of the HIPAA Privacy Rule, other federal privacy laws and state privacy laws
- Don't forget contractual obligations more stringent than HIPAA

First Steps: What are the risks?
- Covered entities and business associates: focus on the full Security Rule and state breach notification laws
- Again, don't forget contractual obligations (especially if you're a business associate)

First Steps: What are the risks?
- After assessing regulatory and contractual requirements, look for gaps
- Start with a high level assessment focusing on areas of high risk
- Document, assign responsibility, assign resources and assign a completion date
- Documentation represents due diligence
Making a Plan: Start with the basics (privacy high level risks)
- Individual privacy rights
- Use and disclosure of PHI
- Minimum necessary
- Standard safeguards (securing that paper)

Making a Plan: Start with the basics (security high level risks)
- Risk analysis and risk management program
- Policies and procedures
- Workforce training
- Audit program
- Security incident response and breach notification

Making a Plan: Start with the basics (security high level risks, continued)
- Secure email
- Mobile devices/BYOD
- Document maintenance
- Disaster recovery and business continuity planning
- Social media

Making a Plan
- Review Sample Compliance Planning Agenda
- Review Compliance Planning Checklist
Whatever You do, Document!
- Compliance plans need to be documented:
  - Issue to be mitigated
  - Owner
  - Resources (staff and financial investment)
  - Time line for completion
- It doesn't all need to be fixed today, but the plan needs to be reasonable

Whatever You do, Document!
- Keep the plan up to date: if time lines change, make sure it's documented
- Store documentation centrally for operational purposes and compliance reasons:
  - Investigations
  - Audits
  - Civil actions

Whatever You do, Document!
- Document mitigation, and make sure to document activities such as audit log monitoring, security incident investigations, etc.
- Retain documentation for only as long as legally required, unless there is a sound business reason to retain it longer

Don't Forget to Test
- Plans usually don't work if they're not tested ahead of time:
  - Security incident response
  - Disaster recovery plan
  - Business continuity plan
- Tests need to occur more than once: plan tests more than once a year and update as needed
Summary
- If you have gaps, the time to start addressing them is now
- Compliance is not a one time event
- Your biggest risk is people: make sure your workforce is fully trained, and trained again
- Make sure you can respond quickly if OCR calls
Resources
- OCR privacy compliance for covered entities and business associates: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html#top
- OCR security compliance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

Resources
- OCR model Notice of Privacy Practices: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
- ONC risk assessment tool: http://www.healthit.gov/providersprofessionals/security-risk-assessment
Question & Answer
Chris Apgar, CISSP: capgar@apgarandassoc.com
Ron Moser, CISA, CRISC: Ron@Moserhaus.com