
Startel’s Contributions to Your HIPAA Compliance

Startel’s Contributions to Your HIPAA Compliance. Bill Lane and Margaret Lally. Agenda: Overview of HIPAA; Startel’s HIPAA/HITECH Assessment; Report Findings & Recommendations; HIPAA/HITECH Compliance Program Assessment Report.



Presentation Transcript


  1. Startel’s Contributions to Your HIPAA Compliance. Bill Lane and Margaret Lally

  2. Agenda • Overview of HIPAA • Startel’s HIPAA/HITECH Assessment • Report Findings & Recommendations • HIPAA/HITECH Compliance Program Assessment Report • HIPAA Security Rule - Technical Safeguards Application Assessment Report for ePHI Compliance • HIPAA Security Best Practices • Summary

  3. Overview of HIPAA

  4. HIPAA – What is it? • The Health Insurance Portability & Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information

  5. HIPAA – What is it? Continued • HHS published what are commonly known as the HIPAA Privacy Rule & HIPAA Security Rule • Help to protect the privacy of an individual’s health information • Allow covered entities to adopt new technologies to improve the quality and efficiency of patient care

  6. HIPAA Security rule • The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, is a national set of security standards for protecting certain health information that is held or transferred in electronic form (ePHI) • Addresses the administrative, physical & technical safeguards that covered entities must put in place to secure ePHI • Technical safeguards include access control, audit controls, integrity controls and transmission security • Each of these technical safeguards can be addressed with software solutions, like encryption technology

  7. Covered entity vs. business associate

  8. Covered entity vs. business associate • Business Associate (BA): A person or organization that performs a function on behalf of a CE. • Examples include: • Software Vendors (such as STARTEL) • Third-party Billing Companies • Claims Processors • Collections Agencies • Outsourced Contact Centers/Telephone answering services

  9. Business associate Requirements • Ensure the confidentiality, integrity and availability of all ePHI that is created, received, maintained or transmitted • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information • Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule • Ensure compliance by workforce

  10. Startel’s HIPAA/HITECH Assessment

  11. Overview • Auditing Firm: Hired Coalfire Systems • Annual, 3-year engagement • Objective: To perform an assessment of the controls in place to satisfy requirements of the HIPAA Security Rule, HITECH & Omnibus Rule • Assessment Period: September – December • Locations Assessed: Startel HQ & Colo (Latisys)

  12. Project activities 1. Performed an environment characterization to understand the uses/flows of ePHI throughout Startel 2. Reviewed policies/procedures to identify compliance gaps 3. Reviewed the controls in place to satisfy the IT security-related requirements of HIPAA, HITECH and Omnibus Rule 4. Performed control analysis and testing for the purpose of understanding the level of operating effectiveness 5. Provided detailed assessment results outlining Startel’s HIPAA compliance posture, as well as recommendations

  13. Startel’s activities • Performed a risk analysis • Implemented information system policies & procedures • Named a security official • Defined workforce clearance/termination procedures • Implemented user access rights • Performed (annual) training and periodic security updates • Protection from malicious software

  14. Startel’s activities Continued • Log-in monitoring and audit controls • Password management • Data back-up plan • Tested Startel applications in Coalfire Lab • Acquired secure shredding bins • Created breach notification procedures • Modified ATSI Sample BA agreements for users to sign

  15. Report Findings: HIPAA/HITECH Compliance Program Assessment Report

  16. Report key • Full compliance for a given requirement is based on two objectives: • Assess whether or not Startel has defined policies/procedures to meet the requirement • Determine if appropriate controls have been implemented • If requirements are not fully met, the compliance status is identified as “Partially Compliant” • Standards and implementation specifications that don’t apply to Startel are identified as “Not Applicable” (N/A)

  17. Startel’s HIPAA Compliance Scorecard

  18. Startel’s HIPAA Compliance Posture

  19. Administrative safeguards

  20. Administrative safeguards Cont.

  21. Physical safeguards

  22. Technical safeguards

  23. Organizational safeguards

  24. Policies, procedures & documentation requirements

  25. HITECH Act & Omnibus Rule – IT Security Provisions

  26. Recommendations WORKFORCE SECURITY: • Workforce Clearance Procedure (A) • Create procedures for obtaining appropriate sign-offs to grant or terminate access to ePHI • Modify Company policies to require that background checks be performed on all potential employees prior to hire

  27. Recommendations INFORMATION ACCESS MANAGEMENT: • Access Establishment and Modification (A) • Ensure that documented review is performed monthly of user access and privileges

  28. Recommendations SECURITY INCIDENT PROCEDURES: • Testing and Revision Procedure (A) • Review and test BCDR Plan on an annual basis • Document results and implement improvements

  29. Recommendations ACCESS CONTROL: • Encryption & Decryption (A) • Ensure that ePHI is encrypted at rest. This includes managed clients’ CMC databases but also Startel Appointment Scheduler and Startel Secure Messaging databases.

  30. Recommendations AUDIT CONTROLS: • Change Management (R) • Ensure that all changes to hardware and software in ePHI environment require formal Change Management policy and strategy for production systems

  31. Recommendations POLICIES, PROCEDURES AND DOCUMENTATION: • Updates (R) • Review Company’s IT policies and procedures annually • Document changes to environment and any potential risks

  32. Report Findings: HIPAA Security Rule – Technical Safeguards Application Assessment Report for ePHI Compliance

  33. Overview • Objectives: • To determine if the HIPAA Security Rule for ePHI applies to Startel’s Application Suite • To determine if Startel’s Application Suite is compliant with HIPAA’s Technical Safeguards via Lab Testing • Assessment Period: December 10-14, 2013 • Testing Access: Remote

  34. Project scope

  35. Project scope continued

  36. Project activities 1. Testing of Startel’s Application Suite in Coalfire’s lab environment including: a. Lab set-up and application implementation following vendor guidance b. Technical testing of the application in the lab environment c. Review of all relevant documentation d. Interview of vendor personnel 2. Completion of the HIPAA Security Rule – Technical Safeguards Assessment Report

  37. Summary results On January 3, 2014, Coalfire completed the full assessment testing process and found the Startel Application Suite to be fully compliant with all applicable requirements of HIPAA’s Technical Safeguards (Part 164.312)

  38. Key Features of Startel’s HIPAA-compliant application suite • Unique User Identification (R) • Emergency Access Procedures (R) • Automatic Log Off (A) • Encryption and Decryption (A) • Audit Controls (R) • Mechanism to Authenticate ePHI (A) • Person or Entity Authentication (R) • Integrity Controls (A) • Encryption of Transmitted ePHI (A)

  39. Recommendations • Unique User Identification (R) • Develop & maintain access control documentation of the applications access controls in relation to establishing unique user IDs • Emergency Access Procedure (R) • Application users should develop & maintain a BCDR plan; include how to restore application and access to ePHI data

  40. Recommendations • Automatic Log Off (A) • Develop & maintain access control documentation in relation to how the application enforces automatic log off of sessions • Change the automatic log-off period for inactivity from 30 minutes to 15 minutes

  41. Recommendations • Encryption/Decryption (A) • Develop & maintain encryption documentation which describes how the application implements requirements for encrypting/decrypting ePHI at rest • Encrypt ePHI stored by the application (data at rest) using strong encryption algorithms and key lengths

  42. Recommendations • Audit Controls (R) • Develop and maintain audit control documentation which describes how the application implements requirements for audit and logging of access to ePHI • Maintain a log of all activity in application

  43. Recommendations • Mechanism to Authenticate ePHI (A) • Develop & maintain documentation which describes how the application implements requirements to protect ePHI from improper alteration or destruction • Employ encryption technology/integrity-checking controls to detect a change to ePHI made outside the application
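One way to implement the integrity-checking control recommended on slide 43: each stored ePHI record carries a keyed HMAC tag computed by the application, so an edit made directly in the database (bypassing the application) no longer matches the tag and is detected on read. This is an added illustration, not Startel's or Coalfire's code; the key, record fields and sample data are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed demo key. In production the key comes from a key-management
# system or HSM and is never embedded in source code.
DEMO_KEY = b"constructed-demo-key-not-for-production"

TAG_FIELD = "integrity_tag"


def canonical_bytes(fields: dict) -> bytes:
    """Serialise the ePHI fields in a fixed order so the tag does not depend
    on dict ordering or whitespace (the same bytes must be produced on read)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 tag over all its fields.
    Including the patient/row identifier in the tagged fields binds the tag to
    that row, so a valid record cannot simply be copied onto another patient."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    sealed = dict(record)
    sealed[TAG_FIELD] = tag
    return sealed


def verify_record(sealed: dict, key: bytes = DEMO_KEY) -> bool:
    """Recompute the tag from the stored fields and compare in constant time.
    Returns False for a missing tag, a changed field, or a changed tag."""
    stored_tag = sealed.get(TAG_FIELD)
    if not isinstance(stored_tag, str):
        return False
    fields = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    expected = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(stored_tag, expected)


def demo() -> tuple:
    """Seal a constructed message record, then simulate an out-of-band edit."""
    record = {"patient_id": "P-0001", "message": "Call back re: lab results"}
    sealed = seal_record(record)
    intact = verify_record(sealed)            # True: untouched record passes
    tampered = dict(sealed)
    tampered["message"] = "Call back re: billing"  # edit made outside the app
    detected = not verify_record(tampered)    # True: modification is detected
    return intact, detected
```

A per-record tag does not by itself reveal deletion of a whole row or replacement with an older, validly tagged version; a monotonically increasing version field inside the tagged data, together with the audit log on slide 42, covers those cases.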

  44. Recommendations • Person or Entity Authentication (R) • Develop & maintain encryption documentation which describes how the application implements requirements for verifying access to ePHI is limited to the one claiming access • Authenticate each user or entity for each device they are permitted to use to access ePHI

  45. Recommendations • Integrity Controls (A) • Develop & maintain encryption documentation which describes how the application implements ePHI requirements for integrity of transmission of ePHI • Employ electronic mechanisms to ensure that ePHI transmitted across networks is not improperly modified without detection until disposed of

  46. Recommendations • Encryption of Transmitted ePHI (A) • Develop & maintain documentation which describes how the application implements ePHI requirements for encryption of transmitted ePHI • Encrypt ePHI using strong algorithms & key lengths (SSL/TLS) • Certificates should be signed by a Certificate Authority, not self-signed

  47. HIPAA Security Best Practices

  48. Safeguard your organization • Perform a risk assessment of your environment • Implement/update IT policies to include HIPAA • Name a security official • Ensure user IDs are unique; review user access rights • Monitor log-ins • Create/update workforce clearance and termination procedures to ensure they address HIPAA

  49. Safeguard your organization Cont. • Perform annual training and periodic security updates • Install protection from malicious software • Update passwords following HIPAA recommendations • Implement/update/test BCDR plan • Issue/Sign BA agreements with CE/BA/sub-contractors • Create breach notification procedures

  50. What you can do to protect PHI/ePHI • Lock computer workstation when not at desk • Lock up portable devices and documents that may contain sensitive information at the end of each work day • Don’t forward work emails with sensitive info to personal email accounts • Don’t upload sensitive info to unauthorized websites
