Startel’s Contributions to Your HIPAA Compliance
Bill Lane and Margaret Lally
Agenda
• Overview of HIPAA
• Startel’s HIPAA/HITECH Assessment
• Report Findings & Recommendations
• HIPAA/HITECH Compliance Program Assessment Report
• HIPAA Security Rule – Technical Safeguards Application Assessment Report for ePHI Compliance
• HIPAA Security Best Practices
• Summary

HIPAA – What is it?
• The Health Insurance Portability & Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information

HIPAA – What is it? Continued
• HHS published what are commonly known as the HIPAA Privacy Rule & HIPAA Security Rule
• These rules help to protect the privacy of an individual’s health information
• They allow covered entities to adopt new technologies to improve the quality and efficiency of patient care

HIPAA Security Rule
• The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, is a national set of security standards for protecting certain health information that is held or transferred in electronic form (ePHI)
• Addresses the administrative, physical & technical safeguards that covered entities must put in place to secure ePHI
• Technical safeguards include access control, audit controls, integrity controls and transmission security
• Each of these technical safeguards can be addressed with software solutions, like encryption technology

Covered Entity vs. Business Associate
• Business Associate (BA): A person or organization that performs a function on behalf of a Covered Entity (CE).
• Examples include:
  • Software Vendors (such as STARTEL)
  • Third-party Billing Companies
  • Claims Processors
  • Collections Agencies
  • Outsourced Contact Centers/Telephone Answering Services

Business Associate Requirements
• Ensure the confidentiality, integrity and availability of all ePHI that is created, received, maintained or transmitted
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule
• Ensure compliance by the workforce
Overview
• Auditing Firm: Hired Coalfire Systems
• Annual, 3-year engagement
• Objective: To perform an assessment of the controls in place to satisfy requirements of the HIPAA Security Rule, HITECH & Omnibus Rule
• Assessment Period: September – December
• Locations Assessed: Startel HQ & Colo (Latisys)

Project Activities
1. Performed an environment characterization to understand the uses/flows of ePHI throughout Startel
2. Reviewed policies/procedures to identify compliance gaps
3. Reviewed the controls in place to satisfy the IT security-related requirements of HIPAA, HITECH and the Omnibus Rule
4. Performed control analysis and testing for the purpose of understanding the level of operating effectiveness
5. Provided detailed assessment results outlining Startel’s HIPAA compliance posture, as well as recommendations

Startel’s Activities
• Performed a risk analysis
• Implemented information system policies & procedures
• Named a security official
• Defined workforce clearance/termination procedures
• Implemented user access rights
• Performed (annual) training and periodic security updates
• Implemented protection from malicious software

Startel’s Activities Continued
• Log-in monitoring and audit controls
• Password management
• Data back-up plan
• Tested Startel applications in the Coalfire Lab
• Acquired secure shredding bins
• Created breach notification procedures
• Modified ATSI sample BA agreements for users to sign
Report Findings: HIPAA/HITECH Compliance Program Assessment Report

Report Key
• Full compliance for a given requirement is based on two objectives:
  • Assess whether or not Startel has defined policies/procedures to meet the requirement
  • Determine if appropriate controls have been implemented
• If requirements are not fully met, the compliance status is identified as “Partially Compliant”
• Standards and implementation specifications that don’t apply to Startel are identified as “Not Applicable” (N/A)
Recommendations: Workforce Security
• Workforce Clearance Procedure (A)
  • Create procedures for obtaining appropriate sign-offs to grant or terminate access to ePHI
  • Modify company policies to require that background checks be performed on all potential employees prior to hire

Recommendations: Information Access Management
• Access Establishment and Modification (A)
  • Ensure that a documented review of user access and privileges is performed monthly

Recommendations: Security Incident Procedures
• Testing and Revision Procedure (A)
  • Review and test the BCDR plan on an annual basis
  • Document results and implement improvements

Recommendations: Access Control
• Encryption & Decryption (A)
  • Ensure that ePHI is encrypted at rest. This includes managed clients’ CMC databases but also the Startel Appointment Scheduler and Startel Secure Messaging databases.

Recommendations: Audit Controls
• Change Management (R)
  • Ensure that all changes to hardware and software in the ePHI environment go through a formal change management policy and strategy for production systems

Recommendations: Policies, Procedures and Documentation
• Updates (R)
  • Review the company’s IT policies and procedures annually
  • Document changes to the environment and any potential risks
Report Findings: HIPAA Security Rule – Technical Safeguards Application Assessment Report for ePHI Compliance

Overview
• Objectives:
  • To determine if the HIPAA Security Rule for ePHI applies to Startel’s Application Suite
  • To determine if Startel’s Application Suite is compliant with HIPAA’s Technical Safeguards via lab testing
• Assessment Period: December 10-14, 2013
• Testing Access: Remote

Project Activities
1. Testing of Startel’s Application Suite in Coalfire’s lab environment, including:
  a. Lab set-up and application implementation following vendor guidance
  b. Technical testing of the application in the lab environment
  c. Review of all relevant documentation
  d. Interview of vendor personnel
2. Completion of the HIPAA Security Rule – Technical Safeguards Assessment Report

Summary Results
On January 3, 2014, Coalfire completed the full assessment testing process and found the Startel Application Suite to be fully compliant with all applicable requirements of HIPAA’s Technical Safeguards (Part 164.312)

Key Features of Startel’s HIPAA-Compliant Application Suite
• Unique User Identification (R)
• Emergency Access Procedures (R)
• Automatic Log Off (A)
• Encryption and Decryption (A)
• Audit Controls (R)
• Mechanism to Authenticate ePHI (A)
• Person or Entity Authentication (R)
• Integrity Controls (A)
• Encryption of Transmitted ePHI (A)
Recommendations
• Unique User Identification (R)
  • Develop & maintain access control documentation of the application’s access controls in relation to establishing unique user IDs
• Emergency Access Procedure (R)
  • Application users should develop & maintain a BCDR plan, including how to restore the application and access to ePHI data

Recommendations
• Automatic Log Off (A)
  • Develop & maintain access control documentation in relation to how the application enforces automatic log-off of sessions
  • Change the log-off period of inactivity from 30 minutes to 15 minutes

Recommendations
• Encryption/Decryption (A)
  • Develop & maintain encryption documentation which describes how the application implements requirements for encrypting/decrypting ePHI at rest
  • Encrypt ePHI stored by the application (data at rest) using strong encryption algorithms and key lengths

Recommendations
• Audit Controls (R)
  • Develop and maintain audit control documentation which describes how the application implements requirements for audit and logging of access to ePHI
  • Maintain a log of all activity in the application
Recommendations
• Mechanism to Authenticate ePHI (A)
  • Develop & maintain documentation which describes how the application implements requirements to protect ePHI from improper alteration or destruction
  • Employ encryption technology/integrity-checking controls to detect a change to ePHI made outside the application
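One way to implement the integrity-checking control on this slide, as an added example that is not Startel’s code or the report’s: the application stores each ePHI record together with an HMAC-SHA256 tag, so a change made outside the application (for example directly in the database) no longer matches its tag and can be flagged for the audit log. The key, field names and sample rows are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; in production the key lives in a KMS/HSM and is
# never stored next to the data it protects.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so the tag does not depend on field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return the row the application writes: the ePHI fields plus an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "tag": tag}


def verify_record(row: dict, key: bytes = DEMO_KEY) -> bool:
    """True only if the stored fields still match their tag (constant-time comparison)."""
    expected = hmac.new(key, canonical_bytes(row["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, row.get("tag", ""))


def find_tampered(rows: list, key: bytes = DEMO_KEY) -> list:
    """Indices of rows whose ePHI no longer matches its tag, to be written to the audit log."""
    return [i for i, row in enumerate(rows) if not verify_record(row, key)]


def demo() -> list:
    # Constructed sample rows, written through the application.
    table = [
        seal_record({"patient_id": "P-0001", "allergy": "penicillin", "dob": "1970-01-01"}),
        seal_record({"patient_id": "P-0002", "allergy": "none", "dob": "1985-06-15"}),
    ]
    # Simulate an edit made outside the application (e.g. directly in the database):
    # the field changes but the tag is not recomputed, so verification fails.
    table[1]["data"]["allergy"] = "penicillin"
    return find_tampered(table)  # returns [1]


if __name__ == "__main__":
    print("tampered rows:", demo())
```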
Recommendations
• Person or Entity Authentication (R)
  • Develop & maintain encryption documentation which describes how the application implements requirements for verifying that access to ePHI is limited to the one claiming access
  • Authenticate each user or entity for each device they are permitted to use to access ePHI

Recommendations
• Integrity Controls (A)
  • Develop & maintain encryption documentation which describes how the application implements ePHI requirements for integrity of transmission of ePHI
  • Employ electronic mechanisms to ensure that ePHI transmitted across networks is not improperly modified without detection until disposed of

Recommendations
• Encryption of Transmitted ePHI (A)
  • Develop & maintain documentation which describes how the application implements ePHI requirements for encryption of transmitted ePHI
  • Encrypt ePHI using strong algorithms & key lengths (SSL/TLS)
  • Certificates should be signed by a Certificate Authority, not self-signed
Safeguard Your Organization
• Perform a risk assessment of your environment
• Implement/update IT policies to include HIPAA
• Name a security official
• Ensure user IDs are unique; review user access rights
• Monitor log-ins
• Create/update workforce clearance and termination procedures to ensure they address HIPAA

Safeguard Your Organization Cont.
• Perform annual training and periodic security updates
• Install protection from malicious software
• Update passwords following HIPAA recommendations
• Implement/update/test the BCDR plan
• Issue/sign BA agreements with CEs/BAs/sub-contractors
• Create breach notification procedures

What You Can Do to Protect PHI/ePHI
• Lock your computer workstation when not at your desk
• Lock up portable devices and documents that may contain sensitive information at the end of each work day
• Don’t forward work emails with sensitive info to personal email accounts
• Don’t upload sensitive info to unauthorized websites