How much HIPAA is enough? Session 2: What to Do - HIPAA-compliance with Datto
“We Untangle Healthcare Technology”
• Focus on physician practices, hospitals and Business Associates
• Regulatory Compliance experts on staff, HIT experts on staff
• Privacy and Security Analysis (Meaningful Use, HIPAA)
• EHR Consulting – emphasis on workflow efficiencies
Why do HIPAA at all?
• Because Datto feels it is critical for their channel partners to understand how the backup and restore process impacts HIPAA compliance.
• Because Datto feels it is critical for their channel partners to understand the relationship between Datto products and HIPAA requirements.
• Because you must be able to do 3 compliance-critical things, and this ability starts by learning what is in this session.
Enforcement Countdown: Business Associates must comply with the final rule by September 23, 2013. However, there is a special one-year transition period for implementing business associate agreements to comply with the final rule. What this does not say explicitly is that on September 23, 2014 enforcement and settlement agreements begin.
The 3 Compliance-critical things to do with Datto
1. The Datto solution must be HIPAA-Compliant
2. The Datto solution must be installed in a HIPAA-Compliant fashion
3. It must be installed by HIPAA-Compliant Datto Solution Providers
Compliance-critical thing #1: You Must Have a HIPAA-Compliant Solution. Datto Appliance (SIRIS or ALTO 2); crosswalk that maps Datto to the HIPAA Security Rule (HITECH?). Is the Datto Solution non-compliant with any of the following applicable Security Rule safeguards: Administrative, Physical, Technical?
Drilldown – HIPAA-Compliant Solutions HIPAA Security Rule, ePHI, Safeguards and Controls that you implement when you install Datto products
A HIPAA-Compliant solution: do a safeguard review. Ask this for every client, for each safeguard: Does the presence of the Datto Solution cause non-compliance with this safeguard?
Compliance-critical thing #2: It Must Be Installed in a HIPAA-Compliant Fashion. HIPAA Security Rule, ePHI, safeguards and controls that you implement when you install Datto products.
Drilldown – Installed in HIPAA-Compliant Fashion: Datto Appliance (SIRIS or ALTO 2); map to HIPAA citations: Administrative, Physical, Technical.
A HIPAA-Compliant Installation: do a safeguard review. Ask this for every client, for each safeguard: Does the usage of the Datto Solution cause non-compliance with these safeguards?
Compliance-critical thing #3: It Must Be Installed By HIPAA-Compliant Solution Providers. We are all BAs, whether we like it or not, as it pertains to implementing, managing and supporting Datto solutions in environments where ePHI is maintained or stored.
Drilldown – By HIPAA-Compliant Solution Providers: We are all BAs, whether we like it or not, as it pertains to implementing, managing and supporting Datto solutions in environments where ePHI is maintained or stored. BA Assurance Evergreen Program.
A HIPAA-Compliant Business Associate: do a safeguard review. Can you give assurances to every client about how your company meets every single one of these compliance safeguards?
How can you give assurances? The Security Rule defines 18 Standards (the safeguards to implement), and those 18 Standards have 36 Specifications.
Administrative example: Column 1 shows the standards (9); Column 2 shows the Security Rule citation; Column 3 shows the specifications for implementing the standards (21 specifications for 9 standards).
Physical example: Column 1 shows the standards (4); Column 2 shows the Security Rule citation; Column 3 shows the specifications for implementing the standards (8 specifications for 4 standards).
Technical example: Column 1 shows the standards (5); Column 2 shows the Security Rule citation; Column 3 shows the specifications for implementing the standards (7 specifications for 5 standards).
Wrap up: Doing the 3 Compliance-critical things with Datto
1. Profile of a HIPAA-Compliant Datto solution
2. Repeatable process for installing Datto solutions in a HIPAA-Compliant fashion
3. According to a compliance management system adopted by a HIPAA-Compliant Datto Solution Provider
Datto meets HIPAA key takeaways: Start now – CEs have been subject to the HIPAA Omnibus Rule since September 2013. BAs become subject to enforcement under the same rule on September 23, 2014.
Datto meets HIPAA key takeaways: Secure backups and restores are both required -- Covered Entities and Business Associates must back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii)(A)) and be able “to restore any loss of data” (CFR 164.308(7)(ii)(B)).
Datto meets HIPAA key takeaways: Security requirements are in effect during emergencies -- compliance requires the “protection of the security of electronic protected health information while operating in emergency mode” (CFR 164.308(7)(ii)(C)).
Datto meets HIPAA key takeaways: A backup policy is not a procedure, a backup procedure is not a backup plan, and a backup plan is not a contingency plan (nor is it a disaster recovery plan). Policies, procedures and plans (CFR 164.312(b)(1)) are not interchangeable forms of documentation (CFR 164.312(b)(2)(i)), and documentation is a huge part of HIPAA. “Ask me about our HIPAA Book of Evidence Tool.”
How to use this slide deck as a workbook
Step 1: Review CE/BA client solution stacks by following slides 9-12
Step 2: Review completed CE/BA client implementations by following slides 15-18
Step 3: Create a repeatable CE/BA new-client implementation procedure from slides 15-18
Step 4: Do a self-assessment by following slides 21-24
Step 5: Provide assurances to each CE/BA client by describing how you implement the standards according to the specifications on slides 26-28 (email me for a PDF of the safeguards in these slides)
Ask Me About these Webinars / Ask Me About HIPAA Evergreen for BAs. Chris Johnson is CEO and founder of Untangled Solutions; his motto, “We untangle healthcare technology”, has catapulted his company onto the go-to short list for healthcare providers across the United States. With more than fifteen years of experience in IT services and web development, he specializes in helping medical practices make strategic HIT decisions that improve how providers safely treat their patients, productively run their practice and profitably manage their business. A thought leader in his industry with a desire to “give back”, Chris is the current Vice Chair for CompTIA’s IT Security Community, an active CompTIA Ambassador and the former chairperson of the Healthcare IT Community. Email chris@untangledsolutions.com, Phone (909) 563-8578 x2101
Ask Me About these Webinars / Ask Me About HIPAA Evergreen for BAs. Upcoming events: HIPAA Resources http://Dattobackup.com/hipaa; User Conference ww.Dattopartnerconference.com/. Email chris@untangledsolutions.com, Phone (909) 563-8578 x2101