
MU and HIPAA Compliance 101




Presentation Transcript


  1. MU and HIPAA Compliance 101 Robert Morris VP Business Services Ion IT Group, Inc www.IonITGroup.com

  2. Agenda: What does it all mean and why is security important? InfoSec Meaningful Use Compliance How You Can Help Keep Your Network Secure

  3. Sometimes we have to do things even when we don’t want to… Odie 12/15/2011

  4. HIPAA Components (est. 1996)
  • Title I: Portability
  • Title II: Admin Simplification
    • EDI: Transactions, Code Sets, Identifiers
    • Privacy (since 4/03): Use/Disclosure of PHI, Individual Rights, Administrative Requirements
    • Security (compliant since 4/05): Admin Procedures, Physical Safeguards, Technical Safeguards, Organizational Requirements
  • Title III: Med Savings Account
  • Title IV: Group Health Plan Provisions
  • Title V: Revenue Offset Provision

  5. HIPAA Components (est. 1996)
  • Title I: Portability
  • Title II: Admin Simplification
    • EDI: Transactions, Code Sets, Identifiers
    • Privacy (compliant since 4/03): Use/Disclosure of PHI, Individual Rights, Administrative Requirements
    • Security (compliant since 4/05): Admin Procedures, Physical Safeguards, Technical Security Service, Technical Security Mechanisms
  • Title III: Med Savings Account
  • Title IV: Group Health Plan Provisions
  • Title V: Revenue Offset Provision

  6. Why Should We Care about Network Security?
  • Potential for downtime and impact on patient care
  • It’s both a State and Federal law
  • The dreaded blank check scenario
  • Possible fines for security breaches
  • HIPAA requires we implement security measures to protect PHI on paper and electronically!
  • Damage to reputation for security breaches (newspaper headlines)

  7. Headlines
  • July 07, 2010
  • Conn. AG, Health Net Reach Settlement Over Medical Data Breach
  • On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports.
  • The hard drive contained medical and financial information on about 500,000 members from the state.
  • (Solsman, Dow Jones/Wall Street Journal, 7/6).

  8. Headlines June 2, 2010 “Many of the major healthcare information breaches reported since last September, when the HITECH Breach Notification Rule took effect, have involved the theft or loss of unencrypted laptops and other portable devices.” Terrell Herzig is HIPAA security officer at UAB Health System in Birmingham, Ala.

  9. Agenda: What does it all mean and why is security important? InfoSec Meaningful Use Compliance How You Can Help Keep the Network Secure

  10. Meaningful Use Core Set verbiage says… Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

  11. Aaaannd that means what??…
  • 164.308 - Administrative Safeguards
  • You must have a Security Management Process: implement policies and procedures to prevent, detect, contain and correct security violations.
  • Risk Analysis: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the covered entity.
  • Risk Management: implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
  • Sanction Policy: apply appropriate sanctions against workforce members who fail to comply with the security policies of the covered entity.
  • Information System Activity Review: implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • PS. Breach notification was effective 9/2009. Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification.

  12. How You Can Help Your Organization Keep the Network Secure

  13. User Access Control and Password Guidance
  Unique User ID
  • All system access with your ID is YOUR responsibility.
  Password Guidelines
  • Passwords must be a combination of upper and lower case letters, numbers and special characters.
  Automatic Logoff
  • Your EHR session should terminate after 15 minutes of inactivity.
  • Always save your work before leaving your workstation!
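One way to turn slide 11's "Information System Activity Review" into a routine check, as an added example that is not part of the original presentation: a small Python script that reviews EHR audit-log lines against two controls from slide 13, the 15-minute automatic logoff and the unique-user-ID rule. The log format, the account names and the timestamps are all constructed for the example, and the list of shared account names is an assumption.

```python
from datetime import datetime, timedelta

# Automatic-logoff threshold from the deck: sessions end after 15 minutes of inactivity.
IDLE_LIMIT = timedelta(minutes=15)
# Assumed shared/generic account names to flag; the deck requires unique user IDs.
GENERIC_IDS = {"admin", "nurse", "frontdesk"}

# Constructed sample audit log (not real data): "timestamp,user,event,patient_id".
SAMPLE_LOG = """\
2011-12-15 08:02:10,rmorris,login,-
2011-12-15 08:05:41,rmorris,view,P1001
2011-12-15 08:40:12,rmorris,view,P1002
2011-12-15 08:41:00,rmorris,logout,-
2011-12-15 09:10:00,nurse,login,-
2011-12-15 09:12:30,nurse,view,P1003
2011-12-15 09:20:00,nurse,logout,-
"""

def parse(log_text):
    """Split CSV-style audit lines into (timestamp, user, event, patient) tuples."""
    rows = []
    for line in log_text.splitlines():
        ts, user, event, patient = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, patient))
    return rows

def review(log_text):
    """Return findings as (user, issue, detail) tuples for the security officer."""
    findings = []
    last_seen = {}  # user -> timestamp of the latest event in that user's open session
    for ts, user, event, patient in parse(log_text):
        if event == "login" and user in GENERIC_IDS:
            findings.append((user, "shared account", f"login at {ts}"))
        prev = last_seen.get(user)
        # Activity after more than IDLE_LIMIT of silence means the session was still
        # open when automatic logoff should already have terminated it.
        if event != "login" and prev is not None and ts - prev > IDLE_LIMIT:
            findings.append((user, "auto-logoff not enforced", f"{ts - prev} idle before {event}"))
        if event == "logout":
            last_seen.pop(user, None)
        else:
            last_seen[user] = ts
    return findings

if __name__ == "__main__":
    for user, issue, detail in review(SAMPLE_LOG):
        print(f"{user:10} {issue:26} {detail}")
```

Run against the constructed log it reports one session that stayed open through a 34-minute gap and one login on a shared account; real audit exports would only need a different `parse`.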

  14. Accounting for Disclosures
  • Always indicate why treatment, payment, or authorization information is being disclosed.
  • Minimum Necessary Rule: “…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.”

  15. Tasks for the IT Dept
  • Role-Based Access: Manage who gets access to what.
  • Firewall Review: Make sure that communication with the outside world is secure.
  • Wireless Security: Manage who gets WiFi access.
  • Antivirus: Manage software to keep viruses and malware at bay.
  • Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems.

  16. Tasks for the IT Dept
  • Backup: Keep a backup of all data, just in case!
  • Backup Encryption: Make backup data unreadable to snoopers.
  • Recovery: Have a plan in case disaster strikes!

  17. Summary Protecting data is everyone’s responsibility. Understand HIPAA. Hold each other accountable.

  18. Thank you for your time today! Robert Morris RMorris@IonITGroup.com 615.351.4796 www.IonITGroup.com
