Avior Healthcare Security Compliance Webcast Final1

Webcast: Complying with HIPAA Privacy and Security Standards

Description: Slides from Avior HIPAA compliance webcast

Transcript of Avior Healthcare Security Compliance Webcast Final1

Page 1: Avior Healthcare Security Compliance Webcast Final1

Webcast: Complying with HIPAA Privacy and Security Standards

Page 2

Agenda:

• Healthcare IT Trends - Jim Hietala, Compliance Research Group

• Recovery Act of 2009 and HITECH Act: Security and Compliance Implications - Karl Muenzinger, Janus Associates

• Overview of Avior Computing Solutions - Bruce Beck, VP Business Development, Avior

• Demonstration: Converged privacy/security assessments for healthcare organizations - Jeri Teller-Kanzler, President, Risk-Mapp

• Q&A

Page 3

Trends in IT and Healthcare

Government:
• Electronic Health Record adoption push
• Health Information Networks (HIEs, RHINs, NHIN)

IT Access and Network Changes:
• Growth in wireless network adoption, mobility
• Guest network access
• Intermixing of IT and clinical devices in healthcare networks

Page 4

2009 Stimulus Bill Brings New HIPAA Requirements

The Health Information Technology for Economic and Clinical Health (HITECH) Act
• Included in the American Recovery and Reinvestment Act of 2009 (ARRA)

Data Breach Protections
• Prevent data breaches of Protected Health Records (PHR)
• Increase penalties

August 2009: Guidance from HHS and FTC
• HHS Office for Civil Rights takes over HIPAA enforcement
• Interim final rule for Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164)
• The Federal Trade Commission Health Breach Notification Rule (16 CFR Part 318) and Notice of Breach of Health Information (procedure)

Page 5

The Impact on HIPAA Compliance

An increase in SCOPE:
- More organizations are subject to HIPAA

An increase in DEPTH:
- HIPAA compliance programs require greater due diligence

An increase in ENFORCEMENT:
- More government oversight, higher penalties

PENALTIES FOR HIPAA VIOLATIONS

                         Prior penalties    ARRA / HITECH
Amount per violation     $100               $100 - $50,000
Maximum per year         $25,000            $1,500,000

Page 6

Data Breach
"the unauthorized acquisition, access, use or disclosure of PHI"

Data Breach Notification Law: Protect PHI
- Encryption during transmission
- Encryption during storage
- Secure disposal of PHI on paper, film, or disk
- PHI encrypted or destroyed in the manner specified by the HHS guidance counts as "secured"; it is a breach of unsecured PHI that triggers the notification duties below.

Public Notification of Data Breaches starting in September 2009
- Covered Entities and Business Associates will be required to notify the public
- HHS will post a public list of major data breaches: increase in reputational risk
- The FTC must be notified, for organizations not otherwise covered by HIPAA

Page 7

The Increased Oversight of Business Associates

Business Associates must comply with HIPAA Privacy and Security rules (sec 13401(a))
- Civil and criminal penalties (sec 13401)
- Data Transmission Service Providers are included (sec 13408)

Covered Entities are accountable for their Business Associates
- Data Breach Notification rules for Covered Entities include data breaches of their Business Associates (sec 13402)
- Business Associate Agreements must be revised by February 17, 2010
- Best practice: require Business Associates to agree to independent inspection of security controls

Page 8

Compliance and Risk Assessments of Business Associates

Locate and document all PHI sent to third parties

Assign the controls required for each Business Associate
• Specify all data-handling requirements in Business Associate Agreements

Collect evidence of controls for each Business Associate

Assess the evidence, identify risks, take action

Page 9

Strategies for Covered Entities and Business Associates

Covered Entities:
• Use a tiered approach: categorize your Business Associates
  - based on the PHI being handled, and other risk factors
• Tailor the assessment methodology for each tier
  - Efficiently expend resources on the tiers of highest risk
• Use risk assessments to reduce Business Associate risks
  - Leverage the results during negotiations for future outsourced services

Business Associates:
• Establish a HIPAA Compliance Program:
  - Conduct a HIPAA Risk Assessment and Gap Analysis
• Coordinate with the compliance teams of your customers
  - Align your policies and procedures proactively

Both: Your customers will be asking more about your security
• Honesty builds trust; trust leads to investment

Page 10

About JANUS Associates:

Focused on Information Security and Business Continuity consulting for two decades
• Stamford, Albany, Boston, Baltimore, Silver Spring MD
• Privately held, independent, woman-owned business

Consulting Services:
• Information Security & Privacy
• Business Continuity/Pandemic/DR Planning
• Regulatory Compliance, including PCI
• Security Awareness Training
• Breach Response and Computer Forensics
• Electronic Discovery

Avior business partner

www.JANUSassociates.com 203-251-0200

Page 11

Bruce Beck, VP Business Development

Compliance… Know it Now!

www.aviorcomputing.com

Page 12

Risk & Compliance Process

(Process cycle diagram) Scope → Risk Assessment → Distribute Assessment Questionnaires → Manage Collection Process → Review and Remediation → Reporting and Analysis, spanning People, Process and Technology

Page 13

Risk & Compliance Chaos

Page 14

Adding to the Challenge

Many overlapping compliance requirements

Fragmented compliance projects spread over many regulations, business units & third party providers… silos

"70% of organizations are treating each compliance regulation as a silo; inefficient, expensive, can't leverage common controls and assessments, annoying to business owners and vendors"
- Compliance Marketing Group

Page 15

Survey Fatigue

"Assessment is the cornerstone of any GRC methodology; you have to know where you are with risk to know where you need to go. Avior provides a platform to make this process easy, repeatable and sustainable across your entire enterprise."
- Steve Katz, Fmr. CISO, Citigroup and JP Morgan

Overlapping regulations & standards create "survey fatigue" for business owners and suppliers

Page 16

Bring Order to Chaos

Optimize Control Framework
• Pre-configured, dynamic mapping of regulations, standards, frameworks and policies
• Mappings & content are kept current for you by Avior
• Advanced scoring and weighting rubric
• Assess once, comply many times, to many things

Page 17

Avior's Solution

Dynamic Assessment & Remediation | Executive Dashboards | Reporting | Repurposing

• Visibility, Reporting & Analysis
• Managing Assessment and Remediation Process
• Creating, Weighting & Scoring Assessments

Assessment Designer | Associator - Avior ClearView

Page 18

Map & Associate

• Subscription based offering
• Updated quarterly
• Custom configured authoritative sources
• Easily integrate your policies and corporate objectives

Page 19

Enhanced Assessment Experience

• Easy to use assessment editor
• Incorporate notes and attachments
• Weight the response to questions
• User friendly workflow
• Intuitive responder interface

Page 20

Remediation

• Classifying & tracking the remediation process
• Full reporting capabilities
• Allocate remediation resources

Page 21

Visibility - Reporting & Dashboards

• Executive level user interface
• Dynamic data rendering
• Standard suite of reports
• Role based reporting
• PDF, Excel & graphical

Page 22

Avior automated risk & compliance workflow

(Lifecycle diagram, stage by stage)

Scope
• Develop assessments • Set frequency • Determine scoring
Prebuilt assessment library; dynamic mapping

Risk Assessment
• Determine business owners
Risk process lifecycle support; linked to remediation management

Distribute Assessment Questionnaires
• Manage distribution • Manage reminders • Escalate as necessary
Workflow management

Manage Collection Process
• Ensure completion • Review for completeness
Forced evidence collection

Review and Remediation
• Determine risks to remediate • Manage remediation workflow

Reporting and Analysis
• Score results • Determine key risks • Report to management
Automated review, scoring, and reporting; response weighting

Page 23

Achieve Better Results

• Significant reduction in governance, risk and compliance costs
• Improve control of risk management and compliance
• Increase executive visibility of enterprise risks
• Organize compliance with a repeatable and sustainable process

= Improved management

Page 24

Risk & Compliance - Know it Now!

Page 25

Jeri Teller-Kanzler, President of Risk-Mapp

Demonstration of ClearView and BenchMark
• Healthcare assessment addressing HIPAA and new healthcare guidance
• Mapping of HIPAA, NIST 800-66, and other standards and regulations

Page 26

Questions & Answers

For Additional Information:

Avior Computing
• Bruce Beck
  [email protected], 603-964-8040

Janus Associates
• James Adams
  [email protected], 203-251-0200