Privacy and Information Security ppt - HCCA's Official Site


9/9/2014

1

HCCA Boston Conference

Managing HIPAA Compliance

September 12, 2014

Private and Confidential

PwC

Current State Update

Threats, Breaches and Enforcement Actions

(oh my!)


Why are we discussing?

o $50 billion estimated annual losses to business from data and identity theft

o Audits of security / privacy requirements are coming; in fact, they are already here

o In 2013, the average cost per one lost or stolen record was $188; the average cost of data breaches for healthcare organizations over the past two years was approximately $2 million [1].

o Ninety percent of healthcare organizations have had at least one data breach in the past two years [1].

o 669 large breaches of over 500 affected individuals were reported to HHS over the past 3 years [2].

o 41% of healthcare data breaches are due to business associates/3rd parties [1].

Breaches and non-compliance can lead to significant impacts: brand, reputation, fines, lost revenue and/or regulatory sanctions

Companies often face direct financial impacts: investigations, legal fees, credit monitoring services for victims, reissuance of credit cards, government fines, and regulatory sanctions

[1] Source: Ponemon Institute Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014
[2] Source: U.S. Department of Health & Human Services, HHS.gov, March 2014


Causes of large* breaches (by # of breaches), January 2013 – March 2014

Theft: 47%
Unauthorized Access/Disclosure: 16%
Other/Unknown: 15%
Loss: 11%
Hacking/IT Incident: 6%
Improper Disposal: 5%

* Breaches involving 500 records or greater

Source of large* breach (by # of breaches), January 2013 – March 2014

Laptop: 29%
Paper: 20%
Other: 19%
Desktop Computer: 14%
Email: 10%
Network Server: 6%
Electronic Medical Record: 2%

* Breaches involving 500 records or greater

2013 Enforcement Spotlight

Continued Activity Around Security Rule Compliance

Affinity Health Plan – over $1.2 million
- ePHI left on photocopier drives

Wellpoint – $1.7 million
- Faulty testing of programming updates left information accessible on web portal

Idaho State University – $400,000
- Disabled firewall exposed ePHI to breach

Adult & Pediatric Dermatology – $150,000
- Stolen unencrypted thumb drive; lacked risk analysis, and policies/procedures for breach notification

Privacy Was Also a Focus

Shasta Regional Medical Center – $275,000
- Patient medical records shared with media


Enforcement Action Lessons Learned

• Covered entities and their business associates must undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.

• Take caution when implementing changes to information systems, especially when those changes involve updates to Web‐based applications or portals that are used to provide access to consumers’ health data using the Internet.

• Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy, security and breach notification requirements to ensure patients’ rights, as well as the confidentiality of their health data, are fully protected.

Enforcement Action Lessons Learned (cont.)

• Evaluate the risk to ePHI when at rest on removable media, mobile devices and computer hard drives (and printers!)

• Take reasonable & appropriate measures to safeguard ePHI

- Store ePHI on a network versus on laptops, desktops or mobile devices

- Encrypt data on portable/movable devices & media

- Employ a remote device wipe solution to remove data when device is lost or stolen

- Train workforce members on how to effectively safeguard data and timely report security incidents

• Choose and implement an appropriate control framework to ensure compliance

Developments with the Final Rule Changes

• Business Associates - Now directly liable for compliance with requirements of HIPAA Privacy and Security Rules.

◦ Business Associate Agreements (BAAs) must be updated by September 22, 2014

• Increased Civil Penalties - HIPAA Enforcement Rule changes increase and tier civil money penalties provided under HITECH.

• HITECH established tiers of increasing penalty amounts, based on levels of culpability.

• NOW, Categories include:

Violation (Sect. 11769(a)(1)) | Penalty for each violation | Cap per calendar year
a) Did not know | $100 - $50,000 | $1.5 million
b) Reasonable Cause | $1,000 - $50,000 | $1.5 million
c) (i) Willful Neglect - corrected | $10,000 - $50,000 | $1.5 million
d) (ii) Willful Neglect - not corrected | $50,000 - $1.5 million | $1.5 million


Looking Forward to 2015 and Beyond

Preparing for the Next Phases of OCR Audits


OCR Audit Program – Phase 1 and 2

• Given the large number of breaches of Protected Health Information (PHI) and the requirements for auditing within the HIPAA/HITECH legislation, the U.S. Department of Health & Human Services’ Office of Civil Rights (OCR) has increased its focus on conducting audits and investigations of Healthcare organizations.

• The OCR piloted its first Phase of audits in 2012 and used the information gained from that first phase to enhance the focus areas for Phase 2, which will include audits of 350 organizations in 2014.

• The following slides offer a recap of key data from Phase 1 findings as well as a preview of the upcoming Phase 2 program.

OCR Audit: Phase 1 – Audit Protocol consisted of 11 Modules

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)


OCR Audit: Phase 1 – Privacy: Percentage of Findings by Areas of Focus

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)


OCR Audit: Phase 1 – Security: Percentage of Findings by Area of Focus

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)


OCR Audit Phase 1: Cause Analysis – Top Elements

Privacy

• Notice of Privacy Practices

• Access of Individuals

• Minimum Necessary

• Authorizations

Security

• Risk Analysis

• Media Movement and Disposal

• Audit Controls Monitoring

• Access Control

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)

OCR Audit: Phase 2 Set to Begin

• Federal auditors this summer are set to expand the number of privacy and security audits that were previously part of a HIPAA pilot program that wrapped up last year.

• The OCR plans to audit hundreds of providers, insurers and data warehouses, including business associates, to ensure they comply with new risk assessment and notification requirements.

• While the first phase focused primarily on the implementation of security and privacy protocols, the second phase focuses on enforcement of those measures.

• The OCR will conduct “desk audits” rather than on-site ones.

• The audits will also focus on regulatory provisions that were the source of a high number of compliance failures during the pilot program, such as:

- the lack of a complete and accurate risk assessment

- access to protected health information

- authorizations for the disclosure of protected health information

- privacy notices and breach notification protocols.


OCR Audit: Phase 2 – Timing

Period | Activity
Spring 2014 | Covered Entity Address Verification
Summer 2014 | Pre-audit Surveys Sent to Covered Entity Pool
Fall 2014 | Notification and Data Request Letters Sent to Selected Entities
Two Weeks | Period for Entity Response
October 2014 – June 2015 | Covered Entity Audit Reviews
2015 | Business Associates

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)

OCR Phase 2: Who Can Be Audited?

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)

OCR Audit: Phase 2 – Pre-Audit Survey

• OCR entity databases lack data for entity stratification

• Survey currently going through the Paperwork Reduction Act clearance process

• Questions address size, location, service types, contacts

• OCR will conduct address verification with entities this Spring

• Entities will receive link to on-line screening pre-survey this summer

• OCR expects to reach out to 550 - 800 entities

• OCR will use results of survey to select a projected 350 covered entities to audit

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)

OCR Audit Phase 2: Approach

• Wide range (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories)

• Primarily internally staffed by OCR auditors

• Selected entities will receive notification and data requests in Fall 2014

• Entities will be asked to identify their business associates and provide their current contact information

• OCR will select business associate audit subjects for 2015 first wave from among the BAs identified by covered entities

• Comprehensive on site audits will be performed as resources allow

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)

OCR Audit Phase 2: Desk Audit Expectations

• Data requests will specify content & file organization, file names, and any other document submission requirements.

• Only requested data submitted on time will be assessed.

• All documentation must be current as of the date of the request.

• Auditors will not have opportunity to contact the entity for clarifications or to ask for additional information, so it is critical that the documents accurately reflect the program.

• Submitting extraneous information may increase difficulty for auditor to find and assess the required items.

• Failure to submit response to requests may lead to referral for more detailed compliance review.

The information above is from the US Department of Health & Human Services Presentation: OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 (Linda Sanches, March 2014)

OCR Audit Phase 2: Audit Focus (2014 – 2016)

• Covered Entities

– Security: Risk Analysis and Risk Management

– Breach: Content and Timeliness of Notifications

• Round 1 - Business Associates

– Security: Risk Analysis and Risk Management

– Breach: Breach Reporting to CE

• Round 2 - Covered Entities

– Security: Device and Media Controls, Transmission Security

– Privacy: Safeguards, Training to Policies and Procedures

• (Projected)

– Security: Encryption and Decryption, Facility Access Control (Physical)

– Other Areas of High Risk as Identified by 2014 Audits, Breach Reports and Complaints

Preparing for an Audit


1. Regular and thorough risk assessments

2. Refresh Policies and Procedures (and ensure process = policy)

3. Refresh and give training where needed

4. Conduct a self assessment of policy compliance

5. Conduct a risk assessment and execute risk management strategy (document decisions on risks and controls) – including vendors, BAAs, and the ‘cloud’

6. Document controls, gaps, and action plans to remediate basic HIPAA violations / inconsistencies

7. Conduct a pre-audit against HIPAA***


Advice from the OCR

Key #1: It’s always better to be telling OCR what your issues are rather than being told by OCR what they are.

Key #2: Maintain an “Audit Ready Culture and Program”


PwC’s View on 5 Key Steps to Readiness


#1. Develop HIPAA Control Framework (i.e., Based on OCR Protocol)

#2. Inventory Systems and Data Flow/Storage

#3. Conduct HIPAA Privacy/Security Risk Assessment(s)

#4. Implement Controls based on deltas

#5. Ongoing Monitoring and Control


Comparison of Third Party Reporting Options

Financial Reporting
- Relevant reporting standard: AT801 (aka SOC1, aka SSAE 16)
- What it reports on: Internal Controls over Financial Reporting – must relate to processing of financial information (e.g., revenue & receivables)
- Who uses it: Limited distribution – parties knowledgeable of the service org
- Resulting report: Attest Opinion with description of systems and auditor tests/results
- Report issued by: Independent CPAs

Trust Services Principles & Criteria – SOC2
- Relevant reporting standard: AT101 – SOC2
- What it reports on: Security, availability, processing integrity, confidentiality, and/or privacy controls
- Who uses it: Limited distribution – parties knowledgeable of the service org
- Resulting report: Attest Opinion with description of systems and auditor tests/results
- Report issued by: Independent CPAs

Trust Services Principles & Criteria – SOC3
- Relevant reporting standard: AT101 – SOC3
- What it reports on: Security, availability, processing integrity, confidentiality, and/or privacy controls
- Who uses it: Widely available – general public
- Resulting report: Branded Report (e.g. SysTrust or WebTrust certificate)
- Report issued by: Independent CPAs

NIST / HIPAA
- Relevant reporting standard: AT101 – Custom
- What it reports on: NIST’s Resource Guide for Implementing the Health Insurance Portability and Accountability Act - HIPAA Security Rule
- Who uses it: Depends on nature of report and criteria reporting against
- Resulting report: Attest Opinion with reference to relevant criteria (can include tests/results)
- Report issued by: Independent CPAs

HITRUST
- Relevant reporting standard: Proprietary – CSF Assurance Program
- What it reports on: Common Security Framework (CSF), a certifiable overarching framework incorporating security requirements at federal (HIPAA/HITECH), state, 3rd party (PCI, COBIT), and other (NIST, FTC, CMS) levels
- Who uses it: Limited distribution – specified parties
- Resulting report: Certificate, with background, mgmt rep, scope, test results, et al.
- Report issued by: HITRUST, based on approval by CSF Assessor (incl PwC)

Presenter

Michael Parisi – Hartford, CT

Tel: (860) 241-7194

Email: [email protected]


Questions


This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United States) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Privacy and Information Security: Be OCR Ready

Mass. Eye and Ear Case Study

Heather Fowles, CISSP, CISA

Director of Information Security and ISO

Mass. Eye and Ear

HCCA Boston Regional Conference

September 12, 2014

A Little Background and History…


Massachusetts Eye and Ear

• Independent 41-bed nonprofit specialty hospital located in Boston focused on treatment of eye, ear, nose and throat conditions

• Principally ambulatory – over 90% of surgical cases performed on an outpatient basis

• Close clinical affiliation with Massachusetts General Hospital

• Harvard Medical School teaching affiliate for Ophthalmology and Otolaryngology

Incident and Investigation

• Feb. 2010: unencrypted laptop stolen from Mass. Eye and Ear physician travelling overseas

– Database with Protected Health Information for >3500 patients and research subjects

• Apr. 2010: Mass. Eye and Ear reported the theft under the HITECH breach reporting rules

• Oct. 2010: US Dept. HHS OCR initiated investigation of Mass. Eye and Ear’s compliance with HIPAA Privacy, Security and Breach Notification rules

– Broad investigation, not limited to circumstances of theft

Resolution Agreement and Corrective Action Plan

• Sept. 2012: Mass. Eye and Ear and the OCR sign Resolution Agreement (RA)

– No admission / no concession

– 3-year Corrective Action Plan (CAP)

– Six areas of “Covered Conduct”

– Pay $1.5M settlement to OCR


Resolution Agreement and Corrective Action Plan (cont.)

Sept. 2012: CAP requirements

• Revise information security policies and procedures (subject to OCR approval)

– 10 minimum content requirements

• Re-train workforce

• Engage independent monitor to oversee compliance for three years

• Implement additional controls particularly around portable devices

Monitor and Monitor Plan

• Jan 2013: OCR approves Mass. Eye and Ear’s selection of PwC as its Monitor

• February-April 2013: PwC develops Monitor Plan

– Subject to OCR approval

– Validates Mass. Eye and Ear compliance with CAP

◦ Procedures to test specific CAP obligations regarding policies and procedures, risk analysis, training, incident management and workforce compliance

◦ 4 unannounced visits - main campus and 3 satellite facilities - every six months in addition to planned audit procedures

◦ Workforce Compliance tests based on HITRUST CSF controls - shared standard for internal risk analysis and Monitor reviews

– PwC to issue opinion to OCR every 6 months on Mass. Eye and Ear’s compliance for duration of CAP

Monitor Plan Development

Mapping exercise – CAP “Minimum Content” requirements to one or more HITRUST CSF controls

Twenty-five key CSF controls selected

Test procedures defined for each

Access Control
01.a Access Control Policy
01.e Review of User Access Rights
01.f Password Use
01.g Unattended User Equipment
01.j User Authentication for External Connections
01.n Network Connection Control
01.q User Identification and Authentication
01.t Session Time-out
01.x Mobile Computing and Communications
01.y Teleworking

Communications and Operations Management
09.aa Audit Logging
09.ab Monitoring System Use
09.o Management of Removable Media
09.s Information Exchange Policies and Procedures
09.u Physical Media in Transit

HR Security
02.f Disciplinary Process
02.i Removal of Access Rights

Asset Management
07.a Inventory of Assets
07.b Ownership of Assets

Information Systems, Acquisition, Development, and Maintenance
10.f Policy on the Use of Cryptographic Controls

IS Policy
04.a Information Security Policy Document
04.b Review of the Information Security Policy

Information Security Incident Management
11.a Reporting Information Security Events

Organization of Information Security
05.b Information Security Coordination

Risk Management
03.b Performing Risk Assessments


Processes & Technology

• 2012-2014: Implement policies, procedures, enhanced processes and technology

– Information Security Policies and Procedures

– Information Security Training and Policy Certification

– Access Controls

◦ Enforce training and certification completion – disable network access for non-completion

◦ Automated daily checks – e.g. training completion, terminations

◦ Quarterly system access recertification

◦ Access request forms only able to be submitted for active workforce members in HR or credentialing system
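The access-control bullets above describe automated checks; as an added illustration (not Mass. Eye and Ear's or PwC's code), this Python sketch runs those daily checks over a constructed HR roster and account list. The record layouts, the 30-day training grace period and the user ids are assumptions.

```python
"""Daily access-control checks like those listed above (added example, not
Mass. Eye and Ear's own code): disable network access for workforce members
who have been terminated or have not completed required training, and accept
access requests only for active members of the HR/credentialing roster.
Record layouts, the 30-day training grace period and the ids are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

TRAINING_GRACE_DAYS = 30  # assumed: training must be complete within 30 days of hire


@dataclass(frozen=True)
class WorkforceMember:
    user_id: str
    status: str            # "active" or "terminated" in the HR/credentialing feed
    hire_date: date
    training_completed: bool


@dataclass(frozen=True)
class NetworkAccount:
    user_id: str
    enabled: bool


def accounts_to_disable(roster: List[WorkforceMember],
                        accounts: List[NetworkAccount],
                        today: date) -> List[Tuple[str, str]]:
    """Enabled accounts that today's check should disable, with the reason:
    'terminated', 'training_overdue', or 'not_in_hr_system' (an account with
    no matching roster entry, which the daily check should surface as well)."""
    by_id = {m.user_id: m for m in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to do
        member = by_id.get(acct.user_id)
        if member is None:
            findings.append((acct.user_id, "not_in_hr_system"))
        elif member.status != "active":
            findings.append((acct.user_id, "terminated"))
        elif (not member.training_completed
              and today > member.hire_date + timedelta(days=TRAINING_GRACE_DAYS)):
            findings.append((acct.user_id, "training_overdue"))
    return sorted(findings)


def access_request_allowed(roster: List[WorkforceMember], requester_id: str) -> bool:
    """An access request form may only be submitted for an active workforce
    member present in the HR or credentialing system."""
    return any(m.user_id == requester_id and m.status == "active" for m in roster)


# Constructed sample data (not real workforce records)
TODAY = date(2014, 9, 12)
ROSTER = [
    WorkforceMember("u1001", "active", date(2013, 1, 7), True),
    WorkforceMember("u1002", "terminated", date(2012, 5, 1), True),
    WorkforceMember("u1003", "active", date(2014, 6, 2), False),  # past grace period
    WorkforceMember("u1004", "active", date(2014, 9, 1), False),  # still within grace
]
ACCOUNTS = [
    NetworkAccount("u1001", True), NetworkAccount("u1002", True),
    NetworkAccount("u1003", True), NetworkAccount("u1004", True),
    NetworkAccount("u1005", True),   # no HR record at all
    NetworkAccount("u1006", False),  # already disabled
]

if __name__ == "__main__":
    for user_id, reason in accounts_to_disable(ROSTER, ACCOUNTS, TODAY):
        print(f"disable {user_id}: {reason}")
    print("request for u1002 allowed:", access_request_allowed(ROSTER, "u1002"))
```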

Processes & Technology (cont.)

• 2012-2014: Implement policies, procedures, enhanced processes and technology

– HITRUST framework for annual risk analysis

– Outsourced IPS, log monitoring and vulnerability scanning

– Encryption

◦ Laptop – BitLocker, Checkpoint, (TrueCrypt)

◦ Native smartphone encryption

◦ Encrypted USBs, external drives

– Inventory – electronic and manual

◦ Red/green sticker process for manual inventory

– Network Access Control – in process

Halfway through… CAP overview

Timeline figure (not reproduced here) running from May 2013 to May 2016: six Monitor Periods from May 2013 to November 2015 (Monitor Periods 1 and 2 complete, Monitor Period 3 in progress, Monitor Periods 4 to 6 future), each ending in a Monitor Period Report; each May from 2014 to 2016 the Annual Report, Risk Analysis, Annual Review of Policies, Training Update, and Policy Compliance Certification and Training; plus Policy/Procedure Implementation and the Implementation Report, Manual Inventory Reconciliation, Policy Update Distribution, and completed and future unannounced Monitor visits. Legend: MEE completed deliverable, MEE future deliverable, Monitor completed deliverable, Monitor future deliverable.


Lessons Learned…

Lessons Learned: Investigation and Response

• Reported breaches of over 500 records are a common trigger for OCR investigation

• Don’t expect an investigation to focus narrowly on the circumstances of a breach

• If you must report a large breach, prioritize addressing known information security/compliance weaknesses immediately

– Policies and procedures addressing HIPAA compliance requirements

– Risk analysis

– Workforce training and awareness

– Incident identification and response

– Portable device encryption

– Remediating specific weaknesses identified in risk analysis

– Clearly documenting rationale for risk acceptance decisions

Lessons Learned: Investigation and Response (cont.)

• Take the long view

– Collect documentation of HIPAA compliance from initial compliance dates forward, e.g.

◦ Policy and procedure adoption and review

◦ Risk analysis, risk remediation and risk acceptance decisions

◦ Implementation of physical, administrative and technical safeguards

– “If it wasn’t documented, it never happened.”

• If investigated, put best effort into initial response

– Ability to amplify responses later in process may be limited

Lessons Learned: Living with a CAP/Monitoring Arrangement

Monitor Selection:

• Better the devil you know

– Choose Monitor and team you know and can work with

• Other musts: independent, experienced with regulator, healthcare audit expertise, acceptable to OCR

• Agree up-front on standards

– Standards/risk framework-based approach (NIST, HITRUST etc.) can help identify, prevent issues

– Common language and “yardstick” for Monitor and internal risk analysis

– Not required by OCR, but various frameworks recommended/cited in guidance on risk analysis

Lessons Learned: Living with a CAP/Monitoring Arrangement (cont.)

Monitor Plan Development:

• CAP will dictate high-level Monitor Plan requirements, but negotiate the details

– Be realistic about organizational capabilities

– Align plan with organization’s policies, procedures, and information security/privacy/compliance priorities

– Align plan with current or planned technology and processes

• Monitor opinion on compliance vs. report of issues

– Consider audit rigor vs. audit process transparency trade-offs

Lessons Learned: Living with a CAP/Monitoring Arrangement (cont.)

Processes and Technology:

• Know the organization’s limits

• Save internal resources for tasks requiring knowledge of the organization and culture

• Go outside for commodity services

• Be realistic about resources needed

• Don’t underestimate effort for process changes

• Communicate

• Make lemonade!

• A CAP will focus the organization’s attention

• Opportunity to drive needed information security/compliance investments and improvements


Questions?


Privacy and Information Security: Be OCR-Ready

Lessons Learned from the 3-year Corrective Action Plan

Deborah Adair

Director, Health Information Services/Privacy Officer

September 12, 2014

Questions: [email protected]

Physical Removal and Transport of Protected Health Information (PHI) & Personal Information (PI)


Official Terms of the CAP

• III. Term of CAP: “The period of compliance obligations assumed by MGH under this CAP shall begin on the Effective Date [2/14/2011] and conclude 3 years from the Monitor Plan Approval Date [7/11/2011] [i.e., CAP concludes 7/11/2014]…except that after this period MGH shall be obligated to: (a) submit the Annual Report for the final Reporting Period [2/14/2014 – 7/10/2014] and (b) comply with the document retention requirement [VII Document Retention…The office(s) responsible…shall maintain…all non-privileged documents and records relating to compliance with this CAP for 6 years from the Effective Date [i.e. retain through 2/14/2017].

• V. E.2.c Semi-Annual Monitor Reports: “Within 180 days of the Monitor Plan Approval Date, and once every 6 month period thereafter, the Monitor shall prepare a written report….MGH shall prepare a response to the Monitor Report…within 30 days of MGH’s receipt of the Monitor Report.”

• VI. B. Annual Reports: The one-year period after the Effective Date and each subsequent one-year period or portion thereof during the course of the period of compliance obligations shall be known as a “Reporting Period”. MGH shall submit Annual Reports to the Monitor…Such Annual Reports shall be incorporated into the Monitor Reports to HHS. MGH shall submit each Annual Report… no later than 60 days after the end of each corresponding Reporting Period.

• What does ‘conclude’ mean?

• New hires with hire date up through July 10 were expected to take CAP training.

• Weekly Policy Violations reporting continued through Aug 8.

• The Monitor’s Semi-Annual report was due July 9; our response to the Monitor report was due Aug 8.

• Our final Annual Report was due Sept 10.

• Hardcopy and electronic documents must be maintained through 2/14/2017.

Other Significant Dates - 2011

• Monitor Plan submitted March 30th with final approval by OCR on July 6th

• Three policies submitted to OCR on May 13th and approved on June 7th

• HealthStream CAP training opened up on June 20th.

• MGH had trained approximately 97% of our workforce by July 20th

Monitor Plan

• Privacy Office will report all policy violations to Monitor within 30 days of determination

• Monitor will start unannounced site visits

– Main Campus and offsite

– Will identify themselves to site management

– Will need a list of all workforce members

– May ask any workforce member about policies

– May inspect laptops and portable USBs


Workforce Definition

• Defining and identifying > 30,000 workforce

• Non-employees in PeopleSoft

• Nursing Students with new preceptor processes

• Clean up of reporting structures

• Verification of credentialing and privileges

• Accountability of Research increased

Implementation

• Privacy Office met every deadline for completion of training, reporting to the monitor and response to OCR

• No CAP violations during the three-year period

• No major HHS reportable incidents

• Policies and processes developed at MGH adopted by PHS and other sites

Training

• Negotiated HealthStream licenses for all workforce, now use consistent platform

• CAP training taken and documented in HealthStream

• More consistency in Privacy and Security training

• Sanctions applied more evenly across weekly and professional staff

• Policy violation consequences include turning off access


Questions: [email protected] (617) 726-6360

What Will be Covered in this Training:

Policy: Removal and Transport of PHI and PI

Take reasonable precautions to safeguard and secure the information at all times.

If you are not directly involved with patient care, you must have supervisor approval before removing PHI or PI.

Policy: Laptop Encryption

Encrypt Laptops used for any business purposes, even personally owned Laptops.

Policy: Portable USB Drive Encryption

Encrypted USB drives must be used when storing confidential data on USB drives.

Encryption and Applications

• Attestation database allows prompt identification of unencrypted use

• Changed attestation language for more clarity

• Run weekly reports and contact workforce directly

• Implemented ActiveSync for phones, BitLocker for PCs, and Syncplicity for cloud storage

Laptop Encryption

Policy Violations

• MGH requires attestation signed by workforce on first day stating they will not use an unencrypted laptop for business purposes

• MGH requires electronic attestation every 90 days in conjunction with password change

• If individual attests ‘yes’ to use of laptop and ‘no’ to it being encrypted, immediate flag to Privacy and Security & individual contacted

• If attestation done in error, then corrected

• If no error, then policy violation reported to HR
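The attestation workflow just listed, as an added Python illustration (not MGH's own code) that runs over constructed sample attestations and also checks the 90-day cadence from the second bullet. The record layout, the follow-up field recording the outcome of contacting the individual, and the user ids are assumptions.

```python
"""Laptop-encryption attestation checks following the workflow on the slide
(added example, not MGH's own code): a member attests on day one and then every
90 days with the password change; 'yes' to laptop use and 'no' to encryption is
flagged immediately; a flag later corrected as an error is cleared, otherwise it
becomes a policy violation reported to HR. Record layout and ids are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ATTESTATION_INTERVAL_DAYS = 90  # attestation is due with each 90-day password change


@dataclass(frozen=True)
class Attestation:
    user_id: str
    attested_on: date
    uses_laptop: bool                 # 'yes' to using a laptop for business purposes
    laptop_encrypted: Optional[bool]  # 'yes'/'no' to encryption; None when no laptop
    followup: Optional[str] = None    # None (not yet contacted), "error" (attestation
                                      # was a mistake and was corrected) or "confirmed"


def latest_attestations(records: List[Attestation]) -> Dict[str, Attestation]:
    """Keep only each workforce member's most recent attestation."""
    latest: Dict[str, Attestation] = {}
    for rec in records:
        cur = latest.get(rec.user_id)
        if cur is None or rec.attested_on > cur.attested_on:
            latest[rec.user_id] = rec
    return latest


def classify(rec: Attestation, today: date) -> str:
    """Status of one member's latest attestation:
    'flag'      -> unencrypted laptop use; immediate flag, member still to be contacted
    'ok'        -> no issue, or an unencrypted answer that was corrected as an error
    'violation' -> unencrypted laptop use confirmed; policy violation reported to HR
    'stale'     -> last attestation is older than the 90-day cycle
    """
    if rec.uses_laptop and rec.laptop_encrypted is False:
        if rec.followup is None:
            return "flag"
        if rec.followup == "error":
            return "ok"
        return "violation"
    if today - rec.attested_on > timedelta(days=ATTESTATION_INTERVAL_DAYS):
        return "stale"
    return "ok"


def weekly_report(records: List[Attestation], today: date) -> Dict[str, str]:
    """The weekly report used to contact workforce directly: user id -> status."""
    return {uid: classify(rec, today)
            for uid, rec in sorted(latest_attestations(records).items())}


def needs_contact(report: Dict[str, str]) -> List[str]:
    """Members Privacy and Security should reach out to this week."""
    return [uid for uid, status in report.items() if status in ("flag", "stale")]


# Constructed sample attestations (not real data)
TODAY = date(2014, 9, 12)
RECORDS = [
    Attestation("u1", date(2014, 8, 1), True, True),
    Attestation("u2", date(2014, 9, 8), True, False),                  # flagged, not yet contacted
    Attestation("u3", date(2014, 9, 1), True, False, followup="error"),
    Attestation("u4", date(2014, 8, 20), True, False, followup="confirmed"),
    Attestation("u5", date(2014, 5, 1), False, None),                  # 134 days old
    Attestation("u6", date(2014, 4, 1), True, False),                  # superseded below
    Attestation("u6", date(2014, 7, 15), True, True),
]

if __name__ == "__main__":
    report = weekly_report(RECORDS, TODAY)
    for uid, status in report.items():
        print(uid, status)
    print("contact:", needs_contact(report))
```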


Relationships

• Work done outside of silos, and gained cross-functional respect

• HR took on additional responsibilities for non-employee documentation

• MGPO compensation supported new professional staff processes

• Police and Security agreed to new Badge ID process

• Shared best practices across Partners

Culture Shift

• MGH shifted to higher awareness and support of privacy and security of PHI

• Workforce are self-reporting incidents:

– Calling concerned, wanting to do the right thing

– PHI brought to Privacy Office, very clean hospital

• Protecting Our Patients’ Privacy (POPP) program engaging staff in a positive way

Questions?

Time flies when you’re having fun!