
EAGLE ACCREDITATION

EAGLE ACCREDITATION. THE ROAD TO ORGANIZATIONAL EXCELLENCE. Matt Obert , MSW, LCSW Director of Quality Assurance and Facilities Quincy, Illinois mobert@chaddock.org Debi Armstrong, MS, LCPC Vice President of Quality and Information Systems Normal, Illinois



Presentation Transcript


  1. EAGLE ACCREDITATION: THE ROAD TO ORGANIZATIONAL EXCELLENCE

  2. Matt Obert, MSW, LCSW, Director of Quality Assurance and Facilities, Quincy, Illinois, mobert@chaddock.org
     Debi Armstrong, MS, LCPC, Vice President of Quality and Information Systems, Normal, Illinois, darmstrong@thebabyfold.org

  3. MOST COMMON CHALLENGES
     • QUALITY IMPROVEMENT and SERVICE EXCELLENCE
     • CORPORATE COMPLIANCE
     • RISK MANAGEMENT
     • TECHNOLOGY SECURITY and DISASTER RECOVERY

  4. EAGLE Principle 9: Information Management and Security
     9.1. Privacy and Confidentiality
     • Determine applicable security or privacy laws & regulations
     • Ensure compliance with applicable laws & regulations
     • Address access authentication and intrusion protection
     • Address record storage in paper and electronic form

  5. EAGLE Principle 9: Information Management and Security
     9.2. Use of Information
     • Ensure the accuracy of data and information
     • Ensure the quality and availability of information while protecting privacy
     • Continued access to information in the event of emergency or disaster

  6. EAGLE Principle 9: Information Management and Security
     9.3. Processes
     • Ensure timely access to authorized persons
     • Hardware and software is current, reliable, secure, and user-friendly
     • Document, maintain, and distribute policies, processes, and procedures
     • Business continuity planning
     • Evaluate and improve IT and security processes

  7. HIPAA Final Security Rule
     • 45 CFR Part 160 and Part 164, Subparts A and C
     • Known as the “HIPAA Security Rule”
     • Different from the HIPAA Privacy Rule
     • Compliance deadline April 20, 2005
     • HIPAA audits beginning in 2012
     • http://www.cms.gov/HIPAAGenInfo/

  8. Applicability
     • HIPAA covered entities
     • Protected Health Information (PHI) that is
       • maintained in an electronic system or data repository; OR
       • transmitted in electronic format

  9. Categories of Security Requirements
     • General Rules
     • Administrative Safeguards
     • Physical Safeguards
     • Technical Safeguards

  10. General Rules
     • Ensure Confidentiality
     • Ensure Integrity
     • Ensure Availability
     • Protection from
       • Any reasonably anticipated threat or hazard to the security of EPHI

  11. General Rules
     • Protect against
       • Anticipated use or disclosure not permitted by the Privacy Rule
     • Ensure workforce compliance
     • Applies to EPHI regardless of format, internal or external communications

  12. Approach
     • Security measures that are:
       • Reasonable
       • Appropriate
       • Specific
     • No mandates regarding a particular firewall, encryption package, or password system
     • No standards regarding electronic signatures

  13. Required versus Addressable
     • Required (R) must be implemented
     • Addressable (A) based on a “necessary, reasonable and appropriate safeguard”
     • Possible options for addressable specifications
       • Implementation of the specification
       • Implementation of a substitute security measure
       • Decision not to implement because no measure is necessary

  14. Factors to Consider
     • Size, complexity and capabilities of the agency
     • Technical infrastructure, hardware, and software security capabilities
     • Cost of security measures
     • Probability and critical nature of potential threats and risks

  15. Main Components
     • Administrative Safeguards
     • Physical Safeguards
     • Technical Safeguards

  16. Administrative Procedures
     • 75% of HIPAA Security compliance is operational
     • Security management process
     • Assigned security responsibility
     • Workforce security
     • Information access management
     • Security awareness and training
     • Security incident procedures
     • Contingency planning
     • Evaluation
     • Business associate contracts & arrangements

  17. Security Management Process
     • Policies and procedures to prevent, detect, contain, and correct any security violations
     • Risk analysis is conducted (R)
     • Risk management of vulnerabilities to a reasonable and appropriate level (R)
     • Sanction policy for failure to comply (R)
     • Information system reviews (R)
     • Identification of a Security Officer (R)

  18. Workforce Security
     • Policies and procedures to limit staff to appropriate access to information
     • Authorization or supervision of staff who have access to information (A)
     • Determining clearance of staff to have access to information (A)
     • Terminating access (A)

  19. Information Access Management
     • Policies and procedures for authorizing access to information
     • Procedures to grant access (A)
     • Procedures to establish, document, review, and modify a user’s right of access (A)

  20. Security Awareness and Training
     • Training program components
       • Periodic security updates and reminders (A)
       • Procedures for guarding against, detecting, and reporting malicious software (A)
       • Log-in monitoring (A)
       • Password creation, change, and safeguards (A)

  21. Security Incident Reporting
     • Procedures to identify, report and respond (R)
     • Contain breach / implement corrective action (R)
     • Document incidents and outcomes (R)

  22. Contingency Planning
     • Data backup plan (R)
     • Disaster recovery plan (R)
     • Emergency mode operation plan (R)
     • Testing and revision procedure (A)
     • Applications and data criticality analysis (A)

  23. Evaluation
     • Periodic technical and non-technical evaluation (R)
     • Respond to environmental or operational changes that affect the security of PHI
       • Changes in technology hardware or infrastructure
       • Changes in applications
       • Changes in business operations
       • Changes in risks

  24. Business Associate Contracts
     • Written contract or other arrangement (R)
     • Contract specifications (R)
       • Implement all HIPAA safeguards
       • Protect confidentiality, integrity, and availability of PHI
       • Report any security incident the associate becomes aware of
       • Authorizes termination of the contract if a breach or violation occurs
     • Covered entity must terminate the contract if a known breach occurs UNLESS
       • Reasonable steps are taken to cure the breach or violation

  25. Physical Safeguards
     • Development of written policies and procedures regarding the physical safeguards in place to protect data
     • Limit physical access to PHI systems and the facilities that house them while ensuring properly authorized access is allowed

  26. Physical Safeguards – Facility Access Controls
     • Access control and validation (A)
     • Maintenance records related to physical security (A)

  27. Physical Safeguards – Workstation Use and Security
     • Workstation Use (R)
     • Workstation Security (R)

  28. Physical Safeguards – Device and Media Controls
     • Data Backup and Storage (A)
     • Disposal (R)
     • Media re-use (R)
     • Accountability (A)

  29. Technical Safeguards
     • Implement technical policies and procedures for information systems that maintain PHI to allow access only to those persons or software programs that have been granted access rights

  30. Technical Safeguards – Access Control
     • Unique User Identification (R)
     • Emergency Access Procedure (R)
     • Encryption and decryption (A)
     • Automatic Logoff (A)

  31. Technical Safeguards – Audit Controls
     • Procedure for conducting technical audits (R)
     • Mechanisms to record and examine activity of systems

  32. Technical Safeguards – Integrity
     • Mechanism to authenticate electronic PHI (A)
     • Policy and procedure to ensure that PHI has not been altered or destroyed in an unauthorized manner

  33. Technical Safeguards – Authentication
     • Implement procedures to verify that each person accessing PHI is who they claim to be (R)

  34. Technical Safeguards – Transmission Security
     • Technical security measures to guard against unauthorized access to PHI that is being transmitted electronically
       • Integrity Controls (A)
       • Encryption (A)

  35. Questions?

  36. Disaster Recovery

  37. What do we do now?
     • The pictures you have seen are real
     • On May 22, 2011 a tornado hit Joplin, MO
     • 30% of a town of 50,000 was destroyed
     • The path of destruction was six miles long and 1 mile wide
     • More than 100 people were killed
     • What if it happened to you…

  38. The Good News
     • Crisis management planning
     • Risk management processes
     • Insurance policies
     • Backup systems
     • Disaster recovery planning
     • “The Wicked Witch is Dead!” – The Wizard of Oz

  39. What is Disaster Recovery?
     • Differs from Technology Contingency Plans
     • Differs from Business Continuity Plans
     • Scope
     • Purpose
     • Type of “disaster”
     • Level of response

  40. IT Contingency Plan: Restore Applications
     • Hardware and Software
     • Connectivity / Network access
     • Smaller in scale
     • Integrity of site may not be affected
     • Primarily technology staff involved

  41. Disaster Recovery Plan: Restore Array of Technology Resources
     • Larger in scale than a contingency plan
     • Integrity of location or infrastructure affected
     • Alternate site for technology hardware may be needed
     • Primarily technology staff responsible for the plan

  42. Business Continuity Plan: Restore Major Business Operations
     • Largest in scope
     • Likely to include an alternate site
     • Goal is immediate recovery of business processes
     • Business processes are largely dependent on technology resources
     • Involves wider aspects of the agency

  43. Scope Comparison

  44. Steps in Disaster Planning
     • Formal Business Impact Analysis
     • Formal Risk Analysis
     • Technology recovery strategies
     • Backup planning and options
     • Determine hot, warm and cold site alternatives

  45. Business Impact Analysis
     • Identify critical technology resources needed to continue work
     • Rate the impact of a disruption in technology on work processes
     • Determine “tolerable down time” and “recovery time objectives”
     • Prioritize recovery of applications

  46. How to rate business impact

  47. Risk Analysis
     • Identify types of threats
       • Natural disasters
       • System failures
       • Cyber crime
     • How likely is the threat to occur?
     • What is the degree of impact?
     • What steps can be taken to prevent or minimize risks?

  48. How to rate risk

  49. Critical Nature of Backup
     • Options
       • Backup media – tape, hard drive or both
       • Use of virtualized servers
       • Off-site data storage services
       • Redundant systems at other sites

  50. Planning Site Alternatives
     • HOT – Ready in a few hours
       • Systems and communications ready
       • Applications available
     • WARM – Ready in days
       • Functions present but not ready
     • COLD – Ready in weeks
       • Functions absent and must be installed
