
Iowa State Association of Counties

Iowa State Association of Counties. Risk Assessment-what, why and how October 21, 2016. Midwest Compliance Associates. Full service health care compliance consulting firm HIPAA compliance and training Gary Jones, JD, CHC, CHPC. Does HIPAA even apply to counties?.





Presentation Transcript


  1. Iowa State Association of Counties Risk Assessment-what, why and how October 21, 2016

  2. Midwest Compliance Associates • Full service health care compliance consulting firm • HIPAA compliance and training • Gary Jones, JD, CHC, CHPC

  3. Does HIPAA even apply to counties? • Protected Health Information (PHI) is individually identifiable health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that: • Relates to the past, present, or future physical or mental health or condition of an individual; • Relates to the provision of health care to an individual; or • Relates to the past, present or future payment for the provision of health care to an individual.

  4. All PHI created, received, stored or transmitted by an organization is subject to the Security Rule • There is no, “we don’t do enough to be covered by HIPAA” exception

  5. Essential to look at PHI in all forms: e-mail, hard drives, laptops, work stations, servers, backup tapes, smart cards, mobile devices, copiers, etc. • Complete protection is not possible; the standard is reasonable protection

  6. What is required since we have PHI? • Implement policies and procedures to prevent, detect, contain and correct security violations • Risk Assessment is just one part of the puzzle

  7. Generally Accepted Compliance Principles • Expectations: Regulations, Ethical Behavior, Policies • Prevention: Education, Ethical Culture, Code of Conduct, Controls • Look for Problems: Auditing, Monitoring, Reporting Issues, Risk Assessment • Evaluate: Investigation, Measure Effectiveness • Fix and Follow Up: Corrective Action, Enforce and Discipline • Report: Report to Board, Issues/Compliance Activities, Disclosure Program

  8. North Memorial Health Care of Minnesota • Business Associate lost a laptop from a locked car • Laptop was not encrypted • No Business Associate Contract in place • No Risk Assessment had been conducted • $1.55 million settlement

  9. Risk Assessment • Risk Assessment is the first step in building a Security Management Plan • What is Risk Assessment? • Risk Identification Process • Risk Assessment Process • Risk Vulnerability/Impact • Risk Mitigation

  10. We all conduct risk assessments each and every day • Joe wakes up to his alarm clock • “should I get up and go to work or should I sleep in?” • He asks himself: What is on my schedule? What really has to be done today? What would happen if I slept in today?

  11. Once Joe considers the impact of sleeping in, he considers how vulnerable he is to that impact: • How often has he slept in? • Would anyone notice if he was late to work? • Can he hit snooze and still get everything done without being noticed?

  12. Risk Assessments can take many forms • From the simple evaluation Joe did to a complicated underwriting evaluation • Formal – once a year • Informal – occur much more frequently • Simply a way to identify and evaluate exposures/vulnerabilities and establish a plan to mitigate that risk

  13. Definitions • Risks – events or conditions that may occur and, if they do, would have a harmful impact on the organization • Inherent risk • Residual risk

  14. A risk assessment is a snapshot of the organization from a compliance perspective • OIG (Office of Inspector General) suggests the snapshot becomes the baseline against which progress is judged

  15. A bit of history… • Federal Sentencing Guidelines (1998) set forth the 7 elements of an effective compliance program • Sarbanes-Oxley (2002) introduced the “internal control report” that includes performance of a fraud risk assessment

  16. FSG revised in 2004. “organizations should evaluate the nature and seriousness of potential criminal conduct, the likelihood that conduct may occur because of the nature of the organization’s business and the prior history of the organization”

  17. HIPAA • 45 CFR 164.308(a)(1)(ii)(A) • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI held by the organization –Required Specification • Find the soft spots!

  18. According to HHS, risk assessment is foundational: the first step in identifying and implementing safeguards that comply with the Security Rule • RA is not a one-time event; it happens on a regular, ongoing basis • One size does not fit all

  19. To be a valid process, the Privacy Officer must engage leadership in: • Identification of compliance risks • Establishing “risk appetite” • Buy-in and approval of the risk mitigation process, and • Ongoing monitoring of the risk mitigation plan

  20. Risk Identification Process • First step in RA is to identify what the risks are that impact the organization • Potential risks can come from many different directions: regulations and laws, litigation, former employees, etc. • Important to consider as many sources of risk as possible

  21. Risk Identification Process • Not a solo act. Requires input from all aspects of the organization • More input will result in more risks being identified • Important to consider which process will be most effective based on the organization

  22. 3 Primary Approaches • Using written, open-ended questions in a survey of key personnel • Personal interview or small group meetings • Pre-defined list of potential risks

  23. Open ended survey questions • Somewhat generic in nature • Rely on the expertise of the person being surveyed • Allows the Privacy Officer to “know what they don’t know” • Very important to also include potential risk areas raised by trade and governmental publications, prior audit results, litigation, etc.

  24. Examples • In your opinion, what are the top 10 compliance risks for this organization? • Are there any aspects of your job with which you are uncomfortable from a legal or regulatory standpoint? • What should be the number one focus for compliance?

  25. May result in a large volume of potential risks being identified • Difficult to prioritize and develop a plan for mitigation of each risk • High “wild goose chase” potential

  26. Personal Interviews • Utilize same type of open ended questions • Allows interviewer to probe deeper and gain more understanding of the risks • Explore possible avenues for mitigation

  27. Time consuming • Resource intensive • Increased expense • Tend to use a smaller sample size

  28. Pre-defined list of risks • Much more structured approach • Sent to key stakeholders and internal process experts • Asked to identify potential for risk realization

  29. List sources • Office of Inspector General (OIG) • Office for Civil Rights (OCR) • NIST • HIPAA-COW • DOJ

  30. Additional sources • Prior history of non-compliance • Audit reports – internal and external • Risk management cases • Quality assurance reviews • Compliance hotline reports • Employee exit interviews

  31. Risk Assessment Process • Next step is to assess and score the identified risks • Integrity of the process depends on well defined scoring criteria • Without well defined criteria, it is impossible to effectively evaluate and prioritize

  32. Risk Assessment Process • Each identified risk is assigned a score (numerical, HML, etc.) • Looking at the likelihood of that particular risk actually occurring • Consider current security measures in place when looking at likelihood

  33. Vulnerability • With the security measures in place, how likely is it that: • Someone can compromise the confidentiality of ePHI? • Someone might inappropriately alter or delete ePHI, which impacts integrity? • ePHI might not be available when you need it?

  34. Determining vulnerability can be a moving target • Inherent risk • Residual risk • Technical – holes in the system • Non-technical – policies, procedures, standards

  35. Impact • Basically, how much will it hurt? • Scored on same type of scale (numerical or HML) • Each rating should have a specific criteria to ensure consistency • Impact to: finances, reputation, legal or regulatory obligation

  36. Risk identification, assessment for vulnerability and impact information can be used to prioritize • Heat Map

  37. Based on the heat map, organization can allocate, or re-allocate, resources • Prioritize mitigation efforts • Be careful of risk shifting
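The scoring method of slides 31 through 37, worked through as an added example that is not part of the presentation: constructed register entries, a written H/M/L rubric, residual likelihood after current security measures, and a heat map grouping for prioritization. The rule that each effective control lowers likelihood one step is an assumed rubric, not one the slides prescribe.

```python
"""Risk register scoring with explicit criteria, residual risk and a heat map.

Added illustration (not from the presentation): scores constructed risks on
likelihood and impact using a fixed H/M/L rubric, reduces likelihood for
controls already in place (inherent vs residual risk), and groups the result
into heat-map cells so mitigation effort can be prioritized.
"""
from collections import defaultdict

# Rubric: every rating has a written criterion so two reviewers score alike.
LIKELIHOOD = {"L": 1, "M": 2, "H": 3}   # L: rare, M: plausible, H: expected
IMPACT = {"L": 1, "M": 2, "H": 3}       # L: minor, M: notifiable, H: regulatory action

# Constructed register entries: (name, inherent likelihood, impact, controls in place)
RISKS = [
    ("Unencrypted laptop with ePHI lost or stolen", "H", "H", ["full-disk encryption"]),
    ("Vendor handles ePHI without a Business Associate Agreement", "M", "H", []),
    ("Backup tapes stored offsite without chain of custody", "M", "M", ["tape inventory"]),
    ("Copier hard drive returned to lessor with stored scans", "L", "M", []),
]

def residual_likelihood(inherent: str, controls: list) -> int:
    """Assumed rubric: each effective control drops likelihood one step, never below L."""
    return max(LIKELIHOOD["L"], LIKELIHOOD[inherent] - len(controls))

def score_register(risks=RISKS):
    """Return rows (name, residual_likelihood, impact, score) sorted by score, highest first."""
    rows = []
    for name, lik, imp, controls in risks:
        rl = residual_likelihood(lik, controls)
        rows.append((name, rl, IMPACT[imp], rl * IMPACT[imp]))
    return sorted(rows, key=lambda r: r[3], reverse=True)

def heat_map(rows):
    """Group risk names by (likelihood, impact) cell, as a heat map would."""
    grid = defaultdict(list)
    for name, rl, imp, _ in rows:
        grid[(rl, imp)].append(name)
    return dict(grid)

if __name__ == "__main__":
    for name, rl, imp, score in score_register():
        print(f"{score:>2}  L={rl} I={imp}  {name}")
```

With the constructed entries, the missing Business Associate Agreement ends up tied with the laptop risk even though its inherent likelihood is lower, because no control offsets it; that is the re-allocation signal the heat map is meant to surface.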

  38. Risk Mitigation • Policies and procedures • Training • Physical interventions • Electronic/hardware interventions

  39. Summary • No prescribed method for risk assessment • One size does not fit all • Risk assessment is a required specification under HIPAA • Whether you use an outside consultant or conduct the assessment in house, keeping a record of what is done is essential

  40. Questions? Gary N. Jones J.D. CHC, CHPC Gary.jones@mwcompliance.com Midwest Compliance Associates, LLC 721 W. 1st Street Cedar Falls, Iowa 50613
