Planning for HIPAA Compliance
Description:
Privacy and Security of PHI. It's all about Common Sense ... Anti-Virus. Content screening. Contingency/DR. Security Awareness. PKI. Detection. Firewall Features ...
Slides: 22
Transcript and Presenter's Notes

1
Planning for HIPAA Compliance
Ken M. Shaurette, CISSP, CISA, IAM
  • Winter 2003 Meeting of the HIPAA Collaborative of
    Wisconsin

Sandy Butters
2
HOW DO YOU TACKLE A MAJOR INITIATIVE LIKE HIPAA?
  • PLANNING
  • PLANNING
  • PLANNING
  • DOCUMENT
  • DOCUMENT
  • DOCUMENT

3
Privacy and Security of PHI
It's all about Common Sense
Treat all PHI data like it is data about yourself!
4
Key Issues
Key terms: Rules, RBAC, Reasonable, Signature, State, GLBA, Minimum necessary, Access, Amend, Restrict
  • How do you effect change?
  • What is your level of risk tolerance?
  • Do you have the resources
      • to become compliant?
      • to stay compliant?
      • to mitigate risk?
  • Current Status/Efforts
      • What have you done so far?
      • April 2003 Privacy Rule compliance deadline

5
HIPAA COMPLIANCE PLANNING
Six phases, each with the question it answers, its key considerations, and its process and tools:

Understanding HIPAA
  • What is HIPAA? What are the HIPAA requirements?
  • Key considerations
      • Who needs what information?
      • Develop experts on HIPAA
      • Compliance plans needed
      • Who is doing what?
  • Process and tools
      • HIPAA web sites
      • Awareness training
      • External organizations
      • Budget
      • Strategic plan

Baselining the Organization
  • Security status: what needs to be done?
  • Key considerations
      • Who's covered?
      • Which policies?
      • Which procedures?
      • Which tools and systems?
      • Which people?
  • Process and tools
      • Master plan
      • Roles & responsibilities
      • Privacy assessments
      • Security assessments

Planning Compliance Strategies
  • Plan how to eliminate the gaps
  • Key considerations
      • Enterprise vs. local fixes
      • Risk management and best practices
      • Proper budgeting
  • Process and tools
      • Compliance strategies
      • Technical, administrative, physical infrastructure
      • Roles & responsibilities
      • Compliance matrix
      • Detailed work-plans

Remediating the Organization
  • Making steps toward compliance; assessing security measures
  • Key considerations
      • Enterprise strategies
      • Implementing reasonable risk management measures
      • Deadlines
  • Process and tools
      • Testing strategies
      • Privacy-related business templates
      • Enterprise privacy & security policies/procedures
      • Privacy & security related policy/procedure templates

Validating Compliance
  • Compliant? Assessments of compliance
  • Key considerations
      • Certification techniques
      • Security certifications
  • Process and tools
      • Self-certification techniques
      • 3rd-party certifications
      • Quality assurance reviews

Maintaining Compliance
  • Staying compliant?
  • Key considerations
      • Ongoing training
      • Educating future employees and vendors
      • Auditing certification practices
  • Process and tools
      • Security/privacy maintenance plans
      • Enterprise awareness training plans
      • External organizations

6
Reasonable Steps to HIPAA Compliance
7
(Diagram: the compliance lifecycle as a cycle. Stages: Security Policy, Security Architecture, Strategy Definition, Deploy Solutions, Compliance Reporting, "Experience Feedback", Periodic Re-evaluation, Dynamic Security Infrastructure. Guiding questions: "Where Do We Need to Be?", "Where Are We Today?", "What Are The Short Falls?", "What Is Our Security Policy?", "How Do We Get There?", "Implement!")
8
Tips and Traps
  • Engage wide support
  • Conduct interactive communications
  • Develop policies
  • Relate to common incidents
  • Build champions
  • Educate, train, build awareness
  • Avoid perpetuating myths; don't use fear tactics
  • Policies guide decision making; they cannot
    address every situation
  • Don't intermix Policy with Procedure
  • Avoid looking for only minimum security measures

9
STRATEGIC PLAN
  • OBJECTIVES
  • Plan and manage activities necessary to bring the
    organization into HIPAA compliance.
  • Ensure that HIPAA requirements are consistently
    communicated to appropriate internal and external
    parties.
  • Assess impact of HIPAA regulations on all
    divisions and departments.
  • Identify ballpark budget estimates and rough
    timelines.

10
STRATEGIC PLAN
  • OBJECTIVES
  • Determine and plan appropriate implementation and
    transition strategies.
  • Implement HIPAA compliance plans.
  • Monitor HIPAA compliance through audit, quality
    assurance, and certification programs.
  • Transition HIPAA regulations and solutions into
    ongoing departmental operations.

11
BASELINING THE ORGANIZATION
Where Do We Stand vs. These Requirements (i.e.,
What Needs Fixing)?
  • Key Considerations
      • Which policies?
      • Which procedures?
      • Which tools and systems?
      • Which people?
  • Process and Tools
      • Master Plan
      • Roles & Responsibilities
      • Security/Privacy assessments
      • Write and Review Policy

12
GAP ANALYSIS AND RISK ASSESSMENT
  • Gap Analysis
      • Gaps in current practice, policies, procedures,
        systems, etc. causing non-compliance with
        reasonable security.
  • Risk Assessment
      • Evaluation of vulnerabilities and threats to PHI
        to establish where security weakness exists and
        to prioritize compliance measures.

13
PLANNING COMPLIANCE STRATEGIES
Close the Gaps?
  • Key Considerations
      • Enterprise vs. Local Fixes
      • Risk and Prioritization
      • Budget
  • Process and Tools
      • Enterprise & Individual Compliance Strategies
      • Technical Infrastructure
      • Change Management Process & Procedures
      • Roles & Responsibilities
      • Detailed Workplans

14
PROJECT PLANNING
  • HIPAA security compliance is a major project that
    doesn't end with certification of compliance.
  • Develop a rough high-level project plan with
    timeline estimates and budget expectations.
  • Involve all major players in the planning process;
    don't plan in a vacuum.

15
Remediation
Getting Compliant
  • Key Considerations
      • Enterprise Strategies
      • Establishing Reasonable Measures
      • Mandated Deadlines
  • Process and Tools
      • Security Assessments
      • Security Matrix
      • Enterprise Privacy & Security Policies/Procedures

16
Validating Compliance
How To Know We're Compliant?
  • Process and Tools
      • Self-Certification Techniques
      • 3rd-Party Certifications
      • Risk Assessments
  • Key Considerations
      • Certification Techniques
      • Certification to Security Standards
      • Privacy Certification

17
MAINTAINING COMPLIANCE
How to Remain Compliant?
  • Key Considerations
      • Awareness
      • Educating New Employees & Vendors
      • Ongoing Auditing & Certification Practices
      • Change Management
  • Process and Tools
      • Periodic Security Checkups
      • Periodic Privacy Checkups
      • Enterprise Training Plans
      • Documentation
      • Continued Security Assessments

18
Information Security Operations Plan
  • Executive Overview
  • Baseline - Status
  • Policy, Standards and Procedures
  • Architecture and Processes

19
Information Security Operations Plan
  • Awareness and Training
  • Assessment and Monitoring
  • Technologies and Products
  • Compliance Reviews

20
Summary
  • Planning is Important
  • It's not too early to start.
  • Doing nothing increases liability.
  • Compliance certification does not end the
    security effort.
  • Outside organizations are important, e.g. HIPAA COW
    (the HIPAA Collaborative of Wisconsin).

21
Discussion
Planning is the prescription for compliance.