How much HIPAA is enough? Session 2: What to Do - HIPAA-compliance with Datto.

Mar 29, 2015

Travis Sabins
Transcript
Page 1: How much HIPAA is enough? Session 2: What to Do - HIPAA-compliance with Datto.

How much HIPAA is enough?

Session 2: What to Do - HIPAA-compliance with Datto

Page 2

• Focus on physician practices, hospitals and Business Associates

• Regulatory Compliance Experts on staff, HIT experts on staff

• Privacy and Security Analysis (Meaningful Use, HIPAA)

• EHR Consulting – Emphasis on workflow efficiencies

“We Untangle Healthcare Technology”

Page 3

Why do HIPAA at all?

Because Datto feels it is critical for their channel partners to understand how the backup and restore process impacts HIPAA compliance.

Because Datto feels it is critical for their channel partners to understand the relationship between Datto products and HIPAA requirements.

Because you must be able to do 3 compliance-critical things, and this ability starts by learning what is in this session.

Page 4

Things that are backed up that are ePHI…

Page 5

Enforcement Countdown

Business Associates must comply with the final rule by September 23, 2013. However, there is a special one-year transition period for implementing business associate agreements to comply with the final rule.

What this doesn’t say is that on September 23, 2014, enforcement and settlement agreements begin.

Page 6

The 3 Compliance-critical things to do with Datto

The Datto solution must be HIPAA-Compliant

The Datto solution must be installed in a HIPAA-Compliant fashion

It must be installed by HIPAA-Compliant Datto Solution Providers

Page 7

Compliance-critical thing #1: You Must Have a HIPAA-Compliant Solution

Datto Appliance: SIRIS or ALTO 2

Crosswalk that maps Datto to the HIPAA Security Rule (HITECH?)

Is the Datto Solution non-compliant with any of the following applicable Security Rule safeguards:

• Administrative

• Physical

• Technical

Page 8

Drilldown – HIPAA-Compliant Solutions

HIPAA Security Rule, ePHI, Safeguards and Controls that you implement when you install Datto products

Page 9

A HIPAA-Compliant solution: Do a safeguard review

Ask this for every client: Does the presence of the Datto Solution cause non-compliance with this safeguard?

Page 10

Ask this for every client: Does the presence of the Datto Solution cause non-compliance with this safeguard?

Page 11

Ask this for every client: Does the presence of the Datto Solution cause non-compliance with this safeguard?

Page 12

Ask this for every client: Does the presence of the Datto Solution cause non-compliance with this safeguard?

Page 13

Compliance-critical thing #2: It Must Be Installed in a HIPAA-Compliant Fashion

HIPAA Security Rule, ePHI, Safeguards and Controls that you implement when you install Datto products

Page 14

Drilldown – Installed in HIPAA-Compliant Fashion

Datto Appliance: SIRIS or ALTO 2

Map to HIPAA Citations:

• Administrative

• Physical

• Technical

Page 15

A HIPAA-Compliant Installation: Do a safeguard review

Ask this for every client: Does the usage of the Datto Solution cause non-compliance with these safeguards?

Page 16

Ask this for every client: Does the usage of the Datto Solution cause non-compliance with these safeguards?

Page 17

Ask this for every client: Does the usage of the Datto Solution cause non-compliance with these safeguards?

Page 18

Ask this for every client: Does the usage of the Datto Solution cause non-compliance with these safeguards?

Page 19

Compliance-critical thing #3: It Must Be Installed By HIPAA-Compliant Solution Providers

We are all BAs whether we like it or not as it pertains to implementing, managing and supporting Datto solutions in environments where ePHI is maintained or stored.

Page 20

Drilldown – By HIPAA-Compliant Solution Providers

We are all BAs whether we like it or not as it pertains to implementing, managing and supporting Datto solutions in environments where ePHI is maintained or stored.

BA Assurance Evergreen Program

Page 21

A HIPAA-Compliant Business Associate: Do a safeguard review

Can you give assurances to every client about how your company meets every single one of these compliance safeguards?

Page 22

Can you give assurances to every client about how your company meets every single one of these compliance safeguards?

Page 23

Can you give assurances to every client about how your company meets every single one of these compliance safeguards?

Page 24

Can you give assurances to every client about how your company meets every single one of these compliance safeguards?

Page 25

How can you give assurances?

(Diagram) The Security Rule has 18 Standards; the 18 Standards have 36 Specifications; the Specifications define the Safeguards to Implement.

Page 26

Administrative example

Column 1 shows the standards (9)

Column 2 shows the security rule citation

Column 3 shows the specifications for implementing the standards (21 specifications for 9 standards)

Page 27

Physical example

Column 1 shows the standards (4)

Column 2 shows the security rule citation

Column 3 shows the specifications for implementing the standards (8 specifications for 4 standards)

Page 28

Technical example

Column 1 shows the standards (5)

Column 2 shows the security rule citation

Column 3 shows the specifications for implementing the standards (7 specifications for 5 standards)

Page 29

Wrap up: Doing the 3 Compliance-critical things with Datto

Profile of a HIPAA-Compliant Datto solution

Repeatable process for installing Datto solutions in a HIPAA-Compliant fashion

According to a compliance management system adopted by the HIPAA-Compliant Datto Solution Provider

Page 30

Datto meets HIPAA key takeaways

Start Now – CEs have been subject to the HIPAA OMNIBUS Rule since September 2013. BAs are now subject to enforcement under the same rule as of September 23, 2014.

Page 31

Datto meets HIPAA key takeaways

Secure Backups and Restores are both required: Covered Entities and Business Associates must back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii)(A)) and be able “to restore any loss of data” (CFR 164.308(7)(ii)(B)).

Page 32

Datto meets HIPAA key takeaways

Security Requirements are in effect during emergencies: compliance requires the “protection of the security of electronic protected health information while operating in emergency mode” (CFR 164.308(7)(ii)(C)).

Page 33

Datto meets HIPAA key takeaways

A backup policy is not a procedure, a backup procedure is not a backup plan, a backup plan is not a contingency plan (neither is it a disaster recovery plan). Policies, procedures and plans (CFR 164.312(b)(1)) are not interchangeable forms of documentation (CFR 164.312(b)(2)(i)). Documentation is a huge part of HIPAA.

“Ask me about our HIPAA Book of Evidence Tool”

Page 34

How to use this slide deck as a workbook

Step 1 Review CE/BA client solution stacks by following slides 9-12

Step 2 Review completed CE/BA client implementations by following slides 15-18

Step 3 Create a repeatable CE/BA new client implementation procedure from slides 15-18

Step 4 Do a self-assessment by following slides 21-24

Step 5 Provide assurances to each CE/BA client by describing how you implement the standards according to the specifications on slides 26-28 (email me for a PDF of the safeguards in these slides)

Page 35

Ask Me About these Webinars

Ask Me About HIPAA Evergreen for BAs

Email [email protected] (909) 563-8578 x2101

Chris Johnson is CEO and founder of Untangled Solutions. His motto, “We untangle healthcare technology,” has catapulted his company onto the go-to short list for healthcare providers across the United States. With more than fifteen years of experience in IT services and web development, he specializes in helping medical practices make strategic HIT decisions that improve how providers safely treat their patients, productively run their practices and profitably manage their businesses.

A thought leader in his industry with a desire to “give back,” Chris is the current Vice Chair for CompTIA’s IT Security Community, an active CompTIA Ambassador and the former chairperson of the Healthcare IT Community.

Page 36

Ask Me About these Webinars

Ask Me About HIPAA Evergreen for BAs

Upcoming events:

HIPAA Resources: http://Dattobackup.com/hipaa

User Conference: ww.Dattopartnerconference.com/

Email [email protected] (909) 563-8578 x2101