How much HIPAA is enough? Session 2: What to Do - HIPAA-compliance with Datto
Mar 29, 2015
• Focus on physician practices, hospitals and Business Associates
• Regulatory Compliance Experts on staff, HIT experts on staff
• Privacy and Security Analysis (Meaningful Use, HIPAA)
• EHR Consulting – Emphasis on workflow efficiencies
“We Untangle Healthcare Technology”
Why do HIPAA at all?
Because Datto feels it is critical for their channel partners to understand how the backup and restore process impacts HIPAA compliance.
Because Datto feels it is critical for their channel partners to understand the relationship between Datto products and HIPAA requirements.
Because you must be able to do 3 compliance-critical things, and that ability starts with learning what is in this session.
Things that are backed up that are ePHI…
Enforcement Countdown
Business Associates must comply with the final rule by September 23, 2013. However, there is a special one-year transition period for implementing business associate agreements to comply with the final rule.
What this doesn’t say is that on September 23, 2014 enforcement and settlement agreements begin.
The 3 Compliance-critical things to do with Datto
The Datto solution must be HIPAA-Compliant
The Datto solution must be installed in a HIPAA-Compliant fashion
The Datto solution must be installed by HIPAA-Compliant Datto Solution Providers
Compliance-critical thing #1: You Must Have a HIPAA-Compliant Solution
Datto Appliance: SIRIS or ALTO 2
Crosswalk that maps Datto to the HIPAA Security Rule (HITECH?)
Is the Datto Solution non-compliant with any of the following applicable security rule safeguards:
• Administrative
• Physical
• Technical
Drilldown – HIPAA-Compliant Solutions
HIPAA Security Rule, ePHI, Safeguards and Controls that you implement when you install Datto products
A HIPAA-Compliant solution: Do a safeguard review
Ask this for every client: Does the presence of the Datto Solution cause non-compliance with this safeguard?
Compliance-critical thing #2: It Must Be Installed in a HIPAA-Compliant Fashion
HIPAA Security Rule, ePHI, Safeguards and Controls that you implement when you install Datto products
Drilldown – Installed in HIPAA-Compliant Fashion
Datto Appliance: SIRIS or ALTO 2
Map to HIPAA Citations:
• Administrative
• Physical
• Technical
A HIPAA-Compliant Installation: Do a safeguard review
Ask this for every client: Does the usage of the Datto Solution cause non-compliance with these safeguards?
Compliance-critical thing #3: It Must Be Installed by HIPAA-Compliant Solution Providers
We are all BAs whether we like it or not as it pertains to implementing, managing and supporting Datto solutions in environments where ePHI is maintained or stored.
Drilldown – By HIPAA-Compliant Solution Providers
BA Assurance Evergreen Program
A HIPAA-Compliant Business Associate: Do a safeguard review
Can you give assurances to every client about how your company meets every single one of these compliance safeguards?
How can you give assurances?
The Security Rule has 18 Standards. The 18 Standards define the Safeguards to Implement. The Safeguards to Implement have 36 Specifications.
Administrative example
Column 1 shows the standards (9)
Column 2 shows the security rule citation
Column 3 shows the specifications for implementing the standards (21 specifications for 9 standards)
Physical example
Column 1 shows the standards (4)
Column 2 shows the security rule citation
Column 3 shows the specifications for implementing the standards (8 specifications for 4 standards)
Technical example
Column 1 shows the standards (5)
Column 2 shows the security rule citation
Column 3 shows the specifications for implementing the standards (7 specifications for 5 standards)
Wrap up: Doing The 3 Compliance-critical things with Datto
Profile of a HIPAA-Compliant Datto solution
Repeatable process for installing Datto solutions in a HIPAA-Compliant Fashion
According to a compliance management system adopted by the HIPAA-Compliant Datto Solution Provider
Datto meets HIPAA key takeaways
• Start Now – CEs have been subject to the HIPAA OMNIBUS Rule since September 2013. BAs became subject to enforcement under the same rule on September 23, 2014.
• Secure Backups and Restores are both required – Covered Entities and Business Associates must back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii)(A)) and be able “to restore any loss of data” (CFR 164.308(7)(ii)(B)).
• Security Requirements are in effect during emergencies – compliance requires the “protection of the security of electronic protected health information while operating in emergency mode” (CFR 164.308(7)(ii)(C)).
• A backup policy is not a procedure, a backup procedure is not a backup plan, and a backup plan is not a contingency plan (neither is it a disaster recovery plan). Policies, procedures and plans (CFR 164.312(b)(1)) are not interchangeable forms of documentation (CFR 164.312(b)(2)(i)). Documentation is a huge part of HIPAA. “Ask me about our HIPAA Book of Evidence Tool”
How to use this slide deck as a workbook
Step 1: Review CE/BA client solution stacks by following slides 9-12
Step 2: Review completed CE/BA client implementations by following slides 15-18
Step 3: Create a repeatable CE/BA new client implementation procedure from slides 15-18
Step 4: Do a self-assessment by following slides 21-24
Step 5: Provide assurances to each CE/BA client by describing how you implement the standards according to the specifications on slides 26-28 (email me for a PDF of the safeguards in these slides)
Ask Me About these Webinars
Ask Me About HIPAA Evergreen for BAs
Email [email protected] (909) 563-8578 x2101
Chris Johnson is CEO and founder of Untangled Solutions. His motto, “We untangle healthcare technology”, has catapulted his company onto the go-to short list for healthcare providers across the United States. With more than fifteen years of experience in IT services and web development, he specializes in helping medical practices make strategic HIT decisions that improve how providers safely treat their patients, productively run their practice and profitably manage their business.
A thought leader in his industry with a desire to “give back”, Chris is the current Vice Chair for CompTIA’s IT Security Community, an active CompTIA Ambassador and the former chairperson of the Healthcare IT Community.
Upcoming events:
HIPAA Resources http://Dattobackup.com/hipaa
User Conference ww.Dattopartnerconference.com/