BILL LANE AND MARGARET LALLY STARTEL’S CONTRIBUTIONS TO YOUR HIPAA COMPLIANCE


Page 1: Startel’s Contributions to your HIPAA compliance

Bill Lane and Margaret Lally

STARTEL’S CONTRIBUTIONS TO YOUR HIPAA COMPLIANCE

Page 2

AGENDA

• Overview of HIPAA
• Startel’s HIPAA/HITECH Assessment Report Findings & Recommendations
  • HIPAA/HITECH Compliance Program Assessment Report
  • HIPAA Security Rule – Technical Safeguards Application Assessment Report for ePHI Compliance
• HIPAA Security Best Practices
• Summary

Page 3

OVERVIEW OF HIPAA

Page 4

HIPAA – WHAT IS IT?

The Health Insurance Portability & Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information

Page 5

HIPAA – WHAT IS IT? CONTINUED

• HHS published what are commonly known as the HIPAA Privacy Rule & HIPAA Security Rule
• These rules help to protect the privacy of an individual’s health information
• They allow covered entities to adopt new technologies to improve the quality and efficiency of patient care

Page 6

HIPAA SECURITY RULE

• The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, is a national set of security standards for protecting certain health information that is held or transferred in electronic form (ePHI)
• Addresses the administrative, physical & technical safeguards that covered entities must put in place to secure ePHI
• Technical safeguards include access control, audit controls, integrity controls and transmission security
• Each of these technical safeguards can be addressed with software solutions, like encryption technology

Page 7

COVERED ENTITY VS. BUSINESS ASSOCIATE

Page 8

COVERED ENTITY VS. BUSINESS ASSOCIATE

Business Associate (BA): A person or organization that performs a function on behalf of a CE.

Examples include:
• Software Vendors (such as STARTEL)
• Third-party Billing Companies
• Claims Processors
• Collections Agencies
• Outsourced Contact Centers/Telephone answering services

Page 9

BUSINESS ASSOCIATE REQUIREMENTS

• Ensure the confidentiality, integrity and availability of all ePHI that is created, received, maintained or transmitted
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule
• Ensure compliance by workforce

Page 10

STARTEL’S HIPAA/HITECH ASSESSMENT

Page 11

OVERVIEW

• Auditing Firm: Hired Coalfire Systems; annual, 3-year engagement
• Objective: To perform an assessment of the controls in place to satisfy requirements of the HIPAA Security Rule, HITECH & Omnibus Rule
• Assessment Period: September – December
• Locations Assessed: Startel HQ & Colo (Latisys)

Page 12

PROJECT ACTIVITIES

1. Performed an environment characterization to understand the uses/flows of ePHI throughout Startel
2. Reviewed policies/procedures to identify compliance gaps
3. Reviewed the controls in place to satisfy the IT security-related requirements of HIPAA, HITECH and Omnibus Rule
4. Performed control analysis and testing for the purpose of understanding the level of operating effectiveness
5. Provided detailed assessment results outlining Startel’s HIPAA compliance posture, as well as recommendations

Page 13

STARTEL’S ACTIVITIES

• Performed a risk analysis
• Implemented information system policies & procedures
• Named a security official
• Defined workforce clearance/termination procedures
• Implemented user access rights
• Performed (annual) training and periodic security updates
• Protection from malicious software

Page 14

STARTEL’S ACTIVITIES CONTINUED

• Log-in monitoring and audit controls
• Password management
• Data back-up plan
• Tested Startel applications in Coalfire Lab
• Acquired secure shredding bins
• Created breach notification procedures
• Modified ATSI Sample BA agreements for users to sign

Page 15

REPORT FINDINGS: HIPAA/HITECH COMPLIANCE PROGRAM ASSESSMENT REPORT

Page 16

REPORT KEY

Full compliance for a given requirement is based on two objectives:
• Assess whether or not Startel has defined policies/procedures to meet the requirement
• Determine if appropriate controls have been implemented

If requirements are not fully met, the compliance status is identified as “Partially Compliant”

Standards and implementation specifications that don’t apply to Startel are identified as “Not Applicable” (N/A)

Page 17

STARTEL’S HIPAA COMPLIANCE SCORECARD

Page 18

STARTEL’S HIPAA COMPLIANCE POSTURE

Page 19

ADMINISTRATIVE SAFEGUARDS

Page 20

ADMINISTRATIVE SAFEGUARDS CONT.

Page 21

PHYSICAL SAFEGUARDS

Page 22

TECHNICAL SAFEGUARDS

Page 23

ORGANIZATIONAL SAFEGUARDS

Page 24

POLICIES, PROCEDURES & DOCUMENTATION REQUIREMENTS

Page 25

HITECH ACT & OMNIBUS RULE – IT SECURITY PROVISIONS

Page 26

RECOMMENDATIONS

WORKFORCE SECURITY: Workforce Clearance Procedure (A)

• Create procedures for obtaining appropriate sign-offs to grant or terminate access to ePHI
• Modify Company policies to require that background checks be performed on all potential employees prior to hire

Page 27

RECOMMENDATIONS

INFORMATION ACCESS MANAGEMENT: Access Establishment and Modification (A)

• Ensure that a documented review of user access and privileges is performed monthly
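The two recommendations above (sign-offs for granting and terminating ePHI access, and a documented monthly review of user access) are procedural, but the review itself can be driven by a script. The following is an added example, not Coalfire's or Startel's own tooling: it compares a constructed HR roster against the constructed user table of an ePHI application and returns the findings a reviewer would have to sign off on. The 90-day dormancy threshold and all sample names are assumptions for the illustration.

```python
from datetime import date, timedelta

# Constructed sample data: an HR roster and the accounts found in an
# ePHI application's user table. None of this comes from the assessment.
HR_ROSTER = [
    {"employee_id": "E100", "name": "A. Agent", "status": "active"},
    {"employee_id": "E101", "name": "B. Billing", "status": "active"},
    {"employee_id": "E102", "name": "C. Contractor", "status": "terminated"},
]

APP_ACCOUNTS = [
    {"user_id": "aagent", "employee_id": "E100", "role": "operator",
     "enabled": True, "last_login": date(2014, 1, 20)},
    {"user_id": "bbilling", "employee_id": "E101", "role": "admin",
     "enabled": True, "last_login": date(2013, 9, 1)},
    {"user_id": "ccontract", "employee_id": "E102", "role": "operator",
     "enabled": True, "last_login": date(2013, 12, 15)},
    {"user_id": "shared-night", "employee_id": None, "role": "operator",
     "enabled": True, "last_login": date(2014, 1, 21)},
]

# Assumed threshold for the illustration; HIPAA does not prescribe a number.
DORMANT_AFTER = timedelta(days=90)


def review_access(roster, accounts, review_date, dormant_after=DORMANT_AFTER):
    """Return (user_id, finding) pairs for the monthly access review."""
    status_by_employee = {e["employee_id"]: e["status"] for e in roster}
    findings = []
    seen_ids = set()
    for acct in accounts:
        uid = acct["user_id"]
        # Unique User Identification: the same id must not appear twice.
        if uid in seen_ids:
            findings.append((uid, "duplicate user id"))
        seen_ids.add(uid)
        if not acct["enabled"]:
            continue  # disabled accounts carry no access to review
        emp = acct["employee_id"]
        if emp is None:
            # A shared or unowned account cannot be traced to one person.
            findings.append((uid, "account not tied to a named individual"))
        elif status_by_employee.get(emp) != "active":
            # Termination procedure was not completed in this system.
            findings.append((uid, "enabled account for non-active workforce member"))
        last = acct["last_login"]
        if last is None or review_date - last > dormant_after:
            findings.append((uid, "dormant account"))
        if acct["role"] == "admin":
            # Privileged access needs an explicit sign-off each review.
            findings.append((uid, "privileged role; confirm sign-off"))
    return findings


def review_record(roster, accounts, review_date):
    """Produce the documented record that the review actually took place."""
    findings = review_access(roster, accounts, review_date)
    return {
        "review_date": review_date.isoformat(),
        "accounts_reviewed": len(accounts),
        "findings": findings,
        "actions_required": bool(findings),
    }


if __name__ == "__main__":
    for line in review_access(HR_ROSTER, APP_ACCOUNTS, date(2014, 1, 31)):
        print(*line, sep=": ")
```

The record returned by `review_record` is the artefact to keep: the recommendation is for a *documented* review, so the output should be stored with the reviewer's sign-off rather than discarded after the terminal scrolls by.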

Page 28

RECOMMENDATIONS

SECURITY INCIDENT PROCEDURES: Testing and Revision Procedure (A)

• Review and test BCDR Plan on an annual basis
• Document results and implement improvements

Page 29

RECOMMENDATIONS

ACCESS CONTROL: Encryption & Decryption (A)

• Ensure that ePHI is encrypted at rest. This includes managed clients’ CMC databases as well as the Startel Appointment Scheduler and Startel Secure Messaging databases.

Page 30

RECOMMENDATIONS

AUDIT CONTROLS: Change Management (R)

• Ensure that all changes to hardware and software in the ePHI environment go through a formal Change Management policy and strategy for production systems

Page 31

RECOMMENDATIONS

POLICIES, PROCEDURES AND DOCUMENTATION: Updates (R)

• Review Company’s IT policies and procedures annually
• Document changes to environment and any potential risks

Page 32

REPORT FINDINGS: HIPAA SECURITY RULE – TECHNICAL SAFEGUARDS APPLICATION ASSESSMENT REPORT FOR EPHI COMPLIANCE

Page 33

OVERVIEW

Objectives:
• To determine if the HIPAA Security Rule for ePHI applies to Startel’s Application Suite
• To determine if Startel’s Application Suite is compliant with HIPAA’s Technical Safeguards via Lab Testing

Assessment Period: December 10-14, 2013
Testing Access: Remote

Page 34

PROJECT SCOPE

Page 35

PROJECT SCOPE CONTINUED

Page 36

PROJECT ACTIVITIES

1. Testing of Startel’s Application Suite in Coalfire’s lab environment including:
   a. Lab set-up and application implementation following vendor guidance
   b. Technical testing of the application in the lab environment
   c. Review of all relevant documentation
   d. Interview of vendor personnel
2. Completion of the HIPAA Security Rule – Technical Safeguards Assessment Report

Page 37

SUMMARY RESULTS

On January 3, 2014, Coalfire completed the full assessment testing process and found the Startel Application Suite to be fully compliant with all applicable requirements of HIPAA’s Technical Safeguards (Part 164.312)

Page 38

KEY FEATURES OF STARTEL’S HIPAA-COMPLIANT APPLICATION SUITE

• Unique User Identification (R)
• Emergency Access Procedures (R)
• Automatic Log Off (A)
• Encryption and Decryption (A)
• Audit Controls (R)
• Mechanism to Authenticate ePHI (A)
• Person or Entity Authentication (R)
• Integrity Controls (A)
• Encryption of Transmitted ePHI (A)

Page 39

RECOMMENDATIONS

Unique User Identification (R)
• Develop & maintain access control documentation of the application’s access controls in relation to establishing unique user IDs

Emergency Access Procedure (R)
• Application users should develop & maintain a BCDR plan; include how to restore the application and access to ePHI data

Page 40

RECOMMENDATIONS

Automatic Log Off (A)
• Develop & maintain access control documentation in relation to how the application enforces automatic log off of sessions
• Change log-off for period of inactivity from 30 mins to 15 mins
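To make the 30-to-15-minute change concrete, here is an added example (not Startel's application code) of how an application-side session table can enforce an idle limit. The clock is passed in on every call so the behaviour can be reasoned about without waiting real minutes; the token and user names are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The two idle limits discussed in the recommendation.
OLD_IDLE_LIMIT = timedelta(minutes=30)
NEW_IDLE_LIMIT = timedelta(minutes=15)


@dataclass
class Session:
    user_id: str
    last_activity: datetime


class SessionStore:
    """In-memory session table with idle-timeout enforcement (illustrative)."""

    def __init__(self, idle_limit=NEW_IDLE_LIMIT):
        self.idle_limit = idle_limit
        self._sessions = {}
        # (time, user_id, event) records; feeds the application's audit controls.
        self.audit_log = []

    def login(self, token, user_id, now):
        self._sessions[token] = Session(user_id, now)
        self.audit_log.append((now, user_id, "login"))

    def _expire(self, token, now):
        session = self._sessions.pop(token)
        self.audit_log.append((now, session.user_id, "auto-logoff"))

    def touch(self, token, now):
        """Call on every request. Returns True and refreshes the session if it
        is still valid; logs the user off and returns False once the idle
        limit has been reached (reaching the limit exactly counts as idle)."""
        session = self._sessions.get(token)
        if session is None:
            return False
        if now - session.last_activity >= self.idle_limit:
            self._expire(token, now)
            return False
        session.last_activity = now
        return True

    def sweep(self, now):
        """Background task: log off idle sessions whose workstation never
        sends another request (an unattended desk). Returns the count."""
        expired = [t for t, s in self._sessions.items()
                   if now - s.last_activity >= self.idle_limit]
        for token in expired:
            self._expire(token, now)
        return len(expired)

    def active_users(self):
        return sorted(s.user_id for s in self._sessions.values())


if __name__ == "__main__":
    t0 = datetime(2014, 1, 3, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    store.login("tok-1", "agent1", t0)
    print(store.touch("tok-1", t0 + timedelta(minutes=20)))  # False under the 15-minute limit
```

Two points the code makes that the slide does not: activity resets the clock, so a user who keeps working is never interrupted, and the `sweep` task is what actually closes a session at an unattended workstation, since `touch` only runs when a request arrives.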

Page 41

RECOMMENDATIONS

Encryption/Decryption (A)
• Develop & maintain encryption documentation which describes how the application implements requirements for encrypting/decrypting ePHI at rest
• Encrypt ePHI stored by the application (data at rest) using strong encryption algorithms and key lengths

Page 42

RECOMMENDATIONS

Audit Controls (R)
• Develop and maintain audit control documentation which describes how the application implements requirements for audit and logging of access to ePHI
• Maintain a log of all activity in the application

Page 43

RECOMMENDATIONS

Mechanism to Authenticate ePHI (A)
• Develop & maintain documentation which describes how the application implements requirements to protect ePHI from improper alteration or destruction
• Employ encryption technology/integrity-checking controls to detect a change to ePHI made outside the application
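One integrity-checking control of the kind the recommendation describes is a keyed message authentication code stored alongside each record. The following is an added example, not Startel's implementation: the application computes an HMAC-SHA256 tag over a canonical form of each record with a key only the application holds, so an edit made directly in the database (where the key is not available) fails verification. The record fields and the key are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record):
    """Serialize a record deterministically so the same content always
    yields the same tag, whatever the key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal_record(record, key):
    """Attach an HMAC-SHA256 tag computed by the application."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify_record(sealed, key):
    """Recompute the tag and compare in constant time. False means the data
    or the tag was changed by something that did not hold the key."""
    expected = hmac.new(key, canonical_bytes(sealed["data"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def find_tampered(rows, key):
    """Integrity sweep over a table of sealed rows; returns failing ids."""
    return [row["data"]["record_id"] for row in rows
            if not verify_record(row, key)]


# Constructed demo key. In production the key lives in the application's key
# store, never in the same database as the records it protects; a hash alone
# (no key) would not do, since whoever edits the row could recompute it.
DEMO_KEY = secrets.token_bytes(32)


def demo():
    # Constructed sample records, not real patient data.
    records = [
        {"record_id": "R1", "patient": "J. Doe", "note": "callback requested",
         "phone": "555-0100"},
        {"record_id": "R2", "patient": "A. Roe", "note": "appointment moved",
         "phone": "555-0101"},
    ]
    table = [seal_record(r, DEMO_KEY) for r in records]
    # An edit made directly in the database, bypassing the application.
    table[1]["data"]["phone"] = "555-0199"
    return find_tampered(table, DEMO_KEY)


if __name__ == "__main__":
    print("records failing integrity check:", demo())
```

The sweep in `find_tampered` is what turns the control into detection: run it on a schedule and write its result to the audit log, so an out-of-band change is noticed rather than merely being detectable in principle.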

Page 44

RECOMMENDATIONS

Person or Entity Authentication (R)
• Develop & maintain encryption documentation which describes how the application implements requirements for verifying that access to ePHI is limited to the one claiming access
• Authenticate each user or entity for each device they are permitted to use to access ePHI

Page 45

RECOMMENDATIONS

Integrity Controls (A)
• Develop & maintain encryption documentation which describes how the application implements ePHI requirements for integrity of transmission of ePHI
• Employ electronic mechanisms to ensure that ePHI transmitted across networks is not improperly modified without detection until disposed of

Page 46

RECOMMENDATIONS

Encryption of Transmitted ePHI (A)
• Develop & maintain documentation which describes how the application implements ePHI requirements for encryption of transmitted ePHI
• Encrypt ePHI using strong algorithms & key lengths (SSL/TLS)
• Certificates should be signed by a Certificate Authority, not self-signed
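The point about CA-signed certificates is only enforced if the client end of the connection actually checks the chain. As an added example (not Startel's code), the following Python `ssl` configuration shows the client settings under which a self-signed or wrong-host certificate is rejected, the weakened settings that silently accept one, and a small audit function that tells the two apart; the `ca_bundle` parameter is an assumption for the illustration.

```python
import ssl


def build_client_context(ca_bundle=None):
    """TLS client settings for a component that transmits ePHI.
    ca_bundle: path to the CA certificates to trust; None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True                      # certificate must name the host dialed
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must lead to a trusted CA
    return ctx


def weak_client_context():
    """The settings pattern that lets a self-signed or forged certificate through."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be turned off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: self-signed or "
                        "untrusted certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any "
                        "other host would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_client_context()))
    print("weak:", audit_context(weak_client_context()))
```

With the hardened context, `ctx.wrap_socket(sock, server_hostname=host)` raises `ssl.SSLCertVerificationError` during the handshake when the server presents a self-signed certificate; with the weak one the handshake succeeds and the ePHI flows to whoever answered, which is why the audit function treats `CERT_NONE` as the first finding.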

Page 47

HIPAA SECURITY BEST PRACTICES

Page 48

SAFEGUARD YOUR ORGANIZATION

• Perform a risk assessment of your environment
• Implement/update IT policies to include HIPAA
• Name a security official
• Ensure user IDs are unique; review user access rights
• Monitor log-ins
• Create/update workforce clearance and termination procedures to ensure they address HIPAA

Page 49

SAFEGUARD YOUR ORGANIZATION CONT.

• Perform annual training and periodic security updates
• Install protection from malicious software
• Update passwords following HIPAA recommendations
• Implement/update/test BCDR plan
• Issue/Sign BA agreements with CE/BA/sub-contractors
• Create breach notification procedures

Page 50

WHAT YOU CAN DO TO PROTECT PHI/EPHI

• Lock computer workstation when not at desk
• Lock up portable devices and documents that may contain sensitive information at the end of each work day
• Don’t forward work emails with sensitive info to personal email accounts
• Don’t upload sensitive info to unauthorized websites

Page 51

WHAT YOU CAN DO TO PROTECT PHI/EPHI CONTINUED

• When traveling, keep equipment in your possession
• Don’t leave documents that contain PHI on printers or fax machines, or on your desk when you are not there
• Dispose of papers containing PHI via secure shredding bin
• When exiting a screen, close out of all systems

Page 52

SUMMARY

Page 53

IN CONCLUSION

• Startel & Startel Application Suite have been deemed HIPAA-compliant by Coalfire Systems!
• Reports available for users on Startel Partner Portal
• Reproduction or distribution of the Reports with any non-user (end user included) requires approval from Coalfire and Startel
• For questions regarding Startel’s HIPAA-compliance, contact [email protected]

Page 54

THANK YOU!

Questions & Answers: all questions are good questions