Audits Accounting of disclosures

Size: px

Start display at page:

Download "Audits Accounting of disclosures"

Rolf Sims
6 years ago
Views:

1 Once more unto the breach Mastering HIPAA s data breach notification requirements September 20, 2011 Presented by: Kathy Kenady Senior Loss Prevention Representative Medical Insurance Exchange of California Agenda Risk assessment Reporting a breach Lessons learned Audits Accounting of disclosures 1

2 Terms PHI = Protected Health Information CE = Covered entity HIPAA Privacy Rule HIPAA Security Rule HITECH Act HITECH data breach notification HIPAA formerly complaint-driven Patients often unaware of violations Now CEs must report breaches of confidentiality to OCR, patients, and sometimes media Audits 2

3 Data breach Unauthorized disclosure of, or access to, unsecured PHI Unauthorized refers to the HIPAA rules; specific patient authorization not always required Unsecured PHI PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals. Can be in any medium Paper Electronic 3

4 Secured PHI Must be encrypted and/or destroyed in accordance with federal guidelines g National Institute of Standards and Technology (NIST) Note: encryption still not mandated dtdb by HIPAA Encryption standards Data at rest: NIST Special Publication , Guide to Storage Encryption Technologies for End User Devices. Data in motion: NIST Special Publications , Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; , Guide to IPsec VPNs; or , Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) validated. 4

5 Destruction standards NIST Special Publication , Guidelines for Media Sanitation, Breach examples: Stolen (unencrypted) laptop Network server hacked Patient EOB mailed to wrong addresses 5

6 Ignorance is not bliss Physicians will be held accountable for breaches that, through the exercise of reasonable diligence, should have been known to them. Implement systems to detect breaches Train staff to notify Privacy/Security officer immediately upon knowledge or suspicion of a breach Returned mail Files or electronic devices lost or stolen Work with IT and software vendors Unauthorized access to network Possibly audit staff access to EMR 6

7 Breach identified: Now what? Conduct a risk assessment Harm threshold! Include any business associates involved in the breach Document the details of your risk assessment Risk Assessment Would an unauthorized person reasonably be able to access or retain the PHI? Is PHI unsecured? Was it immediately retrieved? Is there evidence that the information wasn t accessed? Electronic forensic Unopened paper 7

8 Risk assessment In whose hands did the PHI land? Exemptions: Unintentional access by a workforce member Inadvertent disclosure to a workforce member acting in good faith within the scope of his or her duties In either case: PHI must not be further used or disclosed improperly Risk assessment Can the information breached cause significant risk of financial, reputational, or other harm? There may be less risk of harm if PHI was disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency recipient entity is obligated to protect the information Immediately destroy or mail back Fact- and case-specific Famous person? Known to each other? 8

9 If there was a breach: Determine the number of affected individuals Proceed with notification Method of notification Victims of breaches must be notified without unreasonable delay and no later than 60 calendar days after discovery of the breach A breach is considered discovered on the first day a covered entity knows or should have known about it < 500 individuals (patients): Annual notice to HHS individuals: HHS and media outlets must be notified without unreasonable delay 9

10 Method of notification Notify affected individuals (or next of kin if deceased) Written notification by 1 st class mail or if patient prefers Follow-up mailings, if necessary, as more information becomes available Contents of notice Brief description of what happened Date of breach and date breach discovered The type of information disclosed Full name, social security #, date of birth, home address, account number, disability code, etc. Steps the patient should take to protect him or herself Notify credit card company What you are doing to investigate & mitigate Pay for identity theft protection service or credit monitoring service Contacts for questions or additional information 10

11 Insufficient contact information? < 10 patients: alternative written notice, telephone, or other means 10+ patients: Conspicuous posting on home page of your web site for at least 90 days, or Conspicuous posting in major print or broadcast media likely to be seen by patients A toll-free number must be provided for at least 90 days where individuals can learn whether their information was breached Law enforcement exception Law enforcement official may request delay in writing if notification would impede a criminal investigation or cause damage to national security If law enforcement makes request orally, document the request, including the name of the official, i and delay notification i no longer than 30 days unless the official submits a request in writing specifying a longer delay 11

12 Data breaches reported to HHS 330 breaches reported as of Sept (500 or more individuals affected) Recent congress report: 30,000 smaller breaches from Sept to Dec >72,000 people Cause of breaches Theft/Loss Improper disposal Unauthorized access/disclosure Hacking 12

13 Reported breaches in order of prevalence 69 laptops 58 paper 21 unauthorized access/disclosure 18 theft 14 improper disposal 5 loss 42 desktop computer (theft, hacking) 39 portable electronic device (external hard drive, USB, etc.) Reported breaches in order of prevalence 29 network server 15 Other 7 3 EMR 3 Hard drive 3 mailings 2 back up tapes 1 CDs 13

14 Cloud computing NIST publication , Cloud Computing Synopsis and Recommendations OCR case descriptions A binder and clipboard were missing from a file room 4,083 individuals PHI Names, SSN, DOB Remediation CE transferred all logs to electronic database Electronic database accessible by authorized workforce members only Improved physical safeguards and retraining employees 14

15 OCR case descriptions A BA employee sent an to multiple patients w/o concealing pt addresses 937 individuals Dietary program Remediation BA counseled employee & retrained all employees OCR case descriptions File server at the Office of Health Services was compromised and impermissibly accessed 27,000 individuals PHI names, addresses, dx codes, name of meds Rx d, medication costs and SSNs Remediation Server removed from network Individuals and media notified Operating system replaced Additional i technical safeguards implemented 15

16 OCR case descriptions A nurse used the PHI of patients to obtain narcotics for her personal use 600 individuals affected PHI Names and account numbers Remediation Nurse terminated Monthly audit of Schedule II narcotics by each patient care dep t, matching med dispense log to the order and bill OCR case descriptions A shared desktop computer was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite unlocked 857 individuals Names, DOB, clinical info Remediation Individuals & media notified Technical safeguard: encryption Administrative safeguard: training of staff and cleaning crew 16

17 OCR case descriptions Employee left external hard drive in a vehicle that was stolen 15,500 individuals PHI Names, med record #s, care and treatment, DOB, age, gender, phone numbers Remediation Employee terminated for violating policies Deployment of a removable media encryption software tool OCR case descriptions Employee s laptop stolen out of her bag while she was making an admission visit in a patient s home CE had policy of encrypting computers, but employee changed security settings 1,000 individuals id PHI Names, addresses, DOB, phone #s, SSN, Medicare #s, electronic health records, commercial insurance info Remediation Notified patients and media, web site Sanctioned employee Established stringent computer security guidelines and trained staff 17

18 OCR case descriptions An imposter, posing as a representative of the recycling service used by the CE, removed several barrels of purged x- ray films and jackets individuals Remediation Patients notified and offered credit monitoring Root cause investigation Employees retrained on verification of identity P&Ps OCR case descriptions BA prepared a request-for-proposal which mistakenly included PHI. Posted online for 5 days. 22,642 individuals PHI SSN, DOB, gender, zip codes, enrollment info Remediation CE now requires several layers of review before allowing public disclosure of documents prepared by the BA BA provided patients with credit monitoring, fraud resolution resources, and identity theft insurance BA provided CE with assurances that it has taken steps to prevent this type of disclosure in future 18

19 Recently in the news...stanford 20,000 emergency room patients Names & diagnosis codes Online publicly for nearly one year Student of Fortune Data breaches reported to MIEC Stolen laptops Paper records in storage facility 19

20 Solutions: Don t allow any unsecured PHI to leave the office Ensure physical and technical safeguards of information in the office Full disk encryption cheap and easy laptops, desktops, servers, USBs and external hard drives. PDAs and smartphones Very difficult to ensure security At a minimum: Password protection iphone 4 allows you to disable simple passcode of four digits and re-enter a stronger passcode with more digits/characters Auto Erase feature erases data on the phone after ten failed attempts at the passcode Remote wipe capability VPN (Virtual Private Network) California law Physicians must notify patients of breaches of unencrypted computerized personal information. Social security number Drivers license or CA ID number Account number, credit or debit card number, in combination with any required security, access code or password that would permit access to an individual s financial account Medical information regarding medical history, mental or physical condition, or medical treatment or diagnosis Health insurance information 20

21 California law A good faith acquisition of personal information by an employee or agent of the physician is not considered a breach so long as the information is not used or subject to further unauthorized disclosures Notification ASAP and without unreasonable delay California law Notification made by written or electronic notice If cost of direct notice >$250,000, or if more than 500,000 people must be notified, or if the business doesn t have sufficient contact information: notice to every person for whom you have an address, and Conspicuous posting on web site; and Notify major statewide media 21

22 California Institutional Provider Law Licensed clinics, health facilities, home health agencies, and hospices Individually identifiable information in electronic or physical form Notify CDPH and patient(s) no later than 5 business days after breach detected 2010 Study: U.S. Cost of data breach Average cost: $214 per record Lost business, ex-post response, notification, detection & escalation In healthcare, customer turnover is main cost Avg. cost: $258 per record if on lost or stolen laptop or other mobile data-bearing device Forensics difficult and costly. 22

23 2010 Study: U.S. cost of data breach Malicious or criminal attacks are the most expensive cause of data breaches Negligence remains most common threat at 41% Penalties and enforcement HHS authorized to investigate complaints of suspected noncompliance Tiered civil monetary penalties based on the amount of neglect and intent from $ to $1.5 million per violation (with caps) Compliance audits State attorney generals empowered to enforce some HIPAA elements 23

24 Compliance audits Risk-based (size, type of entity) Not complaint- or breach-driven 150 CEs by end of 2012 Entities will be given advance notice Aggregate findings released for education Compliance audits: key concerns Incident detection and response Review of log access Secure wireless network Management of user access and passwords Theft or loss of mobile devices Up-to-date software Role-based access 24

25 Incident detection and response CEs and BAs: are you reasonably logging and reviewing system activities in a way that is likely to detect breaches? Staff trained to spot a breach and report it to the appropriate person? Review of log access Not expected to review every instance of access Targeted approach Patterns of unusually large access by an employee High-risk areas such as records of VIPs 25

26 Secure wireless network Encryption turned on Administrative access to configure the wireless access is password protected Management of user access and passwords Prohibit sharing of user IDs Configure systems to require strong passwords Access to administrative accounts closely controlled 26

27 Theft or loss of mobile devices Policies & training on safeguarding Encryption Store PHI centrally rather than on the device itself Up-to-date software Ensure that patches that address vulnerabilities are pushed out to workstations regularly Consider upgrading software or operating system if version is no longer supported by the vendor Keep anti-malware software up-to-date 27

28 Role-based access Balance security risks with patient safety Closely monitored break-the-glass glass solution Business Associates (BA) BA: those who access PHI as they are performing services on behalf of a physician Accountant Collections Transcriptionist IT service providers Copy services, etc. Physician s responsibility to conduct risk assessment and disclose breaches, even if fault of BA acting on physician s behalf 28

29 BA agreements Update to incorporate data-breach notification requirements: the time frame, method and content of the notification. Patient control of PHI EHR: patients have the right to obtain a copy of their record in electronic format Requests to withhold PHI from health plans for health care operations or payment purposes must be granted if: The patient pays you in full, out-of-pocket Genetic testing, etc. 29

30 EMR: Accounting of disclosures Produce upon patient request an accounting of all disclosures within the past three years: TPO Patient signed authorization Internal access Disclosures by BAs on behalf of CE Or list of all BAs and contact information Should be in BA agreement that they must produce accounting of disclosures EMR: Accounting of disclosures Effective as of Jan if: The CE obtained EMR after Jan 2009 The CE obtained EMR after Jan Effective as of Jan if: The CE obtained EMR before Jan

31 To do: Incorporate HITECH provisions into existing privacy and security policies and procedures Identifying breaches Update BA agreements Update NPP to include breach policies, patient control of & access to information Accounting of disclosures (EHR) Re-evaluate existing data security in light of new provisions How and where is unsecured PHI used and stored? Can it be encrypted? Vet and evaluate the security of BAs before sharing information. Pick vendors that can guarantee data protection through encryption, including employees mobile devices Train staff accordingly Establish sanctions for violations Questions? 31

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2009 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers