View the Replay on YouTube

Size: px

Start display at page:

Download "View the Replay on YouTube"

Annis Morton
5 years ago
Views:

1 View the Replay on YouTube HIPAA Omnibus Rule: Education & Practical Application for Breach Notification FairWarning Executive Webinar Series February 19, 2013

2 Agenda Breach Notification changes under the Final HITECH Rule What has not changed under the Final HITECH Rule Re-assessing Risk Assessment & What Constitutes a Breach Case examples before and after the Final HITECH Rule Breach Notification & Patient Privacy Monitoring FairWarning Managed Services Questions

3 Today s Panel Edward F. Shay Principal, Post & Schell, P.C. eshay@postschell.com Kurt J. Long FairWarning Founder and CEO Kurt@FairWarning.com Chuck Burbank FairWarning Director of Managed Services Chuck@FairWarning.com

4 The HITECH Breach Notification Rule Re-thinking Risk Assessment Edward F. Shay Principal, Post & Schell,PC

5 Objectives How has breach notification changed under the Final HITECH Rule ( FHR )? How has breach notification not changed under the FHR? Re-assessing Risk Assessment and What Constitutes a Breach Working through some case examples before and after FHR

6 How Did We Get Here? In 2009, Congress enacted HITECH, including requiring breach notification HHS issued an interim final breach notification rule ( IFR ) on August 24, 2009 FHR issued on January 25, 2013

7 How Has Breach Notification Changed? Four significant changes under the FHR: Major change in how a breach is evaluated Major change in what must be demonstrated to determine if a breach occurred Greater exposure to HITECH s huge penalties An evolving concept of the business associate adds complexities and risks

8 How Has Breach Notification Not Changed? The statutory/regulatory exceptions to what is a breach have not been changed, but remain narrow and often inapplicable Almost all other aspects of the IFR breach notification process remain unchanged For example: Notice content and timing is unchanged Law enforcement delay is unchanged Notification by business associates has one minor change

9 Re-assessing Risk Assessment Under the IFR, a breach was defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information. And: compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.

10 Re-assessing Risk Assessment HITECH fundamentally changed what is meant by: compromises the security or privacy of the protected health information.

11 Elements of the Final HITECH Rule Risk Assessment Standard Possible breach is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: (i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (ii) The unauthorized person who used the protected health information or to whom the disclosure was made; (iii) Whether the protected health information was actually acquired or viewed; and (iv) The extent to which the risk to the protected health information has been mitigated

12 Inside Factor One Nature/extent of PHI involved, types of identifiers and re-identification risk Whether data of sensitive nature Financial, credit card, SSN, DLN Risk of ID theft? Type, amount and effect of clinical data Potential for harm to individual or value to unauthorized person

13 Inside Factor Two Unauthorized user/disclosure recipient? Differences between snoopers, hackers and surfers ID thief versus hardware thief Does recipient have duty to protect? Ability to re-identify

14 Inside Factor Three Whether PHI was actually accessed/used? Must consider actual vs opportunity Must affirmatively show PHI not accessed Cannot just assume no access System/computer forensics used as example

15 Inside Factor Four Extent risk to PHI has been mitigated? Should always attempt to mitigate Consider obtaining assurances Keep PHI confidential Agree to return/destroy Keep in mind Security Rule requirements on responding to security incident, reassess risk, manage risks

16 Everything: What s Different? Focus is on harm to the PHI, not on harm to the subject individual Each factor measures an aspect of risk to the PHI OCR has said all four factors must be considered The assessment must conclude there is a low probability of risk

17 What s Different? Presumption and burden of proof The FHR presumes that a possible breach is an actual breach Absent proof that there is a low probability of risk, the covered entity must make notifications Burden of proof is on the covered entity/business associate Covered Entity/business associate has duty to document

18 Challenges Entities must often prove the negative Lost PHI is presumed to be compromised PHI OCR has not said what proof is adequate proof Disregard of duty/carelessness is willful neglect and creates major CMP exposure Strong incentive to over-report Disputes between parties

19 How Will It Work? Case One Laptop stolen from CCU workstation with patient names, date of admission and EKG results. Old assessment: no risk of harm. No SSN, DLN or other sensitive data. Almost same data as permitted directory disclosure. New assessment: cannot prove anything about unauthorized person, or disprove actual acquisition; and, no real way to mitigate.

20 How Will It Work? Case Two Nurse surfs EHRs during graveyard shift to help pass the time. Old assessment: No risk of harm. Denies ever copying, ing or saving any PHI. Simply bored and idly curious. Found credible, disciplined. New assessment: Clear breach. Nurse unauthorized. PHI actually acquired. Nature and extent of PHI all inclusive.

21 Case Three How Will It Work? Business associate maintains disease registry hosted by subcontractor. During upgrade rollout, new software anomaly is found that could allow users to access all entries in database. Old Rule: No risk of harm because no evidence anyone ever actually obtained unauthorized access. New Rule: Presumption of unauthorized access cannot be disproved. Forensics shows user access but cannot track to individual files. Duty to notify and report.

22 What Does This Mean? Attempts to prove low probability will require strong, objective and credible evidence May be better to simply report than risk wrongful assessment OCR may be inundated Sets stage for major contractual disputes under business associate agreements Puts a huge premium on encryption wherever possible

23 Contact Information Edward F. Shay

24 HIPAA Omnibus Rule: Education & Practical Application for Breach Notification FairWarning Executive Webinar Series February 19, 2013

OCR Creates Clarity to Enable Care Providers to Move Forward with User Activity Monitoring July 2012: OCR/HHS Findings from initial KPMG audits reveals patient privacy monitoring aka

50 40 30 20 10 User Activity Monitoring #1 Security Compliance Deficiency 0 Fines continue to hit healthcare systems across the nation.

compliance of HIPAA. Meaningful Use: Stage 2 November 2012: MU attestation to be audited to insure compliance of requirements pointing to HIPAA.

25 OCR Creates Clarity to Enable Care Providers to Move Forward with User Activity Monitoring July 2012: OCR/HHS Findings from initial KPMG audits reveals patient privacy monitoring aka User Activity Monitoring is the chief security compliance deficiency in hospitals. The empirical data is a call that underscores the importance of protecting patient privacy User Activity Monitoring #1 Security Compliance Deficiency 0 Fines continue to hit healthcare systems across the nation. Enforcement continues, even in the small organizations November 2012: OCR Director Leon Rodriquez says that Audits may continue in second half of 2013 and certainly in 2014 to insure compliance of HIPAA. Meaningful Use: Stage 2 November 2012: MU attestation to be audited to insure compliance of requirements pointing to HIPAA. The Significance of the Omnibus Rule Harm threshold goes away Burden of proof to disprove improper access is on the care provider and business associate Maintaining documentation is mandatory Investigate how PHI was used/acquired Assess the risk Identify the type of PHI involved

26 HIPAA Audit Protocol FairWarning 3.1 Maps Directly to OCR HIPAA Audit Protocol Security Requirements HIPAA Security Rule Established Performance Criteria Key Activity Audit Procedures FairWarning Solution (a)(1)(ii)(D): Security Management Process - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Develop and Deploy the Information System Activity Review Process Inquire of management as to whether formal or informal policy and procedures exist to review information system activities; such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to specified performance criteria to determine if an appropriate review process is in place of information system activities. Obtain evidence for a sample of instances showing implementation of covered entity review practices Determine if the covered entity policy and procedures have been approved and updated on a periodic basis. FairWarning Analytics and Reports enable reviewing of information system activity, such as audit logs and access reports. FairWarning Investigations centralize management and tracking of security incidents (b) Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Determine the Activities that Will be Tracked or Audited Inquire of management as to whether audit controls have been implemented over information systems that contain or use ephi. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ephi. FairWarning Analytics record and examine activity in systems with ephi. These Analytics can then be automated as Enforced Policies to proactively alert users of any activity that is being tracked or audited.

27 HIPAA Audit Protocol FairWarning 3.1 Maps Directly to OCR Audit Protocol HIPAA Security Requirements HIPAA Security Rule Established Performance Criteria Key Activity Audit Procedures FairWarning Solution (b) Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Select the Tools that Will be Deployed for Auditing and System Activity Reviews Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information. FairWarning s Ready Programs maps to and supports over 185 applications that touch ephi. Nearly 50 applications have been fully certified by FairWarning to provide the necessary data to effectively audit access to ephi (b) Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Develop and Deploy the Information System Activity Review/Audit Policy Inquire of management as to whether a formal or informal audit policy is in place to communicate the details of the entity's audits and reviews to the work force. Obtain and review formal or informal policies and procedures and evaluate the content in relation to the specified criteria to understand whether a formal audit policy is in place to communicate the details of the entity's audits and reviews to the work force. Obtain and review an , or some form of communication, showing that the audit policy is communicated to the work force. Alternatively, a screenshot of the audit policy located on the entity's intranet would suffice. The FairWarning Implementation Toolkit is an open copyright best practices guide on how other customers implemented formal audit policies and how to communicate that to the work force (b) Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Develop Appropriate Standard Operating Procedures Inquire of management as to whether procedures are in place on the systems and applications to be audited and how they will be audited. Obtain and review management's procedures in place to determine the systems and applications to be audited and how they will be audited. FairWarning centralizes where and how applications are audited. All systems touching ephi can be audited through the FairWarning Analytics and Reports. These audits can be automated as Enforced Policies and all investigations can be centrally managed within the product. Governance and dashboard reports give executive views of the effectiveness of the policies being enforced.

28 FairWarning Patient Privacy Monitoring: A Platform for Developing a Culture of Privacy Compatible with Every Major EHR and Over 185 Applications Used in Healthcare User and Patient Access Reports Cerner MEDITECH Siemens Streamline Health Collaborative Patient Privacy Monitoring Privacy Breach Detection Analytics and Alerts Governance and Compliance Effectiveness Investigations and Legal Defense

29 Sample Workflow Step 1: Initiate & Review Process Enforced policy triggers in Customer s FairWarning Privacy Monitoring Automated Alert Sent Chief Privacy Officer Notifies Analyst Healthcare provider receives patient complaint Analyst Reviews related reports Investigates for inappropriate access Works with management to gather more information Validates Findings

be closed without incident Access reported to be inappropriate; recommend taking

30 Sample Workflow Step 2: Investigation & Completion Analyst Document Results in Customer s FairWarning Privacy Monitoring Access reported to be appropriate; recommend investigation be closed without incident Access reported to be inappropriate; recommend taking appropriate action Shares investigation results with Management Management takes appropriate action

31 Managed Services - Overview No Need to Recruit Staff Healthcare Privacy and Security Personnel are in high demand and short supply No employee payroll taxes (Social Security, Medicare, Unemployment, etc.) No employee benefits No attrition issues, they become our problem Consistent Staffing No need to worry?

32 Managed Services - Overview Best Practices and Expert Knowledge Day One Reduces the risk window by 7-12 months Normal time to recruit is 3-6 months Normal learning curve is 4-6 months Enforced policies (automated alerts) based on best practices Proven workflow and remediation process Staff with first-hand experience dealing with OCR audits 3 rd party independent monitoring

33 Managed Services Learn More For more information contact To see a Presentation on Managed Services Conduct an Audit Readiness Assessment for Patient Privacy Monitoring Receive more information on the Managed Services Offering Receive a Use Case on Managed Services

34 Contact Us Edward F. Shay Principal, Post & Schell, P.C. Kurt J. Long FairWarning Founder and CEO Chuck Burbank FairWarning Director of Managed Services

HIPAA Privacy, Security and Breach Notification

HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance