HIPAA Security & Privacy

Size: px

Start display at page:

Download "HIPAA Security & Privacy"

Marilyn Jackson
6 years ago
Views:

1 HIPAA Security & Privacy New Omnibus Regulations Prepared by Keith Weiner for New York State HIMSS

2 Omnibus Rule Released on January 25, 2013, the final 563 page Omnibus Rule is the largest sweeping change to HIPAA. Effective March 26, 2013 Compliance enforcement starting September 23, 2013 Strengthens privacy and security protections for health information established under the 1996 HIPAA and 2009 HITECH Acts Strengthens OCR s ability to enforce the HIPAA privacy and security protections for both covered entities and business associates Final Rule Modifies Interim Breach Notification Rule But first, some background information

3 HIPAA Background -Security and Privacy Rules- The Health Insurance Portability and Accountability Act of 1996 HHS to protect privacy and security of PHI including ephi Hence - HIPAA Privacy Rule and the HIPAA Security Rule EHR adoption increases risks HIPAA game-changer

Security Rule Goal: Protect privacy of individual s ephi while allowing the adoption of new technologies to improve the quality and efficiency of patient care.

4 Security Rule Goal: Protect privacy of individual s ephi while allowing the adoption of new technologies to improve the quality and efficiency of patient care. Landscape: The EHR marketplace is diverse. Organizations have different risks. One size does not fit all Method: The Security Rule is flexible and scalable to allow the implementation of policies, procedures, and technologies to suit the organization and risk to ephi.

Security Rule Main Components Risk Analysis and Management State Law Administrative Safeguards Policies & Procedures Documentation Requirements

5 Security Rule Main Components Risk Analysis and Management State Law Administrative Safeguards Policies & Procedures Documentation Requirements Physical Safeguards Organizational Requirements Technical Safeguards Enforcement and Penalties for Noncompliance New Omnibus Regulations and Compliance Dates

6 Omnibus Key Points Key Highlights of the HITECH/GINA Updates to HIPAA Privacy and Security Requirements: Business associates must follow the Security Rule for electronic protected health information. Business associates have business associate agreements with their subcontractors who must also follow the security rule for electronic protected health information (PHI). Covered entities do not have business associate agreements with business associates contractors. Marketing requires an authorization. Financial remuneration is defined. Exceptions to marketing are still in place. Business associates must obtain authorizations prior to marketing. Grandfather clause for business associate agreement transition Sale of PHI Source:

7 Omnibus Key Points Key Highlights of the HITECH/GINA Updates to HIPAA Privacy and Security Requirements (Continued): Compound authorizations for research Authorizing future research for use or disclosure Any individually identifiable health information of a person deceased more than 50 years is no longer considered PHI under the Privacy Rule. Covered entities are now permitted to disclose a decedent s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the CE. Covered entities can disclose proof of immunization to a school where state or other law requires it prior to admitting a student. Written authorization is no longer required, but an agreement must still be obtained, which can be oral. The Notice of Privacy Practices must be revised and redistributed. Required restriction to health plan Access to electronic PHI Source:

8 Omnibus Key Points Key Highlights of the HITECH/GINA Updates to HIPAA Privacy and Security Requirements (Continued): Covered entities must provide the recipient of any fundraising communication with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications and that the individual s choice to opt out is treated as a revocation of authorization under the privacy rule. Genetic information may not be used or disclosed for underwriting purposes. The Breach Notification Rule s harm threshold is removed and replaced with a more objective standard. Form and format of electronic copies Fees for paper and electronic copies Timeliness for paper and electronic records Title I of GINA required the Secretary to revise the HIPAA Privacy Rule. Genetic information is health information. Excludes long-term care plans from the underwriting prohibition Source:

9 Omnibus IT Concerns BAA must be updated for new engagements enforced September 23, 2013 BAA must be updated for existing engagements enforced September 23, 2014 Security and Privacy Rules Protections Increased OCR enforcement strengthened Breach notification rule significantly altered

10 OCR Audits Office of the Civil Rights Authority increased with Omnibus ARRA HITECH Act requires HHS to provide for periodic audits Ensures compliance with the HIPAA Privacy and Security Rules and Breach Notification standards. OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. Pilot phase began November 2011 and concluded in December Risk Assessment essential in future audits

11 How OCR Facilitates Balanced Policy Public Awareness Compliance Tools Enforcement Privacy Access Security Rule/Risk Analysis Complaints/Higher Penalties Under HITECH Security Fact Sheets Mobile Devices Video Breach Reporting YouTube ONC Collaborations Audit De-Identification Guidance State Attorneys General

12 OCR Common Areas of Concern Risk Assessment Currency of Policies and Procedures Security Awareness and Training Workforce Clearance Workstation Security Encryption Business Associate Contracts and Other Arrangements What OCR looks for in an audit

13 Breach Stats The health information privacy of more than 21M has been reported to have been breached in United States since September of 2009 More than the entire population of Florida (2012 OCR statistics) 94% of health care organizations surveyed experienced at least one data breach in past two years - 45% had more than 5 incidents The average economic impact of a breach is $2.4 million The US per record cost of data breach averages $194 54% of organizations have little or no confidence they can detect all patient data loss or theft (Ponemon Institute - Dec. 2012) 51% of CEOs surveyed say their company experiences cyber attacks hourly or daily 77% of UK systems developers surveyed use real production data when developing applications 68% of US companies permit employee-owned devices in the workplace 60% of employees circumvent security features on their mobile devices The top three causes of a data breach are lost or stolen computing devices, employee mistakes, and third party mistakes

Breach Rules Replacement of the harm standard with a risk assessment previously underreported and subjective The covered entity or business associate has the burden to prove that an unauthorized

14 Breach Rules Replacement of the harm standard with a risk assessment previously underreported and subjective The covered entity or business associate has the burden to prove that an unauthorized disclosure is not a breach Exemptions exist (unintentional use in good faith within scope of authority without further impermissible disclosure, inadvertent disclosure to an authorized person, unauthorized person not easily retained PHI) Use or disclosure of PHI that is not permitted by the rule is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised based on a risk assessment containing four elements:

15 4 Standards Determine Breach What was the nature and extent of PHI? How much clinical information was involved, could it be used in a manner adverse to the individual or to further the recipient s interests, can the patients be identified, does it involve sensitive information such as mental health, sexually transmitted diseases, substance abuse? Who is the unauthorized person who used PHI or to whom disclosed? Do they have an obligation to protect privacy and security of the PHI, were dates and types of health services impermissibly disclosed to an employer? Was the PHI actually acquired and used? Was PHI viewed or was there only an opportunity, was the information on a stolen laptop accessed, viewed, acquired, transferred or otherwise compromised, did the recipient open and read mail sent to the wrong address? Has the risk to the PHI been mitigated? Have satisfactory assurances been obtained from the recipient (through a confidentiality agreement or otherwise) that the PHI will not be further used or disclosed?

16 Notification If notification of a breach is required, the covered entity is required to notify all affected individuals within 60 calendar days of the discovery of the breach Wall of Shame HHS website features breaches of 500 or more individuals Individual Notice if 10 cannot be contacted, post to website or local media Media Notice 500 or more individuals state media as press release Secretary Notice 500 or more individuals within 60 days via website form Secretary Notice fewer than 500 within 60 days of calendar year

17 Breach Highlights From September 2009 through January 7, 2013: 525 reports involving over 500 individuals Over 64,000 reports involving under 500 individuals Top types of large breaches Theft Unauthorized Access/Disclosure Loss Top locations for large breaches Laptops Paper Records Desktop Computers Portable Electronic Device

hardening NYP even encrypting desktops following Columbia University incident Encryption coming soon to email Encryption on USB Keys,

18 Safe Harbour Unencrypted data is not considered safe Encrypted data prevents unauthorized access/breach Data transmission should always use encryption Laptops will be encrypted All other mobile devices should be encrypted phones, tablets, etc - Mobile Iron for hardening NYP even encrypting desktops following Columbia University incident Encryption coming soon to Encryption on USB Keys, backups maybe in future? NIST Standard AES Secret (128 bit) Top Secret (256 bit) 31,536,000 years to crack 128 bit using current technology

Cause Willful Neglect Corrected Willful Neglect Not Corrected

19 Fines For Violations VIOLATION TYPE EACH VIOLATION REPEAT VIOLATIONS/YR Did Not Know $100 $50,000 $1,500,000 Reasonable Cause Willful Neglect Corrected Willful Neglect Not Corrected $1,000 $50,000 $10,000 $50,000 $1,500,000 $1,500,000 $50,000 $1,500,000

20 Post HITECH Enforcement Actions Cignet Health (MD) Denied patients the right of access to medical records Failed to respond to OCR s investigation Only CMP levied by HHS Massachusetts General Hospital Employee lost paper health records on public transit Privacy Rule standards to control employee access/removal of PHI from workplace Safeguards to PHI in all forms when off-premises UCLA Health System Repeated incidents of unauthorized access to e-phi by workforce members Assess threats/vulnerabilities and implement safeguards to reduce risk to confidentiality of e-phi

21 Post HITECH Enforcement Actions Phoenix Cardiac Surgery E-PHI disclosed through Internet when provider used third party application hosted in the cloud Business associate agreements required when sharing data with cloud computing service providers BCBS Tennessee E-PHI stored on servers stolen from deactivated data center after construction/relocation to new facility Reevaluate threats/vulnerabilities to e-phi caused by changing operational environment and manage risk Alaska DHSS Portable storage device stolen from personal vehicle symptomatic of widespread failure to implement program-wide information security safeguards

22 Post HITECH Enforcement Actions Massachusetts Eye and Ear Institute Stolen personal laptop of physician using device as desktop substitute Covered entity had not implemented a program to mitigate identified risks to e-phi Encrypt data stored on end-user devices Hospice of Northern Idaho Breach affecting 400 individuals when laptop stolen Provider had not conducted a risk assessment or taken other measures to safeguard e-phi as required by Security Rule

time Oregon nursing assistant - 8 days for posting photos on social

23 What? Me Worry? HIPAA violation penalties can include both monetary fines and prison time Oregon nursing assistant - 8 days for posting photos on social media website UCLA researcher 4 months for accessing co-workers records after separation of employment Scales up to $500K and 10 years

24 Hospital Security Work Plan HIPAA Requirements and Beyond

25 Hospital Security Program

26 Hospital Security Work Plan Key Endeavours Risk Assessments Encryption Disaster Recovery

27 Policy Revision Policies in catalogue Policies match Security Rule regulations Addressable Policies Show regulation is being addressed Required Policies More prescriptive in nature Policies categorized as: Administrative Physical Technical May I see the policies?

28 Administrative Safeguards ADMINISTRATIVE SAFEGUARDS Standards Sections Implementation Specifications R=Required, A=Addressable Policy Number Policy Name Security Management Process (1) Risk Analysis R Risk Analysis Risk Management R Security Management Process Sanction Policy R Security Management Process Activity Review R Security Management Process Assigned Security Responsibility (2) R Assigned Security Responsibility Workforce Security (3) Authorization and/or Supervision A 9237( and ) See: Human Resources Policies On Intranet Workforce Clearance Procedure A 9237( and ) See: Human Resources Policies On Intranet Termination Procedures A 9237( and ) See: Human Resources Policies On Intranet Information Access Management (a)(4) Isolating Health Care Clearinghouse Functions R Isolating Health Care Clearinghouse Functions Access Authorization A Access Authorization Access Establishment and Modification A Access Establishment and Modification Security Awareness and Training (a)(5) Security Reminders A Security Reminders Protection from Malicious Software A Protection from Malicious Software Log-in Monitoring A Log-in Monitoring Password Management A Password Management Security Incident Procedures (a)(6) Response and Reporting R Response and Reporting Contingency Plan (a)(7) Data Backup Plan R Contingency Plan Disaster Recovery Plan R Contingency Plan Emergency Mode Operation Plan R Contingency Plan Testing and Revision Procedures A Contingency Plan Applications and Data Criticality Analysis A Contingency Plan Evaluation (a)(8) R Evaluation Business Associate Contracts and Other Arrangements (b)(1) Written Contract or Other Arrangement R Business Associate Agreements

29 Physical Safeguards PHYSICAL SAFEGUARDS Standards Sections Implementation Specifications R=Required, A=Addressable Policy Number Policy Name Facility Access Controls (a)(1) Contingency Operations A Contingency Operations Facility Security Plan A Facility Security Plan Access Control and Validation Procedures A Access Control and Validation Procedures Maintenance Records A Maintenance Records Workstation Use (b) Acceptable Use Policy R Acceptable Use Policy Workstation Security (c) R Workstation Security Device and Media Controls (d)(1) Disposal R Device and Media Controls Media Re-use R Device and Media Controls Accountability A Device and Media Controls Data Backup and Storage A Device and Media Controls

30 Technical Safeguards TECHNICAL SAFEGUARDS Standards Sections Implementation Specifications R=Required, A=Addressable Policy Number Policy Name Access Control (a)(1) Unique User Identification R Unique User Identification Emergency Access Procedure R Emergency Access Procedure Automatic Logoff A Automatic Logoff Encryption and Decryption A Encryption Audit Controls (b) R Audit Controls Integrity (c)(1) Mechanism to Authenticate Electronic Protected Health Information A Mechanism to Authenticate Electronic Protected Health Information Person or Entity Authentication (d) R Person or Entity Authentication Transmission Security (e)(1) Integrity Controls A Integrity Controls Encryption A Encryption

31 HIPAA SECURITY RISK ASSESSMENTS The Security Circle of Life Continues

Risk Assessments Rules Risk Analysis 164.

32 Risk Assessments Rules Risk Analysis (a)(1)(ii)(A) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Risk Management (a)(1)(ii)(B) implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a) [(the General Requirements of the Security Rule)]. NB: Rules ambiguous on manner or frequency

33 Risk Analysis Plan Policies and Procedures Match HIPAA Security Rules Analysis Tools From Gov t and Expert Consultant Examine Vulnerability, Threat, Risk Recommend Risk Management Controls Assess Validate Control Mechanisms, Re-Analyze Per Schedule Application Catalogue Incl. All Apps w/ ephi and PII Allscripts eclinicalworks Nextgen PICIS Eagle Others to follow Enterprise-Wide Risk Assessment IT-Specific Risk Assessment Including Vulnerability Scanning & Penetration Testing

34 Encryption Program Laptops Desktops BYOD USB Drives Backup Tapes Data At Rest Vendor Software Cloud Strategies Interfaces RHIO Data In Motion Encrypted Data = Safe Data Unusable unreadable -indecipherable

35 Disaster Recovery Strategy In 2013 Define Needs Identify Risk Design Controls Plan Monitoring Vendor Selection Process Implementation In 2014 Vendor-Hospital Solution Manage Uptime Manage Downtime Assess Risk Mitigation Monitor Distant Early Warning BASED UPON RESULTS OF RISK ASSESSMENTS

36 This Concludes The Presentation

37 Questions? Keith Richard Weiner

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400