Putting It All Together: The Interplay of Privacy & Security
Regina Verde, MS, MBA, CHC
Chief Corporate Compliance & Privacy Officer, University of Virginia Health System
2017 ISPRO Conference, October 24, 2017

Overview
- Overview of HIPAA
- The Privacy Program
- The Security Program
- The Intersection of Privacy & Security
- Questions
HIPAA
Health Insurance Portability & Accountability Act: Privacy Rule and Security Rule timeline
- 1996: Enacted
- 2003: Privacy Rule in effect
- 2005: Security Rule in effect
- 2009: Health Information Technology for Economic & Clinical Health (HITECH) Act
- 2013: Omnibus Final Rule

Promotes Patient Rights. The HIPAA Basics:
- There must be a Covered Entity
- There must be Protected Health Information (PHI)
- PHI requires both: Identifiers (1 or more of 18), and Health Information (past, present or future)
- Framed by Needing to Know vs. Wanting to Know
- And it must be protected by using Reasonable Safeguards

Protected Health Information (PHI) consists of all individually identifiable health information regarding past, present and future health care encounters, in any form:
- Verbal
- Written/Paper
- Electronic
Components of HIPAA
- Portability & Accountability: Provides continuity of healthcare coverage, limits exclusions for pre-existing conditions, and prohibits discrimination based on health status
- Administrative Simplification: Requires privacy & security protections for all forms of individually-identifiable health information
The Privacy Program
Overview of the Privacy Program
- Provides strategic and thought leadership
- Creates privacy policies, processes and internal controls
- Develops and maintains an appropriate framework on which the company collects, stores, processes and transfers personal data
- Protects the privacy of protected health information (PHI), and sets limits and conditions on the uses and disclosures of PHI without patient authorization
- Implements appropriate training for Covered Persons, integrating policies and procedures for protecting and safeguarding PHI
- Acquires and develops necessary HIPAA-related forms and documentation
Privileged and Confidential

Privacy Program Components
- Policies & Procedures
- Protects Patient Rights
- Privacy Training
- Incident Response and Risk Management
HIPAA gives patients federal privacy rights
- The Notice of Privacy Practices explains these rights and describes how a Covered Entity will use and disclose PHI
- There are criminal and civil fines and sanctions for non-compliance
- All Covered Entities must have a sanctions policy

The Balancing Act
Access, Use and Disclosure of Minimum Necessary PHI for TPO:
- Treatment: Clinicians, providers and care team members
- Payment: Schedulers, registrars, coders and billers
- Healthcare Operations: Performing reviews, extracting necessary information, performing audits, surveys and investigations, etc.
Upholding and Safeguarding Patient Rights under HIPAA:
- Itemized in the Notice of Privacy Practices
- Taken seriously by consumers and oversight agencies

The Interactive Privacy Officer works with:
- Patients and Family Members
- Covered Individuals and Workforce Members (training, consultation, investigation, enforcement)
- Business Associates
- Involved Third Parties (law enforcement, legal, religious and representatives, etc.)
- Oversight Agencies
Roles and Responsibilities of the Privacy Function
- Builds a strategic and comprehensive privacy program that defines, develops, maintains and implements policies and processes that enable effective privacy practices
- Minimizes risk and ensures the confidentiality of PHI - oral, paper and/or electronic, across all media types
- Ensures privacy forms, policies, and procedures are up-to-date
- Conducts ongoing compliance monitoring in coordination with the organization's other compliance and operational assessment functions
- Oversees, develops and delivers initial and ongoing privacy training to the workforce
- Monitors all business associates and business associate agreements to ensure all privacy concerns, requirements, and responsibilities are addressed
- Manages all required breach determination and notification processes under HIPAA and applicable state confidentiality and/or breach rules and requirements
- Establishes and administers a process for investigating and acting on privacy and security complaints
The Security Program
Overview of a Security Program
- Ensures that the data held at the organization remains secure
- Responsible for ensuring the Confidentiality, Integrity, and Availability (CIA) of data
- Responsible for the implementation of Administrative, Physical, and Technical Safeguards to protect sensitive data
- Heads the creation of policies and procedures to ensure this protection, such as: Acceptable Use; Access Control; Data Handling and Retention; Data Classification
- Ensures employees receive the proper training in order to enable them to protect sensitive information

Information Security protects PHI
- Confidentiality: Only people with a need to know have access to patient records
- Integrity: Lab results, etc., aren't changed or destroyed accidentally or maliciously
- Availability: Patient records are there when you need them, computer systems are up and running, your user ID and password are working, etc.

Administrative Safeguards
- Careful hiring practices
- Training and education
- Policies and procedures
- Termination and separation protocols

Physical Safeguards
- Confidential patient care
- Document care and storage
- Document disposal and destruction

Electronic Safeguards
- User authentication
- Systems protection
- Safe hardware disposal

Components of a Security Program
- Security Policies
- Physical Security
- Personnel Security
- System & Data Identification
- Security Standards & Best Practices
- Incident Response
- System Security Plan
- System Development Life Cycle
- Organization's Security Policies & Programs
- Configuration Management
- Training & Awareness
- Laws & Regulations
- System Documentation
- Disaster Recovery

Roles and Responsibilities of the Security Function
- Understanding the HIPAA Security Rule and keeping up-to-date with any and all changes to the law
- Developing and implementing policies and procedures to safeguard PHI
- Identifying and evaluating threats to the integrity of PHI
- Developing and implementing action plans for addressing risks to PHI
- Less people-centric than the privacy officer
The Intersection of the Privacy and Security Functions
How Does a Breach Affect Your Organization?
- Fines from government: OCR can fine an organization up to $1.65 million per HIPAA provision violated per calendar year
- Litigation (class action)
- Breach notification costs/credit monitoring
- System downtime
- Reputational damage
- Patient loyalty

Table: Categories of HIPAA Violations & Fine Amounts

Violation category             Each violation         Violations of an identical provision (in a calendar year)
Did Not Know                   $110 - $55,010         $1.65 million
Reasonable Cause               $1,100 - $55,010       $1.65 million
Willful Neglect, Corrected     $11,002 - $55,010      $1.65 million
Willful Neglect, Not Corrected $55,010 - $1.65M       $1.65 million

Privacy and Security Relationship: privacy and security go hand-in-hand

Privacy
- All PHI - oral, written or electronic
- Rules on the use of PHI
- Who is authorized to access PHI
- Patient rights and access to their medical information
- Limits PHI uses & disclosures to the minimum amount necessary

Shared by both
- Training
- Data Safeguards
- Confidentiality
- Appropriate Access (paper, physical or electronic)
- Policies & procedures
- Contracts (BAA)
- Incident Mitigation

Security
- e-PHI - Electronic PHI received, maintained or transmitted
- Rules on how to protect e-PHI
- Mechanisms to ensure authorized access to e-PHI
- Assurances for data integrity and availability
- Reviews to evaluate potential risks to e-PHI

Privacy and Security Shared Responsibilities
The Privacy and Security Officers:
- Have a role in developing the policies and procedures and training the workforce in HIPAA's requirements
- Establish and maintain a culture of compliance within the organization
- Work together to safeguard patient PHI
- Oversee internal sanctions for failure to comply with HIPAA policies
- Are the internal contact point for a security or privacy incident and/or PHI breach
- Regularly review and edit internal policies and procedures

"A marriage between the technical person and the one who understands compliance requirements." - Angela Rose, Director of HIM Practice Excellence at the American Health Information Management Association
Breach Notification
By law, the covered entity must notify the affected individuals, Health and Human Services (HHS), and, if 500 or more individuals are affected, the media.

Incident Response: Privacy and Security
- Privacy and Security are interconnected
- Both can contribute to workforce readiness and awareness
- A Security breach is often a Privacy breach; both areas would mobilize in incident investigation and response

Incident Response example:
i. A breach occurs.
ii. The Chief Information Security Officer activates an incident response team, which assesses the scope of the incident: what information was accessed or misused?
iii. The Incident Response coordinator contacts the Privacy Officer to determine whether a breach declaration is needed: does the breach impact solely privacy, solely security, or a combination of both?
iv. If there has been a breach of personal information, Privacy and Security mutually determine the appropriate response and relief, e.g. patient notification, credit monitoring, etc.

Auditing and Monitoring: The Union of Privacy and Security
Regulations that affect Privacy and Security:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The American Recovery and Reinvestment Act of 2009 (ARRA) - HITECH
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act; Final Rule
- The Payment Card Industry Data Security Standard (PCI DSS)

Auditing and Monitoring: The Union of Privacy and Security (Continued)
- The focus of the security program is to protect the Confidentiality, Availability, and Integrity of data
- Controls and procedures for both areas make up the umbrella which protects the organization from threats and unauthorized disclosures of protected information
- Compliance monitoring is important for both privacy and security
- The controls are only as good as they are effective!
- You must provide evidence that the controls are in working order for audits: document it!
Treat PHI as if it was your OWN!
Questions?
Regina Verde, MS, MBA, CHC
Chief Corporate Compliance and Privacy Officer
University of Virginia Health System, Corporate Compliance and Privacy Office
Office: 434-924-9741
Mobile: 434-465-0761