HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements Impact on Firm Operations Compliance Program Tips
My Background Adam Carlson 12+ years in information security M.S. from UC Davis, ISACA CISM Security researcher studying Internet threats Security auditor for financial services/fortune 500 Chief Security Officer at UC Berkeley Legal IT security consultant (and some healthcare) Currently security solutions consultant at Intapp Member of ILTA LegalSEC Vendor Advisory Board I am not a lawyer
Acronyms To Remember PHI Protected Health Information HHS Health and Human Services OCR Office for Civil Rights in HHS CE Covered Entity BA Business Associate BAA Business Associate Agreement
HIPAA Background A Long And Winding Road
HIPAA Origins Health Insurance Portability and Accountability Act Originally passed in 1996 Title I: Strengthens health care coverage guarantees for employees Title II: Reduce fraud, simplify administration, medical liability Contained privacy and security requirements Only applied to covered entities
Who Are These Covered Entities Possibly your clients A Health Care Provider A Health Plan A Health Care Clearinghouse So why do law firms care? Business associates of covered entities managing protected health information are expected to implement similar protections Group health plans
Law Firms Are Business Associates A business associates agreement (BAA) is meant to ensure that business associates afford protected health information the same types of protections as the covered entity.
Protected Health Information Broad definition Includes names and addresses Data must have been created or received by (or on behalf of) a Covered Entity
Patient vs. Hospital Example Patient Law Firm: Medical Records Received From Patient Are Not PHI Hospital Law Firm: Medical Records Received From Hospital Are PHI
Straightforward Situation (diagram): Covered Entity -> Business Associate (Law Firm) -> Subcontractors 1, 2, 3 (law firm business partners requiring Business Associate Agreements)
Much Harder To Classify (diagram): Covered Entity -> Business Associate (a business partner of the covered entity that is also a law firm client) -> Your Law Firm. Key decision: How will you identify and classify PHI?
Recent Changes Increased Liability Business associates had only contractual obligations Large number of breaches prompted change 57% of Reported Breaches Involved Third-Parties HITECH Act of 2009 Applied certain security requirements directly to business associates, including law firms Increased breach notification requirements Omnibus Rule of 2013 Clarified security and privacy expectations of law firms Effective March 26, 2013; compliance required by September 23, 2013
Civil Penalties for Noncompliance HHS Civil Monetary Penalties for Violations $100 to $50,000 per violation Up to $1.5 million per year for violations of identical provision Noncompliant entities likely to have multiple violations Separate violation for each person affected or each day of continuing noncompliance
Brief Recap HIPAA contains privacy and security requirements for protecting health information These requirements were traditionally imposed on law firms through contract The Omnibus Rule of 2013 applied these requirements directly to law firms Law firms face fines for non-compliance starting September 23, 2013
Requirements Overview
Three Key Rules To Understand Privacy Rule Security Rule Breach Notification Rule All three rules apply to law firms classified as business associates
Privacy Rule Finalized in 2000, compliance required by 2003 Applies to ALL protected health information (PHI) Imposes restrictions on uses and disclosures Calls for reasonable and appropriate safeguards Administrative Technical Physical Requires business associates agreements
Security Rule Finalized in 2003, compliance required by 2005 Applies only to ePHI (electronic protected health information) Meant to address fears about the digitization of health records called for by HIPAA Enumerates more detailed requirements: Administrative Safeguards Technical Safeguards Physical Safeguards
Relationship Between The Rules From official Health and Human Services guidance: "The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access." While the Security Rule applies only to ePHI, the Privacy Rule's safeguards requirement calls for protections similar to those the Security Rule describes, so paper and spoken PHI still need administrative, technical and physical safeguards
Breach Notification Rule Created as a part of the 2009 HITECH Act Requires notification of breaches of unsecured PHI to the affected individuals, HHS, and in some cases the media Notification is due without unreasonable delay and no later than 60 days after discovery Breaches affecting 500 or more individuals are posted on the HHS website; smaller breaches are reported to HHS annually A business associate's duty is to notify the covered entity, which then handles individual notification unless the BAA says otherwise Omnibus strengthened reporting requirements by broadening the definition of a breach: an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised
What This Means For Law Firm Operations
Formal Compliance Program Law firms must address compliance requirements Privacy Rule Security Rule Breach Notification Rule May require changes to business processes How matters are taken in How matters are protected and managed May require increased monitoring and oversight May impact relationship with law firm vendors and service providers
Determining the Scope of HIPAA Recommended best practices Formalize business associate agreement intake process Systematically review every practice area Classify matters during intake Inventory vendors/business partners with access to PHI Bonus: Use DLP software
Common Practice Areas Handling PHI Pharmaceutical & Medical Device Litigation Employment Litigation Insurance (and Insurance Litigation) Health Care (and Health Care Litigation) ERISA Litigation And many more.
Privacy Rule Compliance Limit how PHI is disclosed externally Already largely addressed by professional responsibility and the MRPC Implement reasonable and appropriate safeguards The minimum necessary requirement is more specific: "make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." Implementation specification for internal use: Identify the persons or roles who need access to PHI For each role, identify the type of PHI and the conditions under which access is appropriate
Security Rule Goals Covered entities must ensure the confidentiality, integrity, availability of all ephi they create, receive, maintain or transmit Anticipate and address threats to PHI Protect against reasonably anticipated impermissible uses or disclosures Ensure workforce compliance
Three Types Of Protections Administrative Safeguards Security Management and Information Access Management Physical Safeguards Facility Access and Workstation/Device Security Technical Safeguards Access Controls, Audit Controls, Integrity Controls, Transmission Security
Projected Level of Effort (estimated; chart comparing Administrative Safeguards, Physical Safeguards and Technical Safeguards)
Physical Safeguards Facility Access Controls Business continuity, facility protections, maintenance management Workstation Use Approved use-cases, workstation privacy, remote access users Workstation Security Physical security of workstations accessing ephi Device and Media Controls Media disposal and reuse, backup systems, secure deletion
Technical Safeguards Access Control Unique user identification Emergency access procedures Automatic logoff protections Encryption and decryption Audit Controls Integrity Person or Entity Authentication Transmission Security
Administrative Safeguards Security Management Process Come back to this in a minute Assigned Security Responsibility Designate security official Workforce Security Authorization and/or supervision, workforce clearance, termination Information Access Management Isolate health care clearinghouse, access authorization, access establishment and modification
Admin. Safeguards Continued Security Awareness and Training Security reminders, malicious software, log-in monitoring, password management Security Incident Procedures Response and reporting Contingency Plan Data backups, disaster recovery, emergency mode operation plan Evaluation Periodic technical and non-technical evaluation Business Associate Agreements
Security Management Process- 164.308(a)(1) Risk Analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information Risk Management Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level Sanction Policy Develop sanction policy for violations of policies and procedures Information System Activity Review Regularly review records of system activity and audit logs
In Other Words Do whatever is reasonable and appropriate to protect the confidentiality, integrity and availability of PHI Take a process-oriented rather than checklist-oriented approach Document the results of the risk assessment and risk management processes Periodically review and re-assess existing protections
Risk Analysis Guidance Necessary elements: Scope of the Analysis Data Collection Identify and Document Potential Threats and Vulnerabilities Assess Current Security Measures Determine the Likelihood of Threat Occurrence Determine the Potential Impact of Threat Occurrence Determine the Level of Risk Finalize Documentation
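Two of the requirements above are routinely left as policy text with nothing behind them: the minimum necessary implementation specification (which roles may see which PHI, under what conditions) and the Information System Activity Review under 164.308(a)(1) (regularly review audit logs). The script below is an added example, not code from the presentation or from Intapp, showing how the first can be written down as a role-to-PHI-type matrix and the second run as a scripted review of access logs against it. The log format, user names, matter IDs, role assignments and thresholds are all constructed for illustration; a real firm would pull these from its document management system and matter intake records.

```python
"""Audit-log review against a minimum-necessary access matrix.

Added example for the HIPAA deck; not the presenter's or Intapp's code.
Everything below (log format, users, matters, thresholds) is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Minimum necessary, written down: for each role, the PHI record types it may read.
# Roles and record types are assumptions for this example.
ROLE_PHI_TYPES = {
    "litigation_attorney": {"medical_record", "billing_record"},
    "paralegal": {"medical_record"},
    "billing_clerk": {"billing_record"},
    "it_admin": set(),  # admins maintain systems; they have no business reading PHI content
}

# Conditions for access: each user's role and the matters they are staffed on.
USER_ASSIGNMENTS = {
    "asmith": ("litigation_attorney", {"M-1001", "M-1002"}),
    "bjones": ("paralegal", {"M-1001"}),
    "cchen": ("billing_clerk", {"M-1001", "M-1002"}),
    "dlee": ("it_admin", set()),
}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time; assumed firm policy
BULK_THRESHOLD = 25            # records per user per day before we ask questions


@dataclass
class Finding:
    user: str
    rule: str
    detail: str


def parse_line(line):
    """Parse one constructed log line: 'ISO-timestamp user matter record_type record_id action'."""
    ts, user, matter, rtype, rid, action = line.split()
    return datetime.fromisoformat(ts), user, matter, rtype, rid, action


def review(lines):
    """Return every access that violates the matrix or deserves a second look.

    The rules fire independently, so one log line can produce several findings.
    """
    findings = []
    per_user_day = defaultdict(int)
    for line in lines:
        ts, user, matter, rtype, rid, action = parse_line(line)
        if user not in USER_ASSIGNMENTS:
            findings.append(Finding(user, "unknown-user", f"{rid} in {matter}"))
            continue
        role, matters = USER_ASSIGNMENTS[user]
        if rtype not in ROLE_PHI_TYPES[role]:
            findings.append(Finding(user, "role-not-permitted", f"{role} read {rtype} {rid}"))
        if matter not in matters:
            findings.append(Finding(user, "outside-assigned-matter", f"{rid} in {matter}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(Finding(user, "after-hours", ts.isoformat()))
        if action == "export":
            findings.append(Finding(user, "export", f"{rid} in {matter}"))
        per_user_day[(user, ts.date())] += 1
    for (user, day), count in per_user_day.items():
        if count > BULK_THRESHOLD:
            findings.append(Finding(user, "bulk-access", f"{count} records on {day}"))
    return findings


# Constructed sample log: a normal day plus the cases the review should catch.
SAMPLE_LOG = [
    "2013-09-24T09:15:00 asmith M-1001 medical_record R-501 view",
    "2013-09-24T09:20:00 bjones M-1001 medical_record R-502 view",
    "2013-09-24T09:25:00 cchen M-1002 billing_record R-900 view",
    "2013-09-24T23:40:00 bjones M-1002 medical_record R-777 view",    # wrong matter, late night
    "2013-09-24T10:05:00 dlee M-1001 medical_record R-503 view",      # admin reading PHI
    "2013-09-24T10:30:00 cchen M-1001 medical_record R-504 view",     # billing clerk reading medical record
    "2013-09-24T11:00:00 asmith M-1001 medical_record R-505 export",  # export, worth a look
    "2013-09-24T11:05:00 eoutsider M-1001 medical_record R-506 view", # nobody staffed this user
] + [
    # 30 views by one user on one day: above the bulk threshold
    f"2013-09-25T14:{i:02d}:00 asmith M-1001 medical_record R-{600 + i} view" for i in range(30)
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.rule:25} {f.user:10} {f.detail}")
```

Run as a scheduled job against the previous week's export, and keep the output: the report, the reviewer's notes on each finding, and the sanctions applied are the evidence an OCR auditor will ask for under the activity review and sanction policy requirements. The matrix at the top is also the artifact the minimum necessary specification asks for, and it is much easier to maintain when PHI is centralized into a few systems.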
Tips For An Effective HIPAA Program
First Steps Engage and educate firm stakeholders Security investments or business process changes may be needed Designate a HIPAA Privacy Officer Designate a HIPAA Security Officer Inventory existing Business Associate Agreements Identify practice groups working with PHI Determine scope of HIPAA compliance concerns
Address The Low Hanging Fruit Update firm policies to address HIPAA requirements Revise vendor contracts to include BAA language Inventory systems and physical locations storing PHI Review systems against technical safeguards Review locations against physical safeguards Educate and train employees on HIPAA fundamentals Document these efforts
Policies That Might Be Impacted Privacy Policy Sanction Policy Remote Access Policy Incident Response Policy Mobile Device Policy Portable Device/Encryption Policy Business Associate/Vendor Management Policy
Breach Notification Rule Ensure attorneys/staff can recognize a HIPAA breach Provide a means to report/escalate breaches quickly Prepare required breach analysis process Establish rapid communications plan Form the appropriate teams ahead of time Investigation team Breach analysis team Communications/response team
Strategic Compliance Questions How will your firm identify and classify matters containing PHI? How will your firm interpret and implement the minimum necessary requirement? How will your firm address the information system activity review requirement? How will your firm address the risk analysis requirement
Effective Ways To Limit Effort Identify matters containing PHI during intake Centralize PHI into fewer systems Reduces risk analysis scope dramatically Minimizes access control maintenance and management Minimizes amount of requisite logging and monitoring Designate approved vendors and business partners who may need to access ephi
If You Feel Behind Document what you are doing today for security Implement encryption on mobile devices Evaluate your exposure from matters involving high-profile individuals, whose records attract unauthorized access Focus initially on matters with high volumes of records Develop a compliance roadmap of where you are going
Some Useful Resources Official HHS HIPAA Website http://www.hhs.gov/ocr/privacy/index.html Official Security Rule Guidance http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html Official Minimum Necessary Guidance http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html Sample BAA Provisions http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Additional Resources HIPAA Audit Protocol http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html HIPAA Enforcement Examples http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyissue.html NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule http://csrc.nist.gov/publications/nistpubs/800-66-rev1/sp-800-66-revision1.pdf NIST HIPAA Security Rule Toolkit http://scap.nist.gov/hipaa/ Educause HIPAA Resources http://www.educause.edu/library/health-insurance-portability-and-accountability-act-hipaa Tweet (#LegalSEC) or share more on the forums!
Thanks! Questions?