The HIPAA Security & Privacy Rule: How Municipalities Can Prepare for Compliance
Russell L. Jones, Partner, Security & Privacy, Health Sciences Sector, Deloitte & Touche LLP
IMLA 2013 Annual Conference, San Francisco
Disclaimer
This training presentation is provided solely for educational purposes and, in developing and presenting these courses, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This training presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on these courses for such purposes. As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
HIPAA Security & Privacy: Preparing for Compliance
Agenda
- Industry Challenges: Trends in Security and Privacy
- Omnibus Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rule Requirements: Recap
- Security Risk Assessment and Privacy Assessment Approach
- What Does This Mean for a Hybrid Entity?
Industry Challenges: Trends in Security and Privacy
Industry trends: data breach perspective
The number of individuals affected by breaches reported to the Department of Health and Human Services (HHS) is steadily increasing. According to the HHS list of breaches affecting 500 or more individuals, between September 2009 and September 2013*:
- 682 breaches of unsecured PHI were reported across more than 40 states
- 5,382,911 individuals were affected
- Business associates were involved in about 23% of the reported breaches [1]
- Theft (58%) and loss (16%) were the two leading causes of breaches involving unsecured PHI
- The breached information was held on laptops (28%), paper records (22%), desktop computers (16%) and portable devices (15%)
[Map of reported breaches by state, grouped as: more than 5 breaches and/or more than 100,000 affected individuals; fewer than 5 breaches and fewer than 100,000 affected individuals; no posted breaches]
Theft of, and unauthorized access to, laptops, desktop computers, paper records and portable electronic devices (e.g., USB drives) are low-tech but significant causes of the PHI breaches organizations are reporting.
*Based on data published by HHS as of September 30, 2013
[1] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Omnibus HIPAA Security and Privacy Rule Requirements: Recap
Summary of Major Provisions
The following are several of the major provisions and updates in the HIPAA Omnibus Rule:
1. Business Associates and Subcontractors: The definition of business associate (BA) has been expanded to include vendors that merely maintain Protected Health Information (PHI) on a covered entity's behalf, not only those that view it. Subcontractors of BAs are now BAs themselves, and the definition has been extended to additional categories of organizations.
2. Breach Notification Rule: The breach notification requirements for unsecured PHI have changed; whether an impermissible use or disclosure must be treated as a breach is now determined by a risk assessment based on four (4) defined factors.
3. Increased Civil Penalties and Enforcement: HIPAA adopts the tiered civil money penalty structure set forth in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
4. Increase in Patients' Rights and Access: Patients have increased access to electronic medical records.
5. Limitations on Uses and Disclosures: Patient authorization procedures have changed for uses and disclosures of PHI such as marketing and research.
Effective Date and Compliance Date
The following dates apply to the recent updates to the HIPAA Privacy and Security Rules, also known as the final omnibus rule [1]:
- Effective Date: March 26, 2013. Date on which the final rule took effect.
- Required Compliance Date: September 23, 2013. Covered entities and business associates must comply with the applicable requirements of the final omnibus rule within 180 days of the Effective Date.
Additional time is allowed for business associates in the following case:
- Existing BAAs that comply with the pre-omnibus rule: Extended Compliance Date September 22, 2014. Such BAAs are given one additional year to conform to the final omnibus rule. Compliance with the final omnibus rule is required for business associates as soon as an existing BAA is renewed or modified.
Implementation of New Rule (Covered Entities)
Covered entities should consider the following high-level action items to respond to the updated HIPAA requirements and initiate steps toward compliance:
Covered Entity: Top Priority Action Items
1. Business Associate and Subcontractor Agreements: Review and revise BA and subcontractor agreements to incorporate the new requirements set forth by the final omnibus rule. Execute amendments where necessary.
2. Update HIPAA Policies and Procedures: Review and revise, where necessary, HIPAA Privacy and Security policies and procedures. Incorporate the new rules relating to BAs and subcontractors.
3. Update Breach Notification Policies, Procedures and Training: Review and update breach notification policies and procedures to incorporate the new definition of breach. Also review and update both HIPAA and breach notification training.
4. Update Risk Assessment Scope and Procedures: Review previous risk assessment results and procedures and update them to incorporate the new requirements set forth by the final omnibus rule.
Implementation of New Rule (Business Associates)
Business associates and subcontractors should consider the following high-level action items to respond to the updated HIPAA requirements and initiate steps toward compliance:
Business Associates: Top Priority Action Items
1. Update HIPAA Policies and Procedures: Review and update, as necessary, HIPAA Privacy and Security policies and procedures, including the definition of PHI, which the final omnibus rule revised.
2. Update Business Associate Agreements: Review and revise Business Associate Agreements to incorporate the new provisions required under the final omnibus rule. Develop amendments for current BAAs and amend the process for drafting BAAs going forward.
3. Update and Distribute the Notice of Privacy Practices (NPP): Review and update the NPP to include the statements required by the final omnibus rule (e.g., changes regarding sale of PHI, restrictions where the patient paid out of pocket). Provide individuals with the updated NPP, including the improved patient access rights.
4. Update HIPAA Authorization Forms: Review and update all HIPAA authorization forms to include the statements required by the final omnibus rule.
5. Update Risk Assessment Scope and Procedures: Review previous risk assessment results and procedures and update them to incorporate the new requirements set forth by the final omnibus rule.
6. Update Breach Notification Policies, Procedures and Training: Review and update breach notification policies and procedures to incorporate the new definition of breach as defined by the Office for Civil Rights (OCR).
Security Risk Assessment and Privacy Assessment Approach
Security Risk Assessment and Privacy Assessment
The following describes Deloitte's approach for executing a security risk and privacy assessment for HITECH/HIPAA.
Phase 1: Business Process Prioritization and Application Inventory
- Business processes are identified for privacy and security assessment
- PHI data maps are developed
- Applications and systems are identified
Phase 2: HIPAA Privacy and Security Assessment
- HIPAA privacy assessment (HIPAA Privacy Rule and HITECH requirements)
- HIPAA security assessment (Administrative, Physical, and Technical Safeguards)
Phase 3: Remediation Plan Development
- A list of projects to address HIPAA privacy and security control gaps, considering: addressable vs. required implementation specifications; customer requirements; PHI breach risks; dependencies
Phase 4: Cost Estimation and Remediation Assistance
- Quantitative analysis for a realistic remediation project cost estimate
- Refinement of the remediation project execution plan
- Assistance with remediation execution
Audit considerations: Preparing for an HHS OCR HIPAA Security and Privacy Audit [2]
HIPAA Privacy Rule
- Are policies and procedures up to date?
- Have all policies and procedures been implemented?
- Do the policies and procedures actually work?
- Have all appropriate stakeholders been adequately trained on the HIPAA Privacy Rule?
- Is evidence of training documented?
- Do you have a clear, written sanctions policy?
- Has the sanctions policy been applied consistently?
[2] The HIPAA Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Audit considerations: Preparing for an HHS OCR HIPAA Security and Privacy Audit [3]
HIPAA Security Rule
- Not a checklist-of-controls approach
- Do you have a risk management framework in place?
- Can you provide evidence that the risk management framework is used in the normal course of business?
- Can you trace the HIPAA Security Rule requirements to your actual policies and procedures?
[3] The HIPAA Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Q&A
- How frequently does your organization perform an information security risk assessment and a privacy assessment?
- How would you characterize the risk assessment (e.g., application- vs. process-based, stakeholders involved, risk management process, alignment with privacy, reporting)?
- Does your organization use a framework approach to information security and privacy?
What Does This Mean For A Hybrid Covered Entity?
HIPAA Compliance
Question: Are State, county or local health departments required to comply with the HIPAA Privacy Rule?
Answer: Yes. If a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity, it must comply with the HIPAA Privacy Rule. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered by the HIPAA Transactions Rule, they are covered entities.
http://www.hhs.gov/ocr/privacy/hipaa/faq/covered_entities/358.html
What Is a Hybrid Entity?
The HIPAA Privacy Rule gives an organization the option to restrict application of the Rule to certain parts of the organization by designating, in writing, its health care components. That written designation makes the designated part of the organization the component to which the covered entity obligations apply.
Hybrid Covered Entity
- The covered entity as a whole retains the legal and administrative responsibilities: policies, procedures, and the safeguard requirements.
- It must ensure that the health care component complies with the Privacy Rule.
- It must erect firewalls between the covered and non-covered portions of the organization.
- Workforce members who work on both sides must not inappropriately share information between their two roles.
- Transfer of PHI held by the health care component to other components is a disclosure subject to the HIPAA Privacy Rule, and is permitted only in the circumstances in which a disclosure to a separate entity would be permitted.
- The covered entity has legal responsibility for compliance with the Privacy Rule.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
36 USC 220506
Member of Deloitte Touche Tohmatsu Limited