Introduction CHAPTER 1

Similar documents
Putting It All Together:

HIPAA Security and Privacy Policies & Procedures

HIPAA & Privacy Compliance Update

All Aboard the HIPAA Omnibus An Auditor s Perspective

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

by Robert Hudock and Patricia Wagner April 2009 Introduction

Healthcare Privacy and Security:

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Electronic Communication of Personal Health Information

HIPAA FOR BROKERS. revised 10/17

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Mastering Data Privacy, Social Media, & Cyber Law

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA and the Chiropractic Practice

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules


Federal Breach Notification Decision Tree and Tools

What is Cybersecurity?

HIPAA Federal Security Rule H I P A A

Data Backup and Contingency Planning Procedure

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

SECURITY STATE OF THE INDUSTRY

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

HIPAA Privacy, Security and Breach Notification

Cybersecurity and Hospitals: A Board Perspective

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Data Privacy & Protection

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA COMPLIANCE AND

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA Security Manual

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

efolder White Paper: HIPAA Compliance

Mobile Technology meets HIPAA Compliance. Tuesday, May 2, 2017 MT HIMSS Conference

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report October 29, 2010

HIPAA Security Awareness Training

COMMENTARY. Information JONES DAY

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA Highlights and Impact to your Telehealth Program. Wednesday, Sept 27, 2017

Department of Public Health O F S A N F R A N C I S C O

NOTICE OF PRIVACY PRACTICES

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

What to do if your business is the victim of a data or security breach?

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Data Compromise Notice Procedure Summary and Guide

HIPAA Compliance and Auditing in the Public Cloud

Seven gray areas of HIPAA you can t ignore

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Compliance & HIPAA Annual Education

Privacy and Security in the Age of Meaningful Use

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Information Governance, the Next Evolution of Privacy and Security

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

HIPAA Compliance. Dr. John Barker Ph.D., MIEEE MEDICAL DEVICES BUSINESS SEMINAR

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

HIPAA and HIPAA Compliance with PHI/PII in Research

Website Privacy Policy

01.0 Policy Responsibilities and Oversight

Audience. Overview. Enterprise Protection Platform for PCI DSS & HIPAA Compliance

Tracking and Reporting

HIPAA / HITECH Overview of Capabilities and Protected Health Information

SECURETexas Health Information Privacy & Security Certification Program

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Keeping It Under Wraps: Personally Identifiable Information (PII)

HIPAA Compliance & Privacy What You Need to Know Now

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Breach Notification Remember State Law

Guidance for Exchange and Medicaid Information Technology (IT) Systems

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

When the Other Brother Steps Up: State Privacy Enforcement Actions

HIPAA 101: What All Doctors NEED To Know

Transcription:

CHAPTER 1 Introduction Data security breaches are an everyday occurrence. The news media constantly publicize data breaches, especially those involving retailers in which hackers steal the payment card information from millions of consumers. Perhaps of more concern, though, are data breaches in the healthcare field. In February 2015, Anthem, Inc., the country s second-largest health insurer, announced a massive data breach involving unauthorized access to its database of personal information concerning current and former Anthem members. Victims around the country have experienced identity theft incidents. At the time of this writing, a class action pending in the US District Court for the Northern District of California now seeks compensation for the victims. Also, from 2004 to 2008, former California First Lady Maria Shriver, the late actress Farrah Fawcett, singer Britney Spears, and Cheers actress Shelley Long were all victims of breaches involving the unauthorized access to their medical records at the UCLA Medical Center. In the past several months, news reports surfaced regarding hospitals that have fallen victim to ransomware attacks. Ransomware is a form of malicious software that, when it infects a computer system, quickly encrypts data on the system and sometimes network storage or other computers. The victim receives a message demanding ransom money to provide a key to decrypt the user s files. If the user fails to pay the ransom, the user could lose access to his or her data. Recent ransomware attacks have locked up electronic medical records of entire hospitals, disabling their information systems and potentially endangering patients. Health records are among the most sensitive sets of information about us. The results of an unauthorized disclosure of health records could be devastating. Leakage of health records could lead to victims embarrassment, stigma, job loss, and even identity theft. Following concerns about the privacy and security of health records in the 1990s, the public began to demand protection to ensure that the healthcare industry would implement controls over what information was 1

2 A GUIDE TO HIPAA SECURITY AND THE LAW, SECOND EDITION gathered from patients, how the information could be shared, and the secure management of that information. This public concern prompted Congress to enact legislation in 1996 calling for safeguards over the privacy and security of health information. The 1996 legislation, called the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 1 has had a broad impact on the healthcare industry since its enactment, transforming practices for creating, storing, managing, transmitting, and disclosing health information in this country. HIPAA called for federal standards for the privacy and security of certain health information (called protected health information under HIPAA, and PHI here). The privacy and security portions of HIPAA appear in the Administrative Simplification subtitle of HIPAA, and later regulations create the standards for privacy and security. The Department of Health and Human Services (HHS) promulgated these regulations in the form of a Privacy Rule 2 and a Security Rule. 3 In general, HHS intended the administrative simplification provisions in HIPAA to increase the ease and efficiency of exchanging health information and conducting healthcare transactions electronically. Specifically, HIPAA contemplated the use of electronic data interchange (EDI) to accelerate electronic processing of transactions in the healthcare industry. HHS hoped standardizing the formats for many of the most common EDI exchanges of health information would mean the end of much of the confusion in claims submission and payment caused by inconsistent formats and forms, under the Medicare and Medicaid Programs, and beyond. Since the enactment of HIPAA, the healthcare field has seen the proliferation of Internet-based services and cloud computing in addition to EDI. Nonetheless, the Privacy Rule and Security Rule have continued to govern the creation, receipt, use, processing, maintenance, and transmission of electronic PHI regardless of the technology used by businesses in the healthcare field. The American Bar Association Section of Science & Technology Law published the first edition of this book in 2007. Since then, two important sets of changes to the law have taken place. First, Congress 1. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996) [hereinafter HIPAA]. 2. Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82,462 (2000) (codified as amended at 45 C.F.R. pts. 160, 164). 3. Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) (codified at 45 C.F.R. pts. 160, 162, 164).

Introduction 3 passed the Health Information Technology for Economic and Clinical Health Act, also called the HITECH Act. The HITECH Act is part of a larger piece of stimulus legislation enacted during the financial crisis that started in the late 2000s. 4 The HITECH Act made certain changes to HIPAA security and privacy provisions, called for notification of data security breaches to affected individuals, and strengthened HIPAA s enforcement provisions. Second, HHS issued interim and later final regulations to flesh out the provisions of the HITECH Act, to strengthen HIPAA enforcement, and to somewhat simplify the HIPAA Security Rule and the HIPAA Privacy Rule. The final set of regulations emerging from the HITECH Act is commonly referred to as the HIPAA Final Omnibus Rule. 5 The compliance deadline for the HIPAA Final Omnibus Rule was in September 2013. Unlike other books on HIPAA, the focus of this book is the HIPAA Security Rule, as modified by the HITECH Act and the HIPAA Final Omnibus Rule. This publication discusses the Security Rule s role in the broader context of HIPAA, the HITECH Act, and their regulations. At the heart of this publication is a detailed section-by-section analysis of each provision in the Security Rule covering a security safeguard. This analysis explains the security topic and what organizations can do to comply. This publication also covers the legal risks of noncompliance by describing the applicable enforcement mechanisms that apply, reporting on past enforcement actions, and describing the body of case law emerging from litigation relating to HIPAA/HITECH security. The intended audience of this book is healthcare and information security professionals, lawyers specializing in these fields, administrators, compliance officers, chief information security officers, and security personnel. Hopefully, the book will provide the reader with useful guidance in meeting security requirements related to PHI. The Security Rule focuses on PHI in electronic form. The HIPAA Privacy Rule also requires covered entities to implement appropriate administrative, technical and physical safeguards for the privacy of PHI, 4. Health Information Technology for Economic and Clinical Health Act within the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (2009). 5. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5566 (2013).

Introduction 5 associate can reasonably anticipate, as well as the costs that will be reasonable and appropriate in addressing those risks. Risk assessment includes prioritizing and quantifying the risks. Mitigation and remediating threats that pose risks should follow the risk assessment. If mitigation and remediation are not reasonable and appropriate, it may be necessary to transfer risks (using insurance or third-party indemnification, for instance) or to simply accept and plan on handling risks that cannot otherwise be mitigated. Regardless, the Security Rule requires ongoing monitoring and periodic review to facilitate an ongoing assessment and reevaluation of risks. Secure electronic transmission of health information offers opportunities to improve the quality and efficiency of healthcare delivery by improving access to information. Specifically, access by healthcare professionals, health plan administrators, and patients will improve. In addition, secure transmission of electronic health information will foster opportunities to implement cost savings as a result of standardized healthcare transactions and the use of the Internet and cloud service providers. Secure electronic transmission of health information can create opportunities to identify and treat those who are at risk for specific diseases, to conduct medical research, and to detect fraud and abuse. Moreover, the distribution of electronic data can extend far beyond the community where the patient is physically located. Prior to the promulgation of national standards for the confidentiality, security, and electronic exchange of PHI, disparate state laws were a source of confusion and inconsistency. By contrast, comprehensive minimum national standards 9 for the privacy and security of PHI will encourage increased and appropriate use of electronic information while protecting a patient s need for privacy. 10 Another important health information trend has been the proliferation of non-pc mobile devices. Electronic health data is becoming increasingly mobile as more information becomes available in electronic form. Since the first edition of this book, a revolution in mobile computing has taken place, and mobile computing holds the promise 9. HIPAA does not establish comprehensive standards. Rather, it sets a national uniform floor of standards. HIPAA expressly preserves state privacy laws that are in conflict with HIPAA if the state provision is more stringent than the federal provisions. 45 C.F.R. 160.203. Consequently, there could potentially be different versions of privacy rules for each of the states, the District of Columbia, Puerto Rico, and U.S. possessions and territories. 10. State laws requiring the protection of personal information of citizens are becoming increasingly common. One example is California s AB 1950. Cal. Civil Code 1798.81.5. AB 1950, however, does not apply to covered entities, perhaps to avoid disturbing the national standard created by the Security Rule. Id. 1798.81.5(e)(3).

6 A GUIDE TO HIPAA SECURITY AND THE LAW, SECOND EDITION for significant changes in the way professionals provide healthcare services. Healthcare professionals are commonly using smartphones and tablet computers for their everyday work. In addition, special hardware and software applications allow healthcare professionals and patients to use their general-purpose mobile devices for a wide variety of diagnostic, imaging, and wellness applications. Covered entities and business associates must now account for mobile computing in their Security Rule and Privacy Rule compliance programs. Managing mobile health initiatives will not be easy, and mobile devices raise a host of general and healthcare-specific legal issues. 11 Emerging technologies will pose even greater HIPAA security challenges. For instance, smart devices, wearable computers, Internet of Things devices and systems, augmented and virtual reality systems, telemedicine, 3D printing, new types of mobile devices (even automobiles), and surgical and service robots may create, receive, maintain, or transmit PHI. Covered entities and business associates will need to secure PHI on these new kinds of devices as well. Future decades will see far greater security challenges in the healthcare field. Accordingly, organizations should continuously anticipate future security threats and opportunities as they adopt emerging technologies. Hopefully, this book will assist in those efforts. 11. Author Stephen Wu has also written on the general legal issues concerning mobile device management in his August 2013 book, A Legal Guide to Enterprise Mobile Device Management: Managing Bring Your Own Device (BYOD) and Employer-Issued Device Programs, also published by the American Bar Association Section of Science & Technology Law.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback