Higher quality. Healthier lives.

HIPAA Privacy & Security Basics
Brad Trudell, MetaStar, Inc.
June 2018

What Is HIPAA?
- "HIPAA" is the Health Insurance Portability and Accountability Act of 1996
- Deals with portability of health coverage, special enrollment rights, pre-existing conditions, creditable coverage, etc.
- The Administrative Simplification portion of HIPAA addresses standards for electronic transmissions of health information, as well as privacy & security of health info

HIPAA Timeline
- 1996: HIPAA law passed by Congress
- 2003: Privacy Rule went into effect
- 2005: Security Rule went into effect
- 2009: HITECH enacted as part of ARRA
  - CMS EHR Incentive Programs
  - Significant changes to HIPAA
- 2013: HIPAA/HITECH Omnibus Final Rule published
  - Business Associates, Breach Notification

HIPAA Privacy & Security Rules
The Privacy Rule
- Requires safeguarding of protected health information (PHI): paper, conversations, faxes, emails, in systems, etc.
- Limits how PHI may be used and disclosed
- Provides patients with rights with respect to their PHI
The Security Rule
- Ensures the confidentiality, integrity, and availability of all electronic protected health information (ePHI) we create, receive, maintain, or transmit:
  - In computer systems/applications
  - On portable devices
  - In transactions

Information Protected by HIPAA
- Privacy Rule covers Protected Health Information ("PHI"): health info that:
  - Is created or received by a health care provider, health plan, employer, or clearinghouse; and
  - Relates to an individual's health or condition, provision of care, or payment for care
- Examples: doctors'/nurses' notes, X-ray films, lab reports, billing and payment info

Key Sections of the Privacy Rule
1. Uses & Disclosures of PHI
2. Notice of Privacy Practices
3. Right to Access & Request Amendments of Records (by patients/guardians)
4. Rights to Request Protections of PHI
5. Right to Request an Accounting of Disclosures
6. Administrative Requirements (e.g. training, documentation, sanctions, etc.)
Privacy Rule effective date: 4/14/2003

Key Sections of the Security Rule
1. General Rules
2. Administrative Safeguards
3. Technical Safeguards
4. Physical Safeguards
5. Organizational Requirements
6. Policies & Procedures and Documentation Requirements
Security Rule effective date: 4/20/2005

Covered Entities under HIPAA
- Health care providers who electronically transmit health information
  - Hospitals, clinics, physicians, dentists, etc.
- Health plans
  - Individual and group plans that pay for care
  - Health insurers, employer-sponsored plans, and government programs such as Medicare and Medicaid
- Health care clearinghouses

Business Associates
- Perform functions or services on behalf of Covered Entities that involve the use or disclosure of PHI
- Examples: auditors, attorneys, accountants, IT/IS vendors, third party administrators, billing services, etc.
- Business Associates are now required to comply with most provisions of HIPAA

Penalties for HIPAA Violations
- Four-tiered penalty scheme for violations:
  1. Did Not Know
  2. Reasonable Cause
  3. Willful Neglect, Corrected in 30 Days
  4. Willful Neglect, Not Corrected
- Penalties range from $100 to $50,000 for each violation, up to $1.5 million/year

Examples of Recent Penalties

1. Lahey Hospital - November 24, 2015
- Lahey notified OCR of a laptop stolen from an unlocked treatment room, containing ePHI of 599 patients
- OCR investigation revealed widespread non-compliance with HIPAA rules
- Lahey agreed to pay $850,000 and adopt a robust corrective action plan including:
  - SRA/risk management plan, to be submitted to HHS
  - Developing, and training staff on, specific HIPAA policies
  - Reporting lack of compliance with policies to HHS

2. Advocate Health Care – August 4, 2016
- Advocate submitted three breach notification reports affecting ePHI of approx. 4 million individuals
- OCR: failed to conduct SRA; implement P&P's; safeguard areas with PHI; obtain BAA
- Advocate agreed to pay $5.55 million (largest ever) and adopt a corrective action plan:
  - SRA/risk management plan, to be submitted to HHS
  - Develop and train staff on specific HIPAA policies
  - Ensure BA's enter into BAA's before

Common HIPAA Compliance Issues

HIPAA Compliance Issues
1. Security Risk Assessments
- Assessments/updates required by Security Rule & MU of EHR
- Covers physical, administrative, & technical security safeguards
- Looks at biggest threats to, and vulnerabilities of, your ePHI system
  - Likelihood x Impact = Risk
- Create action plan for fixing risks from SRA

HIPAA Compliance Issues
2. Written Policies & Procedures
- Privacy & Security rules require a variety of policies & procedures to be documented
- Name Privacy/Security Officers responsible for development & implementation
  - Add P&P duties to job descriptions
- P&P's to form basis of workforce training
- Must be retained for at least six years
- Available to staff responsible for implementation

HIPAA Compliance Issues
Security Policies & Procedures:
- Risk analysis/assessment
- Information security policies
- Security incident management
- Business continuity/disaster recovery
- Data backup/destruction/encryption
- Internal auditing controls
- Physical security

HIPAA Compliance Issues
Privacy Policies & Procedures:
- Notice of privacy practices
- Uses and Disclosures of PHI
  - Treatment, payment, & health care operations
- Individual rights: access, amend, accounting
- Minimum necessary requirement
- Business associate agreements
- Complaints/sanctions

HIPAA Compliance Issues
3. Encryption of Data At Rest/In Motion
- Addressable in Security Rule: must encrypt if "reasonable and appropriate" to do so
  - Must document choice to not encrypt
- Encrypt data at rest (encrypted laptops, 3rd party software) & in motion (SSL, VPN)
- Avoids breaches by rendering data "unusable, unreadable, & indecipherable"
- Costs to encrypt have declined sharply

HIPAA Compliance Issues
4. Securing Paper Documents
- Treat paper records the same as electronic
- Avoid leaving in unattended workspaces
- Do not mix in with regular trash; designate locked bins for disposal/recycling
- Shred all documents containing PHI, financial, or other sensitive information
  - Creates "secured" PHI, avoids breaches
- Double check addresses when mailing PHI

HIPAA Compliance Issues
5. Server Rooms/Data Closets
- Servers, routers, switches, wiring, etc. should be in locked rooms with limited access
  - Avoid storage rooms/cleaning closets
- Protect with fire suppression and fire alarms
- Back-up power supply: UPS and generators
- Climate control: AC, fans, humidity control
- Overhead water pipes and rooms with external windows should be avoided

HIPAA Compliance Issues
6. Unlocked/Unattended Workstations
- Periodically remind employees to:
  - lock workstation before leaving desk
  - put away paper documents with PHI
  - not post usernames/passwords
  - keep ID badges on their person
- Conduct random walk-throughs
- Set workstations to lock/log-off users after periods of inactivity

HIPAA Compliance Issues
7. Fax Transmissions of PHI
- Place fax machines in low traffic areas
- Empty incoming/outgoing faxes frequently
- Electronic copies stored in fax machines should be backed up/periodically erased
- Always use a cover sheet when faxing
  - Include warning: "If Fax containing PHI is received by mistake, unintended recipient is to return to sender or destroy, and must not disclose to any third party."

HIPAA Compliance Issues
8. Security & Privacy Training
- Security Rule:
  - Must implement employee security training program
  - Must provide periodic security updates
- Privacy Rule:
  - Must train/re-train all employees on privacy P&P's as necessary & appropriate for job functions
  - New hires: must train within reasonable time
- Maintain training documentation for 6 years

HIPAA Compliance Issues
9. Breach Notification
- Breach: unauthorized use or disclosure of unencrypted PHI, if the probability that the PHI was compromised is greater than low
- Must investigate potential breach reports
- Should log potential & actual breaches
- If a breach occurs, must notify the individual
- If a large breach occurs (500 or more individuals), must notify HHS and local media

HIPAA Compliance Issues
10. Contingency Planning
- Establishes how access to ePHI is recovered during emergency, system failure, or disaster
- Back up data frequently, store off-site, and encrypt backup tapes/disks
- Must have written backup/recovery P&P's
- Periodically test & revise contingency plan: simulate a disaster or major system outage
  - Helps identify issues prior to a real emergency

HIPAA Compliance Issues
11. Notice of Privacy Practices
- Must be updated with 2013 changes
- Revised NPP's must be posted promptly
- Must be available to take a copy with, and clearly posted on-site & on website
- Make good faith effort to obtain patient's written acknowledgement of receipt
  - Document efforts to get acknowledgement

HIPAA Compliance Issues
12. Mobile Device Security
- Require use of passwords, screen locking
- Install & enable device encryption
- Activate remote wiping
- Update firewalls, O/S, other security software
- Download apps only from trusted sites
  - Helps avoid viruses, worms, trojans, etc.
- Use encrypted VPN connections when sending/receiving ePHI over public Wi-Fi

Responding to Requests for PHI

Responding to Requests for PHI
- May not use/disclose an individual's PHI without authorization, with several exceptions:
  - May use/disclose PHI for TPO without authorization
  - Must disclose to individual or HHS upon request
  - May disclose for public interest/health oversight purposes
    - Public health & safety, regulatory agencies, national security

Responding to Requests for PHI
- May use/disclose PHI with written authorization:
  - Name of individual who is subject of the PHI
  - Who may disclose & receive the PHI
  - Description of PHI to be disclosed
  - Purpose of the disclosure
  - Expiration date or event
  - Individual's right to revoke the authorization
  - Signed/dated by individual or personal representative

Responding to Requests for PHI
- Personal Representatives: must treat as the individual
- State law determines who may be a PR:
  - Parent or guardian of minor child
  - Health care power of attorney
    - Access to PHI upon incapacitation
  - Durable financial power of attorney
    - Access to financial information immediately
  - Guardianship (guardian of the person)
  - Conservatorship (guardian of the estate)

Breach Notification Requirements

Duty to Notify
- Prior to 2009, no federal law required organizations to notify affected individuals of inappropriate uses or disclosures of health information
  - Only two states (California, Arkansas) required such notifications
- South Dakota's 2018 Data Breach Notification Law:
  - Applies to personal information
  - Also applies to names/health information (HIPAA)

Duty to Notify
- HIPAA Privacy Rule effective in 2003
  - Explained permissible uses and disclosures of protected health information ("PHI")
  - Provided individuals with certain rights regarding PHI (access, amend, etc.)
- Did NOT contain an explicit duty for covered entities to notify individuals of breaches of PHI
- Contained a duty to mitigate any harmful effect of a use or disclosure of PHI which violates the Privacy Rule

HITECH Act
- Enacted as part of the American Recovery and Reinvestment Act of 2009
- Made significant changes to HIPAA Privacy and Security Rules
- Established Breach Notification requirements:
  - Determining when a Breach of "Unsecured" PHI has occurred
  - How, when, and to whom such a Breach must be reported

What Is A Breach?
- HITECH Act defines a "Breach" as:
  1. The acquisition, access, use, or disclosure
  2. Of "unsecured" PHI
  3. In a manner not permitted by the Privacy Rule
  4. Which compromises the security or privacy of the PHI
- So not every Privacy Rule violation will constitute a Breach
  - Each of the four elements must be present

1. The acquisition, access, use, or disclosure
- "Use" means sharing, utilizing, or analyzing PHI within the entity
- "Disclosure" means releasing, transferring, or divulging PHI outside of the entity
- "Acquisition" and "access" are to be interpreted by their plain meanings
  - HHS states they are included within the "use" and "disclosure" definitions

2. Of Unsecured PHI
- Only "unsecured" PHI will trigger the Breach Notification obligation
  - Not secured through use of an approved method that renders PHI "unusable, unreadable, or indecipherable" to unauthorized individuals
- HHS Guidance indicates that encryption and destruction of PHI are the only two approved methods

3. In a Manner not Permitted by the Privacy Rule
- An acquisition, access, use or disclosure of unsecured PHI must be a violation of the Privacy Rule to give rise to a Breach
- Violation of the Security Rule will not, by itself, constitute a Breach
  - Could lead to a Breach if it results in an impermissible use or disclosure of PHI under the Privacy Rule

4. Which compromises the security or privacy of the PHI
- Privacy violation must "compromise security or privacy of PHI" to be a Breach
- In 2013, the "risk of harm" test was replaced with the "probability of compromise" test
- Must show "there is a low probability that the PHI has been compromised"
  - Otherwise the inappropriate use or disclosure will be presumed to be a Breach
- Four factors must be considered when determining "probability of compromise"

"Probability of Compromise"
1. The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
- How sensitive is the information? Credit card numbers, SSN's? Detailed medical/clinical information?
- Could the PHI be used in a manner adverse to the patient, or for the recipient's own gain?
- If no identifiers, could the PHI be linked with other info to re-identify the patient?

"Probability of Compromise"
2. The unauthorized person who impermissibly used or received the PHI
- Does he/she have an obligation to protect the privacy/security of the PHI?
- What is the likelihood that he/she knows the value of the PHI and may attempt to use it or sell it to others?
- Again, must also consider risk of re-identification (inappropriate disclosure to employer, for example)

"Probability of Compromise"
3. Whether the PHI was actually acquired or viewed
- Was it actually acquired or viewed, or was there simply an opportunity for it to be acquired or viewed?
- Forensic analysis on a recovered laptop may show that PHI was never accessed, viewed, transferred, acquired, etc.
- PHI mailed in error and opened by an unintended recipient will be considered viewed and acquired

"Probability of Compromise"
4. The extent to which the risk to the PHI has been mitigated
- Obtain satisfactory assurance from the unintended recipient that the PHI will not be further used/disclosed, or will be destroyed
- Such assurances from unaffiliated third parties may not be sufficient

Notification Requirements
- Once a Breach occurs, each individual whose PHI is breached must be notified
- Notice must be sent by first class mail
  - May be sent in multiple mailings if needed
  - If individual is deceased, sent to next of kin
  - For minors, may be sent to personal representative
- Must be sent without "unreasonable delay" and no later than 60 days after discovery
- Notifications must contain specific information about the Breach

Content of Notifications
1. Brief description of what happened
2. Description of the types of unsecured information involved in the breach
3. Steps individuals should take to protect themselves from potential harm
4. What the entity is doing to investigate, mitigate harm to individuals, and prevent further breaches
5. Contact procedures for individuals to ask questions or learn additional info

Notification to HHS
- All breaches must be reported to HHS
- Breaches involving 500 or more individuals must be reported "immediately"
  - List of large breaches posted by HHS
- Breaches involving fewer than 500 individuals must be logged and reported annually to HHS within 60 days of the end of the calendar year
- All breaches must be reported using the electronic form on HHS.gov

Notification to Media
- If 500 or more individuals within a jurisdiction or state are affected by a breach, notice must be provided to prominent media
  - Jurisdiction means smaller than a state
  - "Prominent media outlet" is fact specific, depending on state/jurisdiction affected
- In addition to individual notice, but with same content requirements and within same timeframe (no more than 60 days)

Notification by Business Associate
- Business Associate must notify Covered Entity within 60 days of breach discovery
- Notification must include, if possible, identification of each affected individual and any other info the covered entity must include in its notice to the individual
- BA and CE may contractually determine who will provide notice to individual(s)
  - HHS stresses that only one entity should provide the individual notice

Encryption as Safe Harbor
- Encryption: Transforming data into a form in which there is a low probability that it can be understood by unauthorized persons
  - Recipient must possess the correct key to decrypt the encrypted data
- Provides safe harbor for incidents that would otherwise result in breaches
- Will not be required to notify affected individuals or HHS if PHI is encrypted
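The breach-definition and notification slides above (safe harbor for encrypted PHI, the four-factor presumption, individual notice within 60 days, HHS immediate vs. annual reporting at the 500 threshold, media notice per jurisdiction, and the business associate's duty to the covered entity) combined into one routing function, as an added worked example that is not part of the deck; the Incident fields, the sample incidents, and the use of the 60-day individual-notice deadline as the outer bound for "immediate" HHS reporting are assumptions made here:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict

# Constants from the deck: notices go out no later than 60 days after discovery, and
# 500 individuals is the threshold for immediate HHS reporting and for media notice.
NOTIFY_WINDOW = timedelta(days=60)
LARGE_BREACH = 500


@dataclass
class Incident:
    """One impermissible use/disclosure of PHI (assumed fields; elements 1 and 3 of the
    Breach definition are taken as already established by the investigation)."""
    discovered: date                       # date the incident was discovered
    affected: int                          # individuals whose PHI was involved
    phi_encrypted: bool                    # encrypted per HHS guidance (NIST-consistent)?
    low_probability_of_compromise: bool    # documented outcome of the four-factor assessment
    residents_by_jurisdiction: Dict[str, int] = field(default_factory=dict)  # area -> count
    discovered_by_ba: bool = False         # discovered by a business associate, not the CE?


def is_reportable_breach(inc: Incident) -> bool:
    """Elements 2 and 4: only unsecured PHI counts, and the incident is presumed a Breach
    unless the four-factor assessment shows a low probability of compromise."""
    if inc.phi_encrypted:
        return False  # safe harbor: encrypted PHI is "secured", so no notification duty
    return not inc.low_probability_of_compromise


def hhs_deadline(inc: Incident) -> date:
    """500+ individuals: report "immediately" (assumption: the individual-notice deadline
    is used as the outer bound); fewer: log it and report within 60 days of year end."""
    if inc.affected >= LARGE_BREACH:
        return inc.discovered + NOTIFY_WINDOW
    return date(inc.discovered.year, 12, 31) + NOTIFY_WINDOW


def notification_plan(inc: Incident) -> dict:
    """Who must be notified, and by when, for a single incident."""
    if not is_reportable_breach(inc):
        reason = "encrypted PHI (safe harbor)" if inc.phi_encrypted else "low probability of compromise"
        return {"breach": False, "reason": reason}
    individual_deadline = inc.discovered + NOTIFY_WINDOW
    plan = {
        "breach": True,
        "individuals_by": individual_deadline,   # first-class mail, five required content items
        "hhs_by": hhs_deadline(inc),
        "hhs_immediate": inc.affected >= LARGE_BREACH,
        # Prominent media in every state/jurisdiction with 500+ affected residents,
        # same content and same 60-day window as the individual notice.
        "media": sorted(j for j, n in inc.residents_by_jurisdiction.items() if n >= LARGE_BREACH),
        "media_by": individual_deadline,
    }
    if inc.discovered_by_ba:
        # BA must notify the covered entity within 60 days of discovery; BA and CE then
        # decide contractually which one of them sends the (single) individual notice.
        plan["ba_notifies_ce_by"] = inc.discovered + NOTIFY_WINDOW
    return plan


if __name__ == "__main__":
    # Constructed incident: an unencrypted laptop with 599 patients' ePHI, 559 of them in one county
    stolen_laptop = Incident(date(2018, 6, 1), 599, phi_encrypted=False,
                             low_probability_of_compromise=False,
                             residents_by_jurisdiction={"County A": 559, "County B": 40})
    for key, value in notification_plan(stolen_laptop).items():
        print(f"{key}: {value}")
```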

Reporting Breaches
- Each employee is responsible for reporting suspected privacy breaches or security incidents
- May be reported to your immediate supervisor, or to the Privacy Officer: Carole Boos, 605-773-5990, [email protected]

Encryption Requirements

Encryption as Safe Harbor
- "Secured PHI" means: PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by meeting the requirements of the technologies and methodologies provided in the Secretary's guidance.

Encryption as Safe Harbor
- To take advantage of Safe Harbor, encryption processes for data at rest must be consistent with:
  - NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
- Encryption processes for data in motion must comply with:
  - NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Security Rule & Encryption
- Encryption of PHI at rest and in motion is addressable under the Security Rule
  - PHI "at rest" is stored on desktops, laptops, servers, mobile devices, USB flash drives, CD's & DVD's, etc.
  - PHI "in motion" is moving across a network, including wireless transmissions
- Must encrypt PHI unless not reasonable and appropriate for the entity to do so
  - Must then document reasoning and implement an equivalent alternative measure

Encryption of PHI At Rest
- Large bulk of an entity's PHI is at rest
  - Costly and complex to encrypt
- Encrypt as much as possible
  - P&P's, training help address remainder
- Use risk-based approach to decide:
  - Full disk encryption for desktops/laptops
  - File/folder encryption
  - Unlocked/accessible servers
  - Back up tapes/disks
  - Mobile devices

Encryption of PHI In Motion
- NIST recommends Transport Layer Security ("TLS") to secure PHI in motion
- TLS is a protocol that provides authentication, confidentiality and data integrity between two applications communicating PHI across a network
- Must periodically be updated and patched against the latest threats

Emailing PHI
- The Security Rule allows e-PHI to be sent over an electronic open network, if adequately protected:
  - Covered entity must implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.
  - Covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision.

Emailing PHI
- Unencrypted email is like sending a postcard
- Encrypted email meeting NIST standards for data at rest and in motion should be used
- Alternatives to email should be considered:
  - Telephone call to recipient of PHI
  - Secure extranet with encryption
  - Secure CD, DVD or flash drive
- Warn patients about risks of emailing PHI
- Avoid emailing PHI to personal accounts
- Send minimum necessary amount of PHI

HIPAA Privacy, Security, and Breach Audits

HIPAA Audits: Governing Law
- HITECH Act was signed into law as part of the American Recovery and Reinvestment Act of 2009 (ARRA), also referred to as the "Stimulus Bill"
- Requires HHS to audit covered entities/business associates for compliance with HIPAA Privacy & Security Rules and Breach Notification standards

OCR HIPAA Audits
- U.S. Department of Health and Human Services' Office of Civil Rights (OCR) is responsible for enforcing compliance with HIPAA and HITECH
- Prior to the HITECH Act, HIPAA regulations were rarely enforced
  - Investigations were largely complaint driven

Goals of OCR Audit Program
- OCR: a HIPAA Audit is not an investigation, and does not indicate a complaint has been filed
- Random audits are designed to improve compliance by identifying best practices and areas where technical assistance may be needed
- If an Audit does reveal serious compliance issues:
  - OCR may initiate a formal compliance review of the entity, which may result in civil monetary penalties

Structure of Audit Program: Phase 1
- 2011-2012: KPMG audited 115 randomly selected covered entities
  - Comprehensive on-site visits
  - OCR developed audit protocol tool
- 2013 OCR formal evaluation report:
  - Most entities had areas of non-compliance
  - "Unaware of requirement" most common reason
  - Most entities failed to perform a thorough risk assessment

Phase 1 Audit Findings
- 11% of audited entities had no findings
- Providers: 53% of audited entities but responsible for 65% of violations
  - Almost all audited providers had at least one Security violation
- 60% of findings were Security, 30% were Privacy, 10% were Breach

Phase 1 Audit Findings
- Most common compliance failures:
  - Lack of updated policies and procedures
  - Failing to follow policies and procedures
  - No regular risk assessments conducted
  - Poor awareness of HIPAA requirements within the organization

Structure of Audit Program: Phase 2
- July 2016: OCR commenced Phase 2 of the HIPAA audit program
  - 167 covered entities received notice of a desk audit from HHS/OCR
  - 33 business associates selected for audits in September 2016
- OCR audit protocol tool updated April 2016

Top Six HIPAA To-Do List
1. Conduct a Thorough Risk Assessment
- Required by Security Rule, MU of EHR
- Assess potential threats to confidentiality, integrity, and availability of ePHI
  - Physical, administrative, and technical safeguards
- Represents a snapshot in time
- NIST SP 800-30 is a commonly used methodology for conducting SRA's

Top Six HIPAA To-Do List
2. Action Plan: Address the Top Risks
- Auditors want the SRA, but also risk mitigation
- Create an ongoing action plan to begin fixing/mitigating the biggest risks identified in the SRA
  - Attach a name & target date to each risk
  - Keep a log of progress: when, what, & by whom
- Write/update processes, workflows, & policies
- Update software
- Implement training and awareness programs

Top Six HIPAA To-Do List
3. Document Policies & Procedures
Security Rule:
- Risk analysis/assessment
- Information security policies
- Security incident management
- Business continuity/disaster recovery
- Data backup/destruction/encryption
- Internal auditing controls
- Physical security

Top Six HIPAA To-Do List
3. Document Policies & Procedures
Privacy Rule:
- Notice of privacy practices
- Uses and Disclosures of PHI (TPO)
- Individual rights: access, amend, accounting
- Minimum necessary requirement
- Business associate agreements
- Complaints/sanctions
- Breach notification processes

Top Six HIPAA To-Do List
4. Review Business Associate Agreements
- Ensure BAA template language is current
  - BA must notify CE upon discovery of a Breach
  - BA must comply with the Security Rule
- Maintain an up to date inventory of BA's
  - Accounts payable may help to identify BA's
  - OCR will use the list to select BA's for audits

Top Six HIPAA To-Do List
5. Train Staff on Policies & Procedures
- Privacy and security training for new hires
  - As necessary and appropriate for job duties
  - Training must be documented
- Annual HIPAA refresher course
- Periodic reminders (newsletter, email)
- Should know the names of the privacy & security officers, and how to report incidents/breaches

Top Six HIPAA To-Do List
6. Organize Documentation
- Keep policies and other docs for six years
  - Should be accessible by staff who need them
- Maintain asset list and network diagram
- Results of recent SRA, with action plan
- Access requests, authorizations, complaints
- Log of Breaches, incident investigations
- Document new hire/annual training

Questions?
- For any HIPAA related questions, feel free to contact Carole Boos or Dan Hoblick by calling 605-773-5990
- For additional information you may also visit the SD DHS HIPAA page: http://dhs.sd.gov/HIPAA.aspx

Contact: