HIPAA Privacy & Security Basics
Brad Trudell, MetaStar, Inc.
June 2018

What Is HIPAA?
- "HIPAA" is the Health Insurance Portability and Accountability Act of 1996
- Deals with portability of health coverage, special enrollment rights, pre-existing conditions, creditable coverage, etc.
- The Administrative Simplification portion of HIPAA addresses standards for electronic transmissions of health information, as well as privacy & security of health information
Higher quality. Healthier lives.
HIPAA Timeline
- 1996: HIPAA law passed by Congress
- 2003: Privacy Rule went into effect
- 2005: Security Rule went into effect
- 2009: HITECH enacted as part of ARRA
  - CMS EHR Incentive Programs
  - Significant changes to HIPAA
- 2013: HIPAA/HITECH Omnibus Final Rule published
  - Business Associates, Breach Notification

HIPAA Privacy & Security Rules
The Privacy Rule
- Requires safeguarding of protected health information (PHI): paper, conversations, faxes, emails, in systems, etc.
- Limits how PHI may be used and disclosed
- Provides patients with rights in respect to their PHI
The Security Rule
- Ensures the confidentiality, integrity, and availability of all electronic protected health information (ePHI) we create, receive, maintain, or transmit:
  - In computer systems/applications
  - On portable devices
  - In transactions

Information Protected by HIPAA
- The Privacy Rule covers Protected Health Information ("PHI"): health information that
  - Is created or received by a health care provider, health plan, employer, or clearinghouse; and
  - Relates to an individual's health or condition, provision of care, or payment for care
- Examples: doctors'/nurses' notes, X-ray films, lab reports, billing and payment information

Key Sections of the Privacy Rule
1. Uses & Disclosures of PHI
2. Notice of Privacy Practices
3. Right to Access & Request Amendments of Records (by patients/guardians)
4. Rights to Request Protections of PHI
5. Right to Request an Accounting of Disclosures
6. Administrative Requirements (e.g. training, documentation, sanctions, etc.)
Privacy Rule effective date: 4/14/2003

Key Sections of the Security Rule
1. General Rules
2. Administrative Safeguards
3. Technical Safeguards
4. Physical Safeguards
5. Organizational Requirements
6. Policies & Procedures and Documentation Requirements
Security Rule effective date: 4/20/2005

Covered Entities under HIPAA
- Health care providers who electronically transmit health information
  - Hospitals, clinics, physicians, dentists, etc.
- Health plans
  - Individual and group plans that pay for care
  - Health insurers, employer-sponsored plans, and government programs such as Medicare and Medicaid
- Health care clearinghouses

Business Associates
- Perform functions or services on behalf of Covered Entities that involve the use or disclosure of PHI
- Examples: auditors, attorneys, accountants, IT/IS vendors, third party administrators, billing services, etc.
- Business Associates are now required to comply with most provisions of HIPAA

Penalties for HIPAA Violations
- Four-tiered penalty scheme for violations:
  - Did Not Know
  - Reasonable Cause
  - Willful Neglect, Corrected in 30 Days
  - Willful Neglect, Not Corrected
- Penalties range from $100 to $50,000 for each violation, up to $1.5 million/year
Examples of Recent Penalties

1. Lahey Hospital - November 24, 2015
- Lahey notified OCR of a laptop stolen from an unlocked treatment room, containing ePHI of 599 patients
- OCR investigation revealed widespread noncompliance with HIPAA rules
- Lahey agreed to pay $850,000 and adopt a robust corrective action plan including:
  - SRA/risk management plan, to be submitted to HHS
  - Developing, and training staff on, specific HIPAA policies
  - Reporting lack of compliance with policies to HHS

2. Advocate Health Care - August 4, 2016
- Advocate submitted three breach notification reports affecting ePHI of approx. 4 million individuals
- OCR: failed to conduct SRA; implement P&Ps; safeguard areas with PHI; obtain BAA
- Advocate agreed to pay $5.55 million (largest ever) and adopt a corrective action plan:
  - SRA/risk management plan, to be submitted to HHS
  - Develop and train staff on specific HIPAA policies
  - Ensure BAs enter into BAAs before accessing PHI
  - Develop an encryption report, submit to HHS
Common HIPAA Compliance Issues

HIPAA Compliance Issues
1. Security Risk Assessments/updates
- Required by Security Rule & MU of EHR
- Covers physical, administrative, & technical security safeguards
- Looks at biggest threats to, and vulnerabilities of, your ePHI system
- Likelihood × Impact = Risk
- Create action plan for fixing risks from SRA

HIPAA Compliance Issues
2. Written Policies & Procedures
- Privacy & Security Rules require a variety of policies & procedures to be documented
- Name Privacy/Security Officers responsible for development & implementation
- Add P&P duties to job descriptions
- P&Ps to form basis of workforce training
- Must be retained for at least six years
- Available to staff responsible for implementation

HIPAA Compliance Issues
Security Policies & Procedures:
- Risk analysis/assessment
- Information security policies
- Security incident management
- Business continuity/disaster recovery
- Data backup/destruction/encryption
- Internal auditing controls
- Physical security

HIPAA Compliance Issues
Privacy Policies & Procedures:
- Notice of privacy practices
- Uses and Disclosures of PHI
  - Treatment, payment, & health care operations
- Individual rights: access, amend, accounting
- Minimum necessary requirement
- Business associate agreements
- Complaints/sanctions

HIPAA Compliance Issues
3. Encryption of Data At Rest/In Motion
- Addressable in Security Rule: must encrypt if "reasonable and appropriate" to do so
- Must document choice to not encrypt
- Encrypt data at rest (encrypted laptops, 3rd party software) & in motion (SSL, VPN)
- Avoids breaches by rendering data "unusable, unreadable, & indecipherable"
- Costs to encrypt have declined sharply

HIPAA Compliance Issues
4. Securing Paper Documents
- Treat paper records the same as electronic
- Avoid leaving in unattended workspaces
- Do not mix in with regular trash: designate locked bins for disposal/recycling
- Shred all documents containing PHI, financial, or other sensitive information
  - Creates "secured" PHI, avoids breaches
- Double check addresses when mailing PHI

HIPAA Compliance Issues
5. Server Rooms/Data Closets
- Servers, routers, switches, wiring, etc. should be in locked rooms with limited access
- Avoid storage rooms/cleaning closets
- Protect with fire suppression and fire alarms
- Back-up power supply: UPS and generators
- Climate control: AC, fans, humidity control
- Overhead water pipes and rooms with external windows should be avoided

HIPAA Compliance Issues
6. Unlocked/Unattended Workstations
- Periodically remind employees to:
  - lock workstation before leaving desk
  - put away paper documents with PHI
  - not post usernames/passwords
  - keep ID badges on their person
- Conduct random walk-throughs
- Set workstations to lock/log off users after periods of inactivity

HIPAA Compliance Issues
7. Fax Transmissions of PHI
- Place fax machines in low traffic areas
- Empty incoming/outgoing faxes frequently
- Electronic copies stored in fax machines should be backed up/periodically erased
- Always use a cover sheet when faxing
- Include warning: "If Fax containing PHI is received by mistake, unintended recipient is to return to sender or destroy, and must not disclose to any third party."

HIPAA Compliance Issues
8. Security & Privacy Training
- Security Rule:
  - Must implement employee security training program
  - Must provide periodic security updates
- Privacy Rule:
  - Must train/re-train all employees on privacy P&Ps as necessary & appropriate for job functions
  - New hires: must train within reasonable time
- Maintain training documentation for 6 years

HIPAA Compliance Issues
9. Breach Notification
- Breach: unauthorized use or disclosure of unencrypted PHI, if the probability that PHI was compromised is greater than low
- Must investigate potential breach reports
- Should log potential & actual breaches
- If a breach occurs, must notify individual
- If a large breach occurs (>500), must notify HHS and local media

HIPAA Compliance Issues
10. Contingency Planning
- Establishes how access to ePHI is recovered during emergency, system failure, or disaster
- Back up data frequently, store off-site, and encrypt backup tapes/disks
- Must have written backup/recovery P&Ps
- Periodically test & revise contingency plan: simulate a disaster or major system outage
  - Helps identify issues prior to a real emergency

HIPAA Compliance Issues
11. Notice of Privacy Practices
- Must be updated with 2013 changes
- Revised NPPs must be posted promptly
- Must be available to take a copy with, and clearly posted on-site & on website
- Make good faith effort to obtain patient's written acknowledgement of receipt
  - Document efforts to get acknowledgement

HIPAA Compliance Issues
12. Mobile Device Security
- Require use of passwords, screen locking
- Install & enable device encryption
- Activate remote wiping
- Update firewalls, O/S, other security software
- Download apps only from trusted sites
  - Helps avoid viruses, worms, trojans, etc.
- Use encrypted VPN connections when sending/receiving ePHI over public Wi-Fi
Responding to Requests for PHI

Responding to Requests for PHI
- May not use/disclose an individual's PHI without authorization, with several exceptions:
  - May use/disclose PHI for TPO (treatment, payment, & health care operations) without authorization
  - Must disclose to individual or HHS upon request
  - May disclose for public interest/health oversight purposes
    - Public health & safety, regulatory agencies, national security

Responding to Requests for PHI
- May use/disclose PHI with written authorization, which must contain:
  - Name of individual who is subject of the PHI
  - Who may disclose & receive the PHI
  - Description of PHI to be disclosed
  - Purpose of the disclosure
  - Expiration date or event
  - Individual's right to revoke the authorization
  - Signed/dated by individual or personal representative

Responding to Requests for PHI
- Personal Representatives: must treat as the individual
- State law determines who may be a PR:
  - Parent or guardian of minor child
  - Health care power of attorney
    - Access to PHI upon incapacitation
  - Durable financial power of attorney
    - Access to financial information immediately
  - Guardianship (guardian of the person)
  - Conservatorship (guardian of the estate)
Breach Notification Requirements

Duty to Notify
- Prior to 2009, no federal law required organizations to notify affected individuals of inappropriate uses or disclosures of health information
- Only two states (California, Arkansas) required such notifications
- South Dakota's 2018 Data Breach Notification Law:
  - Applies to personal information
  - Also applies to names/health information (HIPAA)

Duty to Notify
- HIPAA Privacy Rule effective in 2003
  - Explained permissible uses and disclosures of protected health information ("PHI")
  - Provided individuals with certain rights regarding PHI (access, amend, etc.)
  - Did NOT contain an explicit duty for covered entities to notify individuals of breaches of PHI
  - Contained a duty to mitigate any harmful effect of a use or disclosure of PHI which violates the Privacy Rule

HITECH Act
- Enacted as part of the American Recovery and Reinvestment Act of 2009
- Made significant changes to HIPAA Privacy and Security Rules
- Established Breach Notification requirements:
  - Determining when a Breach of "Unsecured" PHI has occurred
  - How, when, and to whom such a Breach must be reported

What Is A Breach?
HITECH Act defines a "Breach" as:
1. The acquisition, access, use, or disclosure
2. Of "unsecured" PHI
3. In a manner not permitted by the Privacy Rule
4. Which compromises the security or privacy of the PHI
- So not every Privacy Rule violation will constitute a Breach
- Each of the four elements must be present

1. The acquisition, access, use, or disclosure
- "Use" means sharing, utilizing, or analyzing PHI within the entity
- "Disclosure" means releasing, transferring, or divulging PHI outside of the entity
- "Acquisition" and "access" are to be interpreted by their plain meanings
  - HHS states they are included within the "use" and "disclosure" definitions

2. Of Unsecured PHI
- Only "unsecured" PHI will trigger the Breach Notification obligation
- Unsecured: not secured through use of an approved method that renders PHI "unusable, unreadable, or indecipherable" to unauthorized individuals
- HHS Guidance indicates that encryption and destruction of PHI are the only two approved methods

3. In a Manner not Permitted by the Privacy Rule
- An acquisition, access, use or disclosure of unsecured PHI must be a violation of the Privacy Rule to give rise to a Breach
- A violation of the Security Rule will not, by itself, constitute a Breach
  - Could lead to a Breach if it results in impermissible use or disclosure of PHI under the Privacy Rule

4. Which compromises the security or privacy of the PHI
- A privacy violation must "compromise security or privacy of PHI" to be a Breach
- In 2013, the "risk of harm" test was replaced with the "probability of compromise" test
  - Must show "there is a low probability that the PHI has been compromised"
  - Otherwise the inappropriate use or disclosure will be presumed to be a Breach
  - Four factors must be considered when determining "probability of compromise"

"Probability of Compromise"
1. The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
- How sensitive is the information? Credit card numbers, SSNs? Detailed medical/clinical information?
- Could the PHI be used in a manner adverse to the patient, or for the recipient's own gain?
- If no identifiers, could the PHI be linked with other information to re-identify the patient?

"Probability of Compromise"
2. The unauthorized person who impermissibly used or received the PHI
- Does he/she have an obligation to protect the privacy/security of the PHI?
- What is the likelihood that he/she knows the value of the PHI and may attempt to use it or sell it to others?
- Again, must also consider risk of re-identification (inappropriate disclosure to employer, for example)

"Probability of Compromise"
3. Whether the PHI was actually acquired or viewed
- Was it actually acquired or viewed, or was there simply an opportunity for it to be acquired or viewed?
- Forensic analysis on a recovered laptop may show that PHI was never accessed, viewed, transferred, acquired, etc.
- PHI mailed in error and opened by an unintended recipient will be considered viewed and acquired

"Probability of Compromise"
4. The extent to which the risk to the PHI has been mitigated
- Obtain satisfactory assurance from the unintended recipient that PHI will not be further used/disclosed, or will be destroyed
- Such assurances from unaffiliated third parties may not be sufficient
Notification Requirements
- Once a Breach occurs, each individual whose PHI is breached must be notified
  - Notice must be sent by first class mail
  - May be sent in multiple mailings if needed
  - If individual is deceased, sent to next of kin
  - For minors, may be sent to personal representative
  - Must be sent without "unreasonable delay" and no later than 60 days after discovery
  - Notifications must contain specific information about the Breach

Content of Notifications
1. Brief description of what happened
2. Description of the types of unsecured information involved in the breach
3. Steps individuals should take to protect themselves from potential harm
4. What the entity is doing to investigate, mitigate harm to individuals, and prevent further breaches
5. Contact procedures for individuals to ask questions or learn additional information

Notification to HHS
- All breaches must be reported to HHS
- Breaches involving ≥ 500 individuals must be reported "immediately"
  - List of large breaches posted by HHS
- Breaches involving <500 must be logged, reported annually to HHS within 60 days of end of calendar year
- All breaches must be reported using the electronic form on HHS.gov

Notification to Media
- If >500 individuals within a jurisdiction or state are affected by a breach, notice must be provided to prominent media
  - Jurisdiction means smaller than a state
- "Prominent media outlet" is fact specific, depending on state/jurisdiction affected
- In addition to individual notice, but with the same content requirements and within the same timeframe (no more than 60 days)

Notification by Business Associate
- BA must notify the Covered Entity within 60 days of breach discovery
- Notification must include, if possible, identification of each affected individual and any other information the covered entity must include in its notice to the individual
- BA and CE may contractually determine who will provide notice to individual(s)
  - HHS stresses that only one entity should provide the individual notice

Encryption as Safe Harbor
- Encryption: transforming data into a form in which there is a low probability that it can be understood by unauthorized persons
- Recipient must possess the correct key to decrypt the encrypted data
- Provides a safe harbor for incidents that would otherwise result in breaches
  - Will not be required to notify affected individuals or HHS if PHI is encrypted
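The notification rules on the preceding slides (individual notice, HHS and media notice, the business associate duty, and the encryption safe harbor) as a triage helper. This is an added example written for this page, not code from the presentation or from MetaStar; the incident record, the sample dates and the "more than 500" cutoff it applies to both the media notice and the immediate HHS report are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days after discovery"
LARGE_BREACH = 500                   # media / immediate HHS notice when MORE than 500 affected (assumed cutoff)


@dataclass
class Incident:
    discovered: date                    # date the incident was discovered
    individuals: int                    # number of individuals whose PHI was involved
    secured: bool                       # PHI encrypted or destroyed per HHS guidance
    low_probability_documented: bool    # four-factor assessment found a low probability of compromise
    per_jurisdiction: Dict[str, int] = field(default_factory=dict)  # affected count per state/jurisdiction
    we_are_business_associate: bool = False


@dataclass
class Obligations:
    is_breach: bool
    basis: str
    actions: List[str] = field(default_factory=list)


def annual_hhs_deadline(discovered: date) -> date:
    """Breaches of fewer than 500: log and report to HHS within 60 days of the end of the calendar year."""
    return date(discovered.year, 12, 31) + NOTICE_WINDOW


def assess(inc: Incident) -> Obligations:
    # Element 2 of the HITECH definition: only UNSECURED PHI can be breached (encryption safe harbor).
    if inc.secured:
        return Obligations(False, "safe harbor: PHI was secured (encrypted or destroyed)",
                           ["Log the incident; no individual or HHS notification required"])
    # Element 4: an impermissible use/disclosure is presumed a breach unless the four-factor
    # assessment shows a low probability that the PHI has been compromised.
    if inc.low_probability_documented:
        return Obligations(False, "documented low probability of compromise",
                           ["Log the incident and retain the four-factor risk assessment"])

    deadline = inc.discovered + NOTICE_WINDOW
    actions = [f"Notify each affected individual by first-class mail no later than {deadline}"]
    if inc.we_are_business_associate:
        actions.append(f"Notify the covered entity no later than {deadline}; agree who sends the individual notice")
    if inc.individuals > LARGE_BREACH:
        actions.append("Report to HHS immediately via the HHS.gov electronic form (posted on the large-breach list)")
        for place, n in inc.per_jurisdiction.items():
            if n > LARGE_BREACH:
                actions.append(f"Notify prominent media serving {place} no later than {deadline}")
    else:
        actions.append(f"Log the breach; report to HHS via the electronic form by {annual_hhs_deadline(inc.discovered)}")
    return Obligations(True, "unsecured PHI, impermissible use/disclosure, no low-probability finding", actions)


# Constructed sample: a lost unencrypted device discovered 2018-06-15 holding 1,200 records, 900 from one state.
SAMPLE = Incident(date(2018, 6, 15), 1200, secured=False, low_probability_documented=False,
                  per_jurisdiction={"State A": 900, "State B": 300})

if __name__ == "__main__":
    result = assess(SAMPLE)
    print("Breach:", result.is_breach, "-", result.basis)
    for line in result.actions:
        print("-", line)
```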
Reporting Breaches
- Each employee is responsible for reporting suspected privacy breaches or security incidents
- May be reported to your immediate supervisor, or to the Privacy Officer:
  - Carole Boos, 605-773-5990, Carole.Boos@state.sd.us
Encryption Requirements
Encryption as Safe Harbor
- "Secured PHI" means: PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by meeting the requirements of the technologies and methodologies provided in the Secretary's guidance.

Encryption as Safe Harbor
- To take advantage of the Safe Harbor, encryption processes for data at rest must be consistent with:
  - NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
- Encryption processes for data in motion must comply with:
  - NIST SPs 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Security Rule & Encryption
- Encryption of PHI at rest and in motion is addressable under the Security Rule
  - PHI "at rest" is stored on desktops, laptops, servers, mobile devices, USB flash drives, CDs & DVDs, etc.
  - PHI "in motion" is moving across a network, including wireless transmissions
- Must encrypt PHI unless it is not reasonable and appropriate for the entity to do so
  - Must then document the reasoning and implement an equivalent alternative measure

Encryption of PHI At Rest
- The large bulk of an entity's PHI is at rest
- Costly and complex to encrypt
  - Encrypt as much as possible
  - P&Ps and training help address the remainder
- Use a risk-based approach to decide:
  - Full disk encryption for desktops/laptops
  - File/folder encryption
  - Unlocked/accessible servers
  - Backup tapes/disks
  - Mobile devices

Encryption of PHI In Motion
- NIST recommends Transport Layer Security ("TLS") to secure PHI in motion
  - TLS is a protocol that provides authentication, confidentiality and data integrity between two applications communicating PHI across a network
  - Must periodically be updated and patched against the latest threats

Emailing PHI
- The Security Rule allows ePHI to be sent over an electronic open network, if adequately protected:
  - Covered entity must implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.
  - Covered entity must assess its use of open networks, identify the available and appropriate means to protect ePHI as it is transmitted, select a solution, and document the decision.

Emailing PHI
- Unencrypted email is like sending a postcard
- Encrypted email meeting NIST standards for data at rest and in motion should be used
- Alternatives to email should be considered:
  - Telephone call to recipient of PHI
  - Secure extranet with encryption
  - Secure CD, DVD or flash drive
- Warn patients about the risks of emailing PHI
- Avoid emailing PHI to personal accounts
- Send the minimum necessary amount of PHI
HIPAA Privacy, Security, and Breach Audits

HIPAA Audits: Governing Law
- HITECH Act was signed into law as part of the American Recovery and Reinvestment Act of 2009 (ARRA), also referred to as the "Stimulus Bill"
- Requires HHS to audit covered entities/business associates for compliance with HIPAA Privacy & Security Rules and Breach Notification standards

OCR HIPAA Audits
- U.S. Department of Health and Human Services' Office of Civil Rights (OCR) is responsible for enforcing compliance with HIPAA and HITECH
- Prior to the HITECH Act, HIPAA regulations were rarely enforced
  - Investigations were largely complaint driven

Goals of OCR Audit Program
- OCR: a HIPAA Audit is not an investigation, and does not indicate a complaint has been filed
- Random audits are designed to improve compliance by identifying best practices and areas where technical assistance may be needed
- If an Audit does reveal serious compliance issues: OCR may initiate a formal compliance review of the entity, which may result in civil monetary penalties

Structure of Audit Program: Phase 1
- 2011-2012: KPMG audited 115 randomly selected covered entities
  - Comprehensive on-site visits
  - OCR developed audit protocol tool
- 2013 OCR formal evaluation report:
  - Most entities had areas of non-compliance
  - "Unaware of requirement" most common reason
  - Most entities failed to perform thorough risk assessment

Phase 1 Audit Findings
- 11% of audited entities had no findings
- Providers: 53% of audited entities but responsible for 65% of violations
- Almost all audited providers had at least one Security violation
- 60% of findings were Security, 30% were Privacy, 10% were Breach

Phase 1 Audit Findings
- Most common compliance failures:
  - Lack of updated policies and procedures
  - Failing to follow policies and procedures
  - No regular risk assessments conducted
  - Poor awareness of HIPAA requirements within the organization

Structure of Audit Program: Phase 2
- July 2016: OCR commenced Phase 2 of the HIPAA audit program
- 167 covered entities received notice of a desk audit from HHS/OCR
- 33 business associates selected for audits in September 2016
- OCR audit protocol tool updated April 2016

Top Six HIPAA To-Do List
1. Conduct a Thorough Risk Assessment
- Required by Security Rule, MU of EHR
- Assess potential threats to confidentiality, integrity, and availability of ePHI
  - Physical, administrative, and technical safeguards
- Represents a snapshot in time
- NIST SP 800-30 is a commonly used methodology for conducting SRAs

Top Six HIPAA To-Do List
2. Action Plan → Address the Top Risks
- Auditors want the SRA, but also risk mitigation
- Create an ongoing action plan to begin fixing/mitigating the biggest risks identified in the SRA
  - Attach name & target date to each risk
  - Keep log of progress: when, what, & by whom
  - Write/update processes, workflows, & policies
  - Update software
  - Implement training and awareness programs

Top Six HIPAA To-Do List
3. Document Policies & Procedures
- Security Rule:
  - Risk analysis/assessment
  - Information security policies
  - Security incident management
  - Business continuity/disaster recovery
  - Data backup/destruction/encryption
  - Internal auditing controls
  - Physical security

Top Six HIPAA To-Do List
3. Document Policies & Procedures
- Privacy Rule:
  - Notice of privacy practices
  - Uses and Disclosures of PHI (TPO)
  - Individual rights: access, amend, accounting
  - Minimum necessary requirement
  - Business associate agreements
  - Complaints/sanctions
- Breach notification processes

Top Six HIPAA To-Do List
4. Review Business Associate Agreements
- Ensure BAA template language is current
  - BA must notify CE upon discovery of Breach
  - BA must comply with Security Rule
- Maintain an up-to-date inventory of BAs
  - Accounts payable may help to identify BAs
  - OCR will use the list to select BAs for audits

Top Six HIPAA To-Do List
5. Train Staff on Policies & Procedures
- Privacy and security training for new hires
  - As necessary and appropriate for job duties
  - Training must be documented
- Annual HIPAA refresher course
- Periodic reminders (newsletter, email)
- Staff should know the names of the privacy & security officers and how to report incidents/breaches

Top Six HIPAA To-Do List
6. Organize Documentation
- Keep policies and other documents for six years
- Should be accessible by staff who need them
- Maintain asset list and network diagram
- Results of recent SRA, with action plan
- Access requests, authorizations, complaints
- Log of Breaches, incident investigations
- Document new hire/annual training

Questions?
For any HIPAA related questions, feel free to contact Carole Boos or Dan Hoblick by calling 605-773-5990
For additional information you may also visit the SD DHS HIPAA page: http://dhs.sd.gov/HIPAA.aspx