Protecting PHI with encryption for HIPAA compliance

A walkthrough of the new HIPAA regulations found in the ARRA bill (HITECH).

Encryption of PHI is a must.

  1. Todd Merrill
     Protecting PHI with encryption for HIPAA compliance
     August 18, 2010
  2. Todd Merrill, CEO GlobalCrypto
     @ToddMerrill
  3. HIPAA, seriously?
     - What does one experience once they’ve grown cold to HIPAA compliance threats? HIPAAthermia
     - What do you call someone who complains incessantly about HIPAA? HIPAAchondriac
  4. The Bailout Bill of 2009 (ARRA)
     - The Financial Stimulus bill of Feb. 2009 (American Recovery and Reinvestment Act)
     - Title XIII, Subtitle D (Privacy and Security)
     - Subtitle A (Promotion of HIT)
  5. The Players
     - Covered Entities
     - Business Associates
     - “The Secretary” (HHS)
  6. Timeline
     - Feb 17, 2009: ARRA passed; new tiered civil penalties, state enforcement
     - April 2009 (+60d): list of encryption technologies published
     - Aug 2009 (+180d): breach notification regs published
     - Dec 31, 2009: HHS must adopt certain technical standards
     - Feb 18, 2010 (+1yr): several studies due
  7. Timeline continued
     - Feb 18, 2010 (+1yr):
       - BA accountability rules effective
       - BA requirements clarified
       - Right to restrict disclosures to health plans
       - Limited set of data is minimum to satisfy standard
       - Right to electronic access/copy
       - Clarification of imposition of criminal penalties on individuals
       - Civil penalty money flows to OCR to fund enforcement
       - Requirement for Secretary to periodically audit CE & BA
  8. Timeline (part 3)
     - Aug 18, 2010 (+18 mo):
       - Prohibition on sale of data
       - Report due on how to give some HIPAA penalty $ to victims
       - Regs on imposition of civil penalties for willful neglect
     - Jan 1, 2011: accounting for new disclosure rules effective
     - Feb 18, 2011 (+2yr):
       - Clarification on ability to pursue civil penalties vs. criminal
       - Requirement for monetary civil penalties for willful neglect
  9. Timeline (part 4)
     - Feb 18, 2012 (+3yr): regulations for giving victims a % of HIPAA penalties
     - 2013: newer systems must comply with disclosure rules
     - 2014: older systems must comply with disclosure rules
     - Feb 2014 (+5yr): GAO study on ARRA impact
     - 2016: extended deadline for older systems to comply with disclosure rules
  10. The Changes
      - Privacy and Security
      - Enforcement
      - Non-HIPAA entity provisions
      - Admin/studies/reports/education
  11. The Information: PHI
      - Permitted Use
      - Incidental Use
      - Public Benefit
      - Research
      - Disclosures
      - Patient may request logs of all disclosures
      - Safeguards
  12. Business Associate Agreements
      - What are they?
      - What is covered?
      - Who is covered?
        - Section 13401 changes things
  13. Breach of Protected Health Information
      - Definition of a Breach: “The unauthorized acquisition, access, use or disclosure of protected health information”
      - Unless the breach occurs within the scope of a professional relationship
      - Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case - MarketWatch (press release) - Tue, 27 Jul 2010 18:11:39 GMT+00:00
  14. Breach Notification
      - Was it a breach?
        1. Meets the definition
        2. Info was not protected by encryption-like technology
      - Without encryption:
        - BAs report breaches to the Covered Entity
        - The Covered Entity reports to the compromised individuals
  15. Notification Requirements
      - Notice must be given within 60 days of discovery
      - Discovery happens when one employee knows
      - All breaches are reported to the HHS Secretary via the CE:
        - In an annual log if fewer than 500 records are breached
  16. - Immediately if 500 records are breached (the media will be alerted & you will be famous)
  19. HIPAA Enforcement changes
      - Direct accountability for BAs (Section 13401/13404)
      - Criminal penalties (Section 13409)
      - HIPAA violation leads to jail time: “The case, involving a former UCLA employee, is the first to result in incarceration for unauthorized access of patient medical records.” By Pamela Lewis Dolan, amednews staff. Posted June 7, 2010.
  20. Civil Penalties
      - Section 13410(a) requires the HHS Secretary to formally investigate any credible complaint of willful neglect and impose civil monetary penalties if guilty.
      - Section 13410(c) gives civil monetary penalties to the HHS to be used for enforcement purposes (vs. the general treasury).
      - GAO must develop a way for victims to receive a portion of penalties collected by Feb 2012.
  21. Penalties
      - Old law:
        - $100 / violation
        - $25,000 annual max
      - Post-ARRA law:
        - $50,000 / violation possible
        - $1.5M annual max
        - Unless violation is corrected within 30 days, or willful neglect (criminal penalties)
  22. Penalties--details
  23. Audits
      - HHS Secretary must now conduct periodic compliance audits.
      - State AGs are empowered to enforce too.
      - Penalty money now flows into an enforcement fund.
      - Remuneration will be given to those who were compromised.
  24. Security Rule—Administrative (164.308(a))
      - Security Management Process
      - Assigned Security Responsibility
      - Workforce Security
      - Information Access Management
      - Security Awareness and Training
      Security Rule—Incident Procedures (164.308)
      - Contingency Plan
      - Evaluation
      - BA Contracts and other Arrangements
  25. Security Rule—Physical (164.310)
      - Facility Access Controls
      - Workstation Use
      - Workstation Security
      - Device and Media Controls
      - “Confidential data of thousands of hospital employees compromised by data breach” (July 27, 2010 12:17 AM): A Boise, Idaho-based hospital announced last week that a computer server backup tape containing the personal information of thousands of its employees has gone missing.
  26. Security Rule—Technical (section 164.312)
      - Access control
      - Audit controls
      - Integrity
      - Person or entity authentication
      - Transmission security
      General Security Safeguards
      - Encrypted archival
      - Disaster recovery
      - SAS-70 II and ISO 17799 (ISO 27000)
      - Emergency access
      - Wi-Fi security
      - AV
      - Firewalls
      - OS full disk encryption
  27. Simple ways PHI gets compromised
      - Loss of equipment: laptops, servers, flash drives, phones
      - Improper disposal of paper records
      - Emailing information between organizations
      - Lack of HTTPS on a web site with forms
      - Emailing web forms back to your office
      - Compromise of web server database
      - Sharing of login credentials / lack of controls
      - Open Wi-Fi (home/office/coffee shops/hotels)
  28. Encryption is a technical Silver Bullet
  29. Encryption at Rest
      - Encrypt information while it’s being stored
      - On a server (web, email, network share)
      - On a local hard drive
      - On local removable media
      - In your email inbox
  30. Encryption in Motion
      - Encrypt information as it moves across the web
      - Point to point (HTTPS, SFTP, web portals)
      - End to end (encrypted email, document encryption)
  31. Ideal technical solution
      - Encrypts at rest
      - Encrypts in motion, end-to-end
      - Provides audit logging, robust audit trail
      - Housed in a secure data center
      - Provides encrypted, automated archival
      - Enforces strong, unique access controls
      - Simple to use
  32. Questions & Follow up
      Todd Merrill
      678-521-5305
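The breach-notification triage from slides 13 through 16 (definition of a breach, the encryption safe harbor, BA-to-CE reporting, the 60-day notice window, discovery at first employee knowledge, and the 500-record HHS threshold) as a worked decision function. This is an added example, not code from the deck or from GlobalCrypto; the `Incident` and `NotificationPlan` field names are assumptions, and it reads the slide's "immediately if 500 records" as 500 or more.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

NOTICE_WINDOW = timedelta(days=60)   # notice to individuals within 60 days of discovery
HHS_IMMEDIATE_THRESHOLD = 500        # at or above this, HHS is told immediately and media alerted

@dataclass
class Incident:
    """One PHI security incident (constructed field names, assumed for this example)."""
    unauthorized_access: bool          # acquisition, access, use or disclosure without authorization
    within_professional_scope: bool    # happened inside the scope of a professional relationship
    phi_encrypted: bool                # data was protected by encryption-like technology
    records_affected: int
    employee_aware_on: List[date]      # dates on which individual employees learned of it
    held_by_business_associate: bool   # incident occurred at a BA rather than at the CE

@dataclass
class NotificationPlan:
    is_breach: bool
    discovery_date: Optional[date] = None
    individuals_notice_due: Optional[date] = None
    hhs_reporting: Optional[str] = None   # "immediate" or "annual log"
    media_alerted: bool = False
    ba_reports_to_ce: bool = False

def is_reportable_breach(inc: Incident) -> bool:
    # Slide 14: it is a breach only if it meets the definition AND was not encrypted.
    meets_definition = inc.unauthorized_access and not inc.within_professional_scope
    return meets_definition and not inc.phi_encrypted

def discovery_date(inc: Incident) -> date:
    # Slide 15: discovery happens when one employee knows, i.e. the earliest awareness date.
    return min(inc.employee_aware_on)

def plan_notifications(inc: Incident) -> NotificationPlan:
    if not is_reportable_breach(inc):
        return NotificationPlan(is_breach=False)   # encrypted or out of scope: nothing to notify
    found = discovery_date(inc)
    large = inc.records_affected >= HHS_IMMEDIATE_THRESHOLD
    return NotificationPlan(
        is_breach=True,
        discovery_date=found,
        individuals_notice_due=found + NOTICE_WINDOW,
        hhs_reporting="immediate" if large else "annual log",
        media_alerted=large,
        ba_reports_to_ce=inc.held_by_business_associate,   # BA tells the CE, CE tells individuals
    )
```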