in partnership with

February 6, 2014

MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
Fundraising and Opt-Out Clause
• NPP must contain an opt-out clause
• If so, Health center may contact individual to rais...

Individual Notification in Event of Improper PHI Disclosure
• NPP must include:
  – Individual's right to receive notificat...

NPP Modification Implementation
• NPP should be available upon request by individual
• NPP should be available at site an...

"Out of Pocket" Restrictions
• Individuals may restrict PHI disclosure for items/services paid 'out-of-pocket'
• NPP must ...

Electronic PHI
• Individuals have the right to electronic copies of their PHI upon request
  – Provide in form/format...
MEANINGFUL USE OVERVIEW

Meaningful Use
• Center for Medicare and Medicaid provides incentives (i.e. $) for the use of Electronic Health Record (E...
IMPEDIMENTS, RECOMMENDATIONS, SUMMARY

Impediments to Compliance
• Awareness
• Technology moving faster than policies/procedures/regulations
• No one taking resp...

Recommendations
• Make Information Security a priority in the organization - Every company needs a CISO
• Understand weake...

Summary
• Assume Audit will happen
• Prepare for Audit
• Take Ownership
• Conduct Risk Assessment
• Update Poli...
Service Offerings
• HIPAA Compliance Program
• HIPAA/HITECH Information Systems Security Risk Assessment
• Administrative ...

Questions
Jay@OSISSecurity.com
513-707-1623 (direct)

in partnership with

Next webinar: Thursday, February 20, 2014, 2pm – 3pm EST
MPCA HIPAA Compliance/Meaningful Use Requirements and Secu...
Slide notes (sources):
  • http://www.healthcareitnews.com/news/ocr-director-talks-hippa-survival?single-page=true
  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
  • http://www.ponemon.org/news-2/23
  • http://www.propertycasulaty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca?t=commercial&page=2
  • http://www.healthcarefinancenews.com/news/cms-pays-providers-123b-ehr-incentives-feb
  • http://ihealthtran.com/wordpress/wp-content/uploads/2013/03/Inforgraphic-traditional-paper-records-vs-Electronic-medical-records-EMR-Infographic-friday1.jpg
  • http://www.symantec.com/about/news/release/article.jsp?prid=20120320_02
Slide transcript

1. in partnership with – February 6, 2014
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
Webinar 1: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)

2. About MPCA
Michigan Primary Care Association (MPCA) has been the voice for Health Centers and other community-based providers in Michigan since 1980. It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care. MPCA's mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services to everyone in Michigan.
www.MPCA.net
517-381-8000

3. About OSIS
Ohio Shared Information Services, Inc. (OSIS) is a 501c(3) non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide IT and security related services to improve the quality of care delivered to the underserved population. Our security division has professionals on staff dedicated to providing information security services to transform healthcare.
www.OSISSecurity.com
513-677-5600 x1223

4. Presented by: Jay Trinckes, Vice President of Information Security, OSIS
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM)
• Author:
• Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA Regional
• Upcoming: PMI National Conference, Chicago, IL – May 2014
• Experience: risk assessments, vuln/pen tests, information security management, former law enforcement officer.

5. Overview of MPCA Webinar Series
Series of 5 Webinars to assist members with HIPAA Compliance and Meaningful Use
• Webinar 1: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)
• Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)
• Webinar 3: Meaningful Use Requirements for FQHCs
• Webinar 4: Preliminary Assessment Tool for FQHCs
• Webinar 5: Review of Preliminary Assessment for FQHCs

6. Webinar 1: Topics
• HIPAA/HITECH Basics 101
• Privacy Rule
• Security Rule
• Enforcement Activities
• New Omnibus Rule Changes
• Questions/Answers
7. HIPAA/HITECH BASICS 101

8. Overview of HIPAA/HITECH
• The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as a response from Congress to:
  – Increase technology in healthcare
  – Protect against potential fraud or compromise of sensitive information
  – Different regulations within states contradicting federal regulations
  – Regional isolation – everyone doing their own thing

9. HHS Responsibilities
• The Department of Health and Human Services (HHS) was assigned responsibility and oversight over:
  – Implementation
  – Enforcement through the Office for Civil Rights (OCR)
• Published/Finalized as a result of the Administrative Simplification provisions:
  – The Privacy Rule
  – The Electronic Transactions and Code Sets Rule
  – The National Identifier Requirements
  – The Security Rules

10. HITECH ACT
• Part of the American Recovery and Reinvestment Act (ARRA) of 2009
• The Health Information Technology for Economic and Clinical Health Act (The HITECH Act):
  – Revised HIPAA and amended enforcement regulations
  – Stiffer Penalties
  – Provided enforcement actions for State Attorneys General
  – Increased Breach Notification Rules

11. Covered Entities
• Health Plan
• Healthcare Clearing House
• Covered Healthcare Provider
  – Healthcare – care, services, or supplies related to the health of an individual
  – Information must be transmitted in an electronic form
  – Covered Transactions

12. Covered Transaction
• Healthcare claims or equivalent encounter information;
• Healthcare payment and remittance advice;
• Coordination of benefits;
• Healthcare claim status;
• Enrollment and dis-enrollment in a health plan;
• Eligibility for a health plan;
• Health plan premium payments;
• Referral certification and authorization;
• First Report of injury;
• Health claims attachments; and
• Other transactions that the Secretary of HHS may prescribe by regulation.

13. Direct Identifiers
Direct Identifiers of the individual or of relatives, employers, or household members of the individual are defined under 45 CFR 164.514(e)(2) and include the following eighteen (18) items:
  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to '000';
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images;
  18. Any other unique identifying number, characteristic, or code.
The Omnibus Rule includes Genetic Information as Protected Health Information.
14. PRIVACY RULE

15. "I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know." – Hippocratic Oath, Dr. Louis Lasagna (Wikipedia 2010)

16. Privacy Basics
• In the most basic terms, a health center (and business associate) may NOT use or disclose protected health information except as permitted or required by the HIPAA Privacy Rule.
• A health center and business associate should apply the least amount of privileges to their individual employees based upon the roles of their employees.
• These restrictions should be applied through policies and procedures to restrict access to protected health information to 'need-to-know' or to what is required to perform their job functions.

17. Minimum Necessary
• A health center and business associate must develop policies and procedures to reasonably limit, to the minimum necessary, its disclosures and requests for protected health information for payment and healthcare operations.
• There are several different examples to demonstrate how the minimum necessary standards can be applied, but there may be an easier example of what not to do.
  – It would be a violation of the minimum necessary standard if a hospital employee is allowed routine, unimpeded access to patients' medical records if that employee does not need this access to do his or her job.
• Minimum necessary requirements do NOT apply to: disclosures to or requests by a healthcare provider for treatment; uses or disclosures made to the individual; uses or disclosures made pursuant to an authorization; disclosures made to the Secretary; uses or disclosures that are required by law; and uses or disclosures that are required for compliance with the Privacy Rule.

18. Administrative Requirements
• Privacy Personnel Designations
• Privacy Training
• Administrative Safeguards
• Complaint Handling
• Workforce Member Sanctions
• Mitigation
• Retaliation
• Waiver of Rights
• Privacy Policies
19. SECURITY RULE

20. Security Rule Basics
• Security is always evolving; on-going
• Two primary purposes for the Security Rule:
  – Intended to protect certain electronic healthcare information
  – While allowing the proper access and use of the information
• Goal: To promote the expanded use of electronic health information in the healthcare industry

21. Important Requirements
• Administration
  – Security Management Process
    • Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review
  – Security Awareness Training
  – Security Incident Procedures
  – Contingency Planning
• Physical
  – Workstation, Device, Remote Access
• Technical
  – Access Control, Integrity, Transmission

22. Administrative Safeguards
• Over ½ of the HIPAA Security requirements are covered under the Administrative Safeguards
• Administrative Safeguards are:
  – Administrative actions
  – Policies/Procedures
• To manage security, must measure the:
  – Selection of mitigating controls
  – Development of controls accordingly
  – Implementation of controls
  – Maintenance of controls
Will discuss more in webinar 2

23. Security Management
• Must "implement policies and procedures to prevent, detect, contain, and correct security violations."
  – Conduct a Risk Assessment
• Risk Analysis – "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center."
• Risk Management – "implement security measures [that are] sufficient to reduce risks [to] vulnerabilities to a reasonable and appropriate level."

24. Evaluation
• One of the most important requirements of the HIPAA Security Rule is reflected in 45 CFR 164.308(a)(8), which states a health center is required to:
  – "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule [the HIPAA Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements [of the HIPAA Security Rule]."
• Also one of the 'meaningful use' core objectives
Will discuss more in webinar 3

25. Physical Safeguards – First Layer of Defense
• Physical Layer
  – Controls over physical access
  – Procedures and maintenance of documents/hardware
• Two Areas:
  – Facility Access Control
  – Device/Media Controls
• Physical security requires a total commitment to a CULTURE of security and an adherence to the principles of physical security.
  – Proper Identification
  – Proper Authorization
  – Need to Know; Minimum Use
"60% of all theft is committed by internal staff"
Will discuss more in webinar 2

26. Technical Safeguards
• The objective of these safeguards is to mitigate the risk of electronic protected health information being used or disclosed in an unauthorized manner.
• CIA Triad
  – Confidentiality
  – Integrity
  – Availability
Will discuss more in webinar 2

27. Required vs. Addressable
• Addressable is NOT the same as optional!
• Addressable means the entity must:
  – Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity's environment
  – Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one
  – Document the assessments and all decisions

28. Privacy Rule vs. Security Rule
Security Rule:
• Intended to protect certain Electronic Protected Health Information (EPHI)
• Secure the confidentiality, integrity, availability while allowing authorized use and disclosure
  – Administrative
  – Physical
  – Technical
• More Detailed and Comprehensive
Privacy Rule:
• Implement appropriate and reasonable safeguards to secure Protected Health Information (PHI):
  – Administrative
  – Physical
  – Technical
29. OMNIBUS RULE

30. Omnibus Rule
• Effective: March 26, 2013 – 180 days to comply – deadline September 23, 2013
  – Modifies Privacy, Security, Enforcement Rule, and Breach Notification Rules
• Business Associates (and subcontractors of a BA) are now directly liable for compliance – minimum necessary applies
  – Limit use/disclosure for marketing/fundraising; prohibit sale of PHI
  – Individuals have right to electronic copies of health information
  – Right to restrict disclosure for 'out-of-pocket' payments
  – Modify authorization for proof of immunization to schools
  – Enable access to decedent information (after 50 years)

31. Business Associates
• Omnibus Rule:
  – Directly liable
  – Implement administrative, physical, and technical safeguards to protect CIA of EPHI
  – BA is any organization that creates, receives, maintains, or transmits PHI on health center's behalf
• Any agent or subcontractor of a BA is also considered a BA
  – Agent must enter into a BAA with subcontractor to comply with HIPAA Security Rules and applicable Privacy Rules
Will discuss more in webinar 2

32. Examples of Business Associates
• Companies that provide certain types of functions, activities, and services to covered entities:
  – Claims Processing;
  – Data Analysis;
  – Utilization review;
  – Billing;
  – Legal Services;
  – Accounting/financial services;
  – Consulting;
  – Administrative;
  – Accreditation; or
  – Other related services
• Omnibus Rule added:
  – Patient Safety Organizations
  – Health Information Organizations, E-Prescribing Gateways, other data transmission services that require routine access
  – Persons that offer personal health records to one or more individuals on behalf of health center
Will discuss more in webinar 2

33. Omnibus Rule (cont.)
• Enforcement Rule
  – Increased tiers for Civil Monetary Penalties (CMP); 'willful neglect'
• Breach Notification
  – Removes 'harm' threshold; every security incident is presumed a breach, unless risk analysis demonstrates low probability of compromise
• Privacy Rules – includes protection of genetic information
• De-Identification – guidance
34. ENFORCEMENT ACTIVITIES

35. Enforcement
• HITECH penalty tiers, Section 1176(a)(1):

  Violation Category                       | Each Violation     | All Such Violations of an Identical Provision in a Calendar Year
  (A) Did Not Know                         | $100 - $50,000     | $1,500,000
  (B) Reasonable Cause                     | $1,000 - $50,000   | $1,500,000
  (C)(i) Willful Neglect – Corrected       | $10,000 - $50,000  | $1,500,000
  (C)(ii) Willful Neglect – Not Corrected  | $50,000            | $1,500,000

• [Note: State Attorneys General can also bring enforcement actions.]
• OCR has collected over $50 million from enforcement
• It is more cost effective to become HIPAA compliant than to risk enforcement

36. Civil Monetary Penalties (CMP)
• Civil Monetary Penalties (CMP):
  – Cignet Health of Prince George's County, MD – $4.3 million (denied patients' rights to medical records); refused to cooperate with OCR
  – BlueCross and BlueShield of Tennessee – $1.5 million (first HITECH breach notification; spent nearly $17 million for efforts related to loss of 57 hard drives with 1 million customer records; inadequate admin safeguards and facility access controls)
  – Massachusetts General Physicians Organization, Inc. settled for $1 million (loss of 192 patient records – some having HIV/AIDS)
  – Health Net settled for $250,000 with state AG for losing unencrypted hard drive of 1.5 million participants
  – Accretive Health, Inc. being sued by Minnesota AG for losing unencrypted laptop of 23,500 individuals
  – TRICARE – class action lawsuit of $4.9 Billion ($1,000/record) for losing 4.9 million records of military personnel on unencrypted tape drive being handled by third party SAIC
  – Medical records firm Impairment Resources, LLC filed for bankruptcy after a burglary involving the loss of 14,000 (worked for over 600 clients/insurers on reviewing medical records for workers comp/auto)

37. Enforcement (cont.)
US Code Title 42 Chapter 7 – 1320d-6
• Wrongful disclosure of individually identifiable health information
• Offense: A person who knowingly and in violation of this part:
  – Uses or causes to be used a unique health identifier;
  – Obtains individually identifiable health information relating to an individual; or
  – Discloses individually identifiable health information to another person
• A person described ... shall:
  (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
  (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

38. OCR Audit
• Transition from relaxed pilot to full-on enforcement
• Organizations will need to be prepared for a 169-item performance audit, concentrating on:
  – HIPAA Privacy Rule
  – HIPAA Security Rule
  – Breach Notification Rule
• Business associates will also be subject to these audits
• Providers are advised to have an annual third-party independent report conducted on them for HIPAA compliance.

39. Potential Violations
Some examples of potential violations are, but not limited to, the following:
• Inappropriate use or disclosure of protected health information;
• Any fraudulent activity involving protected health information;
• Unauthorized access of protected health information; or
• Improper handling of protected health information.
    40. 40. SECURITY INCIDENT/BREACH NOTIFICATION
    41. 41. Security Incident • Security incidents are those situations where it is believed that protected health information has been used or disclosed in an unauthorized fashion. – Actual unauthorized access, use, or disclosure – Interference with system operations (Denial of Service) • According to a report by Solutionary, security service provider, companies pay $6,500 an hour from a DDoS attack and up to $3,000 a day to mitigate/recover from malware infections.
    42. 42. Breach Notification Rule • Breach is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [45 CFR Subpart E – Privacy of Individually Identifiable Health Information] of this part which compromises the security or privacy of the protected health information [or poses a significant risk of financial, reputational, or other harm to the individual].” • Ponemon Survey: – Overall Cost $188 per record (2012) • Healthcare $233 per record (2012) • Pharmaceutical $207 per record (2012) – Full cost of a data breach averages $5.4 million (includes account detection, notification, postresponse and loss of business)
    43. 43. Breach Risk Assessment – LoProCo • ―Breach‖ definition modified by Omnibus Rule: – Eliminated ‗harm‘ threshold – Adopted 4 factor test • Nature and extent of information involved • Unauthorized person who used the information or whom the disclosure was made • Whether the information was actually acquired or viewed; and • Extent to which the risk to the information has been mitigated • Presumption of Breach unless demonstrate a low probability of a compromise (LoProCo)
    44. 44. Factor 1 – Nature/Extent • Nature and extent of PHI involved including the type of identifiers and the likelihood of re-identification • Information sensitivity? – Financial: social security numbers; credit cards (fraud potential?) – Clinical: chart notes, diagnosis/treatment details – Direct Identifiers • Consider Context • Open Source Intelligence (OSINT)
    45. 45. Direct Identifiers Direct Identifiers of the individual or of relatives, employers, or household members of the individual are defined under 45 CFR 164.514(e)(2) and include the following eighteen (18) items: 1. 2. Names; All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census: The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and The initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to ‗000‘. 3. 4. 5. 6. 7. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older; Telephone numbers; Fax numbers; Electronic mail addresses; Social security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web Universal Resource Locators (URLs); 15. Internet Protocol (IP) address numbers; 16. Biometric identifiers, including finger and voice prints; 17. Full face photographic images and any comparable images; 18. Any other unique identifying number, characteristic, or code. Omnibus Rule includes Genetic Information as Protected Health Information
Factor 2 – Unauthorized Person
• The unauthorized person who used the PHI or to whom the disclosure was made
  – Was the person obligated to adhere to HIPAA Regulations?
  – Can the information be linked to other information to likely make a re-identification?

Factor 3 – Acquired/Viewed
• Was the PHI actually acquired or viewed?
• HHS provided two examples:
  – Low probability of compromise – stolen laptop recovered; forensic analysis determined no one accessed the hard drive; indicated no breach
  – High probability of compromise – unauthorized recipient received PHI in error; viewed the PHI; reported it to the center

Factor 4 – Mitigate Risk
• The extent to which the risk to the PHI has been mitigated.
• Make efforts to mitigate risks
  – Confidentiality agreements
  – Assurances for destruction of PHI
• Reliability of mitigation agreement: consider whether the recipient is in the health network or outside of the network

Breach Notification
• Notify relevant parties involved 'without unreasonable delay' or
• Within 60 days from "date of discovery"
• Describe in "plain language"
• May delegate to business associate, but consider who is best situated to contact individuals

Individual Notification
• Brief description, including date of breach
• Types of information
• Steps to take to protect against potential harm
• Mitigating steps taken by entity
• Contact information for individuals to learn more

Media/HHS Notification
• Fewer than 500 individuals – make a log and report within 60 days after the calendar year on the HHS website
• Over 500 individuals – immediately report breach to HHS Secretary
• Over 500 residents – notify a prominent media outlet serving the State or jurisdiction
Notification Exceptions
• Unintentional access by workforce member; good faith and within scope of employment
• Inadvertent disclosure between two of the health center's workforce
• Disclosure to unauthorized person deemed unable to have retained the information
• Remember:
  – Impermissible use or disclosure of unsecured PHI is presumed a breach
  – Presumption may be overcome by the 4-factor test showing a low probability of compromise ("LoProCo")
  – Health center could always opt to report in the absence of a formal breach risk assessment
Safe Harbor
• If data is properly encrypted, it is considered secure and falls under 'safe harbor'
• Must follow HHS's specification on encryption standards
  – Not all encryption is the same.

PRIVACY CHANGES

Notice of Privacy Practices
• NPP should contain:
  – Uses/Disclosures of PHI
  – PHI-related legal duties
  – Individual Rights
• Change:
  – Include required authorization for the following PHI uses:
    • Uses/disclosures of psychotherapy notes
    • Uses/disclosures of PHI for marketing purposes
    • Disclosures that constitute sale of PHI
  – Individual's authorization is required for any use/disclosure not discussed in the NPP

Fundraising and Opt-Out Clause
• NPP must contain an opt-out clause
• If so, the health center may contact the individual to raise funds and disclose:
  – Demographic information
  – Dates of health care
  – Department of service information
  – Treating physician
  – Outcome information
  – Health insurance status

Individual Notification in Event of Improper PHI Disclosure
• NPP must include:
  – Individual's right to receive notification in the event of a privacy breach
  – Health center's requirement to communicate breach news to the individual

NPP Modification Implementation
• NPP should be available upon request by the individual
• NPP should be available at the site and posted in a clear/prominent location
• Provide revised NPP to new patients; make copies for individuals upon request
• Post on website (45 CFR 164.520(c)(3)(i))

"Out of Pocket" Restrictions
• Individuals may restrict PHI disclosure for items/services paid 'out-of-pocket'
• NPP must contain this new right
• New record keeping system not required
  – Must develop a method to 'red flag' or 'make a notation in the record' to prevent disclosure
• If law requires disclosure – must disclose
• Medicare/Medicaid:
  – If required by law without exception, submit claim
  – If Medicare beneficiary pays 'out of pocket', must restrict
• Other considerations

Electronic PHI
• Individuals have the right to electronic copies of their PHI upon request
  – Provide in form/format requested if possible
  – Or, provide in an agreeable form
  – Machine-readable copies when possible
  – Requests for PHI to a 3rd party must be:
    • Written
    • Signed
    • Clearly designate the recipient
    • Include the destination location
• Provide access within 30 days (can be granted another 30-day extension)

MEANINGFUL USE OVERVIEW

Meaningful Use
• Center for Medicare and Medicaid provides incentives (i.e. $) for the use of Electronic Health Record (EHR) Technologies
• As of July 2013, an estimated $9.5 billion has been paid out to over 250,000 physicians and hospitals.
• Stage 1: 15 core objectives to meet
  – Core 15 – determines if a security risk analysis was conducted or reviewed as required under 45 CFR 164.308(a)(1)
  – In addition, security updates must be implemented
• Stage 2
  – Ensure adequate privacy and security protection for personal health information (same as Core 15 above); ALSO addresses the encryption/security of data stored within the EHR software
  – Use secure electronic messaging to communicate with patients on relevant health information

IMPEDIMENTS, RECOMMENDATIONS, SUMMARY

Impediments to Compliance
• Awareness
• Technology moving faster than policies/procedures/regulations
• No one taking responsibility for compliance
• Systemic issues – management doesn't believe it is important
• Lack of resources

Recommendations
• Make Information Security a priority in the organization – every company needs a CISO
• Understand the weakest link – PEOPLE
• Security is an ongoing process
• Resources

Summary
• Assume Audit will happen
• Prepare for Audit
• Take Ownership
• Conduct Risk Assessment
• Update Policies/Procedures
• Revise BAAs
• Modify Notice of Privacy Practices
• Train and Educate
• Evaluate
• Document, Document, Document

Service Offerings
• HIPAA Compliance Program
• HIPAA/HITECH Information Systems Security Risk Assessment
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Internal/External Vulnerability/Penetration Test
  • Organizational Requirements
  • Policies, Procedures, & Documentation Requirements
• Policies/Procedures
• Security Awareness Training
• Mitigation Management
• Vendor Due Diligence
• Security Incident Response Handling
• Business Continuity/Disaster Recovery Planning
• Subject Matter Expertise

Questions
Jay@OSISSecurity.com
513-707-1623 (direct)

in partnership with
Thursday, February 20, 2014, 2pm – 3pm EST
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)