Rightscale webinar-hipaa-public-cloud

Speaker notes
  • Telcos built point-to-point networks for their customers.
  • On January 25, 2013, the US Department of Health and Human Services (HHS) released the final implementing regulations for many provisions of the HITECH Act (Health Information Technology for Economic and Clinical Health Act), often referred to as the Omnibus Rule. This talk will discuss the parts of the Omnibus Rule that affect the cloud landscape, and how you can successfully deploy a HIPAA-compliant application in the public cloud.
    MAIN MESSAGE: Know how the Omnibus Rule affects you!
  • Today we will discuss three issues …
  • Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA includes regulations for the use and disclosure of Protected Health Information (PHI), such as medical records and payment history. This is the portion that requires companies to make sure that medical information isn't improperly shared or disclosed, which impacts companies that have PHI in the cloud.
  • The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information. HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI. The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.
    De-Identified Health Information: There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
    Security Rule:
    • Defines “who” is covered by the Security Rule. HITECH expanded the responsibilities of business associates.
    • Defines “what” information is protected: all PHI a covered entity creates, receives, maintains or transmits in electronic form (a.k.a. electronic protected health information, e-PHI). This is a subset of the information covered by the Privacy Rule.
    • The Security Rule does not apply to PHI transmitted orally or in writing.
  • The Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
    Part 160 - GENERAL ADMINISTRATIVE REQUIREMENTS
    Subpart A - General Provisions
    Subpart B - Preemption of State Law
    Subpart C - Compliance and Investigations
    Subpart D - Imposition of Civil Money Penalties
    Subpart E - Procedures for Hearings
    Part 164 - SECURITY AND PRIVACY
    Subpart A - General Provisions
    Section 164.102 - Statutory basis.
    Section 164.103 - Definitions.
    Section 164.104 - Applicability.
    Section 164.105 - Organizational requirements.
    Section 164.106 - Relationship to other parts.
    Subpart E - Privacy of Individually Identifiable Health Information
    Section 164.500 - Applicability.
    Section 164.501 - Definitions.
    Section 164.502 - Uses and disclosures of protected health information: general rules.
    Section 164.504 - Uses and disclosures: Organizational requirements.
    Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations.
    Section 164.508 - Uses and disclosures for which an authorization is required.
    Section 164.510 - Uses and disclosures requiring an opportunity for the individual to agree or to object.
    Section 164.512 - Uses and disclosures for which an authorization or opportunity to agree or object is not required.
    Section 164.514 - Other requirements relating to uses and disclosures of protected health information.
    Section 164.520 - Notice of privacy practices for protected health information.
    Section 164.522 - Rights to request privacy protection for protected health information.
    Section 164.524 - Access of individuals to protected health information.
    Section 164.526 - Amendment of protected health information.
    Section 164.528 - Accounting of disclosures of protected health information.
    Section 164.530 - Administrative requirements.
    Section 164.532 - Transition provisions.
    Section 164.534 - Compliance dates for initial implementation of the privacy standards.
  • The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person. (Give an example of each.)
    The Security Rule: The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr160_07.html
    Part 160 and Subpart A of Part 164 are as listed above under the Privacy Rule.
    Subpart C - Security Standards for the Protection of Electronic Protected Health Information
    Section 164.302 - Applicability.
    Section 164.304 - Definitions.
    Section 164.306 - Security standards: General rules.
    Section 164.308 - Administrative safeguards.
    Section 164.310 - Physical safeguards.
    Section 164.312 - Technical safeguards.
    Section 164.314 - Organizational requirements.
    Section 164.316 - Policies and procedures and documentation requirements.
    Section 164.318 - Compliance dates for the initial implementation of the security standards.
    Appendix A to Subpart C of Part 164 - Security Standards: Matrix
    Down and dirty on the Security Rule:
    • Risk analysis as part of the security management process
    • Administrative Safeguards: governance, defined staff roles, access management, training and awareness, program reviews
    • Physical Safeguards: facility access and control, workstation and device security
    • Technical Safeguards: access control, monitoring of access, integrity controls, transmission security
    • Organizational Requirements: covered entities must manage business associates
    • Policies and Procedures and Documentation Requirements: must have them, keep them for 6 years, and review them periodically
  • Definition of Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. (This is the 2009 interim rule's “significant risk of harm” standard; the Omnibus Rule replaced it with a presumption of breach unless a risk assessment shows a low probability that the PHI was compromised, as discussed further down in these notes.) There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
    Unsecured Protected Health Information and Guidance: Covered entities and business associates must only provide the required notification if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. In practice that guidance names two such methods, encryption consistent with the NIST publications it cites and destruction, so properly encrypted PHI gives a breach-notification safe harbor; note, though, that encrypting the data does not by itself take a vendor out of the business associate definition (see the BA slides).
    Breach Notification Requirements: Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.
    Individual Notice: Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means. These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
    Media Notice: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
    Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the discovery of the breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
    Notification by a Business Associate: If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.
    Burden of Proof: Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
    Breaches Affecting 500 or More Individuals: If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically by completing all information required on the HHS breach notification form. If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission. If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, provide an estimate of the number of individuals affected; as this information becomes available, an additional breach report may be submitted as an addendum to the initial report. For questions regarding the completion and submission of this form, e-mail OCRBreach@hhs.gov.
    Breaches Affecting Fewer than 500 Individuals: For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. Notifications of all breaches occurring after the effective date in 2009 had to be submitted by March 1, 2010. This notice is submitted electronically on the same breach notification form, and a separate form must be completed for every breach that has occurred during the calendar year. The same provisions for updated submissions, estimates, addenda, and questions (OCRBreach@hhs.gov) apply as for breaches affecting 500 or more individuals.
  • Today we will discuss three issues …
  • Final regulations have now been released for the HITECH Act that have relevance to HIPAA data in the cloud.
  • Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's independent use or purposes, except as needed for the proper management and administration of the business associate.
    General Provision: The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
    Business Associate Contracts: A covered entity's contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
  • Incidental: janitors. Conduit: ISP.
  • The Omnibus Rule clarifies that a business associate includes an entity that “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity. Page 8: “The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, applies only to protected health information in electronic form and requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information. Like the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities.” (emphasis added) The Omnibus Rule can be found at https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf
  • From the Omnibus Rule: “We adopt the modifications to the Security Rule as proposed to implement the HITECH Act's provisions extending direct liability for compliance with the Security Rule to business associates. In response to the concerns raised regarding the costs of compliance, we note that the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including a subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it. See § 164.314(a).”
    BA limits: “The final rule adopts the proposed modifications to §§ 164.502(e) and 164.504(e). As we discussed above, while section 13404 of the HITECH Act provides that business associates are now directly liable for civil money penalties under the HIPAA Privacy Rule for impermissible uses and disclosures and for the additional HITECH requirements in Subtitle D that are made applicable to covered entities, it does not apply all of the requirements of the Privacy Rule to business associates and thus, the final rule does not. Therefore, business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the covered entity has chosen to delegate such a responsibility to the business associate, which would then make it a contractual requirement for which contractual liability would attach.”
  • From the Omnibus Rule on breach: “First, we have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” HHS also clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies). Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual as was provided under
  • We proposed to modify this section to re-designate § 164.105(a)(2)(iii)(C) as (D), and to include a new paragraph (C), which makes clear that, with respect to a hybrid entity, the covered entity itself, and not merely the health care component, remains responsible for complying with §§ 164.314 and 164.504 regarding business associate arrangements and other organizational requirements. Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component. The final rule adopts this change.
  • Penalty tier 4 (the highest): for a violation in which it is established that the violation was due to willful neglect and was not timely corrected. Reasonable cause is currently defined at § 160.401 to mean: “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.” Talk about “identical violations”.
  • http://www.sans.org/security-trends/2013/05/30/analyzing-the-cost-of-a-hipaa-related-breach-through-the-lens-of-the-critical-security-controls
  • SoftLayer may change with IBM. Make sure to reiterate that business associate management is probably the most problematic part of HIPAA in public cloud.

Slides
    1. 1. #rightscaleHIPAA in Public CloudThe Rules Have Been SetWatch the video of this presentation
    2. 2. #rightscale#2Your Panel TodayPresenting• Phil Cox, Director of Security and Compliance, RightScaleQ&A• Ryan Geyer, Cloud Solutions Engineer, RightScale• Michael Curry, Account Manager, RightScalePlease use the “Questions” windowto ask questions any time!
    3. 3. #rightscale#3Introduction• On January 25, 2013, HHS released the Omnibus Rule whichfinalized all the former HIPAA/HITECH interim rules• Most of this session will be about HIPAA/HITECH and notnecessarily cloud (if you don‟t understand the former, you‟ll haveno clue how to applies it to the latter)
    4. 4. #rightscale#4#rightscalecomputeMy Core Message for Today:HIPAA compliance inpublic cloud is aboutgovernance
    5. 5. #rightscale#5Can Using RightScale Help?• RightScale‟s management features can be helpful as companieswork to comply with HIPAA:• Monitoring• Access control• Audit trails• ServerTemplate• Advanced monitoring and auditing capabilities are best practicesthat will help you comply with HIPAA regulations• Gives visibility into system access and configurations whenperforming a risk assessment after an allegation of a breach
    6. 6. #rightscale#6Healthcare in the Cloud with RightScale• Developed self-service labenvironments• Reduced provisioning time from25 days to 30 minutes• Measures costs in cents per hourfor compute and storage• Integrated public and privateclouds• Satisfied regulatory and auditrequirements• Automated provisioning forWindows environments
    7. 7. #rightscale#7Agenda• Quick HIPAA level set• Key Rules• Wrap-up
    8. 8. #rightscale#8Important Terms• Covered Entity:• A health plan, A health care clearinghouse, A health care provider whotransmits any health information in electronic form in connection with atransaction• Business Associate: Operates on behalf of a CE• Think: function or activity involving the use or disclosure of individuallyidentifiable health information: claims processing or administration, dataanalysis, processing or administration, utilization review, qualityassurance, billing, benefit management, etc.• Protected Healthcare Information• Think Individually identifiable health information:• Any demographic information related to the condition, provision orpayment of health care to an individual• Identifies the individual
    9. 9. #rightscale#9More Term Definition• HHS – US Department of Health and Human Services. Basicallythe ones that make the rules • Secretary – Runs HHS• NIST – National Institute of Standards and Technology (US). TheUS federal technology agency that, for our purposes, works withindustry to develop technology standards and guidance.• US Federal government defers to NIST tech publications and standardsfor just about everything.
    10. 10. #rightscale#10About HIPAA• HIPAA is the Health Insurance Portability and Accountability Actof 1996• Title II: Preventing Health Care Fraud and Abuse; AdministrativeSimplification; Medical Liability Reform• Defines policies, procedures and guidelines for maintaining the privacyand security of individually identifiable health• 3 Main “Rules” from the Administrative Simplification Rules• Privacy Rule• Security Rule• Breach Notification Rule• More about these later …
    11. 11. #rightscale#11About HITECH• HITECH Act, part of the American Recovery and ReinvestmentAct of 2009• Made law February 17, 2009 (13 years after HIPAA)• Is the “enforcement” rule that gave HIPAA teeth
    12. 12. #rightscale#12Back to HIPAA: The “3 Main Rules”• They apply to covered entities and business associates• Privacy: Impose controls around preventing unauthorizeddisclosure of protected healthcare information in any form• Security: Purpose is to prevent unauthorized electronic accessto protected healthcare information• Breach Notification: Purpose is to ensure timely notification ofaffected parties in event of a failure in the above 2 controls
    13. 13. #rightscale#13Privacy Rule Primer• Requires appropriate safeguards to protect the privacy ofpersonal health information• Sets limits and conditions on the uses and disclosures thatmay be made of such information without patient authorization• All about authorized disclosure
    14. 14. #rightscale#14Security Rule Primer• Maintain reasonable and appropriate administrative, technical,and physical safeguards for protecting e-PHI• Specifically:• Ensure the confidentiality, integrity, and availability of all e-PHI theycreate, receive, maintain or transmit;• Identify and protect against reasonably anticipated threats to the securityor integrity of the information;• Protect against reasonably anticipated, impermissible uses or disclosures;and• Ensure compliance by their workforce• Required and Addressable Implementation Specifications• “Required" implementation specifications must be implemented• “Addressable" permits entities to adopt an alternative measure thatachieves the purpose of the standard
    15. 15. #rightscale#15Breach Notification Primer• Notification required if breach involved unsecured protectedhealth information• Unsecured is PHI that has not been rendered unusable, unreadable, orindecipherable to unauthorized individuals• Covered entities must notify• Affected individuals• Prominent media outlets serving the State or jurisdiction if >500 residents• Notify HHS within 60 days (if <500 can do annually)• Business Associate must notify the covered entity (w/in 60 days)• Burden of proof• All required notifications have been provided –OR–• Disclosure did not constitute a breach
    16. 16. #rightscale#16Key Issues When Dealing with “Cloud”• Per the recent NIST conference:• Location• Where is PHI? – geo location• Providers need to give assurance and warrants• Breach• What does the provider do to prevent breaches of PHI?• If there is a breach, what is the response capability?• Access• Proper controls to limit access• Monitoring – Can provider give the following• Not only modifications, but read/print too?• Any access?
    17. 17. #rightscale#17Agenda• Quick HIPAA level set• Key Rules• Wrap-up
    18. 18. #rightscale#18Changes Affecting HIPAA & Public Cloud• Business Associates• Breach notification• State law preemption• Use of PHI in Marketing• Application of HIPAA to hybrid entities
    19. 19. #rightscale#19Business Associate• By law, the HIPAA Privacy Rule applied only to covered entities• The Privacy Rule allows covered providers and health plans todisclose protected health information to these “businessassociates” if the providers or plans obtain satisfactoryassurances that the business associate will use the informationonly for the purposes for which it was engaged by the coveredentity, will safeguard the information from misuse, and will helpthe covered entity comply with some of the covered entity‟sduties under the Privacy Rule.
    20. 20. #rightscale#20Who Is a Business Associate?• Those who will create, receive, maintain, or transmit protectedhealth information for a covered entity• Generally a person who performs functions or activities on behalf of, orcertain services for, a covered entity that involve the use or disclosure ofprotected health information.• New: Specific call out for• Patient Safety Organizations• Health Information Organizations (HIO), E-Prescribing Gateways, andOther Persons That Facilitate Data Transmission; as Well as Vendors ofPersonal Health Records• Subcontractors {recursive}
21. There Are Exceptions
• Incidental Access: With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
• Conduit: With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents…
22. Conduit Exception Clarification
• "... We note that the conduit exception is limited to transmission services (whether digital or hard copy)… In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information… the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis." (emphasis added)
23. Why BA Focus?
• 1/3 of all breaches related to 3rd parties
• 55% of people affected related to 3rd parties
• So a 3rd-party disclosure has a larger impact (more people affected per breach) than a non-3rd-party one
24. HHS Theme with BA
• Persistence of data, not degree of access, is the key driver
• Focus on:
  • Security Rule: technical, administrative, physical
  • Privacy Rule: use and disclosure
• Direct liability
  • Criminal & civil
  • Flows to subcontractors
• Does encryption remove you from being a BA?
  • At this time, as I understand it, NO.
  • More on this in a bit …
25. What HHS Is Pushing
• Trend is more towards a risk-based approach
• Beef up contracts with respect to security
  • Represent and warrant that they meet the controls that are specified in the appendix of the contract/agreement
  • Pre-contract assessment (quick hit)
  • Post-contract audit
• Risk assessment
  • Short form
    • What PHI
    • Where is it
  • Use that to assess risk and identify specific controls for a given BA
26. Direct Liability & Sub-Contractors
• Modified to implement the HITECH Act's provisions extending direct liability for compliance to business associates
  • Now directly liable for civil money penalties
• A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate
  • BA must have a BAA with subcontractors (just another BA). This is recursive.
27. BAA: Is It Optional?
• Per Page 5591
  • Comment: One commenter suggested that business associate agreements should be an "addressable" requirement under the Security Rule.
  • Response: The HITECH Act does not remove the requirements for business associate agreements under the HIPAA Rules. Therefore, we decline to make the execution of business associate agreements an "addressable" requirement under the Security Rule.
• If you decide to forgo the BAA, make an informed decision …
28. Changes to Breach Notification Rule
• Clarified the term "Breach"
  • Basically guilty until proven innocent
  • Changed "risk of harm" to "low probability PHI compromised"
    • Means you have to do a risk assessment. Can you? (next slide)
  • Changed "unauthorized individuals" to "unauthorized persons"
• How does the BNR affect you?
  • You need to be watching (if not, maybe "willful neglect"?)
  • Review is important
  • Need to have a mechanism for notification
  • Business Associates need to notify Covered Entities
29. Risk Assessment Considerations
1. Nature and extent of PHI involved
   • Types of identifiers and likelihood of re-identification
2. Who accessed/used the information
3. If the PHI was actually acquired/viewed
4. Extent to which the risk to PHI has been mitigated
-OR- Notify!
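The notification logic from the breach notification slides (15, 28 and 29), written up as an added Go example; this is not code from the webinar or from RightScale. The struct and field names are this example's own, the "every factor must favour you" policy for concluding low probability of compromise is a deliberately conservative assumption (a real assessment is a documented judgment call), and the 60-day outer limit for notifying individuals is the Breach Notification Rule's general deadline rather than a figure on the slide.

```go
package main

import (
	"fmt"
	"time"
)

// Role of the organisation that discovered the incident.
type Role int

const (
	CoveredEntity Role = iota
	BusinessAssociate
)

// Incident holds the facts the four-factor risk assessment asks about.
// Field names are this example's own; they are not terms from the rule text.
type Incident struct {
	Discovered      time.Time
	Role            Role
	SecuredPerNIST  bool // PHI was encrypted or destroyed consistent with HHS/NIST guidance
	AffectedTotal   int  // individuals whose PHI was involved
	AffectedInState int  // residents of the most affected state or jurisdiction

	// The four factors, phrased so that true points toward LOW probability of compromise.
	LimitedIdentifiers bool // 1: no direct identifiers, re-identification unlikely
	RecipientObligated bool // 2: recipient is itself bound by HIPAA (assumption: treat as low risk)
	NotActuallyViewed  bool // 3: forensic evidence the PHI was not opened or acquired
	Mitigated          bool // 4: e.g. written attestation the data was destroyed unread
}

// Notification is one obligation the incident triggers. A zero Deadline means
// the slide gives no fixed calendar date (annual HHS log).
type Notification struct {
	Recipient string
	Deadline  time.Time
}

const sixtyDays = 60 * 24 * time.Hour

// LowProbabilityOfCompromise encodes the burden of proof: the Omnibus Rule
// presumes a breach, so this example only concludes "low probability" when
// every factor favours the organisation. This is the example's policy, not the law.
func LowProbabilityOfCompromise(inc Incident) bool {
	return inc.LimitedIdentifiers && inc.RecipientObligated &&
		inc.NotActuallyViewed && inc.Mitigated
}

// RequiredNotifications returns who must be told and by when. An empty result
// means no breach notification is required; the written assessment is still kept.
func RequiredNotifications(inc Incident) []Notification {
	// Secured PHI (unusable, unreadable or indecipherable) is outside the rule.
	if inc.SecuredPerNIST || LowProbabilityOfCompromise(inc) {
		return nil
	}
	byDay60 := inc.Discovered.Add(sixtyDays)

	// A business associate notifies the covered entity within 60 days; the
	// covered entity then owns the downstream notifications.
	if inc.Role == BusinessAssociate {
		return []Notification{{"covered entity", byDay60}}
	}

	ns := []Notification{{"affected individuals", byDay60}}
	if inc.AffectedInState > 500 {
		ns = append(ns, Notification{"prominent media outlets serving the state or jurisdiction", byDay60})
	}
	if inc.AffectedTotal >= 500 {
		ns = append(ns, Notification{"HHS", byDay60})
	} else {
		ns = append(ns, Notification{"HHS (annual log)", time.Time{}})
	}
	return ns
}

func main() {
	// Constructed incident, sized like the ISU example later in the deck.
	inc := Incident{
		Discovered:      time.Date(2013, 5, 1, 0, 0, 0, 0, time.UTC),
		Role:            CoveredEntity,
		AffectedTotal:   17500,
		AffectedInState: 17500,
	}
	for _, n := range RequiredNotifications(inc) {
		when := "annual"
		if !n.Deadline.IsZero() {
			when = n.Deadline.Format("2006-01-02")
		}
		fmt.Printf("notify %-60s by %s\n", n.Recipient, when)
	}
}
```

The useful property for an incident responder is that the function has to be given the four factors explicitly: if you cannot fill them in from evidence, the presumption of breach stands and the notifications are due.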
30. What about Encryption?
• If protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals, then no breach notification
• Encryption must be consistent with NIST guidelines:
  • NIST Special Publication 800-111 (storage)
  • NIST Special Publications 800-52, 800-77 (transit)
  • NIST Special Publication 800-88 (destruction)
  • Federal Information Processing Standards (FIPS) 140-2 (validated crypto)
• It does not remove you from being a BA, but does limit breach notification
• NIST conference seemed to indicate HHS is looking at this.
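What "rendered unusable, unreadable, or indecipherable" looks like for PHI at rest, as an added Go example that is not from the webinar or RightScale: each record is encrypted with AES-256-GCM (a FIPS-approved algorithm) under a key that lives elsewhere, so a copied disk or leaked object holds only ciphertext, and any tampering is detected rather than decrypted into something that merely looks like PHI. The record contents and record ID are constructed; the function names are this example's own. One caveat the slide's FIPS 140-2 bullet implies: validation is a property of the crypto module you deploy, not of the algorithm, so confirm with your vendor that the library build you ship is a validated module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In production the
// key lives in a KMS or HSM; PHI is only "secured" if whoever obtains the
// ciphertext cannot also obtain the key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one PHI record with AES-256-GCM. The output is
// nonce || ciphertext || tag, so a stored blob is self-describing apart from
// the key. aad (e.g. the record ID) is authenticated but not encrypted, which
// stops a ciphertext from being silently moved to another patient's row.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. Any change to the blob, the aad or the key
// makes the authentication tag fail, so the caller gets an error, never garbage.
func OpenRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample PHI; not real patient data.
	record := []byte(`{"mrn":"000123","name":"Jane Doe","dx":"E11.9"}`)
	aad := []byte("record-id:000123")

	blob, err := SealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes of ciphertext, e.g. %x...\n", len(blob), blob[:8])

	back, err := OpenRecord(key, blob, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the right key and record ID: %s\n", back)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	if _, err := OpenRecord(key, blob, aad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Note that the nonce is generated fresh per record and stored with it; reusing a nonce under the same key breaks GCM's guarantees, which is one reason key and nonce handling, not just the algorithm name, is what SP 800-111 and FIPS 140-2 review.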
31. Preemption of State Law
• HIPAA privacy requirements supersede only contrary provisions of State law UNLESS State law provides more stringent privacy protections than the HIPAA Privacy Rule
32. Marketing & Other Use of PHI
• Marketing communications that involve financial remuneration
  • In reality anything other than billing that involves financial remuneration
• Covered entity must obtain a valid authorization from the individual before using or disclosing
• Authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party
33. Hybrid Entities
• Covered entity itself, and not merely the health care component (HCC)
  • If you share PHI with the non-HCC part of your org, it could be considered a breach
• Responsible for business associate arrangements and other organizational requirements
• Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component
34. Consequences
• Fines
• Caps on types, not totals

Violation Category               Each Violation     Annual cap on identical violations
Did not know                     $100-$50,000       $1.5m
Reasonable Cause                 $1,000-$50,000     $1.5m
Willful Neglect – Corrected      $10,000-$50,000    $1.5m
Willful Neglect – Not Corrected  $50,000            $1.5m
35. Real World Example
• Idaho State University (ISU): 17,500 patients at ISU's Pocatello Family Medicine Clinic.
  • The breach was blamed on the disabling of firewall protections, and the failure of ISU to notice the change or the lack of protection.
• Consequences
  • $400,000 fine (>$20/account) + internal costs ($200K)
  • 2-year Corrective Action Plan, defining enhanced security procedures and increased reporting to HHS – likely 1 FTE ($400K over 2 years)
• Proactive:
  • A firewall management tool: $40K procurement, $15K second-year maintenance costs and 0.1 FTE.
• Punch line: if they had spent $75K they could have saved $1M
36. Timeframes
• Passed January 25th, 2013
• In effect March 26, 2013
• Compliance date is September 23, 2013
• 180 days: "In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules …"
37. Conclusion
• Rules are set; you should read the Omnibus Rule
• Managing your Business Associates is critical
• If you are a Business Associate, you now have direct liability
• You are responsible for your subcontractors and they for their subcontractors
• Good security, as always, will cover most of what you need.
38. Can Using RightScale Help?
• RightScale's management features can be helpful as companies work to comply with HIPAA:
  • Monitoring
  • Access control
  • Audit trails
  • ServerTemplate
• Advanced monitoring and auditing capabilities are best practices that will help you comply with HIPAA regulations
• Gives visibility into system access and configurations when performing a risk assessment after an allegation of a breach
39. Status on Our Cloud Providers and BAA
• The good news is that several of our cloud providers will sign a BAA.
  • Azure: Will sign a BAA
  • Datapipe: On a case-by-case basis
  • AWS: No public statement
    • We have heard from at least one customer that they were able to get AWS to sign a BAA
  • GCE: Not at this time
  • Rackspace: Not at this time
  • Softlayer: Not at this time
40. RightScale and BAA
• We do not "create, receive, maintain, or transmit" PHI
• We do not have access to PHI
  • If we are invited to an account, we may have "incidental" access
• RightLink runs on the instance; it does not interact with the electronic personal health information (ePHI) as part of its normal operations
  • You are not required to sign a BAA with your AV vendor
• Our understanding is that RightScale is not a Business Associate
41. Questions?
42. My Contact Info
• Email: phil@rightscale.com
• Twitter: sec_prof
• Google+: phil@rightscale.com
