Get information on the HIPAA Omnibus rule and how the revised regulations will impact not only healthcare organizations but also covered entities and other IT providers - OConnor Davies - NYC CPA Firm.
1. HealthCare Information Security
An Evolving Regulatory Landscape with Increasing Stakes
Thomas J. DeMayo
Director
IT Audit and Consulting Services
TDeMayo@odpkf.com
2. HIPAA – The History
• Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996 to encourage electronic transmission of payer/patient information and payment
• Privacy Rule – (2003) Designed to ensure patient health information was guaranteed a minimum level of protection across all states
• Security Rule – (2005) Added administrative, technical and procedural safeguards to electronic protected health information (ePHI)
– Complements the Privacy Rule
3. HIPAA – The History
• HITECH – (2009) Enacted to promote and expand the adoption of Health Information Technology
– Added increased restrictions (e.g. Privacy and Security Rules now apply to Business Associates (“BA”))
– Enhanced civil monetary penalties – e.g. tiered penalty structure with penalties up to $1.5m per year for each violation
– Introduced the Breach Notification Rule
– Required HHS to perform periodic audits of Covered Entities (“CE”)
4. HIPAA – The History
• Omnibus Rule (2013) – Finalized and/or
modified provisions of the Interim Rule and/or
added additional provisions
6. Security Rule Changes
• The Final Rule did not make any changes to
the Security Rule
– Confirmed that the Security Rule applies to
business associates
– Extended the application of the rule to
subcontractors
– Expanded liability for storage providers (e.g. Cloud
Providers)
7. Security Rule Clarification
• Health and Human Services (“HHS”) clarified:
• “Flexibility of approach” or “Reasonableness” of the controls continue
to apply; however, documentation of the approach and rationale is
required
• Internet, Extranets, and Intranets are forms of electronic transmission
media – If they transmit ePHI they are in scope
– Certain transmissions including paper via facsimile and of voice via
telephone, are not considered transmission via electronic media if the
information did not exist in electronic form immediately prior to
transmission.
• Copiers and fax machines that store ePHI are subject to the Security
Rule requirements
8. What exactly is the Security Rule?
• Consists of 78 standards that encompass
administrative, technical, and physical
safeguards
– Administrative – policies, awareness
training, assigning a security officer
– Technical – passwords, antivirus, firewalls
– Physical – physical storage of electronic
media, positioning of equipment
9. What exactly is the Security Rule?
• The standards (what must be done) contain
implementation specifications (how it must be
done)
• Implementation Specifications are either:
– Required – the specification must be implemented
as stated
10. What exactly is the Security Rule?
• Implementation Specifications are either: (cont…)
– Addressable - Must perform an assessment to determine
whether the specification is a reasonable and appropriate
safeguard in the covered entity’s environment. After
performing the assessment, an organization decides if it will:
• Implement the addressable implementation specification as stated;
• Implement an equivalent alternative measure that allows the entity to
comply with the standard; or,
• Not implement the addressable specification or any alternative
measures, if equivalent measures are not reasonable and appropriate
within its environment
11. What exactly is the Security Rule?
• Of the 78 standards:
– 26 are Addressable
– 52 are Required
***Addressable Does NOT imply OPTIONAL***
12. Results of Office For Civil Rights Audit
• Audits in 2012 showed that the Security Rule
requirements are not being met by covered
entities
– Office for Civil Rights (“OCR”) officials have
publicly stated this must change
• Of the 159 covered entities audited
– 10% of selectees had no audit findings
– 10% of selectees were totally unprepared for audit
13. Results of OCR Audit
• Of the 159 covered entities audited (cont…)
– Security accounted for more than 60% of audit findings
– Providers had greatest proportion of findings – 65%
– Smallest entities struggled the most in all three areas
– Significantly fewer findings for those entities who fully implemented addressable specifications
– Most common excuse heard for non-compliance – “unaware of the requirement”
– Lack of application of sufficient resources, incomplete implementation, complete disregard
14. Results of OCR Audit
• Top Areas Reported
– Security
• Risk analysis
• Access control
• Contingency planning
• Media movement and disposal, and
• Audit controls and monitoring
– Privacy
• Notice of privacy practices
• Access of individuals
• Minimum necessary, and
• Authorizations
16. Risk Assessment – Why the Fuss?
• Conducting a formalized Risk Assessment is
essential
• The HIPAA Security and Breach Rule
Framework is built on the results of the Risk
Assessment process
– The results of the risk assessment are what will
drive the compliance initiative and will be the
foundation on which the security activities are
built
17. Risk Assessment – Why the Fuss?
• OCR has made it very clear that all covered
entities must have a formalized risk
assessment
– Prediction – if your organization is selected for an
audit your documented risk assessment will be
one of the items selected for review
18. Risk Assessment Requirement
• Required implementation specification at
§164.308(a)(1)(ii)(A)
– Requires a covered entity to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
19. Risk Management Requirement
• Once the risks are identified they must be
managed
• Required implementation specification at §164.308(a)(1)(ii)(B) – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
20. §164.306 Security standards: General rules
• §164.306(a) - Covered entities and business associates
must do the following:
– (1) Ensure the confidentiality, integrity, and availability of all
electronic protected health information the covered entity or
business associate creates, receives, maintains, or transmits
– (2) Protect against any reasonably anticipated threats or hazards
to the security or integrity of such information
– (3) Protect against any reasonably anticipated uses or
disclosures of such information that are not permitted or
required under subpart E of this part
– (4) Ensure compliance with this subpart by its workforce
22. What are the steps?
• Scope of the Analysis - the scope of the risk analysis includes all the
people, processes and technology that are involved in the
creation, transmission, maintenance and/or storage of ePHI
• Data Collection – an organization must identify where data is being
stored, received, maintained or transmitted. If your organization is
hosting health information at a HIPAA compliant data center, the
organization will need to contact their hosting provider to
document where and how the data is stored
• Identify and Document Potential Threats and Vulnerabilities –
identify and document any reasonably anticipated threats to ePHI.
Anticipating potential HIPAA violations can help your organization
quickly and effectively reach a resolution
23. What are the steps?
• Assess Current Security Measures – inventory all of the existing
security controls implemented by the organization and determine
how effective they are in managing the threats and vulnerabilities
identified in the previous step
• Determine the Likelihood of Threat Occurrence – for each threat
event, determine how likely the event is to occur relative to the
organization’s specific circumstances
• Determine the Potential Impact of Threat Occurrence – by using
either qualitative or quantitative methods, assess the maximum
impact that a data threat would have on your organization
– How many people could be affected? What extent of private data
could be exposed – just medical records, or both health information
and billing information combined?
24. What are the steps?
• Determine the Level of Risk – combine the likelihood of the occurrence with
the potential impact to determine the ultimate risk level. Documented risk
levels should be accompanied by a list of corrective actions that would be
performed to mitigate risk, should the resulting risk be too high
• Finalize Documentation – summarize everything in an organized document –
HHS doesn’t specify a specific format, but they do require the analysis in
writing
• Periodic Review and Updates to the Risk Assessment – it is important to
ensure that the risk analysis process is ongoing – one requirement includes
conducting a risk analysis on a regular basis
***Be sure the person conducting the risk assessment has the technical capacity to
understand and communicate all the risks***
25. Penalties for Non-Compliance
• Tiered structure based on the level of culpability:
– Unknowing. The covered entity or business associate did not know
and reasonably should not have known of the violation
– Reasonable Cause. The covered entity or business associate knew, or
by exercising reasonable diligence would have known, that the act or
omission was a violation, but the covered entity or business associate
did not act with willful neglect
– Willful Neglect – Corrected. The violation was the result of
conscious, intentional failure or reckless indifference to fulfill the
obligation to comply with HIPAA. However, the covered entity or
business associate corrected the violation within 30 days of discovery
– Willful Neglect – Uncorrected. The violation was the result of
conscious, intentional failure or reckless indifference to fulfill the
obligation to comply with HIPAA, and the covered entity or business
associate did not correct the violation within 30 days of discovery
27. Penalties for Non-Compliance
• While the Final Rule includes many provisions
that amplify the penalties associated with a
violation of HIPAA, there is some flexibility
built into the Final Rule with respect to
imposition of such penalties as long as the
violations are NOT due to Willful Neglect
28. Breach Notification Rule
• HHS defines "breach" as the
"acquisition, access, use, or disclosure" of PHI in
violation of the Privacy Rule that "compromises the
security or privacy" of the PHI
• Under the interim rule, the phrase “compromise”
meant the inappropriate use or disclosure of PHI
involving significant risk of financial, reputational or
other harm
– Risk of harm standard was too subjective
29. Breach Notification Rule
• The Final Rule changed the term “compromise” to mean that, unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a "breach" unless the HIPAA-covered entity can demonstrate there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment
30. Breach Notification Rule
• Four part Risk Assessment:
– The nature and extent of the PHI involved, including the
types of identifiers and likelihood of re-identification
– The unauthorized person who used the PHI or to whom
the disclosure of PHI was made
– Whether the PHI was actually viewed or acquired
or, alternatively, if only the opportunity existed for the
information to be viewed or acquired
– The extent to which the risk to the PHI has been mitigated
***The Risk Assessment and results thereof must be documented and
stored for reference***
31. Notification Requirements
• Varies based on the number of affected individuals
– Must notify the individual, without unreasonable delay and in
no case later than 60 days from discovery of the breach
– If less than 500 people are affected, must notify the Secretary
annually within 60 days after the end of the calendar year in
which the breach occurred
– If greater than 500 people affected, must notify the Secretary
without unreasonable delay and in no case later than 60 days
from discovery of the breach
– If greater than 500 people affected in a single state or
jurisdiction, must notify prominent media outlets
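The notification thresholds above, turned into a small deadline calculator as an added illustration (this is not code from the presentation): it assumes dates are passed as ISO strings, that affected individuals are counted per state or jurisdiction, and it follows the slide's "greater than 500" wording for both the Secretary and media thresholds.

```python
from datetime import date, timedelta

# Thresholds as the slide phrases them ("greater than 500"); confirm the exact
# boundary against the current rule text before relying on this in practice.
THRESHOLD = 500
DEADLINE_DAYS = 60


def breach_deadlines(occurred: str, discovered: str, affected_by_state: dict) -> dict:
    """Return the notification deadlines the slide lists, keyed by recipient.

    occurred / discovered are ISO dates (YYYY-MM-DD); affected_by_state maps a
    state or jurisdiction to the number of individuals affected there.
    """
    occurred_on = date.fromisoformat(occurred)
    discovered_on = date.fromisoformat(discovered)
    from_discovery = discovered_on + timedelta(days=DEADLINE_DAYS)
    total = sum(affected_by_state.values())

    # Individuals: always, without unreasonable delay, at most 60 days from discovery
    deadlines = {"individuals": from_discovery.isoformat()}

    if total > THRESHOLD:
        # Secretary: same 60-day clock as the individual notice
        deadlines["secretary"] = from_discovery.isoformat()
    else:
        # Secretary: annual report, within 60 days after the end of the
        # calendar year in which the breach occurred
        year_end = date(occurred_on.year, 12, 31)
        deadlines["secretary"] = (year_end + timedelta(days=DEADLINE_DAYS)).isoformat()

    # Prominent media outlets: per state/jurisdiction where the count is over the threshold
    deadlines["media"] = sorted(s for s, n in affected_by_state.items() if n > THRESHOLD)
    return deadlines


def days_remaining(deadline: str, today: str) -> int:
    """Days left before an ISO deadline; negative once it has passed."""
    return (date.fromisoformat(deadline) - date.fromisoformat(today)).days


if __name__ == "__main__":
    # Constructed sample incident, not a real breach
    sample = breach_deadlines("2013-03-30", "2013-04-01", {"NY": 600, "CT": 100})
    for recipient, when in sample.items():
        print(recipient, when)
```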
32. Notification Requirements
Covered entities are ultimately responsible for
notifying individuals. The task can be contracted
to the business associate that “caused” the
breach, but ultimately, HHS is going to hold the
covered entity responsible for notification in a
timely manner
33. Questions?
Tom DeMayo, CISSP, CIPP, CPT, CEH, MCSE
Director, IT Audit and Consulting Services
TDeMayo@odpkf.com
646.449.6353