Keynote Presentation "Building a Culture of Privacy and Security into Your Organization"


Published on

There are real life consequences for organizations that do not integrate privacy and security throughout the continuum of HIT adoption, including health information breaches that could result in identity theft, financial loss and even altered records that can impact patient safety. Joy Pritts, Chief Privacy Officer at the Office of the National Coordinator for Health IT, whose office is directly engaged with these issues, will lead an interactive keynote discussion on ways to build a culture of privacy and security in healthcare organizations.

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Keynote Presentation "Building a Culture of Privacy and Security into Your Organization"

  1. 1. Privacy and Security: Building a Privacy and SecurityCulture in Health CareOrganizationsApril 25th, 2012Joy Pritts, JD,Chief Privacy OfficerOffice of the National CoordinatorHealth Information Technology
  2. 2. HHS Reaches $100,000 Settlement with 5 PhysicianPractice over HIPAA Violations 1
  3. 3. Why Create a Culture of Privacy and Security?• Assists Compliance to Law – New Developments • HIPAA Privacy and Security Rules • Enforcement• Good business• It’s Just the Right Thing To Do – Patient Trust 2
  4. 4. Compliance:Federal Health Information Privacy Laws• HIPAA Privacy and Security Rules – Health Insurance Portability and Accountability Act of 1996, effective 2003 and 2005, respectively• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 – Final Rule submitted to OMB March 24th, 2012• Others (e.g., 42 CFR part 2) 3
  5. 5. Who Must Comply with HIPAA Privacy and Security Rules? • Covered entities (CEs) –Health plans –Health care clearinghouses –Most health care providers 4
  6. 6. Business Associates and HITECH• Business Associates include: • EHR Vendors • Data Analytic Firms• HITECH Clarifies Business Associates include: • Health Information Exchanges • Personal Health Record Vendors• HITECH Specifies that Business Associates • Must follow administrative, physical and technical safeguards of the Security Rule • Must Follow use and Disclosure Limits of Privacy Rule • Subject to the same Civil and Criminal Penalties as Covered Entities 5
  7. 7. HIPAA Privacy Rule: Two Sides of One CoinProtect Privacy: Patients’ Rights:A CE may not use or • Right to accessdisclose PHI except: • Right to an• as the Privacy Rule accounting ofpermits or requires disclosures of(ie. payment, • Right to correcttreatment operations or amendetc) • Right to notice of privacy• as the patient or practicestheir representative • Right to file aauthorizes in writing. complaint 6
  8. 8. HIPAA Security Rule (CFR 164.306)• Protects Patient Health Information that is transmitted by or maintained in any form of electronic media• Framework of Technical, Administrative, Physical Safeguards• Ensures workforce training and complianceFlexible Approach (Addressable): Size, complexity and capabilities of Covered Entity Security Capabilities of CE hardware and software Cost of Security Measures Probability and criticality of potential risks to ePHI 7
  9. 9. So… Isn’t this old news? Then, why Are So Many Organizations Not In Compliance? 8
  10. 10. Major Causes of Breaches of PHI in 2010Breaches over 500 records:• Theft and loss were the most common reported causes of large breaches.• Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or theft of electronic media• This accounted for records of 2,979,121 individuals.• Loss of electronic media or paper records affected approximately 1,156,847 individuals - OCR Report to Congress on Breaches of Unsecured Information, 2011 9
  11. 11. Risk Assessments• 25% of healthcare organizations do not conduct security risk assessments – HIMSS 2011 Security Study• 39% of healthcare organizations do not or are not sure if they perform a risk assessment – Ponemon Study, 2011 10
  12. 12. Business Associates and Breaches Due to the high volume of records handled, a breaches from business associates translate into a disproportionate number of patients affected:• Business associates involved in 22% of the breaches• But this 22% accounts for 63% of all patients affected by the breaches 11
  13. 13. Security and Mobile Devices - Ponemon Institute, 2011 12
  14. 14. HITECH: It’s a New Day . . . 13
  15. 15. HITECH and Privacy and Security• Established Chief Privacy Officer for the Office of the National Coordinator• Increased fines for breaches• Created mandatory fines for willful neglect• Created Mandatory Breach Notification Rule• Established basis for Meaningful Use 14
  16. 16. Meaningful Use and Privacy and SecurityMU Stage 1 requires eligible providers and hospitals to• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.• No exclusion. 15
  17. 17. Enforcement• OCR has begun systematic audits of 150 organizations• CMS and Meaningful Use audits for Incentive funds are set to begin 16
  18. 18. Enforcement: Large organizations• Blue Cross Blue Shield of Tennessee (BCBST) settled with OCR for $1,500,000 for the theft of 57 hard drives to theft, March 13, 2012• Hard Drives contained names, social security numbers, diagnosis codes, DoB and Plan ID #s for over 1 million individuals• Caused by failure to implement appropriate physical access controls 17
  19. 19. Small Practice Enforcement Phoenix Cardiac Surgery (5 physician practice) was posting clinical and surgical appointments for its patients on an Internet-based publicly accessible calendar 18
  20. 20. Phoenix Cardiac Surgery• July 2007 to February 2009, Practice posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar• September 2005 until November 2009, Practice daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts 19
  21. 21. OCR’s Other Findings• Failure to implement adequate policies and procedures to appropriately safeguard patient information• Failure to document any employee training on its policies and procedures on the Privacy and Security Rules• Failure to identify a security official and conduct a risk analysis• Failure to obtain business associate agreements with Internet-based email and calendar services that included storage of and access to its PHI 20
  22. 22. Outcome of Investigation• $100,000 Settlement• Corrective Action Plan includes: – Develop written policies and procedures, submitted to and approved by OCR and documented training for employees – “An accurate and thorough” risk assessment of the potential risks and vulnerabilities to PHI – Submission of Risk Management Plan to OCR – Identification of Security Official – Business Associates Agreements – Any violation of policies and procedures will be a Reportable events to OCR CAP available at: 21 agreement.pdf
  23. 23. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” - Leon Rodriguez Director of the Office for Civil Rights April 17th 2012, OCR Press Release 22
  24. 24. The Real Loss – Patient Trust Beyond Compliance and Return on Investment,Ensuring Patient Privacy is Just the Right Thing to Do 23
  25. 25. Good Business: Patient Trust The ROI for Breach Prevention Diminished productivity and financial consequences due to a breach can be severe. Organizations reported:• The potential result is patient churn; the average lifetime value of one lost patient is $113,400• Economic impact• Loss of time and productivity• Diminishment of brand or reputation• LOSS OF PATIENT GOODWILL - Ponemon, “Second Annual Benchmark Study 24
  26. 26. Developing a Privacy and Security CultureChallenges: • Providers and Staff may have little understanding of new technology and privacy and security issues • Providers and Staff are reticent about asking questions or for assistance • Adopting new software and workflow in the fast- moving healthcare culture is difficult • Vendors may assume that providers and staff understand privacy and not adequately train 25
  27. 27. Strategies• Executive Leadership Communicate Essential Value• Privacy and Security Metrics are included in Employee Performance Plans/Evaluations• Considered as part of physical environment, patient care, and all communications• Staff are made to feel comfortable in asking questions and for help, resources are widely and freely available• Training, is regular and updated and an essential part of the overall strategic plan• Continuous Improvement and audits completed and results communicated to all 26
  28. 28. ONC’s Office of the Chief Privacy OfficerRecent and Current Projects• Personal Health Record Roundtable• Mobile Device Roundtable• Small practice Risk Assessment – original and revised• HIE Privacy and Security Program Information Notice• Security Training and Video Games• Research project on security configurations of mobile devices• Mobile device good practices videos and materials• Website redesign:• Data Segmentation Project• Community College Curriculum Privacy and Security Review 27
  29. 29. Training Materials – Series of Security Video GamesDue for Release Summer of 2012 DRAFT 28
  30. 30. Sharing Responsibility for Ensuring Patient Privacy We all have a role to play in keeping health information private and secure. • Government establishes P/S policies that are affordable and workable • Vendors should create easy-to-use P/S features and communicate importance • Providers and staff should understand their role in protecting patient privacy • Patients understand their rights and basic means of securing their PHI 29
  31. 31. We Are All In This Together Office of the National Coordinator for4/30/2012 30 Health Information Technology
  32. 32. Conclusion Questions? 31
  33. 33. HIPAA/HITECH Resources• Privacy and Security Section of• Are you a Covered Entity?:• OCR HIPAA Privacy Rule Training Materials:• OCR Guidance on Significant Aspects of the HIPAA Privacy Rule:• OCR Settlement with Phoenix Cardiac Surgery:• Fast Facts about the HIPAA Privacy Rule:• The HHS Office of Civil Rights, HIPAA FAQs:• Guidance materials for Small Providers, Small Health Plans, and other Small Businesses:• OCR’s Sample Business Associate Contract Provisions: 32
  34. 34. Other Federal Law Resources• 42 CFR Pt. 2:• Title X Confidentiality: 42 C.F.R. § 59.11: idx?c=ecfr&sid=ce18bb9053f3b026e8983fd8ac27170c&rgn=div8&view=text&nod e=42:• GINA deferring to HIPAA: 29 C.F.R. §§ 1635.9(c) and 1635.11(d): idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&nod e=29: and idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&nod e=29: – GINA:• HIPAA deferring to FERPA; exceptions to “protected health information” under (2)(i) and (2)(ii) in 45 C.F.R. § 160.103: idx?c=ecfr&sid=35aa826589279b8cff00d53c641a609f&rgn=div8&view=text&node =45: – FERPA/HIPAA Guidance: guidance.pdf4/30/2012 ONC 33
  35. 35. Other Resources• For state privacy laws, see the National Conference of State Legislators (NCSL):• For state privacy law information:• National Governor’s Association (NAG) Report on state laws and HIE:• Health Information Security and Privacy Collaboration (HISPC) reports on state laws:• The Financial Management of Cyber Risk: “An Implementation Framework for CFOs” American National Standards Institute, 2010• Second Annual Benchmark Study on Patient Privacy and Data Security, 2011 Ponemon Institute• OCR’s Sample Business Associate Contract Provisions: Office of the National Coordinator for4/30/2012 34 Health Information Technology