1 THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For Kirsten Ruzic Wild, RN, BSN, MBA, CHC September 11, 2009

Post on 24-Dec-2015

219 views

Category:

Documents


2 download

TRANSCRIPT

Page 1

THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For

Kirsten Ruzic Wild, RN, BSN, MBA, CHC

September 11, 2009

Page 2

Objectives

Gain insight into government’s enforcement efforts

Highlight current level of health care entities’ compliance – HIPAA COW Benchmarking Survey

Understand the recent ARRA changes and impact

Page 3

A little background... HIPAA Security

Establish national standards for the security of electronic health care information
– Administrative safeguards
– Physical safeguards
– Technical safeguards

Enforcement Authority was CMS

Page 4

A little background... HIPAA Security

Rule Requirements

Establish national minimum standards for the security of electronic health care information

Published February 2003, deadline April 2005

Administrative, technical, and physical security procedures (18 standards)

Implementation specifications are either Required (14) or Addressable (22)

Page 5

HIPAA Security Rule

Rule Goals

Comprehensive, scalable and technologically neutral (flexible)

Protect the confidentiality, availability and integrity of electronic PHI (“ePHI”)

Assess YOUR risks and vulnerabilities

Improve Medicare/Medicaid through increased effectiveness and efficiency

Page 6

HIPAA Security Rule

Rule Goals

“Improve efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements to enable the electronic exchange of certain health information”

45 CFR Parts 160, 162, 164 – Final Rule

Page 7

HIPAA Security Rule

Interpretation

Good Thing: Scalable and flexible

Bad Thing: Scalable and flexible

How do you know if you meet the standard?

Are you certain you are compliant?

Page 8

HIPAA Security Rule

Interpretation

Lack of standard
Constantly changing technologies
Complexity and variety of clinical applications
Limited IT budgets
No CMS enforcement or oversight (years)
Interpretation?

Why bother?

Page 9

OIG Audits and Guidance

March 2007

Audit of Piedmont Hospital – Atlanta

Non-specific findings: significant vulnerabilities

Leaked checklist of 42 questions/documents

Page 10

OIG Audits and Guidance

August 2007

Audit of CMS (Results of audit released in October 2008)

Findings
– No compliance reviews had been conducted in 2 years
– CMS had “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule”
– CMS agreed to implement a formal audit process
– Defense: voluntary compliance and complaint-driven

Page 11

OIG Audits and Guidance

No findings released

OIG committed to ongoing audits of covered entities nationwide for next few months

Develop understanding of CE interpretation of flexible and scalable ???

Page 12

CMS

Late 2007

Office of eHealth Standards and Services (OESS)

CMS website – HIPAA Security Standard

Sample document request list for audit - 42

First insight into federal interpretation

Conducting on-site reviews since January 2008

Page 13

OCR/CMS Auditing/Enforcement

CMS
Mid 2008
Audited Providence Health and Services
In cooperation with OCR
Failure to implement P&P to protect PHI
Portable media
First Resolution Agreement/CAP
On OCR website
Only CMS audit results released

Page 14

OCR/CMS Auditing/Enforcement

Providence Audit

No civil monetary penalty for cooperating

Audited by OCR and CMS jointly

Complaint-triggered audit

Page 15

CMS Enforcement

Enforcement Statistics – the 3 standards with the largest number of complaints

Information Access Management (Administrative Standard 164.308(a)(4)(i))

Access Control (Technical Standard 164.312(a)(1))

Security Awareness and Training (Administrative Standard 164.308(a)(5)(i))

Page 16

Conclusions

Uncoordinated guidance, interpretation and enforcement

Info on a variety of government websites: OIG, CMS, OESS, OCR, Dept of Commerce (NIST)

Not easy to find

Where do you go from here?

Page 17

New Enforcement

As of August 3rd, OCR is responsible for enforcement of HIPAA Security – not CMS

“eliminate duplication and increase efficiencies”

Page 18

HIPAA COW Security Networking Group

Benchmarking Survey
– March 2009
– Goals:
» to provide benchmarking data to help organizations across the State determine their level of compliance with the regulations in preparation for a federal audit
» Not to justify or support non-compliance
» Determine if benchmarks (local?) exist

Page 19

HIPAA COW Security Networking Group

Benchmarking Survey

56 questions
10 categories
Average of 76 responses to each question
Respondents include: acute care hospitals, clinics/physician groups, long-term care facilities, payers, and integrated health care delivery networks
From <200 to >2000 employees
– Size of an organization had little effect on level of compliance

Page 20

HIPAA COW: Benchmarking Survey Results - Encryption

54% of respondents indicated they encrypt e-mail – 46% do not currently encrypt e-mail

34% of respondents indicated they encrypt laptop hard drives – 66% do not encrypt laptops

Page 21

HIPAA COW: Benchmarking Survey Results - Encryption

30.7% (less than 1/3) are encrypting USBs and other mobile devices

26% indicated they do not encrypt any devices or data transmission

Page 22

Committee Interpretation

Expected that organizations had implemented encryption techniques/solutions on more types of devices

Why not encrypting?
– Budget limitations
– Too difficult
– IT not ready to administer
– Organizational policies prohibit transmission of PHI in e-mail or on portable devices
– Organizations may be currently implementing or testing to find solutions
– Believe it is impossible to enforce

Page 23

Conclusions/Recommendations

All organizations should be capable of encryption
– Well-established technology
– Inexpensive
– Easy to implement

“Addressable” standard? Per OIG Auditors presentation in April – lack of encryption will fail an audit

Provide proactive solutions to your users

Page 24

HIPAA COW: Benchmarking Survey Results – Disaster Recovery

88.8% have a Disaster Recovery Plan
– Those who didn’t tended to be smaller organizations

45.6% state their Plan covers every application

31.6% indicated their Disaster Recovery Plan covers only those applications that support basic business functions

89.4% state their Plan is documented

Page 25

HIPAA COW: Benchmarking Survey Results – Disaster Recovery

50.6% test their Disaster Recovery Plan

39.5% did not answer the question

Of those that answered the question (open-ended) as to how often they test their Disaster Recovery Plan, majority stated annually

Page 26

Committee Interpretation

Why not meeting the Standard?
– Challenging as not a static condition
– Very complicated
– Cost/benefit analysis
– Lack of consequences
– Productivity pressures

Page 27

Committee Interpretation

Are these really disaster recovery plans or just disaster response plans?

How does this compare or relate to plans for business continuity? Infrastructure recovery? Critical patient care systems?

Possibly handled by other departments? Is the Plan being used?

Page 28

Conclusions/Recommendations

Required specification

Prioritize applications

Test in order of priority

Consider the time it takes for the entire system to recover

Page 29

Conclusions/Recommendations

Recovery should be intrinsic to implementation of new applications

Get started, start small

Resolve with external resources – consultant

Consider the potential consequences

Page 30

HIPAA COW: Benchmarking Survey Results – E-Mail Retention

48.2% have an E-mail Retention Policy

54.3% store all e-mail
– 45.7% do not store all e-mail

73.1% store e-mail back-ups off-site

The length of retention is extremely variable
– 2 weeks - forever
– Dependent on application, retention policy, type of data, user preference

Page 31

Committee Interpretation

Without a policy, in response to a legal discovery request, what would you produce?

If it is discovered, it must now be kept

Implications of e-discovery law

Page 32

Conclusions/Recommendations

Must have a Record Retention Policy

– Classify by data type or classification, not medium

– Decision for retention is “what” data is retained and for how long, regardless of what format the data is in

– Create a Records Retention Schedule

– Educate and enforce the policy

Page 33

HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off

Network Level

54.3% employ automatic log-out at the network level

Of those who employ automatic log-out at the network level:
– 58.1% implemented log-out times of 10-30 minutes
– 34.9% implemented log-outs of less than 10 minutes

Which means:
– 93% require log-out times to be less than 30 minutes
– Only 7% have implemented log-out times at the network level of greater than 30 minutes

Page 34

HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off

Application Level

66.3% employ log-outs at the application level

Of those who employ automatic log-outs at the application level:
– 52.8% have implemented log-out times of 10-30 minutes
– 20% have implemented log-out times of less than 10 minutes

Which means:
– 73.6% require log-out times to be less than 30 minutes
– 26.4% have implemented log-out times at the application level of greater than 30 minutes

Page 35

HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off

Physically secured

If work stations are in a physically secured area:
– 65.4% still require an automatic log-out
– 34.6% do not use automatic log-outs

Page 36

Committee Interpretation

Log-out times at the network or application level should be less than 30 minutes

Is this really a standard and is there really an increased risk?

Longer log-out times might be acceptable in physically secured workstations or controlled environments (Surgery) – some risk is mitigated

Page 37

Conclusions/Recommendations

Log-out times at the network or application level should be less than 30 minutes

Even if you have work stations in areas considered to be physically secured, most organizations still require automatic log-out

Per OIG Auditors – use of generic accounts will fail an audit, unless there is proof that this level of access does not reach any PHI

Clinical applications must authenticate to the user

Consider generic accounts to log on to network

Page 38

HIPAA COW: Benchmarking Survey Results – Passwords

Network Passwords

46.9% require network passwords to be changed every 30-90 days
– 37% require passwords to be changed after more than 90 days
– 13.6% never require passwords to be changed

92.4% have a minimum password length at the network level
– 84% require passwords to contain 6-8 characters
– 5.3% require network passwords to contain 9-12 characters

Which means:
– 89.3% require passwords to be at least 6 characters in length

Page 39

HIPAA COW: Benchmarking Survey Results – Passwords

Application Passwords

45% require application passwords to be changed every 30-90 days
– 33.8% require passwords to be changed after more than 90 days
– 20% never require passwords to be changed at the application level

86.1% have a minimum password length for passwords at the application level
– 86.4% require passwords to contain 6-8 characters
– 1.5% require application passwords to contain 9-12 characters

Which means:
– 87.9% require application passwords to be at least 6 characters in length

Page 40

Committee Interpretation

There appears to be clear agreement regarding password length

Are the users allowed to determine how frequently their password is changed?

Are password requirements for applications dependent upon the application?

Page 41

Conclusions/Recommendations

Consider the NIST recommendations

If you are an organization that does not ever require network passwords to be changed, it is highly recommended that you change your policy

If you are an organization that allows passwords to be less than 6 characters in length, it is highly recommended that you change your policy

Page 42

HIPAA COW: Benchmarking Survey Results – Portable Media

63.8% indicate they have a policy covering portable/mobile devices
– 36.3% have no policy

49.4% allow PHI to be loaded on portable media
– 50.6% do not allow PHI to be loaded

Of those who allow PHI to be loaded on portable media:
– 68.4% require the data to be password protected or encrypted
– 31.6% have no requirements to password protect or encrypt the data

Page 43

HIPAA COW: Benchmarking Survey Results – Portable Media

50% state their policy is that no PHI can be loaded on portable media

78.9% indicate they are not confident they know the number of portable devices used by their employees
– 21.2% are confident they know the number of portable devices used by employees

72% of those who took the survey did not answer this question

Page 44

Committee Interpretation

The Committee finds this scary!

Portable media containing PHI has triggered many of the initial complaints to federal agencies resulting in investigations

We want to meet the 21.2% who are confident they know the number of portable devices used by employees

Page 45

Committee Interpretation

If your policy states that PHI cannot be loaded on portable media, how do you audit or enforce?

Without a policy, in response to a legal discovery request, what would you produce?

Does encrypting a laptop solve this?

Page 46

Conclusions/Recommendations

We still recommend having a written policy in place to hold employees responsible and accountable and to help protect the organization from an individual’s wrongdoing

Even if you are not sure how to enforce a policy or feel employees can still violate confidentiality rules

Don’t forget about your vendors

Page 47

HIPAA COW: Benchmarking Survey Results – Remote Access

81.3% confirm they have a Remote Access Policy

86.1% also state they allow employees with remote access to access applications containing PHI

72.3% state they audit the remote access of employees

Page 48

Committee Interpretation

If you allow remote access, how do you monitor or prevent printing of PHI?

How do you protect internal networks from non-enterprise owned PCs?

Is limiting file transfers an option?

Results not dependent on the size of an organization

Page 49

Conclusions/Recommendations

Really only 2 options:
– Restrict the use of PCs not owned/controlled by organization
– Run the risk and manage through policies, education and enforcement - attestation

If you remove the driver on the terminal printer, users cannot print at home

Utilize a VPN

Create good policies and enforce them

Consider your business objectives/alternative technologies

Page 50

HIPAA COW: Benchmarking Survey Results – Auditing

53.9% responded that they conduct regularly scheduled audits to determine if PHI is accessed inappropriately
– 46.1% do not audit for inappropriate access

86.8% indicate they have a formal sanction policy for employees who inappropriately access PHI

Page 51

HIPAA COW: Benchmarking Survey Results – Auditing

Dependent on the severity of the inappropriate access, these sanction policies include the following types of discipline:
– 53.7% formal, documented discipline
– 47.8% termination of the employee
– 44.8% suspension of the employee
– 9% formal prosecution
– 49.3% all of the above
– 4.5% utilize none of the above sanctions

Page 52

Committee Interpretation

Not really surprising

Auditing is very time consuming and resource-dependent

Results not dependent on the size of an organization

OIG auditors stressed the importance of having control over your systems; emphasis is on the integrity of the data first, and then on the confidentiality of the data

Page 53

Committee Interpretation

It is reassuring that so many organizations take discipline for violations so seriously

Old legacy systems – auditing virtually impossible

Do less auditing and do it well

Page 54

Conclusions/Recommendations

You must have a formal sanction policy that addresses HIPAA violations

Must have audit log reports that capture any inappropriate activity

Given the amount of emphasis the OIG places on audit logs, we need to do a better job with regular auditing – only ½ audit

Establish thresholds for security – role-based access

Document your restrictions

Page 55

Conclusions/Recommendations

Old Technology
– Must make a good faith effort with old technology
– Prove and document limited capability
– Standard of Reasonableness
– Establish a policy, train and enforce

Determine real risks, audit based on risk

Don’t collect data unless going to do something with it

Page 56

HIPAA COW: Benchmarking Survey Results – Training

How often/when is HIPAA training conducted:
– 72.5% hold training annually
– 61.3% conduct this training at new employee orientation
– 30% indicate they only conduct training as needed
– 3.8% hold training semi-annually
– 1.3% indicate they do not conduct training
– 6.3% answered other

Page 57

HIPAA COW: Benchmarking Survey Results – Training

88.6% responded that they train 100% of their workforce
– 11.4% indicate they do not train 100% of their workforce
– The vast majority of those who do not are very large

35.9% train vendors, contractors, or other non-employed members of their workforce
– 64.1% do not train these members of their workforce

Page 58

HIPAA COW: Benchmarking Survey Results – Training

96.2% state that training is mandatory for workforce members

57.3% state training is not mandatory for all senior organizational leadership including members of the BOD
– 42.7% indicate training is mandatory for senior leadership

89.5% of organizations require workforce members to sign an attestation indicating their acknowledgment of HIPAA training

Page 59

Committee Interpretation

Disturbing to see that the majority of respondents do not train their senior leadership - “tone at the top”

BOD does not usually have access to PHI but they do need to understand the standards in the organization; requires a different level of training than the majority of the workforce.

Page 60

Conclusions/Recommendations

ALL employees, vendors and members of BOD must be trained

Education must occur prior to a new employee accessing the system

Training must be truly mandatory, i.e., a condition of employment

Signed attestations or Confidentiality Agreements are highly recommended

“5 minutes of Security”

Personal liability!!

Page 61

HIPAA COW: Benchmarking Survey Results – E-Discovery Request

31.5% state they have a formal process in place to respond to an E-Discovery request
– 68.5% indicate they do not have a process for responding to an E-Discovery request

Only 19.2% respond that they have a written policy that addresses E-Discovery
– 80.8% do not have a written policy

Page 62

HIPAA COW: Benchmarking Survey Results – E-Discovery Request

For those who have a written E-Discovery policy:
– 85% indicate the policy covers documents stored on the network
– 95% indicate the policy covers e-mail
– 20% indicate the policy covers other types of data

Page 63

Committee Interpretation

Emerging issue

Huge!

Whitepaper

Page 64

Conclusions/Recommendations

Know who leads this effort in your organization

Address with your retention policy to determine how you are classifying your data

Page 65

Conclusions

Most significant risk: passive loss of data due to own inaction; failure to properly implement all the regulations resulting in non-compliant activity by authorized user

Increased government scrutiny

Target for audits still complaint-driven

Page 66

American Recovery and Reinvestment Act (ARRA)

Goals

Stimulus Package

February 17, 2009

“Making supplemental appropriations for job preservation and creation, infrastructure investment, energy efficiency and science, assistance to the unemployed, and State and local fiscal stabilization”

~One Hundred Eleventh Congress of the United States of America

Page 67

HITECH

Health Information Technology for Economic and Clinical Health Act (“HITECH”)

Stimulus expenditures for development and adoption of Health Information Technology (“HIT”)

Through Medicare and Medicaid reimbursement systems

Utilization of an electronic health record (“EHR”) for each person in the United States by 2014

Adoption of EHR is critical to improvements in quality of care and ultimate cost savings

“Meaningful Use”

Page 68

ARRA

Widespread adoption of EHR will not occur unless the public is assured that the privacy of their health information is secured

Strengthen privacy and security protections for health information

ARRA mandates increased enforcement

Page 69

“A Computer lets you make more mistakes faster than any invention in human history – with the possible exceptions of handguns and tequila.”

Mitch Ratcliffe

Page 70

Opportunity and Challenge

As we advance the use of health information technology

Increase in EHR and interoperability=

Increase risk to patient confidentiality=

Increase in risk to health care entities

Page 71

ARRA Expansion of HIPAA Rules

Depends on who you are

Covered Entity

Business Associate

Vendor

Page 72

ARRA Changes – Covered Entities

Data Breach Notification – when a CE discovers (defined) that a breach (defined) of unsecured (defined) PHI has occurred
– notify each individual (state law)
» this includes timeliness and content provisions specifically spelled out in the law
» burden of proof in demonstrating notification, including any delay
» how to notify each individual is specified
– Notification to the media if breach involves more than 500 individuals
– Notification to DHHS
» <500 individuals - a log annually
» >500 individuals - immediately notify DHHS who will post the name of the CE on their website

Page 73

ARRA Changes – Covered Entities

If an organization has an EHR

Right to Access and obtain a copy of their electronic PHI and to have this information additionally transmitted to another party; limitation on fees

Right to request an Accounting of Disclosures of PHI, the CE must supply all disclosures, including those made by a BA or must provide a list of all BA and their contact information; compliance with this regulation is dependent upon date of implementation of an EHR

Page 74

ARRA Changes – Covered Entities

BA are now obligated to comply per regulation

Revision of Business Associate Agreement

– Ensure that BA has implemented the administrative, physical and technical safeguards of HIPAA Security

– Specify that BA must comply with use and disclosure rules in HIPAA Privacy Rule

– Negotiate security breach coordination
– Agreement on reporting and dispute resolution

Page 75

ARRA Changes – Covered Entities

Minimum necessary or Limited Data Set

Right to Request Restrictions

Marketing communications and remuneration

Page 76

ARRA Changes – Covered Entities

Are your BA aware of their new regulatory obligations?

What if they are not compliant?

Can you contract with them?

Page 77

ARRA Changes – Business Associates

BA are now obligated to comply per regulation – February 18, 2010

HIPAA Security Rules
– As if a CE
– Administrative, Physical and Technical Safeguards

Some provisions of the HIPAA Privacy Rules

Page 78

ARRA Changes – Business Associates

Data Breach Notification - when a BA discovers (defined) that a breach (defined) of unsecured (defined) PHI has occurred, notify the Covered Entity with specific information
– this includes timeliness provisions specifically spelled out in the law
– burden of proof in demonstrating notification, including any delay
– BA are now obligated to comply per regulation by February 18, 2010

Page 79

ARRA Changes – Business Associates

New privacy and security requirements of ARRA
– Minimum Necessary (defined) standards
– Accounting of disclosures
– Restrictions on disclosures
– Access – if maintain patient information on behalf of CE
– Marketing and remuneration

Page 80

ARRA Changes – Business Associates

Subject to criminal and civil penalties

Also subject to penalties if they fail to take action when aware that a CE is not in compliance with HIPAA

Subject to federal audits
– If you are a CE, why do you care?
– Are you willing to risk contracting with a BA if they are not in compliance with HIPAA rules?

Page 81

Heightened Enforcement

Level of Intent/Neglect          Per Violation   Maximum Penalty
Without Knowledge                $100            $25,000
Based on reasonable cause        $1,000          $100,000
Willful neglect                  $10,000         $250,000
Willful neglect, not corrected   $50,000         $1,500,000

Heightened enforcement – mandatory penalties for “willful neglect”

CE and BA

Page 82

Heightened Enforcement

Private right of action

State attorney general enforcement authority to file suit on behalf of their residents

Courts can award damages, costs, and attorney’s fees related to HIPAA violations

Employees/individuals are subject to civil and criminal penalties

Page 83

New Enforcement

Report by HIT Standards Committee
– Recommend that if under investigation for violation of HIPAA Privacy or Security, CMS withhold meaningful use payment until the violation has been resolved

Intent to disallow IT incentive payments if confirmed HIPAA violation goes unresolved

Could any complaint trigger an investigation?

Missed payments for the length of the investigation?

Page 84

What is your greatest risk?

Complaints from patients lead to investigations

Data breach notification

Most significant risk: passive loss of data due to your own inaction; failure to properly implement all the regulations, resulting in non-compliant activity by an authorized user

Page 85

ARRA Changes – Vendors

Neither a CE nor a BA

Vendors of services related to Personal Health Records (“PHR”)
– offer PHR
– offer products or services through website
– access info or send info to a PHR

Page 86

ARRA Changes – Vendors

Wisconsin Health Information Exchange (“WHIE”)

Regional Health Information Organizations (“RHIO”)

Maine HealthInfoNet - country's largest statewide health information exchange

Google Health/HealthVault – electronic health profile

E-prescribing gateways

Page 87

ARRA Changes – Vendors

Breach notification requirements
– Individuals
– Federal Trade Commission (“FTC”)
– FTC notifies HHS

“Unfair and deceptive act or practice”

Regulated by FTC – promulgate rule by February 2010

Page 88

Much more to come……

Creation of governmental bodies
– Office of National Coordinator for HIT (“ONCHIT”)
– HIT Policy Committee
– HIT Standards Committee
– Privacy Advisors in regional offices of HHS
– National education initiative

More than 20 guidances, regulations, reports and studies - coordinated through ONCHIT

Page 89

Short “To Do” List

CE
– Make sure you have a handle on your BAA – revisions needed
– Begin dialogue with BA
– Make sure someone in your organization is staying informed
– Educate, re-educate your staff
– Educate your BA and vendors
– HIPAA Hotline for patients
– Check insurance coverage

Page 90

Short “To Do” List

BA
– IMPLEMENT the REGS!
– Make sure you have a handle on your BAA – revisions needed
– Begin dialogue with CE – business advantage
– Make sure someone in your organization is staying informed
– Educate, re-educate your staff
– Implement a hotline
– Check insurance coverage

Page 91

Short “To Do” List

Vendors
– Implement Data Breach Requirements
– Make sure someone in your organization is staying informed
– Educate your staff

CE, BA, Vendors
– Resources, resources, resources
– Don’t wait any longer

Page 92

Sinaiko Healthcare Consulting

Conduct comprehensive Risk Assessments

Assist in implementation of regulations

Interpretation of regulations

Development and implementation of Training Programs

Creation of or revisions to Policies and Procedures

Perform audits

Assist/support of governmental investigations