HIPAA: Introduction to the Security Rules
Lorman Education Service, August 22, 2007, Tacoma, Washington
Presentation By: Stephen D. Rose, J.D., M.B.A., K&L Gates
925 Fourth Avenue, Suite 2900, Seattle, Washington 98104
(206) 370-8126, [email protected]
HIPAA: Introduction to the Security Rules
The Health Insurance Portability and Accountability Act of 1996
(Public Law 104-191), signed August 21, 1996
Title II, Subtitle F: Administrative Simplification
“HIPAA”
Pythagorean Theorem: 24 words
Archimedes’ Principle: 67 words
The Ten Commandments: 179 words
Lincoln’s Gettysburg Address: 286 words
U.S. Declaration of Independence: 1,300 words
HIPAA Privacy: 401,034 words
. . . the square of the hypotenuse is equal to the sum of the squares of the other two sides: a² + b² = c²
Perspectives
HIPAA: Health Insurance Portability and Accountability Act of 1996
Title I: Insurance Portability
Title II: Administrative Simplification (Transactions, Code Sets, Identifiers, Security, Privacy, EDI); Fraud and Abuse; Medical Liability Reform
Title III: Tax-Related Health Provisions
Title IV: Group Health Plan Requirements
Title V: Revenue Offsets
HIPAA Administrative Simplification Law
Compliance Dates of HIPAA Rules
Privacy Rules: April 14, 2003
Security Rules: April 20, 2005 (April 20, 2006 for small health plans)
Purpose of HIPAA Provisions
Improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.
Two Key Privacy Rule Goals
Provide strong Federal protections for privacy rights in health care information.
Preserve (i.e., do not interfere with) quality health care delivery.
Privacy Rules vs. Security Standards
Privacy Rules focus on the rights and expectations of patients with respect to how their private medical information, in any form, is handled by providers and organizations.
Security Standards set the requirements covered entities must meet to protect the confidentiality, integrity, and availability of medical information that is held or transmitted electronically (ePHI).
The Importance of Privacy and Security
In 2001 a Nevada woman purchased a used computer only to find that its previous owner, a drugstore, had left the pharmacy records of thousands of patients on it.
In 2000 a Florida man purchased a laptop only to discover mental health records from a local institution on it; he contacted the news media, who interviewed patients about the matter.
In 2000 a hacker downloaded medical records, health information, and Social Security numbers of more than 5,000 patients at the University of Washington Medical Center. The hacker was motivated by a desire to expose the vulnerability of electronic medical records. (R. O’Harrow, "Hacker Accesses Patient Records," The Washington Post, 9 December 2000, p. E1)
The hacker claimed that all the records were taken via the Internet, that the institution lacked firewalls, and that user IDs and passwords had been captured by logging keystrokes.
In 2000 a teenage girl, while visiting her mother at work, retrieved the names and phone numbers of patients who had visited the ER from a hospital computer. As a prank, she called them and told them they were pregnant or had AIDS. One victim attempted suicide.
CD with Medical Data of 75,000 is Found
A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday.
A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers said the company received a telephone call Wednesday morning saying that the CD had been delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January.
There is no way to track whether copies of the CD were made.
In 1994, administrators of a new computerized medical record system for an HMO in Oregon were shocked to find that 141 employees had peeked at the record of a celebrity who came in to be treated for a sprained wrist.
Most Data Breaches Traced to Company Errors
Research from the University of Washington, Seattle, found that organizations themselves are more often responsible for data security breaches than outside intruders.
The study looked at 550 data breaches that received media coverage between 1980 and 2006.
Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors.
Less than one-third of the breaches were the work of outside attackers.
Washington State Data Breach Notification Law (RCW 19.255.010)
Businesses and individuals that own or license computerized data that includes “personal information” must notify state residents whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.
Notice of the data breach must be sent in “the most expedient time possible and without unreasonable delay.”
Other Federal Laws
The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, penalizes intentionally accessing a computer without authorization (or exceeding authorized access) and thereby obtaining information or causing damage.
It also contains a private right of action under 18 U.S.C. § 1030(g), designed to supplement the criminal sanctions under 18 U.S.C. § 1030(c).
Regulation Themes: Scalability/Flexibility
Covered entities can take into account:
Size
Complexity
Capabilities
Technical infrastructure
Cost of procedures to comply
Potential security risks
Compliance
45 CFR § 164.530(i): a Covered Entity must develop and implement policies and procedures relating to PHI that are designed to comply with the HIPAA regulations.
Compliance is mandatory.
Duty to Safeguard PHI
HIPAA requires a Covered Entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI.
Assigning Responsibility
Privacy Officer 45 CFR 164.530(a)(1)(i)
Designated person to receive complaints 45 CFR 164.530(a)(1)(ii)
The Security Rules
Published: February 20, 2003
Effective Date: April 21, 2003
Compliance Date: April 20, 2005 for all covered entities except small health plans, which had until April 20, 2006.
CIA: Confidentiality, Integrity, Availability
General Requirements (§ 164.306(a))
Ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains, or transmits.
Confidentiality (only the right people see it)
Integrity (the information is what it is supposed to be; it has not been changed)
Availability (the right people can see it when needed)
Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required.
Additional Requirements of the Security Rule
Ensure compliance by the workforce.
Identify and respond to suspected or known security incidents; mitigate their harmful effects; and document each incident and its outcome.
“Required” versus “Addressable”
The HIPAA Security Rule requires each standard to be implemented through written policies and procedures.
These standards have “required” and “addressable” implementation specifications.
“Required”
Required implementation specifications are mandatory.
“Addressable”
WARNING: “addressable” does NOT mean “optional.”
If a given addressable implementation specification is determined to be reasonable and appropriate, the entity must implement it.
If it is determined to be unreasonable or inappropriate, the entity must document why, and must implement an equivalent alternative measure that accomplishes the same end if such a measure is reasonable and appropriate.
In either case the determination and its rationale must be documented.
HIPAA Security Standards
Administrative Safeguards (55%) 12 Required, 11 Addressable
Physical Safeguards (24%) 4 Required, 6 Addressable
Technical Safeguards (21%) 4 Required, 5 Addressable
Administrative Safeguards (§ 164.308)
This section is concerned with the policies, procedures, and processes relating to the “workforce”, as opposed to the physical and technical security that is the subject of later sections.
Security Management Process: Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R)
Risk Assessment / Risk Analysis
Assess your own security risks.
Determine your risk tolerance or risk aversion.
Devise, implement, and maintain appropriate security to address your business requirements.
Document your decisions.
Risk Analysis
Two types:
Qualitative (easiest and most common): rating each risk on a scale, such as the impact/probability matrix below.
Quantitative (most difficult to determine): placing a dollar value on each risk based on formulas or calculations.
Risk Calculations
Each cell is the risk score for a given impact (rows) and probability of occurrence (columns). The higher the number, the greater the risk.

                    Probability of Occurrence
                      L      M      H
Impact    H           7      8      9
          M           4      5      6
          L           1      2      3
Administrative Safeguards
Assigned Security Responsibility (R): assign a Security Officer who is responsible for HIPAA Security Rule compliance. This can be the same person as the HIPAA Privacy Officer or a different person.
Workforce Security: Authorization and/or Supervision (A), Workforce Clearance Procedure (A), Termination Procedures (A)
Information Access Management: Isolating Health Care Clearinghouse Functions (R), Access Authorization (A), Access Establishment and Modification (A)
Security Awareness and Training: Security Reminders (A), Protection from Malicious Software (A), Log-In Monitoring (A), Password Management (A)
Security Incident Procedures: Response and Reporting (R)
Contingency Plan: Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing and Revision Procedures (A), Applications and Data Criticality Analysis (A)
Evaluation (R): periodic review, both non-technical and technical, of how well policies and procedures meet the Rule's requirements, including after environmental or operational changes.
Business Associate Contracts and Other Arrangements: Written Contract or Other Arrangement (R)
Physical Safeguards (§ 164.310)
The Physical Safeguards relate to the physical actions the practice must undertake to implement the Security Rule. Small practices will want to focus on limiting physical access to electronic information within the office by unauthorized personnel, using simple means such as physical barriers, locks, and supervision.
Facility Access Controls: Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A)
Workstation Use (R)
Workstation Security (R)
Device and Media Controls: Disposal (R), Media Re-use (R), Accountability (A), Data Backup and Storage (A)
Technical Safeguards (§ 164.312)
This section of the Security Rule addresses the technical measures that must be implemented to meet its requirements.
Access Control: Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A)
Audit Controls (R)
Integrity: Mechanism to Authenticate ePHI (A)
Person or Entity Authentication (R)
Transmission Security: Integrity Controls (A), Encryption (A)
Policies and Procedures and Documentation Requirements (§ 164.316)
Policies and Procedures: a covered entity must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule.
Documentation: maintain those policies and procedures in written (which may be electronic) form, and where the Rule requires an action, activity, or assessment to be documented, keep a written record of it. Its implementation specifications are all required:
Time limit (R): retain the documentation for 6 years from the date of its creation or the date it was last in effect, whichever is later.
Availability (R): make the documentation available to those persons responsible for implementing the procedures to which it pertains.
Updates (R): review the documentation periodically and update it as needed in response to environmental or operational changes affecting the security of ePHI.
Disclaimer
These materials are provided for educational purposes only, and are not legal advice or intended to be a substitute for legal advice. Parties affected by the issues discussed in these materials should consult with their legal counsel, as the specific facts of any given case will greatly influence the legal advice given.
It is important to note that these materials address an area of the law that is volatile and expected to have significant changes in the very near future, which may completely alter the applicability of these materials to any situation.
Questions
Contact
Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126