Security Planning, Susan Lincke: Complying with HIPAA and HITECH

Posted 11-Jan-2016 (upload: antonia-harper)

TRANSCRIPT

Page 1: Title slide

Security Planning, Susan Lincke
Complying with HIPAA and HITECH

Page 2: Objectives

Security Planning: An Applied Approach | 04/21/23 | 2

Students shall be able to:
• Define HIPAA, Privacy Rule, Security Rule, CE, PHI.
• Define threat, vulnerability, threat agent.
• Describe what the Privacy Rule covers at a high level.
• Describe what the Security Rule covers at a high level.
• Describe the difference between Required and Addressable for the Security Rule.

Page 3: HIPAA

• Introduced by Senators Edward Kennedy & Nancy Kassebaum
• Portability: Workers can continue health care between different employers
• Group insurance cannot reject, not renew, or charge higher premiums of certain individuals
• Simplify administration by creating a health care transaction standard
• Accountability: Penalties for non-compliance
• Tax provisions

Page 4: HIPAA Titles

• Title 1: Health Care Insurance Access, Portability, and Renewability
• Title 2: Preventing Health Care Fraud & Abuse, Administrative Simplification, Medical Liability Reform
• Title 3: Tax-related Health Provisions: Standardizes medical savings accounts
• Title 4: Application and Enforcement of Group Health Insurance Requirements
• Title 5: Revenue Offsets: Defines how employers can deduct company-owned life insurance premiums from income tax

Page 5: Title 2 Has Three Rules

• Transactions, Code Sets, and Identifiers: Standards for electronic transmission
  • Electronic Data Interchange: Standardized records for health care transactions
• The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information
• The Security Rule: Security Standard for electronic patient health

Page 6: Reasons for Legislation

• Records of patients or insurance claims made publicly available by accident
• Email reminder to take Prozac sent to 600 (not blind cc’d)
• Woman fired from job after positive review but expensive illness
• 35% of Fortune 500 companies admitted checking medical records before hiring or promoting
• People avoid using insurance when they have AIDS, cancer, STD, substance abuse or mental illness

Page 7: Medical Identity Theft

When a person’s name and other parts of his/her medical identity are stolen for the purpose of getting medical services and goods.

Problems:
• Medical info is for wrong person
  • Inaccurate health records
  • Wrong diagnosis
  • Fatal treatments
• Imposter claims health care
  • Medical Insurance Fraud
  • Inaccurate Credit History: Bills sent elsewhere

Page 8: Medical Identity Thieves: Who can commit this crime?

• Computer hackers
• Members of organized crime rings
• Health care providers (doctors, dentists, hospital employees)

Page 9: Business Challenges Facing the Health Care Industry

• Hospital computer systems contain notes from hospital employees and primary care physicians.
• Health Insurance Companies collect and compile patient data from different providers.

Organizations MUST maintain the security of computer systems that hold health data.

Page 10: Breach Notification Laws

• State laws, called Breach Notification Laws, require CEs to notify patients when their PHI has been breached
• If data is encrypted and the laptop is lost, notification is not required
• This often applies to any industry that uses personal information, such as Social Security Numbers

The Oregonian, May 2006: In one of Oregon’s largest security breaches, Providence Health System disclosed that a burglar stole unencrypted medical records on 365,000 patients kept on disks and tapes left overnight in an employee’s van.

Page 11: HITECH: Health Information Technology for Economic and Clinical Health Act (2009)

• Breach Notification Rule: Introduced notification requirements
  • Specifies how CE/BA should notify individuals and agencies if a breach of information occurs
• PHI shall be encrypted in a way that is approved by HHS.
• PHI shall be shredded or destroyed and disposed of properly.

Page 12: Criminal Penalties for HIPAA

Offense: $ Penalty / Imprisonment
• Wrongful disclosure of individually identifiable health information: Up to $50K / Up to one year
• … committed under false pretenses: Up to $100K / Up to 5 years
• … with intent to sell, achieve personal gain, or cause malicious harm: Up to $500K / Up to 10 years

Then consider bad press, state audit, state law penalties, lost claims, …

Page 13: HITECH Act (2009)

Civil penalty tier: Each Violation / Max $ Per Year
• CE/BA exercised reasonable diligence but did not learn about violation: $100-$50k / $1.5 Million
• Violation is due to reasonable cause: $1k-$50k / $1.5 Million
• CE/BA demonstrated willful neglect but corrected violation: $10k-$50k / $1.5 Million
• CE/BA demonstrated willful neglect and took no corrective action: $50k / $1.5 Million

• Penalties are prohibited if the problem is corrected within 30 days and there is no willful neglect
• Penalties pay for enforcement and redress for harm caused

Page 14: Health Care Organization: Covered Entities (CE)

Diagram (labels recovered from the slide): the Covered Entities inside a Health Care Organization are the Health Care Clearinghouse, the Health Care Provider (e.g., doctor, hospital) and the Health Plan (e.g., HMO, PPO). The flows between them are labelled "Standard bills/records", "Nonstandard bills/records" and "Standard bills/records".

Page 15: Health Care Organization: Business Associates (BA)

Diagram (labels recovered from the slide): Covered Entities (CE) are the Health Care Clearinghouse, Health Care Provider and Health Plan. Business Associates (BA) work for the CEs.
• Performs: Claims Processing, Transcription, Billing, Data Analysis
• Independent organization
• Work involves health info
• Not bank or post office

Page 16: Protected Health Information (PHI)

Diagram (labels recovered from the slide):
• Health Information: relates to physical or mental health, or past/present/future payment
• Identifiers: Name, SSN, city or county, zip code, phone or fax, medical record #, fingerprint
• Health Information + Identifiers = Individually Identifiable Health Information
• Individually Identifiable Health Information created or maintained by a CE or BA = Protected Health Information (PHI), covered by HIPAA & HITECH

If YOU had AIDS, how could such identifiers identify you?

Page 17: Treatment, Payment & Health Care Operations (TPO)

• Treatment: Provision & coordination of health care among health care providers, including referral
• Payment: Any activities involved in compensation for health care: billing, determining coverage or eligibility, analyzing services
• Health Care Operations: Administrative functions related to health care: financial or legal or quality improvement, training, certification, case mgmt, business planning

Page 18: HIPAA Standard Transactions

Diagram (labels recovered from the slide) with three parties: Plan Sponsor (Employer), Health Care Provider (e.g., doctor, hospital), Health plan (e.g., HMO, PPO).
• Transactions between provider and health plan: Health Plan Eligibility Inquiry, Certification & Authorization of Referral, Health Care Claim, Health Care Claim Status Request
• Transactions between plan sponsor and health plan: Enrollment or Disenrollment into Health Plan, Health Plan Premium Payment
• Transactions from health plan back to provider: Health Care Claim Payment, Certification & Authorization of Referral

Page 19: The Genetic Information Nondiscrimination Act of 2008

Protects against some types of genetic testing discrimination:
• Insurance companies can’t make eligibility decisions based on genetic testing results.
• Insurance companies can’t base the cost of premiums on genetic testing results.
• Employers can’t hire, fire or make job decisions based on the use of genetic testing.
• Employers/Health Insurance Plans cannot require genetic testing.

Page 20: The HIPAA Privacy Rule

Page 21: Privacy Rule: Develop Policies

CE/BAs shall:
• Develop policies, procedures, and standards for how it will adhere to the Privacy Rule. How will the CE/BA:
  • use and disclose PHI?
  • protect patient rights?
• Regularly review policies and procedures
• Update policies when new requirements emerge
• Monitor that policies/procedures are consistently applied throughout the organization

Page 22: Privacy Rule: No Non-Health Usage of PHI

Health information is not to be used for non-health purposes, unless an individual gives explicit permission.

The National Law Journal, May 30, 1994: A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer.

Page 23: Privacy Rule: Need-to-Know Access

CE/BA employees should have access only to what is absolutely required as part of their jobs.
• What individuals should have access to PHI?
• What categories of PHI should individuals have access to?
• What conditions are required for access?
• How will Business Associates & Trading Partners be informed and controlled?

Washington Post, March 1, 1995: The 13-year-old daughter of a hospital employee took a list of patients’ names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them they were diagnosed with HIV.

Page 24: Privacy Rule: Protections against Marketing

CE must obtain permission before sending any marketing materials, with limited exceptions.

Boston Globe, August 1, 2000: A patient at Brigham and Women’s Hospital in Boston learned that employees had accessed her medical record more than 200 times.

Page 25: Privacy Rule: Establish Privacy Safeguards

Required:
• Shut or locked doors
• Keep voice down
• Clear desk policy
• Privacy curtains
• Password protection
• Auto screen savers
• Locked cabinets
• Paper shredders

Not Required:
• Soundproof rooms
• Redesign office space
• Private hospital rooms (semiprivate ok)
• OK for doctors to talk to nurses at nurse stations

Safeguards should be REASONABLE

Page 26: Privacy Rule: Employee Training & Accountability

• Each CE organization shall name one person who is accountable for Privacy Rule compliance
• Each employee, volunteer, contractor shall be trained in privacy policies and procedures
  • Full and Part-time

New York Times, Jan. 19, 2002: Eli Lilly and Co. inadvertently revealed over 600 patient e-mail addresses when it sent an e-mail message to every individual registered to receive reminders about taking Prozac.

Page 27: Privacy Rule: Individual Privacy Rights

Patients have the right to:
• See or obtain copies of medical information (except for psychotherapy notes)
• Request correction to health record
• Receive a Notice of Privacy Practices
• Request restrictions as to who can see PHI
• Request specific method of contact for sake of privacy
• Know who has accessed PHI
• File a complaint if their rights have been violated
• Allow and withdraw authorizations for use and disclosure

CE must:
• Respond to requests within 30 days
• May extend delay with notice for another 30 days
• Keep records of how PHI is disclosed

Page 28: Notice of Privacy Practices

Privacy Requirements:
• NPP must be available when asked for
• NPP must be displayed prominently in the office
• Health Plan must provide upon enrollment
• Health Provider must provide on first service delivery
• Both must request written acknowledgment of receipt of NPP
• After change, revised NPP must be issued to clients within 60 days

Electronic Requirements (if web page):
• Must be displayed prominently on web page
• Must be emailed to customers after a change in NPP

Page 29: Required & Permitted Disclosures

Required Disclosure:
• Patient (or personal representative, e.g., parent, next of kin)
• Office of Civil Rights Enforcement: Investigates potential violations to Privacy Rule

Permitted Disclosure:
• Minimum-Necessary PHI may be disclosed without authorization for: judicial proceedings, coroner/funeral, organ donation, approved research, military-related situations, government-provided benefits, worker’s compensation, domestic violence or abuse, some law enforcement activities
• ID must be verified by proof of identity/badge and documentation

Page 30: More Disclosures

• Routine Disclosure: Disclosures that happen periodically should be addressed in policies, procedures, forms. E.g.: Referral to another provider, school immunization, report communicable disease, medical transcription, births, deaths & other vital statistics
• Non-routine Disclosure: CEs shall have reasonable criteria to review requests for non-routine PHI disclosures. E.g., Research disclosures
• Incidental Disclosure: CEs shall have reasonable safeguards. E.g. Patient overhears advice given to another patient
• Accidental Disclosure: Computer is stolen with PHI

Disclosures must be tracked for THREE years
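Added example, not from the slides: a disclosure ledger that can answer a patient's "who has my PHI been disclosed to" request (slide 27) within the three-year tracking period stated above, and that flags non-routine disclosures whose purpose needs a signed authorization (slide 31) but have none on file. The patients, recipients, dates and the authorization id are constructed sample data.

```python
# Added example (not from the slides): an accounting-of-disclosures ledger.
# All entries, purposes and authorization ids below are constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

TRACKING_PERIOD = timedelta(days=3 * 365)   # slide: disclosures are tracked for three years

# Purposes the slides list as requiring patient authorization (slide 31).
PURPOSES_NEEDING_AUTHORIZATION = {"research", "employer", "other_insurer", "lawyer"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str                      # e.g. "referral", "communicable_disease", "research"
    kind: str                         # "routine", "non-routine", "incidental", "accidental"
    what: str                         # which PHI left the CE
    authorization_id: Optional[str] = None


class DisclosureLedger:
    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        self._entries.append(d)

    def accounting_for(self, patient_id: str, as_of: date) -> List[Disclosure]:
        """Disclosures inside the tracking period, newest first, for a patient's request."""
        cutoff = as_of - TRACKING_PERIOD
        rows = [d for d in self._entries
                if d.patient_id == patient_id and cutoff <= d.disclosed_on <= as_of]
        return sorted(rows, key=lambda d: d.disclosed_on, reverse=True)

    def missing_authorization(self) -> List[Disclosure]:
        """Disclosures whose purpose needs a signed authorization but none is on file."""
        return [d for d in self._entries
                if d.purpose in PURPOSES_NEEDING_AUTHORIZATION and not d.authorization_id]


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample entries (fictional patients and recipients)."""
    ledger = DisclosureLedger()
    for d in [
        Disclosure("P-1001", date(2012, 9, 1), "Former insurer", "payment", "routine", "claim summary"),
        Disclosure("P-1001", date(2014, 6, 15), "State health dept", "communicable_disease", "routine", "diagnosis code"),
        Disclosure("P-1001", date(2015, 8, 8), "Other patient in waiting room", "incidental", "incidental", "overheard advice"),
        Disclosure("P-1001", date(2015, 11, 2), "Referral clinic", "referral", "routine", "referral letter"),
        Disclosure("P-1001", date(2015, 12, 20), "University study", "research", "non-routine", "full record"),
        Disclosure("P-2002", date(2015, 10, 5), "Employer of patient", "employer", "non-routine", "drug test result", "AUTH-0042"),
    ]:
        ledger.record(d)
    return ledger


def demo(as_of: date = date(2016, 1, 11)) -> dict:
    """Run the two reports against the sample ledger; the 2012 entry falls outside the three-year window."""
    ledger = build_sample_ledger()
    return {
        "recipients": [d.recipient for d in ledger.accounting_for("P-1001", as_of)],
        "unauthorized": [d.recipient for d in ledger.missing_authorization()],
    }


if __name__ == "__main__":
    print(demo())
```

The ledger keeps every entry (the slides elsewhere require six-year retention of authorizations and policies); only the patient-facing accounting is limited to the three-year window, and the incidental disclosure is listed too, since the slide asks for all disclosures to be tracked.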

Page 31: Disclosures Requiring Authorization

• Research project (special conditions may allow)
• Person outside health care system
• Employer
  • However, employer may require authorization for drug test before hiring
• Other insurance companies
• Health care provider not involved in patient’s health care
• Insurance company not paying patient’s claims
• Lawyer

Patient should get copy of authorization

Page 32: Sample Authorization Form

Disclosure Authorization Form
Description of Information: _____________________________________
Patient making authorized disclosure: ____________________________
Person receiving information: __________________________________
Purpose of the disclosure:
Authorization Expiration Date: ________________
Patient Signature: __________________________ Date: ____________

A form to revoke authorization must be completed to terminate authorization.
Must be retained by CE for 6 years

Page 33: Implementing ‘Minimum Necessary’

• Minimum necessary: Just enough info to accomplish the main purpose
  • E.g., Send prescription for glasses to optician, not medical history
• Data Classification
  • Sensitivity of information
  • Type of treatment required
• Questions to Answer
  • What parts of record can each user type access?
  • How will we constrain access to implement view?
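Added example, not from the slides or the textbook: a field-level view that turns the two questions above into code. Each record field carries a data classification, each user type is allowed a set of classes, and the view returns only the matching fields. The field names, classes and the three roles are assumptions constructed for illustration; the fail-closed behaviour (unknown role gets nothing, an unclassified field is withheld from everyone) is the point a practitioner should take away.

```python
# Added example (not from the slides): a minimum-necessary view over a patient record.
# Field names, classifications and roles are assumptions constructed for illustration.
from typing import Dict, Set, Tuple

# Data classification: every field of the record is tagged with a sensitivity class.
FIELD_CLASS: Dict[str, str] = {
    "name": "identifier",
    "dob": "identifier",
    "ssn": "identifier",
    "home_address": "identifier",
    "insurance_id": "payment",
    "balance_due": "payment",
    "eyeglass_rx": "vision",
    "diagnosis_history": "clinical",
    "medications": "clinical",
}

# Minimum necessary per user type: the classes each role needs to do its job.
ROLE_VIEW: Dict[str, Set[str]] = {
    "optician": {"vision"},                                  # glasses prescription, not the history
    "billing_clerk": {"payment"},
    "treating_physician": {"clinical", "vision", "payment"},
}

# Fields every role needs just to match the record to the right patient.
ALWAYS_VISIBLE: Set[str] = {"name", "dob"}


def minimum_necessary_view(record: Dict[str, str], role: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (visible_fields, withheld_fields) for this role.

    Fails closed: an unknown role is refused, and a field that has never been
    classified is withheld from every role until someone classifies it.
    """
    if role not in ROLE_VIEW:
        raise PermissionError(f"no access view defined for role {role!r}")
    allowed = ROLE_VIEW[role]
    visible: Dict[str, str] = {}
    withheld: Set[str] = set()
    for name, value in record.items():
        if name in ALWAYS_VISIBLE or FIELD_CLASS.get(name) in allowed:
            visible[name] = value
        else:
            withheld.add(name)          # log these if you want to audit over-requesting
    return visible, withheld


def sample_record() -> Dict[str, str]:
    """Constructed sample patient record (fictional values)."""
    return {
        "name": "Pat Example",
        "dob": "1970-01-01",
        "ssn": "000-00-0000",
        "home_address": "1 Example St",
        "insurance_id": "INS-TEST-1",
        "balance_due": "120.00",
        "eyeglass_rx": "OD -1.25, OS -1.50",
        "diagnosis_history": "[clinical text]",
        "medications": "[list]",
        "lab_notes_draft": "free text nobody has classified yet",   # withheld from all roles
    }


if __name__ == "__main__":
    rec = sample_record()
    for role in ROLE_VIEW:
        visible, withheld = minimum_necessary_view(rec, role)
        print(f"{role:20s} sees {sorted(visible)}; withheld {sorted(withheld)}")
```

In a real system the classification table and the role table would be owned by the data owner, not the developer, and the withheld set would feed the access-report review that the Security Rule asks for.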

Page 34: Business Associates (BA)

Business Associates (must also be responsible with PHI):
• Legal
• Actuarial
• Accounting & Finance
• Consulting
• Administration & Management
• Accreditation

Not Business Associates:
• Janitorial
• Electrical
• Phone
• Vending
• Copy
• Conduit: Mail
• Financial Institution: Banks

Page 35: Business Associate Contract (BAC)

CEs must request the BA to sign a BAC:
• BA will not disclose PHI
• BA is liable for damage due to disclosure or misuse
• BA will use safeguards to prevent misuse
• BA will report any security incident or violation of agreement
• BA will destroy or protect PHI upon termination of contract
• CE can terminate contract if violation occurs
• CE will provide BA copies of policies, procedures and materials for safeguarding
• Etc.

BAs are as liable as CEs under the HITECH Act

Page 36: HITECH: Health Information Technology for Economic and Clinical Health Act (2009)

• BAs must follow the HIPAA Security Rule.
• BAs are held to the same standard as CEs.
• Health & Human Services (HHS) can:
  • require BAs to comply with HIPAA.
  • enforce penalties on noncompliant BAs.

Page 37: Violation of HIPAA Privacy Rule: WTHR Investigation Leads to Record $2.25M HIPAA Settlement, Indianapolis, IN, 2006

• Reported that CVS was “throwing sensitive personal information in the trash” (e.g.: unredacted pill bottles, prescription instruction sheets, pharmacy receipts with credit card information and health insurance account numbers).
• After this, other CVS pharmacies were investigated and it was found that they also were improperly disposing of PHI.
• In the settlement CVS was required to:
  • Create an information security program to protect personal information.
  • Get an independent audit every 2 years until 2029.
  • Pay $2.25 million to settle claims.
• CVS agreed to:
  • Implement a security plan that complies with HIPAA’s Privacy Rule.
  • Protect information during disposal.
  • Develop employee training programs.

Page 38: The HIPAA Security Rule

Page 39: Security Rule Enforces Privacy Rule on Computers

Privacy Rule | Security Rule
• With or w/o computer | With computer
• Protect PHI | Protect EPHI
• Minimum Necessary | Authentication & Access Control
• Accounting of Disclosures | Unique Login Credentials, Authentication; Track modifications to EPHI: Who did what when?

Page 40: Security Vocabulary

• Asset: Diamonds
• Threat: Theft
• Vulnerability: Open door or windows
• Threat agent: Burglar
• Owner: Those accountable or who value the asset
• Risk: Danger to assets

Page 41: Security Rule Assures…

Page 42: Security Services

• Authentication
• Access Control
• Data confidentiality
• Data integrity
• Data backup & recovery
• Nonrepudiation = Cannot say it wasn’t you who sent or received data
• Risk Management

Page 43: Risk Management

• Risk assessment
• Policy & Procedures Maintenance
• Security Program Enforcement
  • Audit logs, vulnerability assessments, audit for procedure adherence and control effectiveness
  • Patches are applied to software
  • Data is available, confidential, & integrity is protected

Page 44: Security Rule Standards

Diagram (labels recovered from the slide): the Security Rule consists of Administrative Controls, Physical Controls and Technical Controls. It is Comprehensive, Technology Neutral and Scalable (small or large). Look to best practices for technology answers, e.g. NIST.

Page 45: Three Areas of Safeguards

The Security Rule covers:
• Administrative: Administrative policies, procedures, and actions to implement and maintain security controls to protect EPHI, including risk mgmt, access control, contingency plans, incident response.
• Physical: Protection of the physical access to terminals, laptops, servers, backup tapes, CDs, memory, including viewing, access, maintenance and disposal.
• Technical: Protection using technology tools to protect EPHI, including logs, encryption, authentication

Page 46: Policies & Procedures

Policies and Procedures MUST BE:
• Retained for 6 years after date of creation or last effect
• Available to workers responsible for them
• Updated regularly, accommodating changes in environment & operations

Page 47: Security Rule Standard

Each Security Rule standard has implementation specifications that are either Required or Addressable:
• Required: DO IT!
• Addressable: This is recommended… Address this in some way… Implement an equivalent alternative measure… If it doesn’t apply, document well why not… “We do this instead: …”
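Added example, not from the slides: the Required/Addressable decision above written as code, so that a compliance checklist is scored the same way every time. A Required specification is only satisfied by implementing it; an Addressable one is satisfied by implementing it, by a documented equivalent alternative, or by a documented reason it does not apply. The specification names are taken from later slides in this deck; the implementation statuses are constructed.

```python
# Added example (not from the slides): scoring Required vs Addressable implementation
# specifications. Specification names come from the deck; statuses are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Spec:
    name: str
    kind: str            # "R" = Required, "A" = Addressable


@dataclass
class Status:
    implemented: bool = False
    alternative: Optional[str] = None             # "We do this instead: ..."
    not_applicable_reason: Optional[str] = None   # "If it doesn't apply, document well why not"


def _documented(text: Optional[str]) -> bool:
    """Blank or whitespace-only text does not count as documentation."""
    return bool(text and text.strip())


def evaluate(spec: Spec, status: Status) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok' or 'gap'."""
    if spec.kind == "R":
        if status.implemented:
            return "ok", "required specification implemented"
        # An alternative or a rationale never satisfies a Required specification.
        return "gap", "required specification must be implemented as written"
    if spec.kind != "A":
        raise ValueError(f"unknown kind {spec.kind!r} for {spec.name}")
    if status.implemented:
        return "ok", "addressable specification implemented"
    if _documented(status.alternative):
        return "ok", f"equivalent alternative documented: {status.alternative.strip()}"
    if _documented(status.not_applicable_reason):
        return "ok", f"documented as not applicable: {status.not_applicable_reason.strip()}"
    return "gap", ("addressable specification not implemented, and neither an alternative "
                   "nor a not-applicable rationale is documented")


def assess(items: List[Tuple[Spec, Status]]) -> List[Tuple[str, str, str]]:
    """Score a whole checklist: [(spec name, verdict, reason), ...]."""
    return [(spec.name, *evaluate(spec, status)) for spec, status in items]


def sample_assessment() -> List[Tuple[str, str, str]]:
    """Constructed statuses for a few specifications named on the slides."""
    return assess([
        (Spec("Risk Analysis", "R"), Status(implemented=True)),
        (Spec("Unique User Identification", "R"), Status(alternative="shared ward login")),   # gap: R needs the real thing
        (Spec("Encryption and Decryption", "A"), Status(alternative="EPHI kept only on servers in a locked room; documented in the risk analysis")),
        (Spec("Automatic Logoff", "A"), Status(not_applicable_reason="   ")),                  # gap: blank rationale
        (Spec("Testing & Revision Procedure", "A"), Status(implemented=True)),
    ])


if __name__ == "__main__":
    for name, verdict, reason in sample_assessment():
        print(f"{verdict:4s} {name}: {reason}")
```

Whether an alternative is actually "equivalent" is a judgement the risk analysis has to support; the code only enforces that the judgement was written down.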

Page 48: Administrative: Security Mgmt Process

(R = Required, A = Addressable)
• Risk Analysis (R): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the CIA of EPHI held by the CE.
• Risk Mgmt (R): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule
• Sanction Policy (R): Apply appropriate penalties against workforce members who fail to comply with the entity’s security policies and procedures
• Info System Activity Review (R): Implement procedures to regularly review records of IS activity, such as audit logs, access reports, and security incident tracking reports

Page 49: Security Mgmt Implications

Discussion (speech bubbles on the slide):
• “The Sanction policy basically requires we all sign a confidentiality agreement and if someone breaks the rule, they could be fired.”
• “We will need an IT person to regularly check logs to be sure our system was not broken into.”
• “Risk assessment must be ‘accurate and thorough’ – that will be a challenge!”
• “And all are Rs…”

Figure label: Security Mgmt Process

Page 50: Administrative: Workforce Security

• Authorization and/or Supervision (A): Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed
• Workforce Clearance Procedure (A): Implement procedures to determine that the access of a workforce member to EPHI is appropriate
• Termination Procedures (A): Implement procedures for terminating access to EPHI when the employment of a workforce member ends…

Page 51: Workforce Security Implications

Discussion (speech bubbles on the slide):
• “We must have procedures to allocate authorization, periodically check authorization, and procedures to terminate someone.”
• “They are asking for checks and balances with supervision or authorization.”
• “We are a three person operation, can we get away with not doing this? Must we document our situation? These are As.”

Figure label: Workforce Security

Page 52: Administrative: Information Access Mgmt

• Isolating Health Care Clearinghouse (CH) Function (R): If a health care CH is part of a larger organization, the CH operation must implement policies and procedures that protect the EPHI of the CH from unauthorized access by the larger organization
• Access Authorization (A): Implement policies and procedures for granting access to EPHI – e.g., through access to a workstation, transaction, program, process, or other mechanism
• Access Establishment & Modification (A): Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program or process.

Page 53: Info Access Mgmt Implications

Discussion (speech bubbles on the slide):
• “It is an implementation: We must define a data owner for each major process.”
• “Isn’t this the same as the previous rule?”
• “And then our IT people must define how they will grant access based upon the data owner’s decisions.”

Figure label: Info Access Mgmt

Page 54: Administrative: Security Awareness & Training

• Security Reminders (A): Provide periodic security updates to members of the workforce
• Protection from Malicious Software (A): Implement procedures for guarding against, detecting, and reporting malicious software
• Login Monitoring (A): Implement procedures for monitoring login attempts and reporting discrepancies
• Password Mgmt (A): Implement procedures for creating, changing and safeguarding passwords

What do you think these mean?
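Added example, not from the slides: one concrete reading of two of these specifications, run over constructed audit-log lines. It covers Login Monitoring above (report a burst of failed logins) and the Info System Activity Review of access reports from the Security Mgmt Process slide (EPHI reads by someone no longer in the active workforce, and EPHI reads outside business hours that deserve a look). The log format, the thresholds, the business-hours window and the user names are all assumptions for this example.

```python
# Added example (not from the slides): reviewing constructed audit-log lines for login
# discrepancies and questionable EPHI access. Format, thresholds and names are assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: record=(?P<record>\S+))? src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 3                   # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this window is a discrepancy to report
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59; EPHI reads outside are listed for review
ACTIVE_WORKFORCE = {"nurse1", "admin2", "doc7"}   # exclerk's access should have been terminated

# Constructed sample log (fictional users, records and addresses).
SAMPLE_LOG = """\
2016-01-11T08:02:11 user=nurse1 event=LOGIN_OK src=10.0.0.21
2016-01-11T08:03:40 user=nurse1 event=EPHI_READ record=MRN-0001 src=10.0.0.21
2016-01-11T02:10:01 user=admin2 event=LOGIN_FAIL src=203.0.113.9
2016-01-11T02:10:15 user=admin2 event=LOGIN_FAIL src=203.0.113.9
2016-01-11T02:10:29 user=admin2 event=LOGIN_FAIL src=203.0.113.9
2016-01-11T02:10:44 user=admin2 event=LOGIN_FAIL src=203.0.113.9
2016-01-11T02:11:02 user=admin2 event=LOGIN_OK src=203.0.113.9
2016-01-11T02:12:30 user=admin2 event=EPHI_READ record=MRN-0002 src=203.0.113.9
2016-01-11T14:20:00 user=exclerk event=EPHI_READ record=MRN-0003 src=10.0.0.40
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def parse(log: str) -> List[dict]:
    """Parse the lines we understand and return them in time order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # a production review would also count unparseable lines
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def review(log: str) -> List[Finding]:
    events = parse(log)
    findings: List[Finding] = []

    # Login monitoring: FAIL_THRESHOLD failures for one user inside FAIL_WINDOW (one finding per user).
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    for user, times in fails.items():
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                findings.append(Finding("failed_login_burst", user,
                                        f"{FAIL_THRESHOLD}+ failed logins within {FAIL_WINDOW} from {times[i]}"))
                break

    # Activity review: EPHI access by inactive users, or outside business hours.
    for e in events:
        if e["event"] != "EPHI_READ":
            continue
        if e["user"] not in ACTIVE_WORKFORCE:
            findings.append(Finding("inactive_user_ephi", e["user"],
                                    f"read {e['record']} but is not an active workforce member"))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(Finding("after_hours_ephi", e["user"],
                                    f"read {e['record']} at {e['ts']} from {e['src']}"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.rule:20s} {f.user:10s} {f.detail}")
```

On the sample log the review reports admin2 twice (the failed-login burst, then an EPHI read at 02:12 right after the burst) and exclerk once; nurse1, an active user reading a record during business hours, produces nothing. The after-hours rule is a review trigger, not a verdict: the point of the Info System Activity Review is that a person looks at these regularly.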

Page 55: Administrative: Contingency Plan

• Data Backup Plan (R): Establish and implement procedures to create and maintain retrievable exact copies of EPHI
• Disaster Recovery Plan (R): Establish … procedures to restore any loss of data
• Emergency Mode Operation Plan (R): The emergency mode operation plan requires CEs to establish … procedures to enable continuation of critical business processes, while maintaining the security of EPHI while operating in emergency mode
• Testing & Revision Procedure (A): Implement procedures for periodic testing and revision of contingency plans.
• Applications & Data Criticality Analysis (A): Assess the relative criticality of specific applications and data in support of other contingency plan components.

Page 56: Administrative: One-Line Safeguards

• Assigned Security Responsibility (R): Identify the security official who is responsible for the development and implementation of the policies and procedures required by this rule for the entity.
• Security Incident Procedures (R): Implement policies & procedures to address security incidents. Identify and respond to suspected or known security incidents; mitigate … harmful effects of security incidents that are known to the CE; and document security incidents and their outcomes.

Page 57: Administrative: More One-Line Safeguards

• Evaluation (R): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of EPHI, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart
• BA Contracts and Other Arrangements (R): A BA [may] create, receive, maintain, or transmit EPHI on the CE’s behalf only if the CE obtains satisfactory assurances that the BA will appropriately safeguard the information.

Page 58: Info Access Mgmt Implications

Discussion (speech bubbles on the slide):
• “That makes sense when technology changes, but I guess we have to do it periodically as well, since the world changes.”
• “According to Evaluation, we must self-test or be certified on a regular basis, to be sure we follow the Security Rule.”
• “We need to know who, what, when, where, why for incident response.”
• “Who shall we name as our Security Manager?”

Figure label: Evaluation

Page 59: Physical Safeguards: Facility Access Controls

Facility Access Controls: Implement policies and procedures to limit physical access to electronic info systems and areas where sensitive paper documents are stored and any facilities in which they are housed, while ensuring authorized access
• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control & Validation Procedures (A)
• Maintenance Records (A)

Page 60: Physical Safeguards: Facility Access Control

• How will physical access be restricted to sensitive paper documents, terminals, server, backup copies, laptops, contingency operations in copy, view, or modify forms?
• How are visitors controlled from accessing PHI/EPHI?
• When repairs occur (to facility or systems) how will PHI/EPHI be safeguarded?

Page 61: Physical Safeguards: Workstations

• Workstation Use (R): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can be used to access EPHI
• Workstation Security (R): Implement physical safeguards for all workstations that can be used to access EPHI, to restrict access to authorized users

Page 62: Workstation Use and Security

• What functions will be performed on which workstations?
• How will workstation access be limited when the user leaves their station?
• How will theft of laptops be prevented?
• How will the workstations be positioned? What other physical safeguards (locked rooms, hoods) will be implemented to prevent shoulder surfing?

Page 63: Security Planning Susan Lincke Complying with HIPAA and HITECH


Physical Safeguards: Device & Media Controls

Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media and devices that contain EPHI into and out of a worksite or facility, and the movement of these items within the worksite or facility.

Disposal (R)
Media Reuse (R)
Accountability (A)
Data Backup and Storage (A)

Page 64: Security Planning Susan Lincke Complying with HIPAA and HITECH


Device & Media Controls

How will media be erased or damaged before disposal or reuse? Reformatting a disk may not be adequate, even for reuse.
How, when and where has EPHI been moved or transferred? Documentation is necessary.
How is a backup made, and where/how is it stored?

Page 65: Security Planning Susan Lincke Complying with HIPAA and HITECH


Technical Safeguards: Access Control

Access Control: Implement technical policies and procedures for electronic info systems that maintain EPHI. These policies and procedures should contain access protocols that will establish and enforce the entity's other access policies, and allow access only to those persons or software programs that have been granted access rights.

Unique User Identification (R)
Emergency Access Procedure (R)
Automatic Logoff (A)
Encryption and Decryption (A)

Page 66: Security Planning Susan Lincke Complying with HIPAA and HITECH


Technical Safeguards: Access Control

How is each user uniquely identified to the system?
How does authentication occur?
In an emergency, what backup methods are used for authentication?
How does automatic logoff occur after a period of inactivity?
Which data is encrypted in storage and/or transmission?

Page 67: Security Planning Susan Lincke Complying with HIPAA and HITECH


Technical Safeguards: Transmission Security

Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

Integrity Controls (A)
Encryption (A)

Page 68: Security Planning Susan Lincke Complying with HIPAA and HITECH


Technical Safeguards: Transmission Security

How are we sure that data is not modified or lost during transmission?
What encryption techniques are used to protect the security of EPHI transmitted over a public network?

Page 69: Security Planning Susan Lincke Complying with HIPAA and HITECH


Other Technical Safeguards

Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI (R)

Integrity: Implement policies and procedures to protect EPHI at rest, meaning stored on organizational systems and applications, from improper alteration or destruction (A)

Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed (R)

Page 70: Security Planning Susan Lincke Complying with HIPAA and HITECH


Other Technical Safeguards

For which devices will the logs be monitored?
What log events should be archived for security purposes?
How will potential attacks found in logs be recorded, reported, and acted upon?
What techniques will be used to ensure stored data has not been modified (hashes, message digests)?
What authentication mechanisms will be used to assure that approved entities (people or systems) are accessing EPHI?
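The Integrity and Audit Controls questions above can be answered together in code: a keyed message digest (HMAC-SHA256) is stored with each EPHI record so that alteration at rest is detectable, and every read is logged under the reader's unique user id together with the integrity result. This is an added illustration, not code from the presentation; the record fields, the in-memory audit log and the hard-coded key are constructed for the example (a real deployment would keep the key in a key-management system).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed example key; in production this lives in a KMS/HSM, never in source.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Constructed in-memory audit trail; a real system writes to append-only storage.
AUDIT_LOG: list = []


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the tag does not depend on field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> dict:
    """Return the stored form: the record plus a keyed digest over its canonical bytes.
    A keyed digest (rather than a plain hash) means someone who alters the record
    cannot simply recompute a matching tag without the key."""
    tag = hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(stored: dict) -> bool:
    """Recompute the digest and compare in constant time."""
    expected = hmac.new(INTEGRITY_KEY, canonical(stored["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])


def audited_read(stored: dict, user_id: str) -> Optional[dict]:
    """Read a record under a unique user id; log the access and whether integrity held.
    Returns None (and leaves a log entry to act upon) if the record failed verification."""
    ok = verify(stored)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": "read",
        "patient_id": stored["data"].get("patient_id"),
        "integrity_ok": ok,
    })
    return stored["data"] if ok else None


if __name__ == "__main__":
    rec = seal({"patient_id": "P-0001", "diagnosis": "constructed sample"})
    print(audited_read(rec, "nurse.jdoe"))      # record returned, integrity_ok=True logged
    rec["data"]["diagnosis"] = "altered"        # simulate improper alteration at rest
    print(audited_read(rec, "nurse.jdoe"))      # None, integrity_ok=False logged
    print(json.dumps(AUDIT_LOG, indent=1))
```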

Page 71: Security Planning Susan Lincke Complying with HIPAA and HITECH


Question

An example of a vulnerability is:
1. Theft
2. Burglar
3. Open door
4. Diamonds

Page 72: Security Planning Susan Lincke Complying with HIPAA and HITECH


Question

Protected Health Information is:
1. SSN, medical information
2. Name, SSN, medical information
3. Name, address, SSN, phone, medical information
4. Medical information stored in a computer

Page 73: Security Planning Susan Lincke Complying with HIPAA and HITECH


Question

The Security Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of the waiting room

Page 74: Security Planning Susan Lincke Complying with HIPAA and HITECH


Question

The Privacy Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of the waiting room

Page 75: Security Planning Susan Lincke Complying with HIPAA and HITECH


Question

The Addressable option for the Security Rule means:
1. Smaller organizations need not implement if they can justify it would be too expensive
2. HIPAA discusses alternative means to accomplish this, and the organization must select one
3. The CE must document how they accomplish this provision
4. This provision must be implemented or addressed in some way, although alternative implementations are allowed

Page 76: Security Planning Susan Lincke Complying with HIPAA and HITECH


Summary

HIPAA protects Protected Health Information (PHI)
Applicable to Covered Entities and their Business Associates
In General:
•Privacy Rule covers Need-to-know, Disclosures, Notice of Privacy Practice, non-electronic privacy
•Security Rule covers Administrative, Physical and Technical Safeguards
•HITECH increases penalties for non-compliance
HIPAA is an example of state-of-the-art Privacy and Security regulation
Most of each chapter of this book is required for HIPAA

Page 77: Security Planning Susan Lincke Complying with HIPAA and HITECH


Not Covered in this Presentation

Some specialized material is not being covered as part of this presentation, including:
Hybrid Entities: Part Covered, Part Not
Organized Health Care Arrangement (OHCA): Group of doctors
Jointly Administered Govt. Program
Trading Partner: CEs exchange electronic transactions without a clearinghouse
COBRA