HIPAA & HITECH Briefing: Information Security & Privacy
Soumitra Sengupta, PhD, Information Security Officer
Karen Pagliaro-Meyer, Privacy Officer
Columbia University Medical Center
Thursday, June 28, 2012
AGENDA
Information Security
- Office for Civil Rights HIPAA Audit Program
- CUMC Risk Management Program
- Security Trends
Privacy
- Office for Civil Rights Update
- Breach Notification
- Omnibus Regulations
- Business Associates
- Training & Education
Latest on HIPAA Information Security
- Increase in healthcare data breaches
- Higher fines from the Office for Civil Rights (OCR)
- Cost of breaches at healthcare organizations is higher
- Breaches are more likely with mobile devices and with business associates
- Unprotected Protected Health Information (PHI) on cloud has become a breach
- OCR has initiated the HIPAA audit program
(More regulations are coming!)
HIPAA timeline of events
- HIPAA Privacy: 2003
- HIPAA Security: 2005
- HITECH 2009, Breach Notification (ARRA)
- First fine of $4.3M to Cignet Health: Feb 2011
- OIG letter to OCR and ONC: May 2011
- OCR HIPAA audit planning: July 2011
- Booz Allen Hamilton selects 150 audit candidates: Dec 2011
- KPMG completes first 20 audits: Mar 2012
- KPMG will complete 115 audits: Dec 2012
OCR published Audit program protocol… June 2012
- …77 bullet points for information security
- …88 bullet points for privacy
- …to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
CUMC OCR Risk Management Process
- Initiated in Fall 2010
- Center-wide PHI asset discovery processes
- A risk management (security) questionnaire based on HIPAA, HITECH, COBIT, PCI DSS for PHI applications (HITRUST)
- Application owners and custodians fill out the questionnaire
- Information security evaluates responses, conducts vulnerability scans (“hacking activity”)
- Critical and High risks are addressed with owners and custodians with urgency
- Application is certified and is permitted to operate officially
- Rinse and repeat
CUMC OCR Risk Management: New steps
- Risk analysis process identifies common, high risk areas
- Institution must have a Risk compliance committee consisting of senior management … which deliberates, discusses, addresses and mitigates PHI risks, helps prioritize risks and controls, allocates funds, and manages the risk management program
- Examples of risks include:
  - Generic: PHI leakage; improper access of PHI; unavailability of PHI
  - Specific: use of personal mobile devices at workplace; inadequacy of business continuity plan for research
Information security trends
- The Bring Your Own Device (“BYOD”) revolution, …but, separate personal storage systems from work place data, and vice versa
- No Gmail for PHI, period
- No personal tax forms in cubmail
- Share control of personal devices if used to access work place data
- Mobile Device Management
- Network Access Control
Information security trends
- How to hold 3rd party (including Business Associates) responsible for security at their end - Cloud
- Contracts need to be specific for HITECH
- If BAs are required to follow HIPAA explicitly, it will help
- Choose 3rd party who understand HIPAA, and will sign the BAA
- Monitoring user behavior with institutional access and data
- Monitoring and Surveillance are related
- Try not to conduct personal business at workplace
Information security trends
- Application security is a big issue with SQL injection and Cross-site scripting
- It is important to hire a programmer who knows security
- It is important to hire a system administrator who knows security
- It is crazy to hire a programmer who knows no security
- It is crazy to hire a system administrator who knows no security
Observation: We are in the midst of a culture change!!
Hot Topics and Potential Risk Areas
- Security Breaches
- Security Incident Response
- Physical Security
- Disaster Recovery and Business Continuity Planning
- Increased Enforcement
- Privacy & Security Training
- Cyber Security Incidents
- Disposal of Device Security
- Mobile Healthcare
- Use of Social Media
- Cloud Computing
- Meeting Meaningful Use Requirements
- Business Associates, Vendors, Contractors
HIPAA/HITECH Fines, Penalties & Enforcement
- 2003 – 2010: Minimal enforcement reported
- 2011: OCR reaches four (4) settlements and issued one Civil Monetary Penalty (CMP)
- 2012:
  - BCBS Tennessee fined $1.5 mil for stolen unencrypted hard drive (3/13/2012)
  - HHS Settles Case with Phoenix Cardiac Surgery for lack of HIPAA safeguards, fined $100,000 (4/13/2012)
  - South Shore Hospital Mass fined $750,000 for unencrypted tapes (5/30/2012)
Business Associate
- Business Associate - a person or entity that performs or assists with certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. 45 CFR 160.103.
- OCR proposed rule to apply HIPAA civil and criminal enforcement and penalties directly to BAs in addition to contractual liability.
Business Associates
- Important for departments to identify when a business associate agreement is needed.
- Proposed new rule may require new agreement with existing business associates.
- Proposed rule includes e-Prescribing Gateways, Personal Health Records (PHR), subcontractors of Business Associates & Health Information Exchange (HIE) organizations.
Examples of Business Associates
- Billing organizations, collection vendors & claims processing companies
- Software Support / Data Administration (electronic applications with access to PHI) – examples include: CROWN, GE, Siemens & IDX
- Data analysis / processing – e.g. research
- Quality Assurance & Customer Satisfaction services
- Medical record/information storage and destruction companies
- Accreditation organizations
- Consultants – business, financial, medical etc.
Basic Elements of a Privacy Program
[Diagram: Policies, Training, Audit, Sanctions. Labels: Controls; Evaluate, Monitor, Enforce; Consistent Corrective Action; Areas of Risk; Effective, Communicated, Enforced]
Workforce Training & Education
Faculty, staff & student education include both HIPAA Privacy & Information Security requirements
1. Welcome Program for new faculty & staff
2. New student education: medical, nursing, dental & physical therapy
3. On-line training for new faculty, staff and students
4. Refresher / remedial HIPAA training
5. Department, role & program specific training
6. HIPAA training for research staff
7. Periodic Email reminders
8. Annual Officers & Faculty Briefing
COLUMBIA UNIVERSITY MEDICAL CENTER CONFIDENTIALITY AGREEMENT
I understand that I may have access to electronic, printed, or spoken confidential information, which may include, but is not limited to, information relating to:
- Patients - including Protected Health Information (PHI), records, conversations, patient financial information, etc.;
- Employees - including salaries, employment records, disciplinary actions, etc.;
- Students - including enrollment, grade and disciplinary information;
- Research - including PHI created, collected, or used for research purposes;
- CUMC - including but not limited to financial and statistical records, strategic plans, internal reports, memos, peer review information, communications, proprietary computer programs, source code, proprietary technology, etc.;
- Third party information - including computer programs, client and vendor proprietary information, source code, proprietary technology, etc.;
- PHI and Personal Identifying Information (PII) used in other contexts.
Accordingly, as a condition of, and in consideration of my access to confidential information, I promise that:
1. I will use confidential information only as needed by me to perform my legitimate duties as defined by my relationship (faculty, employment, student, visitor, consulting, etc.) with CUMC. I will not access confidential information which I have no legitimate need to know. I will not in any way divulge, copy, release, alter, revise, or destroy any confidential information except as properly authorized within the scope of my relationship with CUMC. I will not misuse or carelessly handle confidential information. I understand that it is my responsibility to assure that confidential information in my possession is maintained in a physically secure environment.
2. I will safeguard and will not disclose to any other person my access code (password) or any other authorization code that allows me access to confidential information.
I will be responsible for misuse or wrongful disclosure of confidential information that may arise from sharing access codes with another person and/or for failure appropriately to safeguard my access code or other authorization to access confidential information. I will log off computer systems after use. I will not log on to a system or access confidential information to allow another person access to use that system. I will report any suspicion or knowledge that my access code, authorization, or any confidential information has been misused or disclosed without CUMC authorization. I will not download or transfer computer files containing confidential information to any non-NYP/CUMC authorized computer, data storage device, portable device, telephone, or other device capable of storing digitized data. I will only print documents containing confidential information in a physically secure environment, will not allow other persons access to printed confidential information, will store all printed confidential information in a physically secure environment, and will destroy all printed confidential information when my legitimate need for that information ends in a way that protects the confidentiality of the information.
3. I will follow CUMC policies and procedures regarding the use of any portable devices that may contain confidential information including the use of encryption or other equivalent method of protection.
4. I acknowledge my obligation to report to the CUMC Privacy Officer any practice by another person that violates these obligations or puts CUMC, its personnel, or its patients at risk of a disclosure of confidential information.
5. I will only use my Columbia email account to send and receive messages that may include confidential information and will not use email to send confidential information to other parties outside of Columbia/NYP without protection to prevent unauthorized access.
6. If I am involved in research, any research utilizing individually identifiable protected health information will be performed in accordance with federal, state, local and Institutional Review Board policies.
7. If I no longer need confidential information, I will dispose in a way that assures others cannot use or disclose it including following the Information Technology policy for disposal of printed confidential information or electronic equipment that may contain confidential information.
8. I understand that my communication using the Columbia University information network is not private and the content of my communication may be monitored to protect the confidentiality and security of the data.
9. I understand that my obligation under this Agreement will continue after termination of my relationship with CUMC.
10. I understand that I have no right or ownership interest in any confidential information referred to in this Agreement. CUMC may at any time revoke my access code, or access to confidential information. At all times during my relationship, I will act in the best interests of CUMC.
May 2011
Additional Training Information
- Rocket Ready: implementation expected in 2013
- New online training program to be purchased by Columbia University
- The training program will:
  - include HIPAA Privacy & IT training modules
  - track staff completion
  - produce reminders, reports etc.
  - provide an effective method to deliver regular education for all workforce members
What is your responsibility?
- Evaluate education of your workforce
- Review / monitor high risk / problem areas – encryption, portable devices, paper record storage, business associates and access to medical information
- Enforce policies & procedures with staff
- Request assistance / additional guidance when indicated
Additional Resources
- HIPAA web page: http://www.cumc.columbia.edu/hipaa/index.html
- Information Security web page: http://www.cumc.columbia.edu/it/
- Office for Civil Rights web page: http://www.hhs.gov/ocr/
- Research and HIPAA web page: http://privacyruleandresearch.nih.gov/research_repositories.asp