HIPAA & HITECH Briefing: Information Security & Privacy
Soumitra Sengupta, PhD, Information Security Officer
Karen Pagliaro-Meyer, Privacy Officer
Columbia University Medical Center
Thursday, June 28, 2012

AGENDA
Information Security
- Office for Civil Rights HIPAA Audit Program
- CUMC Risk Management Program
- Security Trends
Privacy
- Office for Civil Rights Update
- Breach Notification
- Omnibus Regulations
- Business Associates
- Training & Education

Latest on HIPAA Information Security
- Increase in healthcare data breaches
- Higher fines from the Office for Civil Rights (OCR)
- The cost of breaches at healthcare organizations is higher
- Breaches are more likely with mobile devices and with business associates
- Unprotected Protected Health Information (PHI) in the cloud has become a breach
- OCR has initiated the HIPAA audit program
- (More regulations are coming!)

HIPAA timeline of events
- HIPAA Privacy: 2003
- HIPAA Security: 2005
- HITECH Breach Notification (ARRA): 2009
- First fine of $4.3M to Cignet Health: Feb 2011
- OIG letter to OCR and ONC: May 2011
- OCR HIPAA audit planning: July 2011
- Booz Allen Hamilton selects 150 audit candidates: Dec 2011
- KPMG completes first 20 audits: Mar 2012
- KPMG will complete 115 audits: Dec 2012

Established Performance Criteria
OCR published Audit program protocol… June 2012
Excerpt from the protocol (columns: Section; Established Performance Criteria; Key Activity; Audit Procedures; Implementation Specification):

Row 1
- Section: §§ (a)(1): Security Management Process
- Established Performance Criteria: § (a)(1)(ii)(a) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health infor...
- Key Activity: Conduct Risk Assessment
- Audit Procedures: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant doc...
- Implementation Specification: Required

Row 2
- Section: § (a)(1)(i): Security Management Process
- Established Performance Criteria: Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information. Consideration...
- Key Activity: Acquire IT Systems and Services
- Audit Procedures: Inquire of management as to whether formal or informal policy and procedures exist covering the specific features of the HIPAA Security Rule information systems § (a) and (b). Obtain and review formal or informal policy and procedures and eval...

Row 3
- Section: § (a)(1)(ii)(D): Security Management Process
- Established Performance Criteria: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Key Activity: Develop and Deploy the Information System Activity Review Process
- Audit Procedures: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and p...

Callouts:
- …to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- …77 bullet points for information security
- …88 bullet points for privacy

CUMC OCR Risk Management Process
- Initiated in Fall 2010
- Center-wide PHI asset discovery processes
- A risk management (security) questionnaire based on HIPAA, HITECH, CoBIT, PCI DSS for PHI applications (HITRUST)
- Application owners and custodians fill in the questionnaire
- Information Security evaluates responses and conducts vulnerability scans (“hacking activity”)
- Critical and High risks are addressed with owners and custodians with urgency
- Application is certified and is permitted to operate officially
- Rinse and repeat

CUMC OCR Risk Management: New steps
- Risk analysis process identifies common, high-risk areas
- Institution must have a Risk Compliance Committee consisting of senior management… which deliberates, discusses, addresses and mitigates PHI risks, helps prioritize risks and controls, allocates funds, and manages the risk management program
- Examples of risks include:
  - Generic
    - PHI leakage
    - Improper access of PHI
    - Unavailability of PHI
  - Specific
    - Use of personal mobile devices at the workplace
    - Inadequacy of the business continuity plan for research

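The audit protocol excerpt above requires procedures to "regularly review records of information system activity, such as audit logs, access reports", and the risk list names "Improper access of PHI" as a generic risk. The following is an added example (not part of the briefing and not CUMC's own tooling) of what a minimal access-report review looks like in practice: it reads a constructed application access log and flags record views with no documented treatment relationship, workforce members looking up their own record, and bursts of unrelated lookups by one user. The log format, the care-team table, and the threshold are all assumptions made for the example; real systems would pull these from the EHR and the scheduling or admission feeds.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample access log (fields: timestamp,user,mrn,action). Not real data.
ACCESS_LOG = """\
2012-06-01T09:02:11,nurse01,1001,view
2012-06-01T09:05:40,nurse01,1002,view
2012-06-01T09:07:03,clerk07,1003,view
2012-06-01T22:14:55,nurse01,1004,view
2012-06-01T22:15:12,nurse01,1005,view
2012-06-01T22:15:30,nurse01,1006,view
2012-06-01T10:00:00,drsmith,2001,view
"""

# Constructed treatment relationships: which workforce members are on each patient's care team.
CARE_TEAM = {
    "1001": {"nurse01", "drsmith"},
    "1002": {"nurse01"},
    "1003": {"clerk07"},
    "1004": {"nurse02"},
    "1005": {"nurse02"},
    "1006": {"nurse02"},
    "2001": {"nurse01"},
}

# Constructed mapping of workforce members who are also patients, for the self-lookup check.
EMPLOYEE_MRN = {"drsmith": "2001"}


def review_access_log(log_text, care_team, employee_mrn, burst_threshold=3):
    """Return (rule, user, detail) findings for the privacy office to follow up.

    Rules applied, in order, to each log row:
      self-access                 user viewed the record the employee table maps to them
      no-treatment-relationship   user is not on the patient's care team
      burst-of-unrelated-access   a user accumulated >= burst_threshold unrelated views
    """
    findings = []
    unrelated_per_user = Counter()
    reader = csv.DictReader(StringIO(log_text), fieldnames=["ts", "user", "mrn", "action"])
    for row in reader:
        user, mrn = row["user"], row["mrn"]
        if employee_mrn.get(user) == mrn:
            # Own-record lookups bypass the care-team check and are reported separately.
            findings.append(("self-access", user, mrn))
            continue
        if user not in care_team.get(mrn, set()):
            findings.append(("no-treatment-relationship", user, mrn))
            unrelated_per_user[user] += 1
    # Volume check: several unrelated lookups by one user suggest browsing, not a one-off error.
    for user, count in unrelated_per_user.items():
        if count >= burst_threshold:
            findings.append(("burst-of-unrelated-access", user, f"{count} records"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, CARE_TEAM, EMPLOYEE_MRN):
        print(finding)
```

The output is a worklist, not a verdict: each finding still needs a human to confirm whether a legitimate reason (a covering shift, a consult) explains the access before any sanction is considered, which is why the function records the rule that fired alongside the user and record.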
Information security trends
- The Bring Your Own Device (“BYOD”) revolution,
  - …but separate personal storage systems from workplace data, and vice versa
  - No gmail for PHI, period
  - No personal tax forms in cubmail
- Share control of personal devices if used to access workplace data
  - Mobile Device Management
  - Network Access Control

Information security trends
- How to hold third parties (including Business Associates) responsible for security at their end - Cloud
  - Contracts need to be specific for HITECH
  - If BAs are required to follow HIPAA explicitly, it will help
  - Choose third parties who understand HIPAA and will sign the BAA
- Monitoring user behavior with institutional access and data
  - Monitoring and surveillance are related
  - Try not to conduct personal business at the workplace

Information security trends
- Application security is a big issue with SQL injection and Cross-site scripting
  - It is important to hire a programmer who knows security
  - It is important to hire a system administrator who knows security
  - It is crazy to hire a programmer who knows no security
  - It is crazy to hire a system administrator who knows no security
- Observation: We are in the midst of a culture change!!

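The slide names SQL injection and cross-site scripting as the application-security problems a programmer must understand. As an added example (not from the briefing), the pair of functions below shows each defect next to its standard fix on a constructed in-memory patient table: string-built SQL versus a bound parameter, and raw HTML interpolation versus escaping. The table, column names and the `lookup_*`/`render_*` helper names are assumptions for the example; the fixes themselves (parameter binding, output encoding) are the textbook controls for these two defect classes.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a PHI application's backend (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?)",
        [("1001", "A. Example"), ("1002", "B. Sample")],
    )
    return conn


def lookup_vulnerable(conn, mrn):
    # Defect: untrusted input is spliced into the statement text, so the database
    # parser sees whatever the caller typed as part of the SQL itself.
    sql = "SELECT mrn, name FROM patients WHERE mrn = '%s'" % mrn
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, mrn):
    # Fix: the value travels as a bound parameter; the statement text is constant,
    # so input can only ever be compared against the column, never executed.
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def render_vulnerable(name):
    # Defect: a stored value is written straight into HTML, so markup inside it
    # becomes part of the page the next viewer's browser executes.
    return "<td>%s</td>" % name


def render_hardened(name):
    # Fix: encode the value for the HTML text context it is inserted into.
    return "<td>%s</td>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # classic tautology used to demonstrate the defect
    print("vulnerable:", lookup_vulnerable(db, probe))   # returns every row
    print("hardened:  ", lookup_hardened(db, probe))     # returns nothing
    print(render_hardened("<script>alert(1)</script>"))
```

The hiring point on the slide follows directly from the code: the hardened versions are not longer or slower than the vulnerable ones, they just require a developer who knows which boundary (SQL parser, HTML parser) the data is about to cross.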
Hot Topics and Potential Risk Areas
- Cyber Security Incidents
- Disposal of Device Security
- Mobile Healthcare
- Use of Social Media
- Cloud Computing
- Meeting Meaningful Use Requirements
- Business Associates, Vendors, Contractors
- Security Breaches
- Security Incident Response
- Physical Security
- Disaster Recovery and Business Continuity Planning
- Increased Enforcement
- Privacy & Security Training

HIPAA/HITECH Fines, Penalties & Enforcement
- 2003 – Minimal enforcement reported
- OCR reached four (4) settlements and issued one Civil Monetary Penalty (CMP)
- 2012
  - BCBS Tennessee fined $1.5 mil for stolen unencrypted hard drive (3/13/2012)
  - HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards; fined $100,000 (4/13/2012)
  - South Shore Hospital, Mass., fined $750,000 for unencrypted tapes (5/30/2012)

Business Associate
- Business Associate - a person or entity that performs or assists with certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity (CFR)
- OCR proposed rule to apply HIPAA civil and criminal enforcement and penalties directly to BAs in addition to contractual liability.

Business Associates
- Important for departments to identify when a business associate agreement is needed.
- Proposed new rule may require new agreements with existing business associates.
- Proposed rule includes e-Prescribing Gateways, Personal Health Records (PHR), subcontractors of Business Associates & Health Information Exchange (HIE) organizations.

Examples of Business Associates
- Billing organizations, collection vendors & claims processing companies
- Software Support / Data Administration (electronic applications with access to PHI); examples include CROWN, GE, Siemens & IDX
- Data analysis / processing – e.g. research
- Quality Assurance & Customer Satisfaction services
- Medical record/information storage and destruction companies
- Accreditation organizations
- Consultants – business, financial, medical etc.

Basic Elements of a Privacy Program
- Policies
  - Effective
  - Communicated
  - Enforced
- Training
- Areas of Risk
- Sanctions
- Audit
- Controls
- Evaluate
- Monitor
- Enforce
- Consistent
- Corrective Action

Workforce Training & Education
- Faculty, staff & student education includes both HIPAA Privacy & Information Security requirements
- Welcome Program for new faculty & staff
- New student education: medical, nursing, dental & physical therapy
- On-line training for new faculty, staff and students
- Refresher / remedial HIPAA training
- Department, role & program specific training
- HIPAA training for research staff
- Periodic reminders
- Annual Officers & Faculty Briefing

COLUMBIA UNIVERSITY MEDICAL CENTER CONFIDENTIALITY AGREEMENT

I understand that I may have access to electronic, printed, or spoken confidential information, which may include, but is not limited to, information relating to:
- Patients - including Protected Health Information (PHI), records, conversations, patient financial information, etc.;
- Employees - including salaries, employment records, disciplinary actions, etc.;
- Students - including enrollment, grade and disciplinary information;
- Research - including PHI created, collected, or used for research purposes;
- CUMC - including but not limited to financial and statistical records, strategic plans, internal reports, memos, peer review information, communications, proprietary computer programs, source code, proprietary technology, etc.;
- Third party information - including computer programs, client and vendor proprietary information, source code, proprietary technology, etc.;
- PHI and Personal Identifying Information (PII) used in other contexts.

Accordingly, as a condition of, and in consideration of my access to confidential information, I promise that:

1. I will use confidential information only as needed by me to perform my legitimate duties as defined by my relationship (faculty, employment, student, visitor, consulting, etc.) with CUMC.
   - I will not access confidential information which I have no legitimate need to know.
   - I will not in any way divulge, copy, release, alter, revise, or destroy any confidential information except as properly authorized within the scope of my relationship with CUMC.
   - I will not misuse or carelessly handle confidential information.
   - I understand that it is my responsibility to assure that confidential information in my possession is maintained in a physically secure environment.

2. I will safeguard and will not disclose to any other person my access code (password) or any other authorization code that allows me access to confidential information.
   - I will be responsible for misuse or wrongful disclosure of confidential information that may arise from sharing access codes with another person and/or for failure to appropriately safeguard my access code or other authorization to access confidential information.
   - I will log off computer systems after use.
   - I will not log on to a system or access confidential information to allow another person access to use that system.
   - I will report any suspicion or knowledge that my access code, authorization, or any confidential information has been misused or disclosed without CUMC authorization.
   - I will not download or transfer computer files containing confidential information to any non-NYP/CUMC authorized computer, data storage device, portable device, telephone, or other device capable of storing digitized data.
   - I will only print documents containing confidential information in a physically secure environment, will not allow other persons access to printed confidential information, will store all printed confidential information in a physically secure environment, and will destroy all printed confidential information when my legitimate need for that information ends in a way that protects the confidentiality of the information.

3. I will follow CUMC policies and procedures regarding the use of any portable devices that may contain confidential information, including the use of encryption or other equivalent method of protection.

4. I acknowledge my obligation to report to the CUMC Privacy Officer any practice by another person that violates these obligations or puts CUMC, its personnel, or its patients at risk of a disclosure of confidential information.

5. I will only use my Columbia account to send and receive messages that may include confidential information, and will not use it to send confidential information to other parties outside of Columbia/NYP without protection to prevent unauthorized access.

6. If I am involved in research, any research utilizing individually identifiable protected health information will be performed in accordance with federal, state, local and Institutional Review Board policies.

7. If I no longer need confidential information, I will dispose of it in a way that assures others cannot use or disclose it, including following the Information Technology policy for disposal of printed confidential information or electronic equipment that may contain confidential information.

8. I understand that my communication using the Columbia University information network is not private and the content of my communication may be monitored to protect the confidentiality and security of the data.

9. I understand that my obligation under this Agreement will continue after termination of my relationship with CUMC.

10. I understand that I have no right or ownership interest in any confidential information referred to in this Agreement. CUMC may at any time revoke my access code, or access to confidential information. At all times during my relationship, I will act in the best interests of CUMC.

May 2011

Additional Training Information
- New online training program to be purchased by Columbia University: Rocket Ready
- Implementation expected in 2013
- The training program will
  - include HIPAA Privacy & IT training modules
  - track staff completion
  - produce reminders, reports etc.
  - provide an effective method to deliver regular education for all workforce members

What is your responsibility?
- Evaluate education of your workforce
- Review / monitor high risk / problem areas: encryption, portable devices, paper record storage, business associates and access to medical information
- Enforce policies & procedures with staff
- Request assistance / additional guidance when indicated

Additional Resources
- HIPAA web page:
- Information Security web page:
- Office for Civil Rights web page:
- Research and HIPAA web page:

Soumitra Sengupta, Information Security Officer, (212)
Karen Pagliaro-Meyer, Privacy Officer, (212)