Presentation on theme: "HIPAA Security NWOAHU Presented by Barb Gerken 11/12/2013."— Presentation transcript:
HIPAA Security NWOAHU Presented by Barb Gerken 11/12/2013
Omnibus Rule Updates of 2013 to the HITECH Act under ARRA ARRA of 2009, Federal Stimulus Bill (February 17, 2009) HITECH requirements deadline was February 17, 2010 Omnibus Rule Updates of 2013 Final Ruling by HHS January 17, 2013 Detailed guidance with 500+ pages of legislation. Final rule was effective March 26, Covered Entities and Business Associates compliance deadline as September 23, 2013
What is the Security Rule? The HIPAA Security Rule is a technology neutral, federally mandated “floor” of protection whose primary objective is to protect the confidentiality, integrity and availability of individual identifiable health information in electronic form when it is stored, maintained, or transmitted. Confidentiality: ePHI concealed from people who do not have the right to see it Integrity: Information not improperly changed or deleted Availability: Information can be accessed when needed Federally Mandated “Floor” of Protection Comprehensive Scalable Technology Neutral
Flexibility in the Security Rule Technology Neutral (does not specify particular technologies to use) and organizations may use any security measures that will allow it to reasonably and appropriately implement the rule. Allows organizations to take into account: Their size, complexity and capabilities Their technical infrastructure, hardware, and software security capability The costs of security measures The probability and criticality of potential risks to ePHI Their access to and use of ePHI
Security Rule Objective Ensure the confidentiality, integrity and availability of all ePHI that an organization creates, receives, maintains or transmits Protect against reasonably anticipated hazards to the security or integrity of ePHI (floods, fires, etc.) Protect against any reasonably anticipated uses or disclosures of ePHI not permitted by the Privacy Rule Ensure compliance by the organization’s workforce.
What is protected by the Security Rule? Electronic Protected Health Information (ePHI) which is individually identifiable health information relating to the past, present or future health condition of the individual in electronic form when it is stored, maintained, or transmitted. Examples Electronic Claims Computer Databases with PHI s Paper printouts of electronic information
Who Must Comply with the Security Rule? Covered Entities Healthcare Providers Health Plans Health Insurance Companies, HMOs, Employer group health plans, Government programs: Medicare, Medicaid, VA programs Business Associates: All third party vendors and business partners that create, receive, maintain or transmit PHI on behalf of a Covered Entity Accountants, Lawyers, Consultants, Software Companies, Asset Recyclers, IT Consultants, PBMs A Broker is a Business Associate of their Employer Group Client’s health plan. An employer should have a signed Business Associate Agreement with their Broker.
Who Must Comply with the Security Rule? Any person or organization that stores or transmits individually identifiable health information electronically. This includes both Covered Entities and Business Associates. With the wide spread use of computers, most organizations will need to comply with the Security standards. The only organizations that won’t need to comply are those that only store individually identifiable health information on paper and do not utilize computer systems.
Required vs. Addressable Security Standards Covered Entities and Business Associates are required to comply with every Security Rule “Standard.” However, the Security Rule divides the implementation specifications within those standards into two types: Required Addressable ***It is important to emphasize that addressable does not mean optional!!!!!!!
Required vs. Addressable Implementation Specs Required –must be implemented by the organization Addressable – permits organizations to determine whether the addressable implementation specification is reasonable and appropriate for that organization. If a specification is reasonable and appropriate it must be implemented. If a specification is not reasonable and appropriate an organization has two options: Implement an equivalent alternative measure that accomplishes the same purpose as the addressable spec Document how the overall standard can be met without implementation of the standard and an alternative measure
Penalties for Non-Compliance Non-compliance is a civil offense that carries a penalty ranging from $100-$50,000 per violation with caps of $25,000 to $1.5 million for all identical violations of a single requirement in a calendar year. Enforced by Office of Civil Rights (OCR) within HHS. Unauthorized Disclosure or Misuse of Protected Health Information under false pretenses or with intent to sell, transfer, or use for personal gain, or malicious harm is a criminal offense. Penalties for criminal offenses can be up to $250,000 in fines and up to 10 years in prison. Enforced by the Department of Justice Penalties may apply to the individual violator but may also apply to an organization or even to its officers.
Penalties for Non-Compliance There are 4 categories for penalties Did Not Know This is when you did not know or would not have known through exercise of reasonable discretion that the disclosure or breach was a violation of HIPAA Rules. Reasonable Cause This is when you should have known what was going on, but you had a violation. Willful Neglect – Corrected This is when you ignored the Law, and you got caught, but you corrected the issue within 30 days. Willful Neglect – Not Corrected This is when you ignored the Law, your were caught, and you decided not to correct the issue.
Non-Compliance Penalties from Omnibus Ruling Violation Category 1176(a)(1) Each ViolationMaximum fine for an identical violation in a calendar year (A) Did Not Know$100-$50,000$1,500,000 (B) Reasonable Cause$1,000-$50,000$1,500,000 (C)(i) Willful Neglect-Corrected$10,000-$50,000$1,500,000 (C)(ii) Willful Neglect-Not Corrected $50,000$1,500,000
Criminal Penalties Direct at individuals Knowingly obtaining or disclosing PHI: Fine of up to $50,000 plus up to one year in prison Offenses committed under false pretenses: Fine up to $100,000 plus up to five years in prison Offenses committed with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: Fines of $250,000, and up to ten years in prison
Implementation Lag Healthcare Industry in General 95 percent of organizations have internet connectivity 25 percent have no firewalls 65 percent intend to integrate web applications 24 percent conduct security awareness programs 71 percent provide internal system-wide computerized client information
General Requirements & Structure Increasing Security with each safeguard Privacy Rule Reasonable Safeguards for all PHI Administrative Safeguards P&Ps designed to show how the entity will comply with the security rule Physical Safeguards Controlling physical access to protect against inappropriate access to protected data Technical Safeguards Controlling access to computer systems and the protection of communications containing PHI transmitted electronically over open networks
General Requirements & Structure Within the security categories, there are 18 standards, 12 with implementation specifications, six without implementation specifications. A standard defines what an organization must do; Implementation specifications describe how it must be done.
Administrative Safeguards The Administrative Safeguards are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the conduct of the organization’s workforce in relation to the protection of that information.
Administrative Safeguards 9 Standards Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts Examples: Assigning a Security Officer Security awareness training Internal audits Contingency plans for emergencies Procedures for reporting security incidents
Physical Safeguards Physical measures, policies and procedures to protect the organization’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Physical Safeguards 4 Standards Facility Access Controls Workstation Use Workstation Security Device and Media Controls Examples: Computer servers in locked rooms Data backups stored offsite Employee Badges Door Locks Locked cabinets for records with PHI Screen savers/screen locks Fireproof storage for PHI records
Technical Safeguards Technology and the policy and procedures for its use that protect ePHI and control access to it.
Technical Safeguards 5 Standards Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security Examples Usernames and passwords Security logs Access controls Firewalls Data Encryption
Security Management Process Requires an organization to implement policies and procedures to prevent, detect and contain and correct security violations Risk Analysis Risk Management Sanction Policy Information System Activity Review All are required, not addressable. Risk analysis and sanction policy must be documented, retained for six years and should be periodically reassessed and updated as needed.
Assigned Security Responsibility Required, not Addressable Must designate a security official (one individual, not an organization) Responsible for development and implementation of the policies and procedures and having overall responsibility for the security of the organizations ePHI. HIPAA Privacy Officer generally the best candidate Do not just assign to IT department, it is much more than just a technical solution.
Information Access Management IAM standard requires an organization to implement P&Ps to access ePHI on when such access is appropriate based on a user’s or recipient’s role. Includes following implementation specifications Isolation of Healthcare Clearinghouse Function (required) Protect ePHI appropriate for access to a portion of a larger organization from unauthorized access by persons of that larger organization Access Authorizations (addressable) P&Ps with specific access levels for all personnel Access Establishment and Modifications (addressable) P&Ps to specify how to access to ePHI is granted and modified.
Information Access Management: Guidelines for Levels of Access Restrict access rights to the minimum necessary Define types of users, roles and access labels Verify the identity of individuals who attempt to access information Establish criteria for when access rights should change Never allow access rights to be transferred among users Communicate policies to every person that has access to ePHI Review policies and procedures annually
Security Awareness and Training Standard requires an organization to train all members or their workforce on its security policies and procedures and includes the following implementation specifications (all are addressable): Security Reminders Protection from Malicious Software Log-in Monitoring Password Management
Security Incident Procedures Requires an organization to implement policies and procedures to address security incidents (the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system) and includes a single implementation specifications, which is required: Response and Reporting Relates to internal reporting of security incidents and does not specifically require the organization to report the incident to any outside entity, except if they are dependent upon business or legal considerations. Develop P&Ps to identify and respond Mitigate harmful effects known to the organization Document security incidents and their outcomes
Contingency Plan Requires an organization to implement P&Ps for responding to an emergency or other occurrence (i.e. fire, vandalism, system failure, nature disaster) that damages systems that contain ePHI
Contingency Plan 5 Implementation Specs Data Backup Plan (required) Should be kept offsite to protect them from fire, flood or other disaster at the facility Disaster Recovery Plan (required) Emergency Mode Operation Plan (required) Testing & Revision Procedure (addressable) Applications and Data Criticality Analysis (addressable)
Evaluation (Required) Perform periodic technical and non-technical evaluations that determine the extent to which the organization meets the ongoing requirements of the Security Rule. Organization must: Verify adherence to the HIPAA Security Rule Verify that the necessary P&Ps have been developed Verify that the employees have been trained Verify that contingency plans are in place Verify that adequate access rights are in place Periodically evaluate computer systems and/or network design to ensure proper security has been applied
Business Associate Contracts/Agreements Implement contracts/agreements that ensure vendors and subcontractors that create, receive, maintain or transmit ePHI on the organization’s behalf will appropriately safeguard the information and includes the following implementation specifications: Written Contract or Other Arrangement (required)
Physical Safeguards Physical measures and P&Ps to protect electronic information systems and related buildings and equipment from natural/environmental hazards and unauthorized intrusions.
Physical Safeguards 4 Standards Facility Access Control Workstation Use Workstation Security Device & Media Controls Examples: Computer servers in locked rooms Data backups stored offsite Employee badges Door locks Locked cabinets Screen savers/screen locks Fireproof storage
Facility Access Controls Limit physical access to facilities ensuring authorized access is allowed and includes: Contingency Operations (addressable) Facility Security Plan (addressable) Access Control and Validation Procedures (addressable) Maintenance Records (addressable)
Workstation Use (Required) Develop P&Ps to specify: The proper functions to be performed The manner in which those functions are to be performed The physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI Encompasses portable devices, such as tablets, PDAs, laptops Conventional desktop – could include log-off requirement, updating anti-virus For portable devices – can limit what can be stored on these devices
Workstation Security (Required) Implement physical safeguards for all workstations that can access ePHI in order to restrict access to authorized users. Examples: Positioning monitors so they cannot be viewed by passers by Using password-protected screen savers Limiting access to buildings, offices, workstations, printers, faxes and remote devices
Device and Media Controls Implement P&Ps that control the receipt and removal of hardware and electronic media that contain ePHI and includes the following implementation specifications Disposal (Required) Media Re-Use (Required) Accountability (Addressable) Data Backup and Storage (Addressable)
Technical Safeguards Technology and the P&Ps for its use that protect ePHI and control access to it. 5 Standards Access Control Audit Control Integrity Person or Entity Authentication Transmission Security Examples Usernames and passwords Security logs Firewalls Data Encryption
Access Control Implement technical P&Ps that allow authorized persons or software programs to access ePHI and includes the following specifications: Unique User ID (required) Emergency Access Procedure (required) Automatic Logoff (addressable) Encryption and Decryption (addressable)
Audit Controls (Required) Requires an organization to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Create a process to monitor data access that includes reviews of audit logs for failed logon attempts or security incidents, the frequency of such reviews and the desired escalation process.
Integrity Implement security measures that ensure that ePHI is not improperly modified without detection until disposed of and includes the following implementation specifications: Mechanism to Authenticate Electronic Protected Health Information (addressable) P&Ps to protect ePHI from improper alteration or destruction For most operating systems and hardware, integrity is already built in as standard features such as error-correcting memory and magnetic disc storage.
Person or Entity Authentication (Required) Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. Simple approach = password at login More sophisticated approach = biometric ID system, digital signatures
Transmission Security Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network and includes the following implementation specifications: Integrity Controls (addressable) Encryption (addressable) Applies when using an open network such as internet and when deemed appropriate.
Implementation: Implications of Non-compliance Increased operating costs Financial penalties Public exposure leading to loss of customers Loss of Accreditations / Licenses Litigation Damages Imprisonment
Making an Organization HIPAA Security Compliant Typical High-Level Steps Determine if organization is subject to HIPAA Security Rule (store or transmit ePHI?) Appoint a HIPAA Security Officer Detailed HIPAA Security Training Course for HIPAA Security Officer and technical IT staff Perform risk assessment Develop risk management plan Draft necessary P&Ps required by the Security standards Work with IT to implement security standards contained in new policies and procedures Train employees on new security P&Ps and systems Monitor compliance, perform periodic evaluation of security systems and take corrective actions, as needed.
Reasonable, Scalable and Common Sense Privacy & Security rules specified by HIPAA are reasonable and scalable to account for the nature of each organization’s culture, size and resources. Each organization will determine its own privacy policies and security practices within the context of the HIPAA requirements and its own capabilities and needs. A good rule of thumb to remember is “when in doubt, use common sense.”
Embracing HIPAA Many HIPAA requirements are just best practices already implemented in other industries. HIPAA can be considered a common federal “floor” for everyone to achieve. Many HIPAA requirements would be things you would want the implement anyway to safeguard the confidentiality of your clients’ records and protect your organization data from loss or theft. We are all patients with our own PHI and would want many of the same protections for our own personal health information. With the move toward electronic records management, it is even more critical that we all come to terms with securing our organization’s information as it is all too easy for data to be stolen by hackers or for an organization to lose its records because regular backups were not performed.