HIPAA Implementation at UNC School of Medicine
Dennis A. Schmidt, MS, CISSP
Director, Office of Information Systems
HIPAA Security Officer
UNC School of Medicine
March 12, 2007
Agenda
Overview of HIPAA
Overview of the Privacy Regulation
Protected Health Information
Parts of the Privacy Regulation
Patient Rights
Penalties
HIPAA Security Regulations
Implementation at UNC School of Medicine
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries.
HIPAA Parts
HIPAA has several parts:
»Electronic Transactions and Code Sets Standards
»Privacy Requirements
»Security Requirements
»National Identifier Requirements (NPI)
This presentation will focus on the Privacy and Security Requirements.
Who Is Subject to HIPAA?
Health Care Providers
»Any provider of health care or other health services, or supplies, who transmits health information in electronic form in connection with a transaction for which standard requirements have been adopted.
Health Plans
»Any individual or group plan that provides or pays the cost of health care.
Health Care Clearinghouses
»A public or private entity that transforms health care transactions from one format to another.
Affiliated Covered Entities
Any organization that provides patient care and bills electronically is subject to HIPAA. Those organizations are classed as “Covered Entities”.
UNC Health Care is a Single Affiliated Covered Entity, consisting of:
»UNC Hospitals
»UNC Physicians and Associates
»UNC School of Medicine
»Rex Hospital
HIPAA Cost Neutral (????)
Streamlining codes and transaction sets theoretically offsets the overhead costs incurred to support privacy and security.
No real savings have yet been realized from codes and transaction sets.
Many organizations do not benefit from codes and transaction savings.
HIPAA Privacy Rule
Went into effect April 14, 2003.
The main goal of the Privacy Regulation is to protect the use and sharing of Protected Health Information (PHI).
What is PHI?
Protected Health Information (PHI) is any health information that can be used to identify a patient and which relates to the patient, healthcare services provided to the patient, or the payment for these services.
Examples of PHI Identifiers
Employer
Relatives’ Names
Telephone Numbers
Fax Numbers
E-Mail Address
Medical Record Number
Social Security Number
Codes
Fingerprints
Occupation
Photographs
Certificate Numbers
Privacy Regulation Requires
We cannot use or disclose PHI unless it is required or allowed by law, or when the patient has given permission.
Privacy Rule Principles
The Privacy Regulation, or Privacy Rule, is made up of several parts. These include the following:
Accountability:
»Anyone who misuses PHI will be subject to losing their job along with civil and/or criminal penalties.
Privacy Rule Principles cont…
Responsibility to the public:
»Addresses the need to keep the public healthy and safe, but at the same time protect the privacy of all patients.
Boundaries:
»PHI should be used for healthcare purposes only.
Privacy Rule Principles cont…
Security:
»PHI needs to be kept confidential and accessed on a need-to-know basis.
Patient Control:
»The patient has the right to ask us for a listing showing when and to whom their PHI has been shared (Accounting for Disclosures).
Patient Rights
The Privacy Rule calls for letting patients know their privacy rights. These rights are as follows:
»The patient has the right to obtain a copy of our Notice of Privacy Practices.
»The patient has the right to access their PHI. It’s their information, not ours.
»The patient has the right to ask for corrections in their own PHI.
Patient Rights (cont’d)
»The patient has the right to control how PHI about them is shared.
»The patient has the right to “opt out” of being listed in hospital directories.
»The patient has the right to file a complaint if we do not follow our privacy policies.
Penalties
There are penalties for not following HIPAA requirements.
You can lose your job.
You and your facility can be forced to pay up to $250,000 and spend up to 10 years in jail.
Final Security Rule
Published in Federal Register on February 20, 2003
Effective Date: April 21, 2005
Scope narrowed to Electronic PHI only
All other PHI covered by Privacy Rule
Protected Health Information (PHI)
Identifiable Health Information that is
»Transmitted by electronic media
»Maintained in electronic media
»Transmitted or maintained in any other form or medium
Excludes health information in
»Education records covered by Family Educational Rights and Privacy Act
»Employment records held by a covered entity in its role as employer
Definitions
Standards
Required Implementation
»Covered entity must implement the implementation specifications
Addressable Implementation
»Entity must assess whether implementation specification is reasonable and appropriate safeguard
»Implement if reasonable
»If not reasonable: document why, and implement alternative measure if reasonable and appropriate
Security Standards Matrices
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Security Standards are required to be implemented
Implementation Specification is either
»Required or
»Addressable
Administrative Safeguards
Information Access Management
»Isolating Healthcare Clearinghouse Function (Required)
»Access Authorization (Addressable)
»Access Establishment and Modification (Addressable)
Security Awareness and Training (Required)
»Security Reminders (Addressable)
»Protection from Malicious Software (Addressable)
»Login Monitoring (Addressable)
»Password Management (Addressable)
Administrative Safeguards
Security Incident Procedures (Required)
Contingency Plan
»Data Backup Plan (Required)
»Disaster Recovery Plan (Required)
»Emergency Mode Operation Plan (Required)
»Testing and Revision Procedure (Addressable)
»Applications and Data Criticality Analysis (Addressable)
Evaluation (replaces Certification) (Required)
Business Associate Contracts (Written) (Required)
Physical Safeguards
Facility Access Controls (Required)
»Contingency Operations (Addressable)
»Facility Security Plan (Addressable)
»Access Control and Validation Procedures (Addressable)
»Maintenance Records (Addressable)
Workstation Use (Required)
Workstation Security (Required)
Device and Media Controls
»Disposal (Required)
»Media Re-use (Required)
»Accountability (Addressable)
»Data Backup and Storage (Addressable)
Technical Safeguards
Access Control
»Unique User ID (Required)
»Emergency Access Procedure (Required)
»Automatic Logoff (Addressable)
»Encryption and Decryption (Addressable)
Audit Controls (Required)
Integrity (Required)
»Mechanism to Authenticate Electronic PHI (Addressable)
Person or Entity Authentication (Required)
Transmission Security
»Integrity Controls (Addressable)
»Encryption (Addressable)
“Due Diligence”
HIPAA expects entities to use Due Diligence when protecting PHI.
Definition of Due Diligence is constantly changing/evolving and subject to interpretation.
Your definition of Due Diligence may be different from a plaintiff’s definition.
Following industry standards probably fits in Due Diligence – but that’s just MY interpretation.
Implementation Structure
UNC HCS HIPAA Oversight Committee
UNC HCS HIPAA Policy Committee
HIPAA Implementation Teams
»UNC Hospitals
»Rex Healthcare
»UNC P&A
»UNC School of Medicine
HIPAA Committees
UNC HCS
»HIPAA Oversight Committee
»HIPAA Policy Committee
»HIPAA Education Committee
»HIPAA Privacy Subcommittee
»HIPAA Security Subcommittee
»HCS Physical Inspection Team
»Security Incident Response Team (SIRT)
SOM
»HIPAA Planning and Oversight Counsel
»HIPAA Security Team
UNC
»HIPAA Security Liaisons
»HIPAA Planning Committee
HIPAA Implementation Approach
Health Care System Approach
»Standard Policies Across HCS
UNC Hospitals
UNC Physicians & Associates
Rex Hospital
School of Medicine
Implementation Tasks
Inventory of individually identifiable electronic health information, including information kept on personal computers and research databases
Risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information
Collect and review existing privacy and security policies
Create new, compliant UNC HCS privacy and security policies
Implementation Tasks cont.
Review and revise admission, treatment, and consent forms
Create additional HIPAA-required forms (including Notice of Privacy Practices, Business Associate Agreements, Chain of Trust Agreements)
Educate staff about privacy and security policies, including sanctions for violations; incorporate into compliance program
Implementation Tasks cont.
Designate privacy and security officers in each entity
Review and revise vendor contracts to ensure that business associates protect privacy of identifiable health information
Enter into Business Associate Agreements with business associates
Evaluate audit trails and develop additional tracking techniques to ensure a record of all use/disclosure of patient information
Implementation Tasks cont.
High Level Assessment & Gap Analysis
»Inventory of Patient Information (PHI)
»Information Flow Assessment
»Detailed Security Assessment and Risk Analysis
Must be done by every Department/Division
Risk Doctor
Implementation Tasks cont.
Education & Training – Entire Workforce
»On-line Modules developed by UNC HCS
»Initial Module – HIPAA 101 for all
»Follow-on Modules based on job function
»Training to be conducted and tracked by Departments/Divisions
Implementation Tasks cont.
Security Related Requirements
»Formal mechanism for processing records: creation, receipt, storage, transfer, disposal of PHI
»Personnel Security Clearance Process
»Written procedures for access to PHI
»Documented termination procedures to include notification of IS organizations
»Workstation controls
»Disaster Recovery Plan
SOM HIPAA Policies
UNC HCS Information Security Policy
UNC HCS Privacy/Confidentiality of PHI
Electronic Media Disposal Policy
End User Account Policy
Orientation and Termination Checklists
Network Security Policy
Desktop Configuration Policy
Password Policy
Remote Access Policy
Handheld Computing Devices Policy
Audit Policy
Web Security Policy
Implementation Team Responsibilities
Education & Training
Coordinate assessments and information gathering
Participate on HIPAA workgroups
Develop and implement unit-specific policies
Assist in the development and dissemination of new global policies and procedures
Assess physical security (higher level policies anticipated)
Ongoing…
Specific Issues & Concerns with HIPAA Implementation
Documentation
To prepare for HIPAA, we did not make many changes to our architecture or procedures. We just had to document what we were already doing.
People Do Not Like Change
“When an opportunity comes to consign you all to the nether regions there will be a rush to make it so.”
- Basic Sciences PhD in response to password change requirement
“…if this was the private world, I would FIRE YOU…and if I saw you in the hall I would tell you to ‘flip off!’”
- Physician in response to password change requirement
HIPAA Extends Well Beyond IT
Protect information regardless of media
Provide physical safeguards
Personnel issues (training, sanctions)
Liability protections (contracts, insurance)
Revise business & clinical processes to comply
Policy Development
Wrote higher level Information Security Policy to cover all of HCS
Formed numerous committees to help write lower level policies for School of Medicine
Important to get user “buy-in”
Enforcement is still an issue
»Not enough resources to audit units
Policies approved by the Dean’s Office
Media Disposal Policy
First HIPAA related policy
Requires all media (hard drives, etc.) to be sanitized properly with disk wiping software before leaving university control.
Written by School of Medicine, adopted by UNC and UNC Hospitals.
Developed in response to actual incident.
Password Policy
New requirements:
»Strong passwords
»Change every 90 days
»No “group” accounts
Most significant HIPAA change for our users
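A small audit that checks an account inventory against the three requirements on this slide, added here as an illustration and not part of the original presentation or of any UNC tooling. The account records are constructed sample data, and the strength rule (8+ characters, three of four character classes) is an assumption, since the slide says only “strong”.

```python
import re
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # "Change every 90 days" from the slide


@dataclass
class Account:
    username: str
    owners: list            # people who know the credential; more than one means a "group" account
    password_set_on: date   # date the current password was set


def is_strong(password: str) -> bool:
    """Assumed strength rule: at least 8 characters and three of the four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(bool(re.search(c, password)) for c in classes)
    return len(password) >= 8 and present >= 3


def audit(accounts, today):
    """Return (username, problem) pairs for every account that violates the policy."""
    findings = []
    for acct in accounts:
        age = (today - acct.password_set_on).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.username,
                             f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})"))
        if len(acct.owners) != 1:
            findings.append((acct.username,
                             f"shared by {len(acct.owners)} people; group accounts are not allowed"))
    return findings


# Constructed sample inventory (not real UNC data); dated to the talk, March 12, 2007.
TODAY = date(2007, 3, 12)
SAMPLE = [
    Account("dschmidt", ["Dennis"], date(2007, 1, 15)),             # compliant
    Account("labshare", ["Alice", "Bob", "Carol"], date(2006, 6, 1)),  # group account, stale password
    Account("frontdesk", ["Dana"], date(2006, 11, 20)),             # stale password only
]

if __name__ == "__main__":
    for user, problem in audit(SAMPLE, TODAY):
        print(f"{user}: {problem}")
```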
Risk Assessments
Very resource intensive
Difficult to get units to do their own
Used Raytheon “Risk Doctor” for first round
Purchased “HIPAA Watch” for second round
»Allowed us to push questions out electronically to departments
Ongoing risk assessments are a constant resource drain.
Disaster Recovery Plans
Very difficult to do
Using Living Disaster Recovery Plan System (LDRPS)
Encryption
Addressable item in HIPAA Security Rule
Currently using “other” means of protection
Exploring encryption solution for laptops and desktops
Due Diligence has evolved to now include encryption of data.
Changes in Network Security
Additional router filters for firewall-like protection
Tipping Point intrusion prevention
»Early detection of malicious activity
»Blocking Peer-to-Peer traffic in SOM
»Blocking Skype traffic in SOM
VPN
Firewalled Secure Zone
Expanded VLAN (802.1Q) technology
Switches and routers in private IP space
Physical Security
All School of Medicine buildings are alarmed and card swipe access after hours
Sensitive floors are card swipe access 24/7
ID Badge policy
Additional secure server rooms for departmental servers
Patient E-mail
Tumbleweed Secure Server
»Activated when user puts (secure) in subject line
»Stores message on secure server
»Sends “you’ve got mail” link to recipient
»Recipient clicks on link to read secure message
Weak security if users are not authenticated when viewing message
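A toy model of the flow on this slide, written for this page and not Tumbleweed’s or UNC’s code: the `require_login` switch contrasts the weak configuration the last bullet warns about (the link alone releases the message) with one that releases it only to a logged-in user matching the addressed recipient. The host name and addresses are made up.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredMessage:
    recipient: str  # address the sender put on the message
    body: str       # content; it stays on the server and never goes out as e-mail


class SecureMailServer:
    """Constructed model of a pick-up style secure mail server (not the real product)."""

    def __init__(self, require_login: bool):
        self.require_login = require_login
        self._store = {}  # link token -> StoredMessage

    def send(self, recipient: str, subject: str, body: str) -> Optional[str]:
        # Only subjects tagged "(secure)" are diverted; anything else would go as plain e-mail.
        if "(secure)" not in subject.lower():
            return None
        token = secrets.token_urlsafe(32)  # unguessable, one token per stored message
        self._store[token] = StoredMessage(recipient, body)
        # This is the "you've got mail" link the recipient receives (hypothetical host).
        return f"https://secure-mail.example.invalid/read/{token}"

    def read(self, link: str, authenticated_as: Optional[str] = None) -> str:
        token = link.rsplit("/", 1)[-1]
        msg = self._store.get(token)
        if msg is None:
            raise KeyError("unknown or expired link")
        if self.require_login and authenticated_as != msg.recipient:
            # Hardened mode: holding the link is not enough, the viewer must be the recipient.
            raise PermissionError("recipient must log in before the message is released")
        return msg.body


if __name__ == "__main__":
    weak = SecureMailServer(require_login=False)
    link = weak.send("clinician@example.invalid", "(secure) lab results", "PHI goes here")
    print("weak, no login:", weak.read(link))  # anyone who obtains the link can read it
    strict = SecureMailServer(require_login=True)
    link = strict.send("clinician@example.invalid", "(secure) lab results", "PHI goes here")
    try:
        strict.read(link)
    except PermissionError as err:
        print("strict, no login:", err)
    print("strict, logged in:", strict.read(link, authenticated_as="clinician@example.invalid"))
```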
Mobile Memory Devices
Wide-scale proliferation of Mobile Memory Devices (PDAs, Smartphones, Blackberries, etc.) is a major problem in Health Care organizations
Easily lost or misplaced
Lack of centralized control
Task force formed by NCHICA (North Carolina Healthcare Information and Communications Alliance, Inc.) to address the problem
HIPAA Resources
www.hhs.gov/ocr/hipaa/
www.med.unc.edu/hipaa
www.nchica.org
Academic Medical Center Conference on Privacy & Security
»Friday Center, Chapel Hill
»June 10-13