Slide 1: HIPAA HITECH Briefing
IRB Monthly Investigator Meeting
Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center
June 2010
Slide 2: Health Insurance Portability and Accountability Act (HIPAA)
Diagram: HIPAA
- Insurance Reform [Portability]
- Fraud and Abuse (Accountability)
- Administrative Simplification [Accountability]
  - Transactions, Code Sets, & Identifiers: compliance dates 10/16/2002 and 10/16/2003
  - Privacy: compliance date 4/14/2003
  - Security: compliance date 4/20/2005
  - HITECH (Health Information Technology for Economic and Clinical Health): 9/18/2009
Speaker note: For today's session, I will concentrate on the two blue boxes at the bottom of this slide: the HIPAA Privacy legislation that went into effect in April 2003 and the HIPAA Security legislation that went into effect in April 2005. Note that it took 2 full years for the regulators to complete the Security legislation, due to the complexity of protecting the electronic sources of medical information.
Slide 3: HITECH (ARRA) Health Information Technology for Economic & Clinical Health
Requirement: Compliance Date
- Breach Notification: September 2009
- Self-Payment Disclosures: February 2010
- Business Associates: February 2010
- Minimum Necessary: August 2010
- Accounting of Disclosures: January 2011/2014
- Performance Measures for EHR: enhanced reimbursement rate
Slide 4: HITECH Act (ARRA) Health Information Technology for Economic and Clinical Health
New Federal Breach Notification Law, effective September 2009
- Applies to all electronic "unsecured PHI"
- Requires immediate notification to the Federal Government if more than 500 individuals are affected
- Annual notification if fewer than 500 individuals are affected
- Requires notification to a major media outlet
- Breach will be listed on a public website
- Requires individual notification to patients
- Criminal penalties apply to an individual or employee of a covered entity
Slide 5: HITECH Act (ARRA) Enforcement
- Increased penalties for HIPAA violations (tiered civil monetary penalties)
- Required audits and investigations
- Increased enforcement and oversight activities
- State Attorneys General will have enforcement authority and may sue for damages and injunctive relief.
Tiered Civil Penalties
- When the person did not know about the violation: $100 per violation (max $25,000) to $50,000 (max $1.5 mil)
- Where the violation was due to reasonable cause and not to willful neglect: $1,000 per violation (max $100,000) to $50,000 (max $1.5 mil)
- Where the violation was due to willful neglect: $10,000 per violation (max $250,000) and $50,000 (max $1.5 mil)
Slide 6: Laptops
Of the 95 breaches on the Office for Civil Rights (OCR) website as of June 17, 32 (34%) involved laptop computers. Another 11 incidents involved the loss or theft of portable devices.
HITECH mandates that OCR post the breaches on its website. In its first public posting in February, OCR listed 32 entities that reported the egregious breaches.
Slide 7: HITECH Act (ARRA) Self-Payment Disclosures, Business Associates
Self-Payment Disclosures
- If a patient pays for a service, the patient has the right to limit the disclosure of that information
Business Associates
- Standards apply directly to Business Associates
- Statutory obligation to comply with restrictions on use and disclosure of PHI
- New HITECH Privacy provisions must be incorporated into the BAA
Minimum Necessary Standards
- New definition of Minimum Necessary, determined by the disclosing party; encourages the use of limited data sets
Slide 8: HITECH Act (ARRA) Electronic Health Record
Accounting of Disclosures
- Right to request a copy of the record in any format and to know who viewed, accessed, used or disclosed their medical information
Electronic Health Record
- Performance Measures for EHR enhanced reimbursement
- Patient has a right to an electronic copy of records
- Electronic copy transmission
- Delivery options
- 96 hours to make information available to the patient
- Meet Meaningful Use Standards
Slide 9: Who is a Business Associate?
Individuals who do business with CUMC and have access to protected health information.
A signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.
Examples of BAAs include:
- billing companies or claims processing
- voice mail or appointment reminder service management
- transcription services or coding companies
- accreditation
- consultants
- software used for medical data
Slide 13: New York State SSN/PII Laws
Information Security Breach and Notification Act, effective December 2005
IF a breach of Personally Identifiable Information occurs:
- SSN
- Credit card
- Driver's license
THEN you must notify:
- patients / customers / employees
- NY State Attorney General
- Consumer reporting agencies
RED FLAG REGULATIONS
- New enforcement date June 1, 2010
- Medical identity theft accounted for 7% of all ID theft, up from 3%: a new threat
Slide 14: Types of confidential electronic information
ePHI = Electronic Protected Health Information
- Medical record number, account number or SSN
- Patient demographic data, e.g., address, date of birth, date of death, sex, e-mail / web address
- Dates of service, e.g., date of admission, discharge
- Medical records, reports, test results, appointment dates
PII = Personally Identifiable Information
- Individual's name + SSN or driver's license # or credit card #
Electronic media = computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-up modems, cell phones, e-mail, web sites, etc.
Slide 15: Types of Security Failures
- Failing to encrypt protected health information (PHI)
  - Sending ePHI outside the institution without encryption
  - Under HITECH you may be personally liable for losing ePHI data
- Losing a laptop or other portable device in transit with unencrypted PHI or PII
  - Under HITECH and NY State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII
- Failing to follow basic security requirements
  - Sharing passwords, signing on to applications for another user, failing to sign off a workstation
Slide 16: Types of Security Failure: Social Security Numbers
- First, avoid SSN (and driver's license, credit card numbers): REFUSE to take files or reports with SSN if not needed.
- Do not store SSN long-term: DESTROY the file/report as soon as you are done with it. Delete the file from your computer, delete the e-mail that brought the file, etc. Or, using an editor program, cut the SSN out of the file.
- Do not keep the complete SSN: ERASE the first 5 digits of the SSN.
- Encrypt SSN, and obfuscate SSN: if you must keep it, keep the SSN in an encrypted file or folder.
- Do not show the SSN in an application, or show only the last 4 digits if that meets the needs. AUTHENTICATE again if the complete SSN is shown, and LOG who saw the SSN. Ask why the SSN is needed.
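The two SSN rules above ("refuse files with SSN if not needed" and "erase the first 5 digits") are mechanical enough to script. The following is an added example, not code from the briefing or from CUMC: it lists the full SSNs a text report still carries (so the file can be refused or cleaned) and rewrites each one to its last-four-only form. The function names, the dashed-SSN pattern and the sample report are assumptions constructed for illustration.

```python
"""Find full SSNs in a text report and redact them to the last four digits.

Added example for the SSN safeguards above; not code from the briefing.
SSN_PATTERN and SAMPLE_REPORT are constructed for illustration.
"""
import re
from typing import List

# Dashed form NNN-NN-NNNN. The \b anchors keep the pattern from matching
# inside longer digit runs such as account or phone numbers. Undashed
# nine-digit SSNs are deliberately not matched here: MRNs and account
# numbers share that shape, so they need a field-aware check instead.
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample report; the SSNs are obviously made-up test values.
SAMPLE_REPORT = """\
Patient: DOE, JANE   SSN: 123-45-6789   MRN: 000123456
Patient: ROE, RICHARD   SSN: 987-65-4321   Phone: 212-555-0100
Billing account: 000-12-3456789 (not an SSN)
"""


def find_ssns(text: str) -> List[str]:
    """Return every full dashed SSN in text, in order of appearance.

    A non-empty result is the signal to refuse the file or redact it
    before keeping it."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)]


def mask_ssn(ssn: str) -> str:
    """Erase the first five digits of one SSN, keeping only the last four."""
    m = SSN_PATTERN.fullmatch(ssn)
    if m is None:
        raise ValueError(f"not a dashed SSN: {ssn!r}")
    return f"***-**-{m.group(3)}"


def redact_ssns(text: str) -> str:
    """Replace every full SSN in text with its last-four-only form."""
    return SSN_PATTERN.sub(lambda m: mask_ssn(m.group(0)), text)


def redact_file(src_path: str, dst_path: str) -> int:
    """Write a redacted copy of src_path to dst_path and return how many
    SSNs were masked. Delete the original once the copy is verified."""
    with open(src_path, "r", encoding="utf-8") as fh:
        original = fh.read()
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(redact_ssns(original))
    return len(find_ssns(original))


if __name__ == "__main__":
    print("Full SSNs found:", find_ssns(SAMPLE_REPORT))
    print(redact_ssns(SAMPLE_REPORT))
```

Run on the constructed report, `find_ssns` returns the two SSNs and nothing else; the billing account and phone number are left untouched by the redaction because the word-boundary anchors reject digit runs of the wrong shape. The redacted copy still satisfies the "last 4 digits only" display rule, and the original should be destroyed as the slide instructs.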
Slide 17: Good Computing Practices: 10 Safeguards for Users
- User Access Controls (sign-on, restricted access)
- Passwords
- Workstation Security
- Portable Device Security: USB, laptops
- Data Management, e.g., back-up, archive, restore
- Remote Access: VPN
- Recycling Electronic Media & Computers
- E-Mail: Columbia/NYP account ONLY
- Safe Internet Use
- Reporting Security Incidents / Breach
Slide 18: Safeguard #1 Unique User Log-In / User Access Controls
- Users are assigned a unique "User ID" for log-in purposes
- Each individual user's access to ePHI system(s) is appropriate and authorized
- Access is "role-based", e.g., access is limited to the minimum information needed to do your job
- User access to information systems is logged and audited for inappropriate access or use
- Unauthorized access to ePHI by former employees is prevented by terminating access
Slide 19: Safeguard #2 Password Protection
To safeguard YOUR computing accounts, YOU need to take steps to protect your password.
- Don't share your password; protect it the same as you would the key to your home. After all, it is a "key" to your identity.
- Do not write down your user ID / password and leave it unsecured.
- Don't use a word that can easily be found in a dictionary, English or otherwise.
- Use at least eight characters (letters, numbers, symbols).
- Don't let your web browser remember your passwords. Public or shared computers allow others access to your password.
Slide 20: Safeguard #3 Workstation Security
"Workstations" include any electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
- Log off before leaving a workstation unattended. This will prevent other individuals from accessing ePHI under your User ID and limit access by unauthorized users.
- Lock up! Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.
- Lock your workstation (Ctrl+Alt+Del and Lock) on Windows XP and Windows 2000.
- Do not leave sensitive information on remote printers or copiers.
Slide 21: Safeguard #4 Security for USB Drives & Storage Devices
USB drives are new devices which pack a lot of data into tiny packages, e.g., 256MB, 512MB, 1GB.
Approved encrypted devices include: Lexar or Kingston Data Traveler.
Safeguards:
- Don't store ePHI on USB drives
- If you do store it, either de-identify it or use encryption software
- Delete the ePHI when no longer needed
- Delete temporary ePHI files from local drives and portable media too!
These safeguards apply to all portable devices which contain ePHI or PII. Apply the same safeguards to zip disks, floppy disks, CDs, and local drives on computers!
Slide 24: Safeguard #6 Secure Remote Access
Standards for remote network access by laptops, home computers and PDAs (same standard as desktops at work).
Minimum network security standards are:
- Software security patches up to date
- Anti-virus software running and up to date on every device
- Unnecessary services and programs turned off
- Physical security safeguards to prevent unauthorized access
Consider these also:
- Host-based firewall software, running and configured
- Placement to conceal screen content
- No downloads from lesser-known web sites
- No peer-to-peer software; use only work-related software
Apply these same standards to all portable devices and home PCs.
Slide 25: Safeguard #7 Data Disposal: Clean Devices Before Recycling
Destroy ePHI data which is no longer needed:
- "Clean" hard drives, CDs, zip disks, or back-up tapes before recycling or re-using electronic media.
- Have an IT professional overwrite or destroy your digital media before discarding, via magnets or special software tools; and/or
- Know where to take these items for appropriate safe disposal.
- Do not just donate an old workstation without cleaning the disks.
Slide 26: Safeguard #8 E-Mail Security
E-mail is like a "postcard": it may potentially be viewed in transit by many individuals, since it may pass through several switches en route to its final destination, or it may never arrive at all!
E-mails containing ePHI need a higher level of security.
- Do not use personal e-mail accounts to communicate any information related to CUMC.
- Do not send or forward e-mails with ePHI from secure addresses to non-institutional accounts, e.g., Hotmail, Google, Yahoo, etc.
- Use secure, encrypted software, if available (e.g., WinZip).
- Security at the subject line: avoid using individual names, medical record numbers or account numbers in unencrypted e-mails.
Slide 27: Safeguard #10 Report Information Security Incidents
You are responsible to:
- Report and respond to security incidents and security breaches.
- Know what to do in the event of a security breach or incident related to ePHI and/or Personal Information.
Report security incidents and breaches to:
- Help Desk 305-HELP (ext )
Slide 28: Sanctions for Violators
Workforce members who violate policies regarding privacy / security of confidential / protected health information or ePHI are subject to corrective and disciplinary action.
Actions taken may include:
- Department/grant responsible for fines, penalties, notification costs, etc.
- Counseling and additional training
- Suspension
- Termination of access to applications
Violation of City, State and Federal laws may carry the additional consequence of prosecution under the law.
Knowing, malicious intent can mean penalties, fines, jail!
Slide 30: Information Security Reminders
- Password-protect computer/data
- ENCRYPT! Use encryption for portable devices with PHI
- Run anti-virus, anti-spam and anti-spyware software
- Use institutional e-mail
- Keep office secured
Slide 31: HIPAA and Research: HIPAA Research Use & Disclosures
- Form A: Authorization signed by patient for all clinical research
- Form B: Waiver criteria applied before records research
- Form C: Recruitment waiver
- Form D & E: Exceptions documented (preparatory to research; research on decedents)
- Form F: Limited data-set
- Form G: De-identified
Slide 32: HIPAA Form A: Authorization Signed by Patient for All Clinical Research
TWO signatures required:
- Consent to participate in research
- Authorization to USE information collected
- If consent is being obtained, then HIPAA authorization must also be obtained
- Information Sheet must include HIPAA language
- Single signature: combined consent and HIPAA authorization
- International research
Slide 33: HIPAA Form B: Waiver Criteria Applied Before Records Research
- Mostly retrospective medical record reviews
- All 5 questions must be answered and must explain why subject consent/authorization is not practical.
- Partial waiver of signed authorization is required when an information sheet will be used
- Cannot waive authorization for records that do not belong to CUMC/NYP
Slide 34: HIPAA Form D & E: Exceptions Documented, Preparatory to Research & Decedent Data Research
- Form D should be attached when the investigator will review multiple records, schedules, or other items to identify potential candidates, or if involved in preliminary research to establish a thesis
- Form E, research on decedents: really only needed when research will focus exclusively on decedents.
Slide 35: HIPAA Form F: Limited Data-Set
- SIGNED agreement when research will include DOB, date of admission, surgery, event, MRN
- Multi-center studies: whose Data Use Agreement? HIPAA Form F is written to reflect that CUMC is the data owner.
- Data sharing should not be initiated until the document is fully executed
- A lab not involved in research that performs a paid function is a Business Associate, not a research collaborator.
Slide 36: Form G: De-identified Data
- Assumes NONE of the 18 identifiers will be COLLECTED during research: name, address, e-mail, telephone, photo, SSN, DOB, credit card number
- A code or link back to source data is not permitted
- International research may qualify for de-identified data if the code/link to identifiers is not brought back to CUMC / USA