1. HIPAA HITECH Briefing IRB Monthly Investigator Meeting
Karen Pagliaro-Meyer
Privacy Officer
Columbia University Medical Center
June 2010

2. Portability and Accountability Act (HIPAA)
Health Insurance
Portability and Accountability Act (HIPAA)
Fraud and Abuse (Accountability)
Administrative Simplification
[Accountability]
Insurance
Reform
[Portability]
For today’s session, I will concentrate on the two blue boxes at the bottom of this slide. The HIPAA Privacy legislation that went into effect in April of 2003 and the HIPAA Security legislation that went into effect in April Note that it took 2 full years for the regulators to complete the Security legislation, due to the complexity of protecting the electronic sources of medical information.
Transactions, Code Sets, & Identifiers
Compliance Date: 10/16/2002
and 10/16/03
Privacy
Compliance Date: 4/14/2003
Security
Compliance Date:
4/20/2005
HITECH
Health Information Technology for Economic and Clinical
Health
9/18/2009

3. REQUIREMENT COMPLIANCE DATE
HITECH (ARRA) Health Information Technology for Economic & Clinical Health
REQUIREMENT COMPLIANCE DATE
Breach Notification September 2009
Self-Payment Disclosures February 2010
Business Associates February 2010
Minimum Necessary August 2010
Accounting of Disclosures January 2011/2014
Performance Measures for EHR
enhanced reimbursement rate

4. HITECH Act (ARRA) Health Information Technology for Economic and Clinical Health
New Federal Breach Notification Law – Effective Sept 2009
Applies to all electronic “unsecured PHI”
Requires immediate notification to the Federal Government if more than 500 individuals effected
Annual notification if less that 500 individuals effected
Requires notification to a major media outlet
Breach will be listed on a public website
Requires individual notification to patients
Criminal penalties - apply to individual or employee of a covered entity

5. HITECH Act (ARRA) Enforcement
Increased penalties for HIPAA Violations (tiered civil monetary penalties)
Required Audits and Investigations
Increased enforcement and oversight activities
State Attorneys General will have enforcement authority and may sue for damages and injunctive relief.
Tiered Civil Penalties
When the person did not know about the violation
$100 per violation (max $25,000) to $50,000 (max $1.5 mil)
Where the violation was due to reasonable cause and not to willful neglect
$1,000 per violation (max $100,000) to $50,000 (max $1.5 mil)
Where the violation was due to willful neglect
$10,000 per violation (max $250,000) and $50,000 (max $1.5 mil)

6. Laptops.
Of the 95 breaches on the Office for Civil Rights (OCR) website as of June 17, 32, or 34%, involved laptop computers. Another 11 incidents involved the loss or theft of portable devices.
HITECH mandates that OCR to post the breaches on its website. In its first public posting in February, OCR listed 32 entities that reported the egregious breaches.

7. HITECH Act (ARRA) Self Payment Disclosures Business Associates
If patient pays for service – has the right to limit the disclosure of that information
Business Associates
Standards apply directly to Business Associates
Statutory obligation to comply with restrictions on use and disclosure of PHI
New HITECH Privacy provisions must be incorporated into BAA
Minimum Necessary Standards
New Definition of Minimum Necessary, determined by the disclosing party, encourage the use of limited data sets

8. HITECH ACT (ARRA) Electronic Health Record Accounting of Disclosures
Right to request copy of record in any format and to know who viewed, accessed, used or disclosed their medical information
Electronic Health Record
Performance Measures for EHR enhanced reimbursement
Patient has a right to electronic copy of records
Electronic copy transmission
Delivery options
96 hours to make information available to the patient
Meet Meaningful Use Standards

9. Who is a Business Associate?
Individuals who do business with CUMC and have access to protected health information.
Signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.
Examples of BAAs include:
billing companies or claims processing
voice mail or appointment reminder service management
transcription services or coding companies
accreditation
consultants
Software used for medical data

13. New York State SSN/PII Laws
Information Security Breach and Notification Act
Effective December 2005
IF… Breach of Personally Identifiable Information occurs
SSN
Credit Card
Driver’s License
THEN… Must notify
patients / customers / employees
NY State Attorney General
Consumer reporting agencies
RED FLAG REGULATIONS
New enforcement date June 1, 2010
Medical Identity Theft accounted for 7% of all ID
Theft – up from 3% - new threat

14. Types of confidential electronic information:
ePHI = Electronic Protected Health Information
Medical record number, account number or SSN
Patient demographic data, e.g., address, date of birth, date of death, sex, / web address
Dates of service, e.g., date of admission, discharge
Medical records, reports, test results, appointment dates
PII = Personally Identified Information
Individual’s name + SSN number or Driver’s License # or credit card #
Electronic media = computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-modems, cell phones, , web-sites, etc.

15. Types of Security Failures
Failing to encrypt protected health information (PHI)
Sending EPHI outside the institution without encryption
Under HITECH you may be personally liable for losing EPHI data
Losing Laptop or other portable device in transit with unencrypted PHI or PII
Under HITECH and NY State SSN Laws, you may be personally liable, and you will be disciplined for loss of PHI or PII
Failing to follow basic Security Requirements
Sharing passwords, signing on to applications for another user, failing to sign off a workstation

16. Types of Security Failure
Social Security Numbers
First avoid SSN (and Driver’s License, Credit Card Numbers) REFUSE to take files or reports with SSN if not needed
Do not store SSN long-term DESTROY the file/report as soon as you are done with it. Delete the file from your computer, delete the that brought the file, etc. Or, using an editor program, cut out SSN from the file.
Do not keep the complete SSN ERASE first 5 digits of SSN.
Encrypt SSN, and Obfuscate SSN If you must keep it, keep SSN in an encrypted file or folder.
Do not show the SSN in an application, or show only the last 4 digits if that meets the needs. AUTHENTICATE again if complete SSN is shown, and LOG who saw the SSN. Ask why SSN needed.

17. Good Computing Practices: 10 Safeguards for Users
User Access Controls (Sign on, restricted access)
Passwords
Workstation Security
Portable Device Security – USB, Laptops
Data Management, e.g., back-up, archive, restore
Remote Access - VPN
Recycling Electronic Media & Computers
– Columbia/NYP account ONLY
Safe Internet Use
Reporting Security Incidents / Breach

18. Safeguard #1 Unique User Log-In / User Access Controls
Users are assigned a unique “User ID” for log-in purposes
Each individual user’s access to ePHI system(s) is appropriate and authorized
Access is “role-based”, e.g., access is limited to the minimum information needed to do your job
User access to information systems is logged and audited for inappropriate access or use
Unauthorized access to ePHI by former employees is prevented by terminating access

19. Safeguard #2 Password Protection
To safeguard YOUR computing accounts, YOU need
to take steps to protect your password
Don't share your password — protect it the same as you would the key to your home. After all, it is a "key" to your identity.
Do not write down your user ID /password and leave unsecured
Don't use a word that can easily be found in a dictionary — English or otherwise.
Use at least eight characters (letters, numbers, symbols).
Don't let your Web browser remember your passwords. Public or shared computers allow others access to your password.

20. Safeguard #3 Workstation Security
“Workstations” include any electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
Log-off before leaving a workstation unattended.
This will prevent other individuals from accessing EPHI under your User-ID and limit access by unauthorized users.
Lock-up! – Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.
Lock your workstation (Cntrl+Alt+Del and Lock) – Windows XP, Windows 2000
Do not leave sensitive information on remote printers or copier.

21. Safeguard #4 Security for USB drives & Storage Devices
USB drives are new devices which pack
a lot of data in tiny packages.
e.g., 256MB, 512MB, 1GB.
Approved encrypted devices include: Lexar or Kingston Data Traveler
Safeguards:
Don’t store ePHI on USB drives
If you do store it, either de-identify it or use encryption software
Delete the ePHI when no longer needed
Delete temporary ePHI files from local drives & portable media too!
These safeguards applies to all portable devices which contain ePHI or PII. Apply same safeguards to zip disks, floppy disks, CDs, and local drives on computers!

24. Safeguard #6 Secure Remote Access
Standards for remote network access by laptops, home computers and PDAs (same standard as desktops at work):
Minimum network security standards are:
Software security patch up-to-date
Anti-virus software running and up-to-date on every device
Turn-off unnecessary services & programs
Physical security safeguards to prevent unauthorized access
Consider these also:
Host-based firewall software – running & configured
Placement to conceal screen content
No downloads from lesser known web sites
No peer-to-peer software, use only work related software
Apply these same standards to all portable devices & home PCs.

25. Safeguard # 7 Data Disposal: Clean devices before recycling
Destroy ePHI data which is no longer needed:
“Clean” hard-drives, CDs, zip disks, or back-up tapes before recycling or re-using electronic media.
Have an IT professional overwrite or destroy your digital media before discarding – via magnets or special software tools; and/or
Know where to take these items for appropriate safe disposal
Do not just donate an old workstation without cleaning the disks

26. Safeguard #8 E-Mail Security
is like a “postcard”. may potentially be viewed in transit by many individuals, since it may pass through several switches enroute to its final destination or never arrive at all!
s containing ePHI needs a higher level of security
Do not use personal accounts to communicate any information related to CUMC.
Do not send or forward s with ePHI from secure addresses to non-institutional accounts, e.g., Hot Mail, Google, Yahoo, etc.
Use secure, encrypted software, if available (e.g. WINZIP)
Security at the Subject Line: Avoid using individual names, medical record numbers or account numbers in unencrypted s

27. Safeguard #10 Report Information Security Incidents
You are responsible to:
Report and respond to security incidents and security breaches.
Know what to do in the event of a security breach or incident related to ePHI and/or Personal Information.
Report security incidents & breaches to:
Help Desk 305-HELP (ext )

28. Sanctions for Violators
Workforce members who violate policies regarding privacy / security of confidential /protected health information or ePHI are subject to corrective & disciplinary action.
Actions taken may include:
Department/Grant responsible for fines, penalties, notification costs etc.
Counseling & additional training
Suspension
Termination of access to applications
Violation of City, State and Federal laws may carry additional consequences of prosecution under the law
Knowing, malicious intent can = Penalties, fines, jail!

30. Information Security Reminders
Password protect computer/data
ENCRYPT!
Use Encryption for Portable Devices with PHI
Run Anti-virus &
Anti-spam software,
Anti-spyware
Use institutional
Keep office secured

31. HIPAA and Research HIPAA Research Use & Disclosures Form C
Authorization signed
by patient for
all clinical research
Form A
Waiver Criteria
applied before
records research
Form B
Exceptions Documented
Preparatory to research
Research on decedents
Form D & E
Limited
data-set
Form F
De-identified
Form G
Form C
Recruitment Waiver

32. HIPAA Form A Authorization signed by patient for all clinical research
TWO signatures required
Consent to participate in research
Authorization to USE information collected
If Consent is being obtain then HIPAA Authorization must also be obtained
Information Sheet – must include HIPAA language
Single signature - Combined consent and HIPAA authorization
International Research

33. HIPAA Form B Waiver Criteria applied before records research
Mostly retrospective medical record reviews
All 5 questions must be answered and must explain why subject consent/authorization is not practical.
Partial waiver of signed authorization is required when information sheet will be used
Can not waive authorization for records that do not belong to CUMC/NYP

34. HIPAA Form D & E Exceptions Documented Prepatory to Research & Decedent Data Research
Form D should be attached when investigator will review multiple records, schedules, or other items to identify potential candidates or if involved in preliminary research to establish a thesis
Form E - Research on decedents – Really only needed when research will focus exclusively on decedents.

35. HIPAA Form F Limited Data-set
SIGNED agreement when research will include DOB, Date of admission, surgery, event, MRN
Multi Center studies – whose Data Use Agreement
HIPAA form F is written to reflect that CUMC is the data owner.
Data sharing should not be initiated until document is fully executed
A lab not involved in research performing a paid function is a Business Associate not a research collaborator.

36. Form G De-identified Data
Assumes NONE of the 18 identifiers will be COLLECTED during research
Name, address, , telephone, photo, ss#, DOB, credit card number
A code or link back to source data is not permitted
International research may qualify for de-identified data if the code/link to identifiers is not brought back to CUMC / USA

37. FOR ADDITIONAL INFORMATION: