
"I haven't heard of HIPAA, but I can hip hop."

HIPAA Security Standards Final Rule: Some Tips & Updates for HME/Rehab Providers. Mark J. Higley, Vice President - Development, The VGM Group

In this Presentation: Privacy Rule status; a quick update on TCS; an introduction to the Security Standards.

Let’s Get Started!

By Now, You All Know what HIPAA is…right? Healthcare In Pain And Agony (again)

The Big Picture: implementing the HIPAA standards does not have to be a major burden on the average HME/Rehab provider, least of all an economic one.

Privacy Rule In Effect. The Privacy Rule compliance date (April 14, 2003) has passed, yet many providers are still not compliant. As of February 2004, OCR (the HHS office responsible for HIPAA Privacy) had received 4,266 complaints of HIPAA privacy violations since the rule took effect.

Primary reasons for the complaints: incidental disclosure of individually identifiable health information; lack of adequate safeguards; not providing a copy of records to patients; disclosure of more than the minimum necessary information; failure to give notice of privacy practices.

But… OCR has closed 42% of these cases. Most were resolved, a course of corrective action was taken, or an investigation found no violation. Bottom line: no fines have been levied as a result of a HIPAA privacy violation!

Confused by some of the details of the Privacy Rule? The HIPAA Privacy Rule remains a source of great confusion among providers and others in the health care community. VGM can help! Just call or e-mail. Consultation is free to all!

Training is Required! All employees and members of your work force who have access to protected health information need HIPAA training! This PowerPoint will assist you in satisfying the training requirement!

For governmental information on HIPAA: e-mail your questions to CMS, call the CMS HIPAA Hotline, or log onto the CMS HIPAA web site. For Privacy inquiries only: check the OCR web site or call OCR.

For information on HIPAA that you can understand (!!): e-mail your questions to VGM, or call.

Before we discuss the Security Standards…. Let’s Get A Quick Update on TCS (that’s electronic transactions and code sets).

Electronic Transactions, Many Months Past the October 16, 2003 Compliance Date. As many expected, there is trouble in the government's "paradise of standardization". Slower payments, poor customer service, and confusion over what is or is not allowed in terms of paper claims are just a smidgen of the reported problems.

It will take more time to sort out exactly what is going on and where the problems lie. Examples: promised companion documents that never came; a lack of published contingency plans; one large payer has stopped accepting electronic claims because of discrepancies in formats.

This has a negative impact on HME providers who have been used to submitting electronically Some are dropping back to paper claims…and cash flows suffer as the paper claims are processed.

But… As You Know… Medicare & most state Medicaid agencies still accept electronic claims in a proprietary format (operating under a “contingency plan”). For the latest information on your particular state’s contingency plan please review its “HIPAA Implementation Status Update and Contingency Plan Information” at the appropriate Medicaid website.

Let’s Discuss Medicaid State contingency plans include the capability to continue to accept and process existing formats, including data values and codes within these formats.

Old Formats OK. States will continue to accept existing formats and codes for a period of time, until their individual trading partners have successfully completed testing of the HIPAA-compliant electronic transactions. State contingency plans also include accepting existing formats that have been generated by converting HIPAA-compliant formats.

Testing Update. To date, testing of these transactions has been limited. Consequently, the conversion of data between formats depends on the ability of the clearinghouse or software vendor to correctly translate the data required for adjudication, and to do so in a timely fashion.

Formats & Codes Medicaid strongly encourages providers to instruct their billing services and software vendors to continue using current formats and codes, until these entities have demonstrated to the providers successful HIPAA testing results with all parties involved in transmitting electronic claims to payers.

Let’s get back to the Security Standards!

Introduction To a great extent, the Security Rule puts the HIPAA spotlight on your information technology/systems staff. Whether you have just one information system manager or a full CIO with I/T staff, these “technical executives” must develop and implement cost-effective organization-wide security programs.

Of course, your entire management team should play an important strategic planning role before practical measures are implemented. As healthcare organizations look toward developing annual budgets, the executive team should be asking such questions as:

What are the security risks to my organization - and which are the highest priority? What measures should be considered for our plan to reduce risk and become HIPAA Security compliant? How much should we budget (money, resources) for security?

Why Comply with the Security Rule? HIPAA and good business practices dictate that we safeguard patient information entrusted to us. But…perhaps just as importantly, the standards address security risks that could severely affect your business operations!

Potential Risks: Loss of financial cash flow Permanent loss or corruption of electronic protected health information (ePHI) Temporary loss or unavailability of medical records Loss of physical assets (computers, etc.) Damage to reputation and public confidence Threats to patient safety Threats to employee safety

The Standards… Will be effective April 21, 2005 for healthcare providers. Apply only to "Electronic Protected Health Information" (EPHI) that a healthcare provider (like every covered entity) "creates, receives, maintains, or transmits".

The Standards… Are separated into three groups: Administrative Safeguards Physical Safeguards Technical Safeguards.

Less Specific Than the Privacy Rule! The final Security standards are essentially a model for information security, with less specific guidance on how to implement it.

General Requirements of the Standards… Ensure: Confidentiality (only the right people see it) Integrity (the information is what it is supposed to be – it hasn’t been changed) Availability (the right people can see it when needed)

General Requirements: protect against reasonably anticipated threats or hazards to the security or integrity of the information; protect against reasonably anticipated uses and disclosures not permitted by the Privacy Rule; ensure compliance by the workforce.

Regulation "Themes": Scalability/Flexibility (*). Healthcare providers can take into account: size; complexity; capabilities; technical infrastructure; cost of procedures to comply; potential security risks. (*) Remember these terms from the Privacy Rule???

Regulation “Themes” Technologically Neutral What needs to be done, not how Comprehensive Not just technical aspects, but behavioral as well

How HHS Is Attempting To Accomplish This: develop standards that are required, and include "implementation specifications" which provide additional detail and can be either required or addressable.

What did you just say??? (OK, We thought that might confuse some of you. Let’s try it again!)

Try again: The new Security rules, just like the Privacy rules, have "standards" - what must be done by healthcare providers to comply…. And "implementation specifications" – which include “how to do it”.

Before we get too detailed…. Q. What about some model forms, policies and procedures, like we had for the Privacy Rule??? A. Good question! HHS has promised more specifics in the future and will provide model guidance documents.

And… VGM will compile these documents, adapt them to HME/Rehab, and will make them available to providers…probably on the Web site. As the compliance date is not until 2005, we have a little time!

OK…Back to the specifics…what's "Addressable"? If an implementation specification is addressable, a healthcare provider must assess whether it is reasonable and appropriate in its environment, and then can: implement it, if it is reasonable and appropriate; implement an equivalent alternative measure, if that is reasonable and appropriate; or not implement it at all, if neither is. Whichever way you go, the rule requires you to document the decision and the reasoning behind it.

Again…the standards are separated into three groups (*): Administrative Safeguards; Physical Safeguards; Technical Safeguards. (*) We've developed a chart that lists all of the standards and includes whether implementation is required or "addressable". See your handouts!

Administrative Safeguards… Make up 50% of the Security Rule's standards (9 of the 18). In general, they require documented policies and procedures for day-to-day operations; for managing the conduct of the workforce in relation to the protection of ePHI; and for managing the selection, development, implementation, and maintenance of security measures.

Give me an example of an Administrative Safeguard OK. All healthcare providers must designate a "security official," to be "responsible for the development and implementation of the policies and procedures" required by the Security Rule

Physical Safeguards… Are a series of security measures meant to protect a healthcare provider’s electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion. The measures include both administrative policies and physical controls.

Give me an example of a Physical Safeguard. OK. Workstation security. This standard requires "implementation of physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users."

Technical Safeguards… Are made up of several security measures that specify how to use technology to protect EPHI.

Give me an example of a Technical Safeguard. OK. "Access control": the technical policies and procedures for electronic information systems that maintain EPHI, which allow access only to those persons or software programs that have been granted access rights.

“Implementation Specifications” As noted before, these three safeguard categories are further divided into "implementation specifications" that define how each of the standards is to be implemented. In some cases, the standard itself contains enough information to describe implementation requirements, so there is no separate specification.

I Heard We Must Purchase Encryption Software!! First of all…encryption of data in transit is addressed in the Technical Safeguards under the "transmission security" standard (encryption of stored EPHI appears separately, as an addressable specification of the access control standard). Transmission security covers the technical security mechanisms that guard against unauthorized access to EPHI being transmitted over an electronic communications network.

… The standard has two implementation specifications, both of which are addressable: integrity controls, and encryption. The first calls for "security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of." The second calls for "a mechanism to encrypt electronic protected health information whenever deemed appropriate."

Encryption not required!! The standard does not mandate any particular mechanism, such as encryption, for all transmissions. Instead, the healthcare provider decides, following its own risk analysis (*), what degree of protection is appropriate in each circumstance, and documents that decision. "Addressable" means the question must be assessed and the answer written down; it does not mean the question can be skipped. (*) We'll discuss "risk analysis" next…

Risk Analysis The HIPAA Security Rule requires healthcare providers to have a risk management program in place to evaluate the value of the assets, the potential for a loss or disclosure, and the cost of additional countermeasures.

Risk Analysis: it is a Required specification! Possible resource: NIST Risk Management Guide for Information Technology Systems (SP 800-30).

Risk Analysis Steps (we’ll go through each one of these in a minute…) Review data systems Identify threats/vulnerabilities Evaluate security controls Assess likelihood Consider impact Determine risk

Review Data Systems Hardware Software Data storage locations Modes of data transit Data sensitivity Primary Users

Identify Threats Natural/Environmental disasters, such as electrical storms, flood, tornado, chemical spills Human threats, such as accidental data erasure or entry, hackers, computer viruses, theft Vulnerabilities, such as internal weaknesses or flaws

Evaluate Security Controls Preventive: Access restrictions Password authentication Effective staff training Environmental controls Detective: Audit trails Alarms

Assess likelihood Of each identified threat With consideration to controls Accidental data erasure but files are backed up every night?? High, Moderate, Low ?

Consider Impact Of data release manipulation temporary or permanent inaccessibility Temporary data erasure but files are backed up every night?? High, Moderate, Low ?

Determine Risk: combine the likelihood determination with the impact assessment. Moderate likelihood, low impact: sufficient controls in place? High likelihood, high impact: additional protections needed.
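The six steps above, carried through as a small risk register. This is an added example, not VGM's or HHS's material: the three qualitative levels, the likelihood-by-impact matrix, the rule that credits an existing control with one level of reduction, and the sample threats and controls for an HME provider are all assumptions made for illustration (NIST SP 800-30 shows a similar 3x3 matrix, but each provider picks its own). The point it makes that the slides only hint at: the same threat (accidental erasure) rates very differently once the nightly backup and staff training you already have are credited, while a threat with no controls behind it rises to the top of the list.

```python
"""Qualitative risk register following the six steps on the slides (added example).

Levels, matrix and sample data are illustrative assumptions, not HHS or NIST values.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = ["Low", "Moderate", "High"]

# Likelihood x impact -> risk rating. The matrix is an assumption; NIST SP 800-30
# shows a similar 3x3 table, but each provider settles on its own.
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",  ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High",         ("High", "High"): "High",
}


def lower(level: str, steps: int = 1) -> str:
    """Drop a qualitative level by `steps`, never below Low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class Threat:
    name: str
    asset: str          # from the "review data systems" step
    likelihood: str     # inherent, before existing controls are credited
    impact: str


@dataclass
class Control:
    name: str
    kind: str           # preventive / detective / recovery (the slide lists the first two)
    reduces: str        # "likelihood" or "impact"
    threats: frozenset[str]  # the threats this control actually addresses


@dataclass
class RiskEntry:
    threat: str
    asset: str
    residual_likelihood: str
    residual_impact: str
    rating: str
    applied_controls: list[str]
    decision: str


def assess(threats: list[Threat], controls: list[Control]) -> list[RiskEntry]:
    """Steps 3-6: credit existing controls, rate residual risk, decide, rank highest first."""
    register = []
    for t in threats:
        lik, imp, applied = t.likelihood, t.impact, []
        for c in controls:
            if t.name not in c.threats:
                continue
            if c.reduces == "likelihood":
                lik = lower(lik)
            else:
                imp = lower(imp)
            applied.append(f"{c.name} ({c.kind})")
        rating = RISK_MATRIX[(lik, imp)]
        decision = ("Additional protections needed" if rating == "High"
                    else "Sufficient controls in place")
        register.append(RiskEntry(t.name, t.asset, lik, imp, rating, applied, decision))
    # Highest residual risk first; sorted() is stable, so ties keep input order.
    return sorted(register, key=lambda e: -LEVELS.index(e.rating))


# Constructed sample data for an HME provider; not drawn from any real assessment.
SAMPLE_THREATS = [
    Threat("Accidental data erasure", "Billing server (ePHI database)", "Moderate", "High"),
    Threat("Theft of unencrypted laptop", "Field technician laptop", "Moderate", "High"),
    Threat("Computer virus", "Front-office workstations", "High", "Moderate"),
    Threat("Unauthorized record access by staff", "Patient records application", "High", "Moderate"),
]
SAMPLE_CONTROLS = [
    Control("Nightly backup", "recovery", "impact", frozenset({"Accidental data erasure"})),
    Control("Staff training", "preventive", "likelihood", frozenset({"Accidental data erasure"})),
    Control("Antivirus with daily updates", "preventive", "likelihood", frozenset({"Computer virus"})),
    Control("Role-based access restrictions", "preventive", "likelihood",
            frozenset({"Unauthorized record access by staff"})),
    Control("Audit trail review", "detective", "impact",
            frozenset({"Unauthorized record access by staff"})),
]

if __name__ == "__main__":
    for e in assess(SAMPLE_THREATS, SAMPLE_CONTROLS):
        print(f"{e.rating:8} {e.threat:38} {e.decision}  controls={e.applied_controls}")
```

The register is the document the "Document!" slides keep asking for: each entry records which controls were credited and why the decision came out as it did, so the reasoning can be shown to an auditor and revisited when a system or a control changes.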

Quick review of standards

Administrative Standards ((R) = required, (A) = addressable). Security Management Process: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R). Assigned Security Responsibility (no separate implementation specification).

Administrative Standards. Workforce Security: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A). Information Access Management: Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A).

Administrative Standards. Security Awareness and Training: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A). Security Incident Procedures: Response and Reporting (R).
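Two of the specifications just listed, Information System Activity Review (required) and Log-in Monitoring (addressable), come down to somebody actually reading the access logs. The script below is an added example, not part of the presentation or any VGM material: it runs two simple reviews over a dozen constructed billing-system log lines. The "timestamp key=value" log format, the thresholds (five failures within ten minutes, business hours of 07:00 to 19:00 on weekdays) and every user, patient and address in the sample are assumptions; substitute your own system's format and your own policy values.

```python
"""Information system activity review and log-in monitoring over constructed
access-log lines (added example; the log format and thresholds are assumptions)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a billing system's access log. Not from any real system.
SAMPLE_LOG = """\
2004-03-02 08:02:11 user=mhiggins event=LOGIN_OK ip=10.0.4.12
2004-03-02 08:03:40 user=mhiggins event=RECORD_VIEW patient=P10021 ip=10.0.4.12
2004-03-02 12:45:09 user=tech01 event=LOGIN_FAILED ip=10.0.4.77
2004-03-02 12:45:31 user=tech01 event=LOGIN_FAILED ip=10.0.4.77
2004-03-02 12:46:02 user=tech01 event=LOGIN_FAILED ip=10.0.4.77
2004-03-02 12:46:50 user=tech01 event=LOGIN_FAILED ip=10.0.4.77
2004-03-02 12:47:15 user=tech01 event=LOGIN_FAILED ip=10.0.4.77
2004-03-02 12:47:40 user=tech01 event=LOGIN_OK ip=10.0.4.77
2004-03-02 23:12:05 user=billing2 event=LOGIN_OK ip=10.0.4.30
2004-03-02 23:12:44 user=billing2 event=RECORD_VIEW patient=P10458 ip=10.0.4.30
2004-03-02 23:13:01 user=billing2 event=RECORD_VIEW patient=P10459 ip=10.0.4.30
2004-03-03 09:15:00 user=rn_smith event=RECORD_VIEW patient=P10021 ip=10.0.4.41
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list[dict]:
    """Turn 'timestamp key=value ...' lines into dicts carrying a real datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the review
        ev = dict(KV_RE.findall(m.group(2)))
        ev["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Log-in monitoring: accounts with >= threshold failures inside a sliding window.
    Each account is reported once, with a note of whether a success followed the burst
    (a guessed password is the case you most want a human to look at)."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("event") == "LOGIN_FAILED":
            failures[ev["user"]].append(ev["ts"])
    findings = []
    for user, stamps in failures.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                followed = any(e.get("event") == "LOGIN_OK" and e["user"] == user
                               and e["ts"] > stamps[end] for e in events)
                findings.append({"user": user, "count": end - start + 1,
                                 "first": stamps[start], "last": stamps[end],
                                 "then_succeeded": followed})
                break
    return findings


def after_hours_access(events, start_hour=7, end_hour=19):
    """Activity review: record views outside business hours or on weekends."""
    out = []
    for ev in events:
        if ev.get("event") != "RECORD_VIEW":
            continue
        ts = ev["ts"]
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            out.append({"user": ev["user"], "patient": ev.get("patient"), "ts": ts})
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in failed_login_bursts(evs):
        print("LOGIN BURST", f)
    for f in after_hours_access(evs):
        print("AFTER HOURS", f)
```

On the sample, the review flags tech01 (five failures in just over two minutes, then a successful login) and billing2's two record views at 23:12. Neither is proof of anything; the Response and Reporting specification is about having a procedure for who looks at these findings, and how quickly, rather than about the script itself.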

Administrative Standards. Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A).

Administrative Standards. Evaluation (no separate implementation specification). Business Associate Contracts and Other Arrangements: Written Contract or Other Arrangement (R).

Physical Standards. Facility Access Controls: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A). Workstation Use (no separate implementation specification).

Physical Standards. Workstation Security (no separate implementation specification). Device and Media Controls: Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A).

Technical Standards. Access Control: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A). Audit Controls (no separate implementation specification).

Technical Standards. Integrity: Mechanism to Authenticate ePHI (A). Person or Entity Authentication (no separate implementation specification). Transmission Security: Integrity Controls (A); Encryption (A).
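The two transmission security specifications discussed earlier (integrity controls, and encryption) and the Integrity standard's "mechanism to authenticate ePHI" are distinct for a reason, and the example below is added here to show it; it is not from the presentation or from VGM. It uses a keyed hash (HMAC-SHA256, from the Python standard library) as the integrity control over a constructed claim record: the receiver detects any modification in transit, which is exactly what the specification asks for, but the patient data is still readable to anyone on the wire, which is what the separate encryption specification is for. The record, key handling and wire format are assumptions for illustration. For a real link you would use TLS or an authenticated-encryption library rather than assemble the pieces yourself; the point here is what each piece does and does not buy you.

```python
"""Integrity control for ePHI in transit: HMAC-SHA256 over the message (added example).
Shows that a tampered message is rejected, and that integrity alone does not hide content."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def protect(record: dict, key: bytes) -> bytes:
    """Serialize the record canonically and append a hex HMAC-SHA256 tag on its own line.
    Canonical serialization matters: sender and receiver must hash identical bytes."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify(wire: bytes, key: bytes) -> dict | None:
    """Return the record if the tag checks out, None if it was modified or malformed."""
    try:
        body, tag = wire.rsplit(b"\n", 1)
    except ValueError:
        return None  # no tag line at all
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison: a plain == leaks how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def tamper(wire: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an in-transit modification of the body; the tag is left untouched."""
    body, tag = wire.rsplit(b"\n", 1)
    return body.replace(old, new) + b"\n" + tag


def is_readable(wire: bytes, token: bytes) -> bool:
    """Integrity is not confidentiality: the ePHI is still plaintext on the wire."""
    return token in wire


# Assumptions for the example: a shared key provisioned out of band with the trading
# partner (never sent alongside the data), and a constructed claim line for a CPAP device.
SAMPLE_KEY = secrets.token_bytes(32)
SAMPLE_RECORD = {"patient_id": "P10021", "hcpcs": "E0601", "dx": "sleep apnea", "units": 1}

if __name__ == "__main__":
    wire = protect(SAMPLE_RECORD, SAMPLE_KEY)
    print("accepted:", verify(wire, SAMPLE_KEY))
    forged = tamper(wire, b'"units":1', b'"units":9')
    print("tampered accepted?", verify(forged, SAMPLE_KEY) is not None)
    print("patient id visible on the wire?", is_readable(wire, b"P10021"))
```

Two practical consequences follow. First, the key is the whole control: if it travels with the data or is shared by every partner, the tag proves nothing. Second, because the body is readable, the risk analysis of the path (a point-to-point line to one payer versus the open Internet) is what decides whether the addressable encryption specification is also reasonable and appropriate for that transmission, and that decision gets written down either way.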

Regulation Dates. Published: February 20, 2003. Compliance dates: April 21, 2005 for all covered entities except small health plans; April 21, 2006 for small health plans.

Implementation Approach: do the risk analysis (document it); based on the analysis, determine how to implement each standard and implementation specification (document!); develop security policies and procedures (document!); train the workforce; implement the policies and procedures; evaluate periodically.

Security Summary Scalable, flexible approach Standards that make good business sense One year, one month to implementation!

You will want to begin to: establish and document policies and procedures relating to information security; establish physical safeguards for computer systems, equipment and buildings; review technical security measures that protect the confidentiality and integrity of information and that control and monitor access; safeguard systems against external threats.

Important! You should not panic and think Security is going to cost you a fortune. Don't let vendors talk you into purchasing encryption or other "safeguards" that your own risk analysis has not called for. Think before you buy, and let common sense and reason be your other guide!

FINAL COMMENTS

And finally, remember : Be Flexible Be Scalable (& Don’t forget reasonable!)

Remember: the Privacy Rule is now in effect!

START NOW!