Overview: HIPAA Guidelines for Security and Privacy July, 2001 Jack Buchanan, MSEE MD University of Tennessee Health Science Center.


HIPAA Security and Privacy Regulations
- Mandated by Congress via the Health Insurance Portability and Accountability Act of 1996
- Requirements for:
  - Data Interchange Standards
  - Data Security
  - Patient Privacy

HIPAA Security and Privacy Regulations
- The regulations were to have been established by a separate act of Congress
- An escape clause mandated HHS to write the regulations if Congress did not act by the deadline
- The regulations were issued during the final days of the Clinton administration, delayed, then affirmed by the Bush administration
- We now have “final” Privacy Regulations and “preliminary” Security Regulations

HIPAA Security and Privacy Regulations - Purpose
- To prevent inappropriate use of health information associated with an individual patient
- To require organizations that use health information to protect both the information and the systems that store, transmit, and process it
- Explicitly includes systems and procedures belonging to associates and subcontractors; requires “Chain of Trust” agreements

HIPAA Security and Privacy Regulations - Who?
Definitely apply if you are (or have a unit which is) a:
- Health provider
- Health plan
- Healthcare clearinghouse

HIPAA Security and Privacy Regulations - Who?
Maybe (probably) apply if you are affiliated with one of the above as a:
- Business Associate
- Contractor
- Consultant
- Researcher, if the data are personally identifiable

HIPAA Security and Privacy Regulations - When?
- Politics has made this a little difficult to determine
- The argument that they will NEVER go into effect has become MUCH less credible
- Working deadline: mid-2003

HIPAA Security and Privacy Regulations - What’s a covered entity to do?
Many requirements are specifically spelled out:
- Assign responsibility for security to a person or an organization
- Assess risks and determine the major threats to the security and privacy of protected health information

HIPAA Security and Privacy Regulations - What’s a covered entity to do?
- Establish a security management program that addresses:
  - physical security
  - personnel security
  - technical security controls
  - security incident response
  - disaster recovery

HIPAA Security and Privacy Regulations - What’s a covered entity to do?
- Certify the effectiveness of new or existing security controls
- Appoint a privacy officer and a point of contact for receiving privacy complaints
- Adopt a privacy policy and publicize the policy by giving notice to patients/partners

HIPAA Security and Privacy Regulations - What’s a covered entity to do?
- Privacy policies must have specific provisions, as regards protected health information, for:
  - Gaining consent and authorization
  - Restricting use and disclosure
  - Receiving and resolving complaints

HIPAA Security and Privacy Regulations - What’s a covered entity to do?
- Change contracts and business partner agreements to include a contractual requirement that partners handle protected health information properly
- Train the covered entity’s workforce, and business associates who work on the covered entity’s premises, to follow proper security and privacy policies and procedures

HIPAA Security and Privacy Regulations - What’s a covered entity to do?
- Document security and privacy policies and procedures, as well as the actions taken to ensure that the policies and procedures are enforced
- Provide only the minimum necessary information to fulfill the purpose of a request:
  - Provision of patient care is exempted
  - Clinical research information is NOT exempt

HIPAA Security and Privacy Regulations - Penalties for non-compliance
- Civil monetary penalties on a per-person, per-violation basis
- Very strong penalties for misuse with knowledge:
  - Significant fines
  - Prison
- Penalties potentially apply to:
  - The individual violator
  - The organization
  - Officers of the organization

What are the Guidelines?
- A document meant to help people in Academic Medical Centers (AMCs) who must form and run HIPAA-compliant operations.
- The Guidelines contain a section for each point of compliance in the HIPAA Privacy and Security regulations.
- Each “point” section focuses on explaining the regulation point and guiding an analysis of its impact on AMCs, with guidance for compliance.
- Other sections focus on the overall impact of the regulations for AMCs.
- Part of the intended value of the work is that it is a product of the key HIPAA leaders at several Academic Medical Centers and several related organizations (i.e. this comes from the people who will have to make their organizations compliant).

Key motivations for creating the Guidelines
- HIPAA Security/Privacy is a complex regulatory regime; having several interested parties analyze the regs helps ensure a thoughtful analysis.
- AMCs are complex organizations in which to implement HIPAA; having several parties who are knowledgeable of this environment do the analysis helps ensure a relevant analysis that is sensitive to the variety of circumstances in AMCs.

Key motivations for creating the Guidelines
- AMCs need an AMC group norm for what is “reasonable”; this would help ensure high-quality, rational-cost implementations that are in the spirit of the “adoption” principle in the HIPAA law. (WEDI is being asked to recommend the Guidelines to HHS.)
- Walking the talk; the participating AMCs wanted the Guidelines for themselves and for the wider industry.
- The document is available at the website (amc-hipaa.org).

Why are AMC environments worthy of special attention?
AMCs typically have operations that present challenges to security and privacy management due to several factors. AMCs typically are:
- DECENTRALIZED MANAGEMENT: composed of facilities that are managed by a diverse group of people and interests,
- DIVERSE MISSIONS: combined clinical, educational, and research efforts,
- HIGH PROFILE PATIENTS: caring for VIPs, celebrities, and other people at times when their health status is of public interest,
- LARGE: physically large, with a large staff,
- SPECIALIZED: tending to have large numbers of people involved in a single patient’s care,
- MULTI-PARTNERED: holding partnerships and special programs with industry, government, and other AMCs that bear on activity in the clinical area.

How were the Guidelines formed?
- The idea: evolved from discussions among people working with AAMC, WEDI, NLM, and Internet2 to bring representatives from several academic medical centers together in a series of workshops to create guidelines for implementing the HIPAA Privacy and Security regulations in AMCs. Also, to use the workshops to explore what AMC needs were in this area and how relevant organizations might find common cause with the AMCs on this issue.
- The result: a series of workshops, with many nationally known AMCs and related organizations represented, in which the Guidelines have been developed.

Participating AMCs
- Duke University Health System
- Emory University
- Johns Hopkins Medical Institutions
- Kaiser Permanente
- Mayo Clinic
- Oregon Health Sciences University
- Osaka Medical College
- Texas A&M University System Health Science Center
- Texas A&M University
- University of Alabama at Birmingham
- University of Arizona Medical Center
- University of Michigan Health System
- University of Pennsylvania
- University of Tennessee Health Science Center
- University of Texas Southwestern Medical Center
- Veterans Health Administration
- Yale University School of Medicine

Sponsoring Organizations
- Association of American Medical Colleges (AAMC)
- Internet2
- National Library of Medicine (NLM)
- Object Management Group (OMG)

Supporting Organizations
- CPRI-HOST
- North Carolina Healthcare Information and Communications Alliance (NCHICA)
- Health Care Financing Administration (HCFA)
- Healthcare Computing Strategies, Inc. (HCS)
- Southeastern Universities Research Association (SURA)
- Workgroup for Electronic Data Interchange (WEDI)

The Goals of the Workshop Process
- Develop: to develop guidelines for implementation of the HIPAA Security and Privacy regulations which AMC HIPAA leaders could use to guide their institutional approach.
- Share: to share the load and improve the result in an area that we would otherwise have to take up independently.
- Focus: to ensure focus on the special issues that AMCs have with security and privacy.
- Self-regulate: to have the Guidelines submitted to WEDI for recommendation as part of its advisory role in HIPAA.
- Norm: to foster a reasonable group norm on HIPAA compliance for AMCs by creating and sharing guidelines that AMCs may implement.
- Collaborate: to further develop points of collaboration with related national groups.
- Guidance only: the process was designed to provide guidance only; no advocacy for “stronger” or “weaker” regs is included.

What’s Next for this work/group?
- Evolution: there is a general expectation that changes in the regs and improvements in the content will emerge over the next couple of years as others read and use the material.
- Use of materials: anyone is free to use the material provided that they preserve the copyright and note to prospective users/customers of derivative material that the original document and any updates will be freely available at amc-hipaa.org.
- Follow-on activities: we expect there to be value in having a group with continuing activities for AMCs in privacy and security at the national level, and are pursuing opportunities related to this.

What’s next here?
A tour of the document to give you a better feel for its content and its utility. Thanks!