1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

2 Agenda  Role of CMS  Security Rule Overview  CMS’ HIPAA Security Strategy  Providence Resolution Agreement  Summary & Conclusion  Q&A

3 Role of CMS  CMS has delegated authority to enforce the non-privacy provisions of the HIPAA regulations:  Transactions and Code Sets  Identifiers (NPI, EIN)  Security  CMS is responsible for HIPAA enforcement as well as:  Regulatory/Policy Interpretation  Outreach and Education  Guidance and FAQs  New Regulations (including other ehealth related issues e.g. eRx)

4 Security Rule Overview  Applies to Electronic Protected Health Information (EPHI) that a covered entity creates, receives, maintains, or transmits  Scalability/Flexibility  Based on organization size, complexity, technical capabilities and infrastructure, cost of security measures and potential security risks  Technologically Neutral  Describes “what” needs to be done vs. “how” it is to be done  Standards are required but the implementation specifications may be either required or addressable

5 CMS’ HIPAA Security Strategy  CMS takes a three-prong approach to HIPAA Security. The three prongs are:  Outreach & Education  Enforcement  Compliance Reviews

6 Outreach and Education Efforts  Federal and Non-Federal Collaboration  Develop/Disseminate Educational & Guidance Materials  Security Papers 1. Administrative, Physical and Technical Safeguards 2. Basics of Risk Analysis and Risk Management 3. Implementation for the Small Provider  Frequently Asked Questions  Security Compliance Review Checklist  Remote Use and Access Guidance  The materials can be found on the CMS Website at: (under the link for Regulations and Guidance).

7 Outreach & Education - Remote Use & Access Guidance Rationale  Increased risk to protected health information  Associated with increased remote access to EPHI  Increase in workforce mobility  Increase in use of portable media storage devices  Recent security related incidents  Reported loss or theft of devices containing EPHI  Reported access to health information by unauthorized users

8  Published December 28, 2006  Reiterates requirements of the HIPAA Security Rule  Identifies strategies consistent with organizational capabilities (Scalable and Flexible)  Pertains to Access, Storage and Transmission of EPHI  Three categories of action highlighted: 1. Conducting Security Risk Assessment 2. Developing and Implementing Policies and Procedures 3. Implementing Mitigation Strategies Outreach & Education - Highlights of Remote Access Guidance

9 HIPAA Security Enforcement – Current Process  Review complaint to determine validity and scope  Notify “Filed Against Entity” (FAE) of complaint  Request specific documents from the FAE  Assess documents to determine if they: 1. Demonstrate compliance 2. Demonstrate the need for a Corrective Action Plan (CAP)  Monitor CAPs to completion  Close complaint upon demonstration of compliance  Issue closure correspondence to all parties

10 HIPAA Security Enforcement – Overlapping Complaints  CMS and the Office for Civil Rights (OCR) collaborate on cases that overlap the Security and Privacy Rules  Approximately 70% of the CMS Security cases are referrals from OCR  Majority of Security complaints – allegation of inappropriate access and risk of inappropriate disclosure

11 HIPAA Security Enforcement - Complaint Categories  Unauthorized access to EPHI  Employees or relatives accessing EPHI  Loss or theft of devices containing EPHI  Small volume of complaints; large volume of records  Insufficient access controls for systems containing EPHI  Shared passwords  Encryption  CMS has received 350 Security Rule complaints  102 cases are open  248 case have been resolved

12 Onsite HIPAA Security Compliance Reviews  Contracted with Price Waterhouse Coopers (PwC) for 10 reviews in 2008  Reviews place emphasis on remote use and access issues  CMS publishes de-identified post-review information  Initial target:  Entities against whom a complaint has been filed and  Reported risk to security of large volume of records  The compliance reviews will be used as a tool to achieve voluntary compliance

13  Compliance reviews have revealed several key areas of vulnerability to include: 1. Lack of encryption for portable devices and media 2. Lack of verification of role-based access privileges  Reviews have resulted in CAPs that include: 1. Policies and procedures for remote use/access 2. Designation of internal security audit personnel  Compliance review cases are generally closed when CMS verifies completion of CAP Onsite HIPAA Security Compliance Reviews - Continued

14 OIG Security Audit Initiative  Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule  The recent OIG review of Piedmont Hospital highlighted issues related to:  Technical safeguard vulnerabilities for wireless communications  Vulnerabilities involving physical access to electronic information systems and the facilities  Administrative safeguard vulnerability related to business associate contracts

15 Providence Resolution Agreement – What Does it Mean?  Background:  Case involved 386,000 unencrypted patient records  $100,000 resolution amount paid to HHS  3 year corrective action monitoring  Significance:  Landmark case – First resulting in monetary fine  Sets the stage for similar action for similar cases  Represents the evolution of CMS’ enforcement efforts

16 Summary & Conclusion  Security provides opportunity and obligation  CMS’ three-pronged approach:  Outreach and Education  Enforcement  Compliance Review  Consequences of non-compliance:  Loss of resources  Loss of time  Loss of TRUST

17 Discussion and Questions