1 THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For Kirsten Ruzic Wild, RN, BSN, MBA, CHC September 11, 2009.

2 Objectives: Gain insight into the government's enforcement efforts; highlight the current level of health care entities' compliance (HIPAA COW Benchmarking Survey); understand the recent ARRA changes and their impact.

3 A little background: HIPAA Security establishes national standards for the security of electronic health care information (administrative safeguards, physical safeguards, technical safeguards). Enforcement authority was CMS.

4 A little background: HIPAA Security Rule requirements establish national minimum standards for the security of electronic health care information. Published February 2003; compliance deadline April 2005. Administrative, technical and physical safeguards (18 standards); implementation specifications are either Required (14) or Addressable (22).

5 HIPAA Security Rule goals: comprehensive, scalable and technologically neutral (flexible); protect the confidentiality, availability and integrity of electronic PHI ("ePHI"); assess YOUR risks and vulnerabilities; improve Medicare/Medicaid through increased effectiveness and efficiency.

6 HIPAA Security Rule Rule Goals “ Improve efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements to enable the electronic exchange of certain health information” 45 CFR Parts 160, 162, 164 – Final Rule

7 HIPAA Security Rule interpretation. Good thing: scalable and flexible. Bad thing: scalable and flexible. How do you know if you meet the standard? Are you certain you are compliant?

8 HIPAA Security Rule interpretation: lack of a standard; constantly changing technologies; complexity and variety of clinical applications; limited IT budgets; no CMS enforcement or oversight (for years). Interpretation? Why bother?

9 OIG audits and guidance, March 2007: audit of Piedmont Hospital, Atlanta. Non-specific findings ("significant vulnerabilities"); a leaked checklist of 42 questions/documents.

10 OIG audits and guidance, August 2007: audit of CMS (results released October 2008). Findings: no compliance reviews had been conducted in 2 years; CMS had "not provided effective oversight or encouraged enforcement of the HIPAA Security Rule"; CMS agreed to implement a formal audit process. CMS's defense: compliance is voluntary and enforcement complaint-driven.

11 OIG audits and guidance: no findings released. OIG committed to ongoing audits of covered entities nationwide for the next few months, to develop an understanding of how CEs interpret "flexible and scalable" ???

12 CMS, late 2007: Office of eHealth Standards and Services (OESS). CMS website, HIPAA Security Standard: sample document request list for an audit (42 items), the first insight into the federal interpretation. On-site reviews conducted since January 2008.

13 OCR/CMS auditing/enforcement. CMS, mid 2008: audited Providence Health and Services in cooperation with OCR. Failure to implement policies and procedures to protect PHI on portable media. First Resolution Agreement / Corrective Action Plan, posted on the OCR website; the only CMS audit results released.

14 OCR/CMS auditing/enforcement, Providence audit: no civil monetary penalty, for cooperating; audited by OCR and CMS jointly; complaint-triggered audit.

15 CMS enforcement statistics: the 3 standards generating the largest number of complaints are Information Access Management (Administrative Standard, 45 CFR 164.308(a)(4)(i)), Access Control (Technical Standard, 45 CFR 164.312(a)(1)) and Security Awareness and Training (Administrative Standard, 45 CFR 164.308(a)(5)(i)).

16 Conclusions: uncoordinated guidance, interpretation and enforcement. Information is spread across a variety of government websites (OIG, CMS, OESS, OCR, Department of Commerce / NIST) and is not easy to find. Where do you go from here?

17 New Enforcement As of August 3 rd, OCR is responsible for enforcement of HIPAA Security – not CMS “eliminate duplication and increase efficiencies”

18 HIPAA COW Security Networking Group Benchmarking Survey –March 2009 –Goals: »to provide benchmarking data to help organizations across the State determine their level of compliance with the regulations in preparation for a federal audit »Not to justify or support non-compliance »Determine if benchmarks (local?) exist

19 HIPAA COW Security Networking Group Benchmarking Survey 56 questions 10 categories Average of 76 responses to each question Respondents include: acute care hospitals, clinics/physician groups, long-term care facilities, payers, and integrated health care delivery networks From 2000 employees –Size of an organization had little effect on level of compliance

20 HIPAA COW: Benchmarking Survey Results - Encryption 54% of respondents indicated they encrypt –46% do not currently encrypt 34% of respondents indicated they encrypt laptop hard drives –66% do not encrypt laptops

21 HIPAA COW: Benchmarking Survey Results – Encryption. 30.7% (less than 1/3) are encrypting USB drives and other mobile devices; 26% indicated they do not encrypt any devices or data transmission.

22 Committee Interpretation: it was expected that organizations had implemented encryption techniques/solutions on more types of devices. Why not encrypting? Budget limitations; too difficult; IT not ready to administer; organizational policies prohibit transmission of PHI in or on portable devices; organizations may currently be implementing or testing to find solutions; belief that it is impossible to enforce.

23 Conclusions/Recommendations: all organizations should be capable of encryption; it is well-established technology, inexpensive and easy to implement. An "Addressable" standard? Per the OIG auditors' presentation in April, lack of encryption will fail an audit. Provide proactive solutions to your users.

24 HIPAA COW: Benchmarking Survey Results – Disaster Recovery 88.8% have a Disaster Recovery Plan –Those who didn’t tended to be smaller organizations 45.6% state their Plan covers every application 31.6% indicated their Disaster Recovery Plan covers only those applications that support basic business functions 89.4% state their Plan is documented

25 HIPAA COW: Benchmarking Survey Results – Disaster Recovery 50.6% test their Disaster Recovery Plan 39.5% did not answer the question Of those that answered the question (open-ended) as to how often they test their Disaster Recovery Plan, majority stated annually

26 Committee Interpretation Why not meeting the Standard? –Challenging as not a static condition –Very complicated –Cost/benefit analysis –Lack of consequences –Productivity pressures

27 Committee Interpretation Are these really disaster recovery plans or just disaster response plans? How does this compare or relate to plans for business continuity? Infrastructure recovery? Critical patient care systems? Possibly handled by other departments? Is the Plan being used?

28 Conclusions/Recommendations Required specification Prioritize applications Test in order of priority Consider the time it takes for the entire system to recover

29 Conclusions/Recommendations Recovery should be intrinsic to implementation of new applications Get started, start small Resolve with external resources – consultant Consider the potential consequences

30 HIPAA COW: Benchmarking Survey Results – Retention. 48.2% have a Retention Policy. 54.3% store all (45.7% do not store all); 73.1% store back-ups off-site. The length of retention is extremely variable (2 weeks to forever), dependent on application, retention policy, type of data and user preference.

31 Committee Interpretation: without a policy, in response to a legal discovery request, what would you produce? Once data is subject to discovery it must be kept (legal hold). Implications of e-discovery law.

32 Conclusions/Recommendations Must have a Record Retention Policy –Classify by data type or classification, not medium –Decision for retention is “what” data is retained and for how long, regardless of what format the data is in –Create a Records Retention Schedule –Educate and enforce the policy
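The recommendation above (classify by data type, not medium; decide "what" and "for how long"; then enforce) and the committee's point that anything subject to discovery must be kept can be expressed as a small decision routine. The following is an added example and is not part of the presentation or the HIPAA COW survey; the record classes, the retention periods other than the 6-year HIPAA documentation period (45 CFR 164.316(b)(2)), the hold identifiers and the sample records are all assumptions constructed for illustration.

```python
"""Retention decisions by data classification, with legal hold override.

Added example; not from the presentation or the HIPAA COW survey. The
schedule values (except the 6-year HIPAA documentation period), record
classes, custodians and hold identifiers are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule keyed by data CLASS, never by medium. None = permanent.
RETENTION_YEARS = {
    "hipaa_policy_document": 6,   # 45 CFR 164.316(b)(2): 6 years from creation/last effective date
    "medical_record": None,       # assumption: treated as permanent here; state law governs in practice
    "business_email": 2,          # assumption
    "system_backup_catalog": 1,   # assumption
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: date
    medium: str                      # "server", "tape", "usb": deliberately ignored by decide()
    custodian: str
    matter_tags: frozenset = frozenset()


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: frozenset = frozenset()
    matter_tags: frozenset = frozenset()

    def covers(self, rec: Record) -> bool:
        return rec.custodian in self.custodians or bool(rec.matter_tags & self.matter_tags)


def decide(rec: Record, holds: list[LegalHold], today: date,
           schedule: dict = RETENTION_YEARS) -> tuple[str, str]:
    """Return ("retain" | "dispose", reason). Holds win over the schedule."""
    active = [h.hold_id for h in holds if h.covers(rec)]
    if active:
        return "retain", "legal hold: " + ", ".join(active)
    if rec.data_class not in schedule:
        # Fail closed: unclassified data is kept until someone classifies it.
        return "retain", "unclassified: classify before disposition"
    years = schedule[rec.data_class]
    if years is None:
        return "retain", "permanent retention class"
    expiry = rec.created + timedelta(days=365 * years)   # approximation; ignores leap days
    if today >= expiry:
        return "dispose", f"past {years}-year retention (expired {expiry})"
    return "retain", f"within retention until {expiry}"


def run_schedule(records: list[Record], holds: list[LegalHold], today: date) -> list[tuple[str, str, str]]:
    """Evaluate every record; the result is the disposition worklist for the day."""
    return [(r.record_id,) + decide(r, holds, today) for r in records]


if __name__ == "__main__":
    # Constructed sample data (not real records).
    recs = [
        Record("E1", "business_email", date(2005, 1, 1), "tape", "jsmith"),
        Record("E2", "business_email", date(2005, 1, 1), "server", "jsmith"),
        Record("P1", "hipaa_policy_document", date(2005, 4, 20), "server", "privacy_office"),
        Record("X1", "scanner_export", date(2000, 1, 1), "usb", "radiology"),
    ]
    hold = LegalHold("H-2009-01", custodians=frozenset({"jsmith"}))
    for row in run_schedule(recs, [hold], date(2009, 9, 11)):
        print(row)
```

Note that E1 and E2 get the same answer although one lives on tape and the other on a server, and that the same e-mail flips from "dispose" to "retain" the moment a hold names its custodian; the schedule is applied to the class, and the hold is checked first.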

33 HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off, Network Level. 54.3% employ automatic log-out at the network level. Of those who do: 58.1% implemented log-out times of 10 to 30 minutes; 34.9% implemented log-outs of less than 10 minutes. Which means: 93% require log-out times of less than 30 minutes; only 7% have implemented log-out times at the network level of greater than 30 minutes.

34 HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off, Application Level. 66.3% employ log-outs at the application level. Of those who do: 52.8% have implemented log-out times of 10 to 30 minutes; 20% have implemented log-out times of less than 10 minutes. Which means: 73.6% require log-out times of less than 30 minutes; 26.4% have implemented log-out times at the application level of greater than 30 minutes.

35 HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off Physically secured If work stations are in a physically secured area: –65.4% still require an automatic log-out –34.6% do not use automatic log-outs

36 Committee Interpretation Log-out times at the network or application level should be less than 30 minutes Is this really a standard and is there really an increased risk? Longer log-out times might be acceptable in physically secured workstations or controlled environments (Surgery) – some risk is mitigated

37 Conclusions/Recommendations: log-out times at the network or application level should be less than 30 minutes. Even if you have workstations in areas considered to be physically secured, most organizations still require automatic log-out. Per the OIG auditors, use of generic accounts will fail an audit unless you can prove that level of access reaches no PHI. Clinical applications must authenticate the individual user; generic accounts, if used at all, belong at the network log-on layer only.
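An automatic log-out that only locks the screen leaves the application session alive; the application itself has to expire it. The following is an added example, not code from the presentation or from any product it mentions, of how a clinical application can enforce the idle limit server-side, with a shorter limit for workstations in open areas, a longer one for physically secured areas (the surgery case the committee raised), an absolute cap, and a refusal to start a clinical session from a shared network account. The limits, zone names and the shared-account list are assumptions; the survey only says the limit should be under 30 minutes.

```python
"""Server-side automatic log-off for a clinical application session store.

Added example, not from the presentation. IDLE_LIMIT, ABSOLUTE_LIMIT, the
zone names and SHARED_ACCOUNTS are assumptions; derive real values from
your own risk analysis. Times are epoch seconds passed in explicitly so
the behaviour can be exercised without a clock.
"""
from __future__ import annotations

from dataclasses import dataclass

IDLE_LIMIT = {"open": 10 * 60, "secured": 30 * 60}   # seconds; both under the 30-minute benchmark
ABSOLUTE_LIMIT = 12 * 60 * 60                        # end the session regardless of activity
SHARED_ACCOUNTS = {"generic_er", "ward3w"}           # assumption: shared network log-ons


@dataclass
class Session:
    user: str
    zone: str
    created: int
    last_activity: int


class SessionStore:
    def __init__(self):
        self._sessions = {}
        self.audit = []   # (time, token, user, event): feeds the access audit log

    def login(self, token: str, user: str, zone: str, now: int) -> bool:
        # Clinical applications must authenticate the individual, so a shared
        # network account is refused even if it unlocked the workstation.
        if user in SHARED_ACCOUNTS:
            self.audit.append((now, token, user, "login_refused_shared_account"))
            return False
        if zone not in IDLE_LIMIT:
            raise ValueError(f"unknown workstation zone {zone!r}")
        self._sessions[token] = Session(user, zone, now, now)
        self.audit.append((now, token, user, "login"))
        return True

    def touch(self, token: str, now: int) -> bool:
        """Validate a request at time `now`. False means the session is gone."""
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s.last_activity > IDLE_LIMIT[s.zone]:
            self._end(token, now, "idle_timeout")
            return False
        if now - s.created > ABSOLUTE_LIMIT:
            self._end(token, now, "absolute_timeout")
            return False
        s.last_activity = now          # sliding window: activity extends the session
        return True

    def reap(self, now: int) -> int:
        """Expire sessions whose user simply walked away; returns number ended."""
        expired = [t for t, s in self._sessions.items()
                   if now - s.last_activity > IDLE_LIMIT[s.zone]
                   or now - s.created > ABSOLUTE_LIMIT]
        for t in expired:
            self._end(t, now, "reaped")
        return len(expired)

    def logout(self, token: str, now: int) -> None:
        if token in self._sessions:
            self._end(token, now, "logout")

    def active(self) -> int:
        return len(self._sessions)

    def _end(self, token: str, now: int, event: str) -> None:
        s = self._sessions.pop(token)
        self.audit.append((now, token, s.user, event))


if __name__ == "__main__":
    store = SessionStore()
    store.login("t1", "nurse01", "open", 0)
    print(store.touch("t1", 9 * 60), store.touch("t1", 9 * 60 + 11 * 60))
    print(store.audit)
```

The reap() call is the part most often forgotten: a session that is never touched again never passes through touch(), so without a periodic sweep it stays valid on the server and never appears in the audit trail as ended.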

38 HIPAA COW: Benchmarking Survey Results – Passwords, Network Passwords. 46.9% require network passwords to be changed every 90 days or less; 37% require passwords to be changed after more than 90 days; 13.6% never require passwords to be changed. 92.4% have a minimum password length at the network level: 84% require passwords to contain 6-8 characters; 5.3% require network passwords to contain 9-12 characters. Which means: 89.3% require passwords to be at least 6 characters in length.

39 HIPAA COW: Benchmarking Survey Results – Passwords, Application Passwords. 45% require application passwords to be changed every 90 days or less; 33.8% require passwords to be changed after more than 90 days; 20% never require passwords to be changed at the application level. 86.1% have a minimum password length at the application level: 86.4% require passwords to contain 6-8 characters; 1.5% require application passwords to contain 9-12 characters. Which means: 87.9% require application passwords to be at least 6 characters in length.

40 Committee Interpretation: there appears to be clear agreement regarding password length. Are users allowed to determine how frequently their password is changed? Are password requirements for applications dependent upon the application?

41 Conclusions/Recommendations: consider the NIST recommendations. If you are an organization that never requires network passwords to be changed, it is highly recommended that you change your policy. If you are an organization that allows passwords to be less than 6 characters in length, it is highly recommended that you change your policy.

42 HIPAA COW: Benchmarking Survey Results – Portable Media. 63.8% indicate they have a policy covering portable/mobile devices (36.3% have no policy). 49.4% allow PHI to be loaded on portable media (50.6% do not allow PHI to be loaded). Of those who allow PHI to be loaded on portable media: 68.4% require the data to be password protected or encrypted; 31.6% have no requirement to password protect or encrypt the data.

43 HIPAA COW: Benchmarking Survey Results – Portable Media. 50% state their policy is that no PHI can be loaded on portable media. 78.9% indicate they are not confident they know the number of portable devices used by their employees; 21.2% are confident they know the number of portable devices used by employees. 72% of those who took the survey did not answer this question.

44 Committee Interpretation: the Committee finds this scary! Portable media containing PHI has triggered many of the initial complaints to federal agencies that resulted in investigations. We want to meet the 21.2% who are confident they know the number of portable devices used by employees.

45 Committee Interpretation If your policy states that PHI cannot be loaded on portable media, how do you audit or enforce? Without a policy, in response to a legal discovery request, what would you produce? Does encrypting a laptop solve this?

46 Conclusions/Recommendations: we still recommend having a written policy in place to hold employees responsible and accountable and to help protect the organization from an individual's wrongdoing, even if you are not sure how to enforce the policy or feel employees can still violate confidentiality rules. Don't forget about your vendors.

47 HIPAA COW: Benchmarking Survey Results – Remote Access 81.3% confirm they have a Remote Access Policy 86.1% also state they allow employees with remote access to access applications containing PHI 72.3% state they audit the remote access of employees

48 Committee Interpretation: if you allow remote access, how do you monitor or prevent printing of PHI? How do you protect internal networks from non-enterprise-owned PCs? Is limiting file transfers an option? Results were not dependent on the size of an organization.

49 Conclusions/Recommendations Really only 2 options: –Restrict the use of PCs not owned/controlled by organization –Run the risk and manage through policies, education and enforcement - attestation If you remove the driver on the terminal printer, users cannot print at home Utilize a VPN Create good policies and enforce them Consider your business objectives/alternative technologies

50 HIPAA COW: Benchmarking Survey Results – Auditing 53.9% responded that they conduct regularly scheduled audits to determine if PHI is accessed inappropriately –46.1% do not audit for inappropriate access –86.8%, indicate they have a formal sanction policy for employees who inappropriately access PHI

51 HIPAA COW: Benchmarking Survey Results – Auditing Dependent on the severity of the inappropriate access, these sanction policies include the following types of discipline: –53.7% formal, documented discipline –47.8% termination of the employee –44.8% suspension of the employee –9% formal prosecution –49.3% all of the above –4.5% utilize none of the above sanctions

52 Committee Interpretation: not really surprising. Auditing is very time-consuming and resource-dependent. Results were not dependent on the size of an organization. OIG auditors stressed the importance of having control over your systems; the emphasis is on the integrity of the data first, and then on the confidentiality of the data.

53 Committee Interpretation It is reassuring that so many organizations take discipline for violations so seriously Old legacy systems – auditing virtually impossible Do less auditing and do it well

54 Conclusions/Recommendations You must have a formal sanction policy that addresses HIPAA violations Must have audit log reports that capture any inappropriate activity Given the amount of emphasis the OIG places on audit logs, we need to do a better job with regular auditing – only ½ audit Establish thresholds for security – role-based access Document your restrictions
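What "audit log reports that capture any inappropriate activity" and "thresholds for security – role-based access" look like in practice is a review job run over the access log. The following is an added example, not from the presentation or the HIPAA COW survey, of that job: it reads constructed sample records and flags a clerk performing an action outside her role, a nurse opening a chart on another unit with no reason recorded, PHI access from a shared account (which the OIG auditors said fails an audit), and one user touching more distinct patients in a day than her role's threshold. The log format, roles, permitted actions and thresholds are assumptions; any real EHR will have its own fields, and the thresholds come from your risk analysis.

```python
"""Review EHR access logs for inappropriate PHI access.

Added example; not from the presentation or the HIPAA COW survey. The log
format, roles, permitted actions, thresholds and the sample records are
assumptions constructed for illustration.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Assumed policy: what each role may do, which roles are expected to stay on
# their own unit unless a reason is logged, and per-role daily volume thresholds.
POLICY = {
    "allowed_actions": {
        "RN": {"view_chart", "view_demographics"},
        "CLERK": {"view_demographics"},
        "CODER": {"view_chart", "view_demographics"},
    },
    "unit_bound_roles": {"RN"},
    "max_distinct_patients_per_day": {"RN": 20, "CLERK": 50, "CODER": 200},
    "shared_account_roles": {"SHARED"},
}


def _build_sample_log() -> str:
    """Constructed sample records (not real data)."""
    rows = [
        "timestamp,user,role,user_unit,patient,patient_unit,action,reason",
        "2009-09-10T08:01:00,nurse01,RN,3W,P1001,3W,view_chart,",
        "2009-09-10T08:05:00,nurse01,RN,3W,P1002,3W,view_chart,",
        "2009-09-10T08:40:00,nurse01,RN,3W,P2001,ICU,view_chart,",            # off unit, no reason
        "2009-09-10T08:45:00,nurse02,RN,3W,P2002,ICU,view_chart,rapid_response",  # off unit, reason logged
        "2009-09-10T09:00:00,clerk07,CLERK,ADMIT,P1001,3W,view_demographics,",
        "2009-09-10T09:02:00,clerk07,CLERK,ADMIT,P1001,3W,view_chart,",       # outside CLERK role
        "2009-09-10T12:00:00,generic_er,SHARED,ER,P3001,ER,view_chart,",      # shared account
        "2009-09-10T13:00:00,coder03,CODER,HIM,P4001,5E,view_chart,",         # coders work all units
    ]
    # One nurse opening 25 different charts on her own unit in one day.
    for i in range(25):
        rows.append(f"2009-09-10T14:{i:02d}:00,nurse09,RN,3W,P5{i:03d},3W,view_chart,")
    return "\n".join(rows) + "\n"


SAMPLE_LOG = _build_sample_log()


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def audit(log_text: str, policy: dict = POLICY) -> list[Finding]:
    findings = []
    touched = defaultdict(set)   # (user, role, day) -> distinct patients
    for row in csv.DictReader(StringIO(log_text)):
        user, role, action, patient = row["user"], row["role"], row["action"], row["patient"]
        if role in policy["shared_account_roles"]:
            findings.append(Finding(user, "shared_account",
                                    f"{action} on {patient} from a shared account"))
            continue
        # Unknown roles get an empty permission set, so they fail closed.
        if action not in policy["allowed_actions"].get(role, set()):
            findings.append(Finding(user, "role_violation",
                                    f"{role} is not permitted {action} (patient {patient})"))
        if (role in policy["unit_bound_roles"]
                and row["user_unit"] != row["patient_unit"]
                and not row["reason"]):
            findings.append(Finding(user, "off_unit_no_reason",
                                    f"{row['user_unit']} staff opened {patient} on {row['patient_unit']}"))
        touched[(user, role, row["timestamp"][:10])].add(patient)
    for (user, role, day), patients in touched.items():
        limit = policy["max_distinct_patients_per_day"].get(role, 0)
        if len(patients) > limit:
            findings.append(Finding(user, "volume_threshold",
                                    f"{len(patients)} distinct patients on {day} (limit {limit})"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.user:12} {f.rule:20} {f.detail}")
```

Each finding is a lead for a human reviewer, not a verdict: nurse02's off-unit access carries a logged reason and is not flagged, while nurse01's identical access without one is. The point of recording the reason at access time (break-the-glass) is exactly that it lets the review discard the legitimate cases and concentrate on the rest, which is what "do less auditing and do it well" asks for.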

55 Conclusions/Recommendations, old technology: you must make a good-faith effort with old technology; prove and document its limited capability; apply a standard of reasonableness; establish a policy, train and enforce. Determine real risks and audit based on risk. Don't collect data unless you are going to do something with it.

56 HIPAA COW: Benchmarking Survey Results – Training How often/when is HIPAA training conducted: –72.5% hold training annually –61.3% conduct this training at new employee orientation –30% indicate they only conduct training as needed –3.8% hold training semi-annually –1.3% indicate they do not conduct training –6.3% answered other

57 HIPAA COW: Benchmarking Survey Results – Training. 88.6% responded that they train 100% of their workforce; 11.4% indicate they do not train 100% of their workforce, and the vast majority of those are very large organizations. 35.9% train vendors, contractors or other non-employed members of their workforce; 64.1% do not train these members of their workforce.

58 HIPAA COW: Benchmarking Survey Results – Training. 96.2% state that training is mandatory for workforce members. 57.3% state training is not mandatory for all senior organizational leadership, including members of the BOD; 42.7% indicate training is mandatory for senior leadership. 89.5% of organizations require workforce members to sign an attestation acknowledging their HIPAA training.

59 Committee Interpretation Disturbing to see that the majority of respondents do not train their senior leadership - “tone at the top” BOD does not usually have access to PHI but they do need to understand the standards in the organization; requires a different level of training than the majority of the workforce.

60 Conclusions/Recommendations ALL employees, vendors and members of BOD must be trained  Education must occur prior to a new employee accessing the system Training must be truly mandatory, i.e., a condition of employment Signed attestations or Confidentiality Agreements are highly recommended “5 minutes of Security” Personal liability!!

61 HIPAA COW: Benchmarking Survey Results – E-Discovery Request 31.5% state they have a formal process in place to respond to an E-Discovery request – 68.5% indicate they do not have a process for responding to an E-Discovery request Only 19.2% respond that they have a written policy that addresses E-Discovery – 80.8% do not have a written policy

62 HIPAA COW: Benchmarking Survey Results – E-Discovery Request For those who have a written E-Discovery policy: –85% indicate the policy covers documents stored on the network –95% indicate the policy covers –20% indicate the policy covers other types of data

63 Committee Interpretation: an emerging issue, and a huge one. See the whitepaper.

64 Conclusions/Recommendations Know who leads this effort in your organization Address with your retention policy to determine how you are classifying your data

65 Conclusions Most significant risk: passive loss of data due to own inaction; failure to properly implement all the regulations resulting in non-compliant activity by authorized user Increased government scrutiny Target for audits still complaint-driven

66 American Recovery and Reinvestment Act (ARRA) Goals Stimulus Package February 17, 2009 “Making supplemental appropriations for job preservation and creation, infrastructure investment, energy efficiency and science, assistance to the unemployed, and State and local fiscal stabilization” ~One Hundred Eleventh Congress of the United States of America

67 HITECH Health Information Technology for Economic and Clinical Health Act (“HITECH”) Stimulus expenditures for development and adoption of Health Information Technology (“HIT”) Through Medicare and Medicaid reimbursement systems Utilization of an electronic health record (“EHR”) for each person in the United States by 2014 Adoption of EHR is critical to improvements in quality of care and ultimate cost savings “Meaningful Use”

68 ARRA Widespread adoption of EHR will not occur unless the public is assured that the privacy of their health information is secured Strengthen privacy and security protections for health information ARRA mandates increased enforcement

69 “A Computer lets you make more mistakes faster than any invention in human history – with the possible exceptions of handguns and tequila.” Mitch Ratcliffe

70 Opportunity and Challenge As we advance the use of health information technology Increase in EHR and interoperability = Increase risk to patient confidentiality = Increase in risk to health care entities

71 ARRA Expansion of HIPAA Rules Depends on who you are Covered Entity Business Associate Vendor

72 ARRA Changes – Covered Entities. Data breach notification: when a CE discovers (defined) that a breach (defined) of unsecured (defined) PHI has occurred, it must notify each individual (compare state law); timeliness and content provisions are specifically spelled out in the law; the burden of proof in demonstrating notification, including any delay, is on the CE; how to notify each individual is specified. Notification to the media if the breach involves more than 500 residents of a state or jurisdiction. Notification to DHHS: fewer than 500 individuals, keep a log and submit it annually; 500 or more individuals, immediately notify DHHS, which will post the name of the CE on its website.

73 ARRA Changes – Covered Entities If an organization has an EHR Right to Access and obtain a copy of their electronic PHI and to have this information additionally transmitted to another party; limitation on fees Right to request an Accounting of Disclosures of PHI, the CE must supply all disclosures, including those made by a BA or must provide a list of all BA and their contact information; compliance with this regulation is dependent upon date of implementation of an EHR

74 ARRA Changes – Covered Entities BA are now obligated to comply per regulation Revision of Business Associate Agreement –Ensure that BA has implemented the administrative, physical and technical safeguards of HIPAA Security –Specify that BA must comply with use and disclosure rules in HIPAA Privacy Rule –Negotiate security breach coordination –Agreement on reporting and dispute resolution

75 ARRA Changes – Covered Entities Minimum necessary or Limited Data Set Right to Request Restrictions Marketing communications and remuneration

76 ARRA Changes – Covered Entities Are your BA aware of their new regulatory obligations? What if they are not compliant? Can you contract with them?

77 ARRA Changes – Business Associates BA are now obligated to comply per regulation –February 18, 2010 HIPAA Security Rules –As if a CE –Administrative, Physical and Technical Safeguards Some provisions of the HIPAA Privacy Rules

78 ARRA Changes – Business Associates Data Breach Notification - when a BA discovers (defined) that a breach (defined) of unsecured (defined) PHI has occurred, notify the Covered Entity with specific information –this includes timeliness provisions specifically spelled out in the law –burden of proof in demonstrating notification, including any delay –BA are now obligated to comply per regulation by February 18, 2010

79 ARRA Changes – Business Associates New privacy and security requirements of ARRA –Minimum Necessary (defined) standards –Accounting of disclosures –Restrictions on disclosures –Access – if maintain patient information on behalf of CE –Marketing and remuneration

80 ARRA Changes – Business Associates Subject to criminal and civil penalties Also subject to penalties if fail to take action if aware that CE not in compliance with HIPAA Subject to federal audits –If you are a CE, why do you care? –Are you willing to risk contracting with a BA if they are not in compliance with HIPAA rules?

81 Heightened Enforcement: civil monetary penalty tiers, applying to CE and BA, with mandatory penalties for "willful neglect".

Level of intent/neglect          Per violation   Maximum penalty (per year)
Without knowledge                $100            $25,000
Based on reasonable cause        $1,000          $100,000
Willful neglect, corrected       $10,000         $250,000
Willful neglect, not corrected   $50,000         $1,500,000

82 Heightened Enforcement: state attorneys general gain authority to file suit on behalf of their residents, and courts can award damages, costs and attorney's fees related to HIPAA violations. HITECH creates no federal private right of action for individuals, though HHS is directed to develop a method for sharing collected penalties with harmed individuals. Employees/individuals are subject to civil and criminal penalties.

83 New Enforcement Report by HIT Standards Committee Recommend that if under investigation for violation of HIPAA Privacy or Security, CMS withhold meaningful use payment until the violation has been resolved Intent to disallow IT incentive payments if confirmed HIPAA violation goes unresolved Could any complaint trigger an investigation? Missed payments for the length of the investigation?

84 What is your greatest risk? Complaints from patients lead to investigations Data breach notification Most significant risk: passive loss of data due to own inaction; failure to properly implement all the regulations resulting in non-compliant activity by authorized user

85 ARRA Changes – Vendors Non-CE or BA Vendors of services related to Personal Health Records (“PHR”) –offer PHR –offer products or services through website –accesses info or sends info to a PHR

86 ARRA Changes – Vendors: Wisconsin Health Information Exchange ("WHIE"); Regional Health Information Organizations ("RHIO"); Maine HealthInfoNet, described as the country's largest statewide health information exchange; Google Health / Microsoft HealthVault, electronic health profiles; e-prescribing gateways.

87 ARRA Changes – Vendors. Breach notification requirements: to individuals and to the Federal Trade Commission ("FTC"), which notifies HHS. Non-compliance is treated as an "unfair and deceptive act or practice". Regulated by the FTC under its Health Breach Notification Rule, with FTC enforcement beginning February 2010.

88 Much more to come…… Creation of governmental bodies –Office of National Coordinator for HIT (“ONCHIT”) –HIT Policy Committee –HIT Standards Committee –Privacy Advisors in regional offices of HHS –National education initiative More than 20 guidances, regulations, reports and studies - coordinated through ONCHIT

89 Short “To Do” List CE –Make sure you have a handle on your BAA – revisions needed –Begin dialogue with BA –Make sure someone in your organization is staying informed –Educate, re-educate your staff –Educate your BA and vendors –HIPAA Hotline for patients –Check insurance coverage

90 Short “To Do” List BA –IMPLEMENT the REGS! –Make sure you have a handle on your BAA – revisions needed –Begin dialogue with CE – business advantage –Make sure someone in your organization is staying informed –Educate, re-educate your staff –Implement a hotline –Check insurance coverage

91 Short “To Do” List Vendors –Implement Data Breach Requirements –Make sure someone in your organization is staying informed –Educate your staff CE, BA, Vendors –Resources, resources, resources –Don’t wait any longer

92 Sinaiko Healthcare Consulting Conduct comprehensive Risk Assessments Assist in implementation of regulations Interpretation of regulations Development and implementation of Training Programs Creation of or revisions to Policies and Procedures Perform audits Assist/support of governmental investigations