HIPAA & HITECH Briefing Information Security & Privacy

2 HIPAA & HITECH Briefing: Information Security & Privacy
Soumitra Sengupta, PhD, Information Security Officer
Karen Pagliaro-Meyer, Privacy Officer
Columbia University Medical Center
Thursday, June 28, 2012

3 AGENDA
Information Security
- Office for Civil Rights HIPAA Audit Program
- CUMC Risk Management Program
- Security Trends
Privacy
- Office for Civil Rights Update
- Breach Notification
- Omnibus Regulations
- Business Associates
- Training & Education

4 Latest on HIPAA Information Security
- Increase in healthcare data breaches
- Higher fines from the Office for Civil Rights (OCR)
- Cost of breaches at healthcare organizations is higher
- Breaches are more likely with mobile devices and with business associates
- Unprotected Protected Health Information (PHI) on the cloud has become a breach
- OCR has initiated the HIPAA audit program (more regulations are coming!)

6 HIPAA timeline of events
- HIPAA Privacy: 2003
- HIPAA Security: 2005
- HITECH, Breach Notification (ARRA): 2009
- First fine of $4.3M to Cignet Health: Feb 2011
- OIG letter to OCR and ONC: May 2011
- OCR HIPAA audit planning: July 2011
- Booz Allen Hamilton selects 150 audit candidates: Dec 2011
- KPMG completes first 20 audits: Mar 2012
- KPMG will complete 115 audits: Dec 2012

9 Level 1 > $1B, Level 2 between $300M and $1B, Level 3 between $50M and $300M, Level 4 small practices
Providers: 3 physicians, 3 hospitals, 1 lab, 1 dental, 1 nursing facility, 1 pharmacy

10 Initial 20 Findings Analysis

13 Security: Initial 20 Findings Analysis

17 Established Performance Criteria
OCR published Audit program protocol… June 2012

Section | Established Performance Criteria | Key Activity | Audit Procedures | Implementation Specification
§ (a)(1): Security Management Process | § (a)(1)(ii)(a) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health infor... | Conduct Risk Assessment | Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant doc... | Required
§ (a)(1)(i): Security Management Process | Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information. Consideration... | Acquire IT Systems and Services | Inquire of management as to whether formal or informal policy and procedures exist covering the specific features of the HIPAA Security Rule information systems § (a) and (b). Obtain and review formal or informal policy and procedures and eval... |
§ (a)(1)(ii)(D): Security Management Process | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Develop and Deploy the Information System Activity Review Process | Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and p... |

Callouts on the slide:
…to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
…77 bullet points for information security
…88 bullet points for privacy

18 CUMC OCR Risk Management Process
- Initiated in Fall 2010
- Center-wide PHI asset discovery processes
- A risk management (security) questionnaire based on HIPAA, HITECH, CoBIT, PCI DSS for PHI applications (HITRUST)
- Application owners and custodians fill in the questionnaire
- Information Security evaluates responses, conducts vulnerability scans ("hacking activity")
- Critical and High risks are addressed with owners and custodians with urgency
- Application is certified and is permitted to operate officially
- Rinse and repeat

19 CUMC OCR Risk Management: New steps
- Risk analysis process identifies common, high-risk areas
- Institution must have a Risk compliance committee consisting of senior management … which deliberates, discusses, addresses and mitigates PHI risks, helps prioritize risks and controls, allocates funds, and manages the risk management program
- Examples of risks include:
  - Generic: PHI leakage; improper access of PHI; unavailability of PHI
  - Specific: use of personal mobile devices at the workplace; inadequacy of the business continuity plan for research

20 CUMC Application Risk Analysis status

21 Information security trends
- The Bring Your Own Device ("BYOD") revolution, …but separate personal storage systems from workplace data, and vice versa
  - No Gmail for PHI, period
  - No personal tax forms in cubmail
  - Share control of personal devices if used to access workplace data
    - Mobile Device Management
    - Network Access Control

22 Information security trends
- How to hold 3rd parties (including Business Associates) responsible for security at their end - Cloud
  - Contracts need to be specific for HITECH
  - If BAs are required to follow HIPAA explicitly, it will help
  - Choose 3rd parties who understand HIPAA and will sign the BAA
- Monitoring user behavior with institutional access and data
  - Monitoring and Surveillance are related
  - Try not to conduct personal business at the workplace

23 Information security trends
- Application security is a big issue, with SQL injection and cross-site scripting
  - It is important to hire a programmer who knows security
  - It is important to hire a system administrator who knows security
  - It is crazy to hire a programmer who knows no security
  - It is crazy to hire a system administrator who knows no security
- Observation: We are in the midst of a culture change!!

24 Information security trends
Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! (repeated across the whole slide)
We better encrypt (with strong passwords)!!

25 Privacy Information Security HIPAA Program

27 Hot Topics and Potential Risk Areas
- Cyber Security Incidents
- Disposal of Device Security
- Mobile Healthcare
- Use of Social Media
- Cloud Computing
- Meeting Meaningful Use Requirements
- Business Associates, Vendors, Contractors
- Security Breaches
- Security Incident Response
- Physical Security
- Disaster Recovery and Business Continuity Planning
- Increased Enforcement
- Privacy & Security Training

40 HIPAA/HITECH Fines, Penalties & Enforcement
- 2003 – Minimal enforcement reported
- OCR reaches four (4) settlements and issued one Civil Monetary Penalty (CMP)
- 2012:
  - BCBS Tennessee fined $1.5 mil for stolen unencrypted hard drive (3/13/2012)
  - HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards; fined $100,000 (4/13/2012)
  - South Shore Hospital (Mass.) fined $750,000 for unencrypted tapes (5/30/2012)

41 June 25, 2012

42 Business Associate
Business Associate - a person or entity that performs or assists with certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. CFR
OCR proposed rule to apply HIPAA civil and criminal enforcement and penalties directly to BAs in addition to contractual liability.

43 Business Associates
- Important for departments to identify when a business associate agreement is needed.
- Proposed new rule may require new agreements with existing business associates.
- Proposed rule includes e-Prescribing Gateways, Personal Health Records (PHR), subcontractors of Business Associates & Health Information Exchange (HIE) organizations.

44 Examples of Business Associates
- Billing organizations, collection vendors & claims processing companies
- Software Support / Data Administration (electronic applications with access to PHI); examples include: CROWN, GE, Siemens & IDX
- Data analysis / processing – e.g. research
- Quality Assurance & Customer Satisfaction services
- Medical record/information storage and destruction companies
- Accreditation organizations
- Consultants – business, financial, medical etc.

45 Breaches Affecting Over 500 Individuals

46 Basic Elements of a Privacy Program
- Policies: Effective, Communicated, Enforced
- Training: Areas of Risk, Sanctions
- Audit Controls: Evaluate, Monitor, Enforce
- Consistent Corrective Action

47 Workforce Training & Education
Faculty, staff & student education include both HIPAA Privacy & Information Security requirements
- Welcome Program for new faculty & staff
- New student education: medical, nursing, dental & physical therapy
- On-line training for new faculty, staff and students
- Refresher / remedial HIPAA training
- Department, role & program specific training
- HIPAA training for research staff
- Periodic reminders
- Annual Officers & Faculty Briefing

48 Mark McDougle

49 COLUMBIA UNIVERSITY MEDICAL CENTER CONFIDENTIALITY AGREEMENT
I understand that I may have access to electronic, printed, or spoken confidential information, which may include, but is not limited to, information relating to:
- Patients - including Protected Health Information (PHI), records, conversations, patient financial information, etc.;
- Employees - including salaries, employment records, disciplinary actions, etc.;
- Students - including enrollment, grade and disciplinary information;
- Research - including PHI created, collected, or used for research purposes;
- CUMC - including but not limited to financial and statistical records, strategic plans, internal reports, memos, peer review information, communications, proprietary computer programs, source code, proprietary technology, etc.;
- Third party information - including computer programs, client and vendor proprietary information, source code, proprietary technology, etc.;
- PHI and Personal Identifying Information (PII) used in other contexts.

Accordingly, as a condition of, and in consideration of my access to confidential information, I promise that:

1. I will use confidential information only as needed by me to perform my legitimate duties as defined by my relationship (faculty, employment, student, visitor, consulting, etc.) with CUMC. I will not access confidential information which I have no legitimate need to know. I will not in any way divulge, copy, release, alter, revise, or destroy any confidential information except as properly authorized within the scope of my relationship with CUMC. I will not misuse or carelessly handle confidential information. I understand that it is my responsibility to assure that confidential information in my possession is maintained in a physically secure environment.

2. I will safeguard and will not disclose to any other person my access code (password) or any other authorization code that allows me access to confidential information. I will be responsible for misuse or wrongful disclosure of confidential information that may arise from sharing access codes with another person and/or for failure appropriately to safeguard my access code or other authorization to access confidential information. I will log off computer systems after use. I will not log on to a system or access confidential information to allow another person access to use that system. I will report any suspicion or knowledge that my access code, authorization, or any confidential information has been misused or disclosed without CUMC authorization. I will not download or transfer computer files containing confidential information to any non-NYP/CUMC authorized computer, data storage device, portable device, telephone, or other device capable of storing digitized data. I will only print documents containing confidential information in a physically secure environment, will not allow other persons access to printed confidential information, will store all printed confidential information in a physically secure environment, and will destroy all printed confidential information when my legitimate need for that information ends in a way that protects the confidentiality of the information.

3. I will follow CUMC policies and procedures regarding the use of any portable devices that may contain confidential information, including the use of encryption or other equivalent method of protection.

4. I acknowledge my obligation to report to the CUMC Privacy Officer any practice by another person that violates these obligations or puts CUMC, its personnel, or its patients at risk of a disclosure of confidential information.

5. I will only use my Columbia account to send and receive messages that may include confidential information and will not use it to send confidential information to other parties outside of Columbia/NYP without protection to prevent unauthorized access.

6. If I am involved in research, any research utilizing individually identifiable protected health information will be performed in accordance with federal, state, local and Institutional Review Board policies.

7. If I no longer need confidential information, I will dispose of it in a way that assures others cannot use or disclose it, including following the Information Technology policy for disposal of printed confidential information or electronic equipment that may contain confidential information.

8. I understand that my communication using the Columbia University information network is not private and the content of my communication may be monitored to protect the confidentiality and security of the data.

9. I understand that my obligation under this Agreement will continue after termination of my relationship with CUMC.

10. I understand that I have no right or ownership interest in any confidential information referred to in this Agreement. CUMC may at any time revoke my access code, or access to confidential information. At all times during my relationship, I will act in the best interests of CUMC.

May 2011

50 Additional Training Information
- New online training program to be purchased by Columbia University: Rocket Ready
- Implementation expected in 2013
- The training program will include HIPAA Privacy & IT training modules, track staff completion, produce reminders, reports etc., and provide an effective method to deliver regular education for all workforce members

51 What is your responsibility?
- Evaluate education of your workforce
- Review / monitor high-risk / problem areas: encryption, portable devices, paper record storage, business associates and access to medical information
- Enforce policies & procedures with staff
- Request assistance / additional guidance when indicated

52 Additional Resources
HIPAA web page:
Information Security web page:
Office for Civil Rights web page:
Research and HIPAA web page:

53 Soumitra Sengupta, Information Security Officer, (212)
Karen Pagliaro-Meyer, Privacy Officer, (212)
