1. 1 HIPAA Privacy and Security Update June 2009 Karen Pagliaro-Meyer Privacy Officer kpagliaro@columbia.edu (212) 305-7315 Soumitra Sengupta Information Security Officer sen@columbia.edu (212) 305-7035

2. 2 1.In the News - Privacy and Security Problems 2.Recent theft of electronic devices at CUMC 3.New Regulations - Privacy and Security 4.What you need to know about Patient Privacy 5.What you need to know about Information Security HIPAA Privacy and Security Update

3. 3  Disruption of Patient Care  Increased cost to the institution  Legal liability and lawsuits  Negative Publicity  Negative Patient perception  Identity theft (monetary loss, credit fraud)  Disciplinary action Consequences of Privacy or Security Failure

4. 4 In the News: Providence Health System  Lost 365,000 patient records when 10 backup tapes/disks were stolen from an employee’s minivan in 2006  Agreed to pay $100,000 in fines to the DOJ and implement a detailed Corrective Action Plan to safeguard electronic patient information  Providence reports they have spent over $7 million to respond to the breach including: Free credit monitoring for patients Hiring an independent forensic firm to investigate and make recommendations to improve the security of electronically stored patient information Negative media attention very damaging to their reputation

5.  A NYP employee (patient admissions representative) was charged with stealing almost 50,000 patient files and selling some of them.  The files stolen probably contained little or no medical information, but did include patient names, phone numbers and social security numbers--fertile ground for identity theft.  McPherson told investigators that a Brooklyn man offered him money in exchange for personal information on male patients born between 1950 and 1970.  McPherson then sold the man 1,000 files for $750. In the News: NewYork-Presbyterian

6. NNYP sent letters and offered free 2 year credit monitoring to all patients 50,000 * $15 = $750,000 +++ NNYP senior management were summoned by District Attorney’s office for explanation and steps to improve AAn Information Security Enhancement Task Force led by the COO was established, and a consultant was engaged to evaluate NYP security posture NNYP is currently implementing measures to improve information security

7. 7 Recent theft of electronic devices at CUMC  A large fire in a NYP/CUMC building with immediate evacuation of the entire building  An outside firm was hired to assist with the clean-up and repair of the building  When staff returned it was discovered that laptops, USB drives (thumb drives) and digital cameras had been stolen  Lesson learned – All equipment must be password protected. Portable equipment that includes patient information must also be encrypted.  Consider installing software like PC phone home that may assist in locating stolen portable devices

8. 8 New Regulations: HITECH Act (ARRA) (Health Information Technology for Economic and Clinical Health)  New Federal Breach Notification Law – Effective Sept 2009  Applies to all electronic “unsecured PHI”  Requires immediate notification to the Federal Government if more than 500 individuals effected  Requires notification to a major media outlet  Will be listed on a public website  Requires individual notification to patients  Criminal penalties apply to individual or employee of a covered entity

9. 9  Business Associates  Standards apply directly to Business Associates  Statutory obligation to comply with restrictions on use and disclosure of PHI  New HITECH Privacy provisions must be incorporated into BAA  Enforcement  Increased penalties for HIPAA Violations (tiered civil monetary penalties)  Increased enforcement and oversight activities  State Attorneys General will have enforcement authority and may sue for damages and injunctive relief. New Regulations: HITECH Act (ARRA)

10. 10 New York State SSN/PII Laws Social Security Number Protection Law  Effective December 2007  Recognizes SSN to be a primary identifier for identity theft  It is Illegal to communicate this information to the general public  Access cards, tags, etc. may not have SSN  SSN may not be transmitted over Internet without encryption  SSN may not be used as a password  SSN may not be printed on envelopes with see-through windows  SSN may not be requested unless required for a business purpose  Fines and Penalties

11. Information Security Breach and Notification Act  Effective December 2005  IF… Breach of Personally Identifiable Information occurs o SSN o Credit Card o Driver’s License  THEN… Must notify o patients / customers / employees o NY State Attorney General o Consumer reporting agencies 11 New York State SSN/PII Laws

12. 12 New Regulations – Red Flag rule Red Flag – Identity Theft Prevention Program  Requires healthcare organizations to establish written program to identify, detect and respond to and correct reports of potential identity theft  Educate all staff how to identify Red Flags and report them  Appoint program administrator & Report to leadership  FTC law includes fines and penalties $2,500 per violation  Business Associate Agreements will have to be revised to inform CUMC of any Red Flags involving CUMC data

13. 13 4. What you need to know about Patient Privacy  Notice of Privacy Practices  Business Associates  Authorization to Release Medical Information  Privacy Breaches  HIPAA and Research  HIPAA Education and Training

14. 14

15. 15

16. 16 Who is a Business Associate? Examples include:  billing  claims processing or administration  call service management  quality assurance  data processing or analysis  transcription services  utilization review  design or manage an electronic records system  accounting  accreditation  administrative  data aggregation  consulting  financial services  management

17. 17 Authorization to Release Medical Information Written Authorization required to release medical information Physician may share information with referring physician without an authorization “patient in common” All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review CUMC or NYP Authorization form

18. 18

19. 19 Privacy Breach  Privacy Breaches do not usually involve high profile patients  Most Privacy Breaches involve staff accessing medical information of friends, family members and co-workers  Implementation of CROWN (electronic medical record) will improve the availability of treatment information, but it will also make patient information more available  It is important that staff are aware that ANY access of medical information WITHOUT a business purpose will result in disciplinary action

20. 20 HIPAA and Research  In 2008 combined the Privacy Board and IRB review process  Improved communication between researchers, the IRB and the HIPAA research during the review process  Conducted several educational sessions with researchers and research staff to inform them of the review process and respond to questions  RASCAL research training program updated to include the HIPAA review process and respond to FAQ’s

21. 21 Professional and Support Staff Education Privacy and Security Education  New Hire Welcome Program Staff Education  On-line HIPAA Education (Professional Staff)  HIPAA for Researchers (RASCAL)  Email reminders / alerts  Department specific – as requested  HIPAA Web Site  HIPAA training for all staff will be increased

22. 22 What you need to know in Information Security

23. 23 Security Controls Laptop and File Encryption WinZip (password protect + encrypt) 7-zip (free, password protect + encrypt) Truecrypt (free, complete folder encryption) FileVault (folder encryption on Macintosh) Encrypted USB Drives Kingston Data Traveler Iron Key (Fully encrypted)

24. 24  Sharing Passwords –You are responsible for your password. If you shared your password, you will be disciplined even if other person does no inappropriate access  Not signing off systems –You are responsible and will be disciplined if another person uses your ‘not-signed-off’ system and application  Downloading and executing unknown software –If the software is malicious, you will lose your passwords and data. If the machine misbehaves, your machine will be disconnected from the network Types of Security Failure

25. 25 Digital Piracy statistics for Top Universities 2007 Rank Organization NameTotal 1MIT2,593 16University of Washington1,888 5Boston University1,408 2Columbia University985 6University Of Pennsylvania961 14Vanderbilt University886 10University of Massachusetts803 4Purdue University784 26Iowa State University719 -- BAY TSP 2008 Report BitTorrent & eDonkey are used the most !

26. 26  Sending EPHI outside the institution without encryption –Under HITECH you may be personally liable for losing EPHI data  Losing PDA and Laptop in transit with unencrypted PHI or PII –Under HITECH and NY State SSN Laws, you may be personally liable, and you will be disciplined for loss of PHI or PII  Not questioning, reporting, or challenging suspicious or improper behavior –You put the institution and areas under your supervision at risk Types of Security Failure

27. 27  Not being extremely careful with Social Security Numbers  First avoid SSN (and Driver’s License, Credit Card Numbers) REFUSE to take files or reports with SSN if you do not need them. Tell the sender to take SSN out before you will accept file or report.  Do not store SSN long-term DESTROY the file/report as soon as you are done with it. Delete the file from your computer, delete the email that brought the file, etc. Or, using an editor program, cut out SSN from the file. Types of Security Failure

28. 28  Not being extremely careful with Social Security Numbers (contd.)  Do not keep the complete SSN ERASE first 5 digits of SSN.  Encrypt SSN, and Obfuscate SSN If you must keep it, keep SSN in an encrypted file or folder. Do not show the SSN in an application, or show only the last 4 digits if that meets the needs. AUTHENTICATE again if complete SSN is shown, and LOG who saw the SSN. Ask why they must see the SSN. Types of Security Failure

29. 29  Do not abuse clinical access privilege, report if you observe an abuse (if necessary, anonymously)  Do not be responsible for another person’s abuse by neglecting to sign off, this negligence may easily lead to your suspension and termination  Do not copy, duplicate, or move EPHI without a proper authorization  Do not email EPHI without encryption to addresses outside the institution Methods to Protect against Failures

30. 30  Install anti-virus, anti-spyware solutions, update definitions daily  Install security patches  Use caution when viewing web pages, e-mail attachments, and using games and programs  Chose strong passwords, refuse to share it, change if you suspect a breach  Protect your laptop or PDA with a password, and turn on encryption on sensitive folders, including copies in CD, Floppy, USB storage devices, etc. Methods to Protect against Failures

31. 31

32. 32 PATIENT PRIVACY At some point in our lives we will all be a patient Treat all information as though it was your own