
1 HIPAA Privacy and Security Management Update January 28, 2008 Karen Pagliaro-Meyer Privacy Officer (212) 305-7315 Soumitra Sengupta.


1 HIPAA Privacy and Security Management Update
January 28, 2008
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315
Soumitra Sengupta, Information Security Officer, sen@columbia.edu, (212) 305-7035

2 HIPAA: PRIVACY vs. SECURITY: What's the Difference?
PRIVACY (WHAT): Refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.
SECURITY (HOW): Refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.

3 HIPAA Privacy and Security Update
Security Update
1. Policy & Procedure Update
2. HIPAA & SSN Asset Identification
3. Other Security Information
Privacy Update
1. Policy & Procedure Update
2. HIPAA Staff Education
3. Business Associate Agreements

4 Why do we care about HIPAA?
– Privacy Breaches
– George Clooney
– Information Security
– V.A. Hospital lost hard drive with patient medical and physician information
– Identity Theft
– Social Security Notification Act

5 1. Privacy Policy and Procedure Update
– Notice of Privacy Practices
– Notice – English and Spanish
– Acknowledgement form
– Posters
– Release of patient information
– Privacy and Security Audit tools
– Reporting Privacy Breach Allegation


11 2. Staff Education
Current Privacy and Security Education
– New Hire Staff Education
– On-line HIPAA Education (Professional Staff)
– HIPAA for Researchers (RASCAL)
Additional Education Planned
– Quarterly HIPAA Training for managers (refresher and new hire)
– Quarterly HIPAA Training for staff (refresher)
– Quarterly Email reminders / alerts
– Department specific – as requested
– Web Site

12 3. Business Associate
Definition: A person or organization who is not a member of your staff and not another healthcare provider, and who receives, uses, or discloses protected health information (patient information) in connection with providing any of the following services to or for your practice:

13 3. Who is a Business Associate?
Examples include:
– billing
– claims processing or administration
– call service management
– quality assurance
– data processing or analysis
– transcription services
– utilization review
– design or manage an electronic records system
– accounting
– accreditation
– administrative
– data aggregation
– consulting
– financial services
– management

14 HIPAA Information Security Recap
Confidentiality
– Prevent unauthorized access to or release of EPHI
– Prevent abuse of access (identity theft, gossip)
Integrity
– Prevent unauthorized changes to EPHI
Availability
– Prevent service disruption due to malicious or accidental actions, or natural disasters.

15 Regulation specification
Administrative Safeguards
– Policies and Procedures
– Responsibility
– Awareness and Training
– Incident Processing, Sanctions
Physical Safeguards
– Workstation Use and Security
– Facility Access Control
– Device and Media Control
Technical Safeguards
– Access Control
– Audit Control
– Encryption and Integrity control

16 Policies and Procedures: Information Security Best Practices
– Information Security Mgmt Process
– Information Access Mgmt & Control
– General Info Security
– Info Sec: Audit and Evaluation
– Workstation Use and Security
– Workforce Security Clearance, Term and Auth
– Info Sec: Backup, Device & Media Control
– Info Sec: Facility Access Control & Security
– Info Sec: Disaster Contingency & Recovery Plan
– Info Sec: Security Incident Procedure

17 Responsibility action items
Information Asset Owner responsibility
– Risk Assessment and management
– Implementation of Security Controls: Access, Authorization, Termination
– Audit and evaluation
– Disaster Contingency and Recovery Plan
– Additional information in Policy documents

18 Responsibility action items
Manager responsibility
– Workforce Clearance, Termination and Authorization
– Facilities access to sensitive information assets
– Education, security reminders, sanctions
End User responsibility
– "Acceptable Use"
– Safe practices
– Sensitivity towards patient privacy

19 Consequences of Security Failure
– Disruption of Patient Care
– Increased cost to the institution
– Legal liability and lawsuits
– Negative Publicity
– Identity theft (monetary loss, credit fraud)
– Disciplinary action

20 Types of Security Failure
Intentional Attacks
– Malicious Software (Bots, Spyware)
– Theft of copyrighted material (Torrent, Limewire, Emule, etc.)
– Stolen Passwords (Keyloggers, Trojans)
– Impostors e-mailing to infect and steal info (Phishing)
– Abuse of privilege (Employee/VIP clinical data)
…and an important development…

21 Privacy & Security Concerns
Risk to Clinical Information
– Loss of Laptops, USB/flash drives, CD/DVD, Blackberry/Palm, etc.
– Failure to safeguard equipment: physically locked / secured? Password protected? Encrypted? (e.g. Kingston DataTraveler Secure Privacy Edition USB Flash drive)

22 Types of Security Failure
Employee Carelessness
– Sharing Passwords
– Not signing off systems
– Downloading and executing unknown software
– Sending EPHI outside the institution without encryption
– Losing PDA and Laptop in transit
– Pursuing risky behavior – improper web surfing, and instant messaging
– Not questioning, reporting, or challenging suspicious or improper behavior

23 Methods to Protect against Failures
– Install anti-virus and anti-spyware solutions; install security patches
– Update definitions daily
– Use caution when viewing web pages and e-mail attachments, and when using games and programs
– Choose strong passwords, refuse to share them, and change them if you suspect a breach
– Protect your laptop or PDA with a password, and turn on encryption on sensitive folders, including copies on CD, floppy, USB storage devices, etc.

24 Methods to Protect against Failures
– Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)
– Do not be responsible for another person's abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
– Do not copy, duplicate, or move EPHI without proper authorization
– Do not email EPHI without encryption to addresses outside the institution

25 Methods to Protect against Failures
– Strictly follow the principles of 'Minimum necessary' and 'Need-to-know' for all accesses; the 3 fundamental missions of the institution are Care, Education and Research.
– Challenge improper behavior, question suspicious behavior, and report violations and security problems to the proper authorities: email hipaa@columbia.edu or security@cumc.columbia.edu, or call the Privacy Office (1-212-305-7315) or the CUMC IT Helpdesk (1-212-305-HELP)
– Communicate with colleagues and staff about secure and ethical behavior

26 HIPAA & SSN Asset Identification Project
Identify electronic storage of patient information and of any SSN (patient, provider, employee)
Storage includes:
– Applications, Databases, Files
– Application/Database/File servers, Workstations/PC/Laptops, USB/Flash devices, CD/DVDs, Home computers
Started on 12/7 by Bob Sideli, CIO, CUMC (cc to Chairs). So far:
– 43% of departments / centers have responded
– 83 assets with Social Security Numbers
– 70 assets with Protected Health Information

27 Information Systems Security

28 New York State SSN Laws
Information Security Breach and Notification Act – December 2005
– If… breach of Personally Identifiable Information: SSN, Credit Card, Driver's License
– Then… notify consumers, NY State, consumer reporting agencies
– Loss of 100s of thousands for notification and credit report help
– Penalties

29 New York State SSN Laws
Social Security Number Protection Law – December 2007
– Recognizes SSN to be the primary identifier for identity theft
– Illegal to communicate to the general public
– Access cards, tags, etc. may not have SSN
– SSN may not be transmitted over the Internet without encryption
– SSN may not be used as a password
– SSN may not be printed on envelopes with see-through windows
– Penalties
Identification of SSN assets is the first step towards reducing the risk of violating laws.
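One way to carry out the SSN asset identification that slides 26 and 29 call for, as an added example that is not part of the presentation or of CUMC's own tooling: a Python scanner that flags SSN-shaped values in text and applies the Social Security Administration's issuance rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid) so that phone numbers and obvious placeholders are not reported as assets. The sample file content is constructed, and findings are masked so the report itself does not become another SSN store.

```python
import re
from dataclasses import dataclass

# Candidate SSN: 3 digits, an optional dash/space, 2 digits, the same separator, 4 digits.
# The digit lookarounds stop matches inside longer runs such as account numbers.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


@dataclass
class Finding:
    line_no: int
    value: str   # the text as it appears in the scanned file
    masked: str  # what a report should show instead of the raw value


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 never issued; group 00
    and serial 0000 invalid. This removes most look-alike false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[Finding]:
    """Scan text line by line and return masked findings for plausible SSNs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _SSN_RE.finditer(line):
            area, group, serial = m.group(1), m.group(3), m.group(4)
            if is_valid_ssn(area, group, serial):
                findings.append(Finding(line_no, m.group(0), f"***-**-{serial}"))
    return findings


# Constructed sample file content (not real data) mixing SSN-shaped values with look-alikes.
SAMPLE = """\
Patient: J. Doe, MRN 4417722
SSN: 219-09-9999
Phone: (212) 305-7315
Employee ID 000-12-3456 is a placeholder, not an SSN
Badge 123456789 printed on card
Provider SSN 666-01-0001 should never issue
"""

if __name__ == "__main__":
    # A 9-digit run with no separators (line 5) is still reported: recall over precision.
    for f in find_ssns(SAMPLE):
        print(f"line {f.line_no}: {f.masked}")
```

Only lines 2 and 5 are reported; the phone number, the 000 placeholder and the 666 value are rejected, while the unseparated nine-digit badge is kept because discovery should err on the side of review.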
