HIPAA

Posted: 11/10/2011
Health Insurance Portability & Accountability Act (HIPAA) 1996

Introduction
Privacy Rule
Security Rule

Acknowledgments

Material is from:
• HIPAA Compliance, Carlene Dalgleish
• Legal Issues in Information Security, Joanna Lyn Grama

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Contributor: Misty Lowery
Reviewers:

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Reasons for Legislation

• Records of patients or insurance claims made publicly available by accident
• Email reminder to take Prozac sent to 600 (not blind cc'd)
• Woman fired from job after positive review but expensive illness
• 35% of Fortune 500 companies admitted checking medical records before hiring or promoting
• People avoid using insurance when they have AIDS, cancer, STD, substance abuse or mental illness

Medical Identity Theft:

When a person's name and other parts of his/her medical identity are stolen for the purpose of getting medical services and goods.

Medical Identity Theft: Problems

• Medical info is for wrong person
  • Inaccurate health records
  • Wrong diagnosis
  • Fatal treatments
• Imposter claims health care
  • Medical Insurance Fraud
  • Inaccurate Credit History: Bills sent elsewhere

Medical Identity Thieves:

Who can commit this crime?
• Computer hackers
• Members of organized crime rings
• Health care providers (doctors, dentists, hospital employees)

2003: An employee at a cancer center stole the identity of a center patient. The identity thief was sentenced to 16 mos. in prison and ordered to pay restitution.

2006: A desk clerk at a Florida clinic stole the health info of over 1,000 patients. The clerk sold the data to another person. That person used the information to submit $2.8M in fraudulent Medicare claims to the U.S. government.

Business Challenges Facing the Health Care Industry

• Hospital computer systems contain notes from hospital employees and primary care physicians.
• Health Insurance Companies collect and compile patient data from different providers.

Organizations MUST maintain the security of computer systems that hold health data.

HIPAA

• Introduced by Senators Edward Kennedy & Nancy Kassebaum
• Portability: Workers can continue health care between different employers
  • Group insurance cannot reject, not renew, or charge higher premiums to certain individuals
• Simplify administration by creating a health care transaction standard
• Accountability:
  • Penalties for non-compliance
  • Tax provisions

HIPAA Titles

• Title 1: Health Care Insurance Access, Portability, and Renewability
• Title 2: Preventing Health Care Fraud & Abuse, Administrative Simplification, Medical Liability Reform
• Title 3: Tax-related Health Provisions
  • Standardizes medical savings accounts
• Title 4: Application and Enforcement of Group Health Insurance Requirements
• Title 5: Revenue Offsets
  • Defines how employers can deduct company-owned life insurance premiums from income tax

Title 2 Has Three Rules

Transactions, Code Sets, and Identifiers: Standards for electronic transmission
• Electronic Data Interchange: Standardized records for health care transactions

The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information

The Security Rule: Security Standard for electronic patient health

Criminal Penalties

$ Penalty    | Imprisonment    | Offense
Up to $50K   | Up to one year  | Wrongful disclosure of individually identifiable health information
Up to $100K  | Up to 5 years   | …committed under false pretenses
Up to $500K  | Up to 10 years  | …with intent to sell, achieve personal gain, or cause malicious harm

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

Health Care Organization: Covered Entities (CE)

• Health plan (e.g., HMO, PPO)
• Health care Clearinghouse
• Health Care Provider (e.g., doctor, hospital)

[Diagram of the three covered entities; link labels: Standard bills/records, Standard bills/records, Nonstandard bills/records]

Health Care Organization: Business Associates (BA)

A Business Associate works for Covered Entities (CE): Health plan, Health care Clearinghouse, Health Care Provider

Performs:
• Claims Processing
• Transcription
• Billing
• Data Analysis

• Independent organization
• Work involves health info
• Not bank or post office

Protected Health Information (PHI)

• Health Information: Relates to physical or mental health or past/present/future payment
• Individually Identifiable Health Information: Created or maintained by CE or BA
• Identifiers: Name, SSN, city or county, zip code, phone or fax, medical record #, fingerprint

Protected Health Information (PHI): Covered by HIPAA

If YOU had AIDS, how could such identifiers identify you?

Treatment, Payment & Health Care Operations (TPO)

• Treatment: Provision & coordination of health care among health care providers, including referral
• Payment: Any activities involved in compensation for health care: billing, determining coverage or eligibility, analyzing services
• Health Care Operations: Administrative functions related to health care: financial or legal or quality improvement, training, certification, case mgmt, business planning

HIPAA Standard Transactions

[Diagram of transactions among Health plan (e.g., HMO, PPO), Health Care Provider (e.g., doctor, hospital) and Plan Sponsor (Employer)]

• Health Plan Eligibility Inquiry
• Health Plan Premium Payment
• Enrollment or Disenrollment into Health Plan
• Certification & Authorization of Referral
• Health Care Claim
• Health Care Claim Status Request
• Health Care Claim Payment

Breach Notification Laws

The Oregonian, May 2006
In one of Oregon's largest security breaches, Providence Health System disclosed that a burglar stole unencrypted medical records on 365,000 patients kept on disks and tapes left overnight in an employee's van

State Laws, called Breach Notification Laws, require CEs to notify patients when their PHI has been breached

If data is encrypted and laptop is lost, notification is not required

This often applies to any industry that uses personal information, such as Social Security Numbers

HITECH: Health Information Technology for Economic and Clinical Health Act (2009)

Breach Notification Rule
• Introduced notification requirements
• PHI shall be encrypted in a way that is approved by HHS.
• PHI shall be shredded or destroyed and disposed of properly.
• Specifies how to notify individuals and agencies if a breach of information occurs

The Genetic Information Nondiscrimination Act of 2008

• Protects against some types of genetic testing discrimination.
• Insurance companies can't make eligibility decisions based on genetic testing results.
• Insurance companies can't base cost of premiums on genetic testing results.
• Employers can't hire, fire or make job decisions based on the use of genetic testing.
• Employers/Health Insurance Plans cannot require genetic testing.

The HIPAA Privacy Rule

Privacy Rule: CEs Shall Develop Policies

• CEs shall develop policies, procedures, and standards for how they will adhere to the Privacy Rule. How will the CE:
  • use and disclose PHI?
  • protect patient rights?
• CEs shall regularly review policies and procedures
• CEs shall update policies when new requirements emerge
• CEs shall monitor that policies/procedures are consistently applied throughout the organization

Privacy Rule: No NonHealth Usage of PHI

The National Law Journal, May 30, 1994
A banker who also served on his county's health board cross-referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer.

Health information is not to be used for nonhealth purposes, unless an individual gives explicit permission

Privacy Rule: Need-to-Know Access

Washington Post, March 1, 1995
The 13-year-old daughter of a hospital employee took a list of patients' names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them they were diagnosed with HIV.

Employees should have access only to what is absolutely required as part of their jobs.
• What individuals should have access to PHI?
• What categories of PHI should individuals have access to?
• What conditions are required for access?
• How will Business Associates & Trading Partners be informed and controlled?

Privacy Rule: Protections against Marketing

Boston Globe, August 1, 2000
A patient at Brigham and Women's Hospital in Boston learned that employees had accessed her medical record more than 200 times.

CE must obtain permission before sending any marketing materials, with limited exceptions

Privacy Rule: Establish Privacy Safeguards

Required:
• Shut or locked doors
• Keep voice down
• Clear desk policy
• Password protection
• Auto screen savers
• Privacy curtains
• Locked cabinets
• Paper shredders

Not Required:
• Soundproof rooms
• Redesign office space
• Private hospital rooms (semiprivate ok)
• OK for doctors to talk to nurses at nurse stations

Safeguards should be REASONABLE

Privacy Rule: Employee Training & Accountability

New York Times, Jan. 19, 2002
Eli Lilly and Co. inadvertently revealed over 600 patient e-mail addresses when it sent an all message to every individual registered to receive reminders about taking Prozac.

• Each CE organization shall name one person who is accountable for Privacy Rule compliance
• Each employee, volunteer, contractor shall be trained in privacy policies and procedures
  • Full and Part-time

Privacy Rule: Individual Privacy Rights

Patients have the Right to:
• See or obtain copies of medical information (except for psychotherapy notes)
• Request correction to health record
• Receive a Notice of Privacy Practices
• Request restrictions as to who can see PHI
• Request specific method of contact for sake of privacy
• Know who has accessed PHI
• File a complaint if their rights have been violated
• Allow and withdraw authorizations for use and disclosure

CE must:
• Respond to requests within 30 days
  • May extend delay with notice for another 30 days
• Keep records of how PHI is disclosed

Notice of Privacy Practices

Privacy
• NPP must be available when asked for
• NPP must be displayed prominently in the office
• Health Plan must provide upon enrollment
• Health Provider must provide on first service delivery
• Both must request written acknowledgment of receipt of NPP
• After change, revised NPP must be issued to clients within 60 days

Electronic
• Must be displayed prominently on web page
• Must be emailed to customers after a change in NPP

Required & Permitted Disclosures

Required Disclosure:
• Patient
  • or personal representative, e.g., parent, next of kin
• Office of Civil Rights Enforcement: Investigates potential violations to Privacy Rule

Permitted Disclosure:
• Minimum-Necessary PHI may be disclosed without authorization for: judicial proceedings, coroner/funeral, organ donation, approved research, military-related situations, government-provided benefits, worker's compensation, domestic violence or abuse, some law enforcement activities
• ID must be verified by proof of identity/badge and documentation

More Disclosures

Routine Disclosure
• Disclosures that happen periodically should be addressed in policies, procedures, forms
• E.g.: Referral to another provider, school immunization, report communicable disease, medical transcription, births, deaths & other vital statistics

Non-routine Disclosure
• CEs shall have reasonable criteria to review requests for non-routine PHI disclosures
• E.g., Research disclosures

Incidental Disclosure
• CEs shall have reasonable safeguards
• E.g. Patient overhears advice given to another patient

Accidental Disclosure
• Computer is stolen with PHI

Disclosures Requiring Authorization

• Research project (special conditions may allow)
• Person outside health care system
• Employer
  • However, employer may require authorization for drug test before hiring
• Other insurance companies
• Health care provider not involved in patient's health care
• Insurance company not paying patient's claims
• Lawyer

Patient should get copy of authorization

Sample Authorization Form

Disclosure Authorization Form

Description of Information:_____________________________________
Patient making authorized disclosure____________________________
Person receiving information:__________________________________
Purpose of the disclosure:

Authorization Expiration Date:________________
Patient Signature__________________________ Date:____________

A form to revoke authorization must be completed to terminate authorization.

Must be retained by CE for 6 years

Implementing 'Minimum Necessary'

Minimum necessary: Just enough info to accomplish the main purpose
• E.g., Send prescription for glasses to optician, not medical history
• Data Classification
  • Sensitivity of information
  • Type of treatment required
• Questions to Answer
  • What parts of record can each user type access?
  • How will we constrain access to implement view?

Business Associates (BA)

Business Associates: Must also be responsible with PHI
• Accreditation
• Consulting
• Actuarial

Not Business Associates
• Janitorial
• Electrical
• Phone
• Vending
• Copy
• Conduit: Mail
• Financial Institution: Banks

Business Associate Contract (BAC)

CEs must request BA to sign a BAC:
• BA will not disclose PHI
• BA is liable for damage due to disclosure or misuse
• BA will use safeguards to prevent misuse
• BA will report any security incident or violation of agreement
• BA will destroy or protect PHI upon termination of contract
• CE can terminate contract if violation occurs
• CE will provide BA copies of policies, procedures and materials for safeguarding
• Etc.

BA Violates BAC

CE is not required to actively monitor BA
If BA is violating contract: CE must take reasonable steps to correct
If CE takes no action then: CE = willful neglect, subject to penalties
If BA takes no action: CE must terminate relationship OR contact Health & Human Services

HITECH: Health Information Technology for Economic and Clinical Health Act (2009)

• BAs must follow the HIPAA Security Rule.
• BAs are held to the same standard as CEs.
• Health & Human Services (HHS) can:
  • require BAs to comply with HIPAA.
  • enforce penalties on noncompliant BAs.

Violation of HIPAA Privacy Rule:

WTHR Investigation Leads to Record $2.25M HIPAA Settlement, Indianapolis, IN, 2006:

Reported that CVS was "throwing sensitive personal information in the trash" (e.g.: unredacted pill bottles, prescription instruction sheets, pharmacy receipts with credit card information and health insurance account numbers).

After this, other CVS pharmacies were investigated and it was found that they also were improperly disposing of PHI.

To see the above article, go to:
http://www.wthr.com/global/Category.asp?c=83157

The HIPAA Security Rule

Security Rule Enforces Privacy Rule on Computers

Privacy Rule               | Security Rule
With or w/o computer       | With computer
Protect PHI                | Protect EPHI
Minimum Necessary          | Authentication & Access Control
Accounting of Disclosures  | Unique Login Credentials; Authentication; Track modifications to EPHI: Who did what when?

Security Vocabulary

Asset: Diamonds
Threat: Theft
Vulnerability: Open door or windows
Threat agent: Burglar
Owner: Those accountable or who value the asset
Risk: Danger to assets

Security Rule Assures…

Security Services
• Authentication
• Access Control
• Data confidentiality
• Data integrity
• Data backup & recovery
• Nonrepudiation = Cannot say it wasn't you who sent or received data
• Risk Management

Risk Management

• Risk assessment
• Policy & Procedures Maintenance
• Security Program Enforcement
• Audit logs, vulnerability assessments, audit for procedure adherence and control effectiveness
• Patches are applied to software
• Data is available, confidential, & integrity is protected

Security Rule Standards

• Comprehensive: Administrative Controls, Physical Controls, Technical Controls
• Technology Neutral: Look to Best Practices for Technology Answers, e.g. NIST
• Scalable: Small or Large

Three Areas of Safeguards

Administrative: Administrative policies, procedures, and actions to implement and maintain security controls to protect EPHI, including risk mgmt, access control, contingency plans, incident response.

Physical: Protection of the physical access to terminals, laptops, servers, backup tapes, CDs, memory, including viewing, access, maintenance and disposal.

Technical: Protection using technology tools to protect EPHI, including logs, encryption, authentication

Policies & Procedures

Policies and Procedures MUST BE:
• Retained for 6 years after date of creation or last effect
• Available to workers responsible for them
• Must be updated regularly accommodating changes in environment & operations

Security Rule Standard

This is recommended…
Address this in some way…
Implement at least some alternatives…
If it doesn't apply, document well why not…

DO IT!

We do this instead: …

Administrative: Security Mgmt Process

Risk Analysis [R]: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the CIA of EPHI held by the CE.

Risk Mgmt [R]: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule

Sanction Policy [R]: Apply appropriate penalties against workforce members who fail to comply with the entity's security policies and procedures

Info System Activity Review [R]: Implement procedures to regularly review records of IS activity, such as audit logs, access reports, and security incident tracking reports

Security Mgmt Implications (Security Mgmt Process)

"We will need an IT person to regularly check logs to be sure our system was not broken into"

"Risk assessment must be 'accurate and thorough' - that will be a challenge! And all are Rs…"

"The Sanction policy basically requires we all sign a confidentiality agreement and if someone breaks the rule, they could be fired."

Administrative: Workforce Security

Authorization and/or Supervision [A]: Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed

Workforce Clearance Procedure [A]: Implement procedures to determine that the access of a workforce member to EPHI is appropriate

Termination Procedures [A]: Implement procedures for terminating access to EPHI when the employment of a workforce member ends…

Workforce Security Implications (Workforce Security)

"They are asking for checks and balances with supervision or authorization"

"We are a three person operation, can we get away with not doing this? Must we document our situation? These are As."

"We must have procedures to allocate authorization, periodically check authorization, and procedures to terminate someone"

Administrative: Information Access Mgmt

Isolating Health Care Clearinghouse (CH) Function [R]: If a health care CH is part of a larger organization, the CH operation must implement policies and procedures that protect the EPHI of the CH from unauthorized access by the larger organization

Access Authorization [A]: Implement policies and procedures for granting access to EPHI, e.g., through access to a workstation, transaction, program, process, or other mechanism

Access Establishment & Modification [A]: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program or process.

Info Access Mgmt Implications (Info Access Mgmt)

"Isn't this the same as the previous rule?"

"It is an implementation: We must define a data owner for each major process"

"And then our IT people must define how they will grant access based upon the data owner's decisions."

Administrative: Security Awareness & Training

Security Reminders [A]: Provide periodic security updates to members of the workforce

Protection from Malicious Software [A]: Implement procedures for guarding against, detecting, and reporting malicious software

Login Monitoring [A]: Implement procedures for monitoring login attempts and reporting discrepancies

Password Mgmt [A]: Implement procedures for creating, changing and safeguarding passwords

What do you think these mean?

Administrative: Contingency Plan

Data Backup Plan [R]: Establish and implement procedures to create and maintain retrievable exact copies of EPHI

Disaster Recovery Plan [R]: Establish … procedures to restore any loss of data

Emergency Mode Operation Plan [R]: The emergency mode operation plan requires CEs to establish … procedures to enable continuation of critical business processes, while maintaining the security of EPHI while operating in emergency mode

Testing & Revision Procedure [A]: Implement procedures for periodic testing and revision of contingency plans.

Applications & Data Criticality Analysis [A]: Assess the relative criticality of specific applications and data in support of other contingency plan components.

Administrative: One-Line Safeguards

Assigned Security Responsibility [R]: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this rule for the entity.

Security Incident Procedures [R]: Implement policies & procedures to address security incidents. Identify and respond to suspected or known security incidents; mitigate … harmful effects of security incidents that are known to the CE; and document security incidents and their outcomes.

Administrative: More One-Line Safeguards

Evaluation [R]: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of EPHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart

BA Contracts and Other Arrangements [R]: A BA [may] create, receive, maintain, or transmit EPHI on the CE's behalf only if the CE obtains satisfactory assurances that the BA will appropriately safeguard the information.

Info Access Mgmt Implications (Evaluation)

"According to Evaluation, we must self-test or be certified on a regular basis, to be sure we follow the Security Rule"

"That makes sense when technology changes, but I guess we have to do it periodically as well, since the world changes."

"We need to know who, what, when, where, why for incident response. Who shall we name as our Security Manager?"

Physical Safeguards: Facility Access Controls

Facility Access Controls: Implement policies and procedures to limit physical access to electronic info systems and areas where sensitive paper documents are stored and any facilities in which they are housed, while ensuring authorized access

Contingency Operations [A]
Facility Security Plan [A]
Access Control & Validation Procedures [A]
Maintenance Records [A]

Physical Safeguards: Facility Access Control

• How will physical access be restricted to sensitive paper documents, terminals, server, backup copies, laptops, contingency operations in copy, view, or modify forms?
• How are visitors controlled from accessing PHI/EPHI?
• When repairs occur (to facility or systems) how will PHI/EPHI be safeguarded?

Physical Safeguards: Workstations

Workstation Use [R]: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can be used to access EPHI

Workstation Security [R]: Implement physical safeguards for all workstations that can be used to access EPHI, to restrict access to authorized users

Workstation Use and Security

• What functions will be performed on which workstations?
• How will workstation access be limited when the user leaves their station?
• How will theft of laptops be prevented?
• How will the workstations be positioned?
• What other physical safeguards (locked rooms, hoods) will be implemented to prevent shoulder surfing?

Physical Safeguards: Device & Media Controls

Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media and devices that contain EPHI into and out of a worksite or facility, and the movement of these items within the worksite or facility.

Disposal [R]
Media Reuse [R]
Accountability [A]
Data Backup and Storage [A]

Device & Media Controls

• How will media be erased or damaged before disposal or reuse?
  • Reformatting disk may not be adequate even for reuse
• How, when and where has EPHI been moved or transferred? Documentation is necessary
• How is a backup made and where/how stored?

Technical Safeguards: Access Control

Access Control: Implement technical policies and procedures for electronic info systems that maintain EPHI. These policies and procedures should contain access protocols that will establish and enforce the entity's other access policies, and allow access only to those persons or software programs that have been granted access rights

Unique User Identification [R]
Emergency Access Procedure [R]
Automatic Logoff [A]
Encryption and Decryption [A]

Technical Safeguards: Access Control

• How is each user uniquely identified to the system?
• How does authentication occur?
• In an emergency, what backup methods are used for authentication?
• How does automatic logoff occur after a period of inactivity?
• Which data is encrypted in storage and/or transmission?

Technical Safeguards: Transmission Security

Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network

Integrity Controls [A]
Encryption [A]

Technical Safeguards: Transmission Security

• How are we sure that data is not modified or lost during transmission?
• What encryption techniques are used to protect the security of EPHI transmitted over a public network?

Other Technical Safeguards

Audit Controls [R]: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI

Integrity [A]: Implement policies and procedures to protect EPHI at rest, meaning stored on organizational systems and applications, from improper alteration or destruction.

Person or Entity Authentication [R]: Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed

Other Technical Safeguards

• For which devices will the logs be monitored?
• What log events should be archived for security purposes?
• How will potential attacks found in logs be recorded, reported, and acted upon?
• What techniques will be used to ensure stored data has not been modified (hashes, message digests?)
• What authentication mechanisms will be used to assure that approved entities (people or systems) are accessing EPHI?
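
An added example, not part of the original slides: one way to approach the audit-control and integrity questions above is a keyed hash chain over "who did what when" records, plus a simple activity review that flags heavily read patient records. The record fields, user and patient identifiers, the demo key and the review threshold are all constructed assumptions.

```python
import hashlib
import hmac
import json
from collections import Counter

# Assumption: a real deployment keeps this key in a key store, never in source.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor used before the first record


def _mac(prev_mac, entry):
    """HMAC-SHA256 over the previous record's MAC plus this entry's canonical JSON."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_event(log, user_id, action, patient_id, timestamp):
    """Append one audit record (unique user ID, action, patient, time), chained to its predecessor."""
    entry = {"user": user_id, "action": action, "patient": patient_id, "ts": timestamp}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "mac": _mac(prev, entry)})


def verify_log(log):
    """Return the index of the first record that fails verification, or None if the chain is intact.

    Edits and deletions inside the chain are detected. Truncation of the tail is
    not: detecting it needs the latest MAC stored somewhere outside the log.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(prev, rec["entry"])):
            return i
        prev = rec["mac"]
    return None


def review_activity(log, max_reads):
    """Activity review: patients whose record was read more than max_reads times, with per-user counts."""
    reads = {}
    for rec in log:
        e = rec["entry"]
        if e["action"] == "read":
            reads.setdefault(e["patient"], Counter())[e["user"]] += 1
    return {p: dict(c) for p, c in reads.items() if sum(c.values()) > max_reads}


def build_sample_log():
    """Constructed sample events; none of these identifiers come from the slides."""
    events = [
        ("dr_adams", "read", "P-1001", "2011-03-01T09:00:00Z"),
        ("nurse_lee", "update", "P-1001", "2011-03-01T09:05:00Z"),
        ("clerk_ray", "read", "P-2002", "2011-03-01T10:00:00Z"),
        ("clerk_ray", "read", "P-2002", "2011-03-01T10:01:00Z"),
        ("clerk_kim", "read", "P-2002", "2011-03-01T10:02:00Z"),
        ("clerk_ray", "read", "P-2002", "2011-03-01T10:03:00Z"),
    ]
    log = []
    for ev in events:
        append_event(log, *ev)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log, first bad record:", verify_log(log))
    print("records read more than 3 times:", review_activity(log, 3))
    log[1]["entry"]["user"] = "dr_adams"  # simulate someone rewriting who made an update
    print("after tampering, first bad record:", verify_log(log))
```
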

Question

An example of a vulnerability is
1. Theft
2. Burglar
3. Open door
4. Diamonds

Question

Protected Health Information is:
1. SSN, medical information
2. Name, SSN, medical information
3. Name, address, SSN, phone, medical information
4. Medical information stored in a computer

Question

The Security Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of waiting room

Question

The Privacy Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of the waiting room

Question

The Addressable option for the Security Rule means:
1. Smaller organizations need not implement if they can justify it would be too expensive
2. HIPAA discusses alternative means to accomplish this, and the organization must select one
3. The CE must document how they accomplish this provision
4. This provision must be implemented or addressed in some way, although alternative implementations are allowed

To Study:

• Define HIPAA, Privacy Rule, Security Rule, CE, PHI.
• Define threat, vulnerability, threat agent
• Describe what Privacy Rule covers at a high level
• Describe what Security Rule covers at a high level
• Describe the difference between Required and Addressable for the Security Rule.

Not Covered in this Presentation

Some specialized material is not being covered as part of this presentation, including:
• Hybrid Entities: Part Covered, Part Not
• Organized Health Care Arrangement (OHCA): Group of doctors
• Jointly Administered Govt. Program
• Trading Partner: CEs exchange electronic transactions without clearinghouse

COBRA

• The Consolidated Omnibus Budget Reconciliation Act of 1986.

This allows some types of employees (and their families) to continue health coverage when they change/lose a job for a maximum of 18 mos.

