
Health Insurance Portability & Accountability Act (HIPAA)
Introduction, Privacy Rule, Security Rule

Acknowledgments
Material is from: HIPAA Compliance, Carlene Dalgleish; All-in-One CISSP Certification Exam Guide, 2nd Edition.

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers:
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Reasons for Legislation
- Records of patients or insurance claims made publicly available by accident
- Email reminder to take Prozac sent to 600 (not blind cc'd)
- Woman fired from job after positive review but expensive illness
- 35% of Fortune 500 companies admitted checking medical records before hiring or promoting
- People avoid using insurance when they have AIDS, cancer, STD, substance abuse or mental illness

HIPAA
Introduced by Senators Edward Kennedy & Nancy Kassebaum
- Portability: Workers can continue health care between different employers
  - Group insurance cannot reject, not renew, or charge higher premiums of certain individuals
- Simplify administration by creating a health care transaction standard
- Accountability:
  - Penalties for non-compliance
  - Tax provisions

HIPAA Titles
- Title 1: Health Care Insurance Access, Portability, and Renewability
- Title 2: Preventing Health Care Fraud & Abuse, Administrative Simplification, Medical Liability Reform
- Title 3: Tax-related Health Provisions
  - Standardizes medical savings accounts
- Title 4: Application and Enforcement of Group Health Insurance Requirements
- Title 5: Revenue Offsets
  - Defines how employers can deduct company-owned life insurance premiums from income tax

Title 2 Has Three Rules
- Transactions, Code Sets, and Identifiers: Standards for electronic transmission
  - Electronic Data Interchange: Standardized records for health care transactions
- The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information
- The Security Rule: Security Standard for electronic patient health information

Criminal Penalties

Offense | $ Penalty | Imprisonment
Wrongful disclosure of individually identifiable health information | Up to $50K | Up to one year
…committed under false pretenses | Up to $100K | Up to 5 years
…with intent to sell, achieve personal gain, or cause malicious harm | Up to $500K | Up to 10 years

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

Health Care Organization: Covered Entities (CE)
- Health plan (e.g., HMO, PPO)
- Health care Clearinghouse
- Health Care Provider (e.g., doctor, hospital)
Flow of bills on the slide: the Health Care Provider sends standard bills directly to the Health plan, or sends nonstandard bills to a Health care Clearinghouse, which forwards standard bills to the Health plan.

Health Care Organization: Business Associates (BA)
A BA works for a Covered Entity (health plan, health care clearinghouse, or health care provider) and performs: claims processing, transcription, billing, data analysis.
- Independent organization
- Work involves health info
- Not a bank or post office

Protected Health Information (PHI)
Health Information: relates to physical or mental health, or to past/present/future payment
+ Identifiers: name, SSN, city or county, zip code, phone or fax, medical record #, fingerprint
= Individually Identifiable Health Information
Created or maintained by a CE or BA = Protected Health Information (PHI), covered by HIPAA

If YOU had AIDS, how could such identifiers identify you?

Treatment, Payment & Health Care Operations (TPO)
- Treatment: Provision & coordination of health care among health care providers, including referral
- Payment ($): Any activities involved in compensation for health care: billing, determining coverage or eligibility, analyzing services
- Health Care Operations: Administrative functions related to health care: financial or legal or quality improvement, training, certification, case mgmt, business planning

HIPAA Standard Transactions
Between Health Care Provider (e.g., doctor, hospital) and Health plan (e.g., HMO, PPO):
- Health Plan Eligibility Inquiry
- Certification & Authorization of Referral
- Health Care Claim
- Health Care Claim Status Request
- Health Care Claim Payment
Between Plan Sponsor (Employer) and Health plan:
- Health Plan Premium Payment
- Enrollment or Disenrollment into Health Plan

Breach Notification Laws
The Oregonian, May 2006: In one of Oregon's largest security breaches, Providence Health System disclosed that a burglar stole unencrypted medical records on 365,000 patients kept on disks and tapes left overnight in an employee's van.

- State laws, called Breach Notification Laws, require CEs to notify patients when their PHI has been breached
- If data is encrypted and the laptop is lost, notification is not required
- This often applies to any industry that uses personal information, such as Social Security Numbers

The Privacy Rule

Privacy Rule: CEs Shall Develop Policies
CEs shall develop policies, procedures, and standards for how they will adhere to the Privacy Rule. How will the CE:
- use and disclose PHI?
- protect patient rights?
Also:
- CEs shall regularly review policies and procedures
- CEs shall update policies when new requirements emerge
- CEs shall monitor that policies/procedures are consistently applied throughout the organization

Privacy Rule: No Non-Health Usage of PHI
The National Law Journal, May 30, 1994: A banker who also served on his county's health board cross-referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer.

Health information is not to be used for non-health purposes, unless an individual gives explicit permission.

Privacy Rule: Need-to-Know Access
Washington Post, March 1, 1995: The 13-year-old daughter of a hospital employee took a list of patients' names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them they were diagnosed with HIV.

Employees should have access only to what is absolutely required as part of their jobs.
- What individuals should have access to PHI?
- What categories of PHI should individuals have access to?
- What conditions are required for access?
- How will Business Associates & Trading Partners be informed and controlled?

Privacy Rule: Protections against Marketing
Boston Globe, August 1, 2000: A patient at Brigham and Women's Hospital in Boston learned that employees had accessed her medical record more than 200 times.

A CE must obtain permission before sending any marketing materials, with limited exceptions.

Privacy Rule: Establish Privacy Safeguards
Required:
- Shut or locked doors
- Keep voice down
- Clear desk policy
- Password protection
- Auto screen savers
- Privacy curtains
- Locked cabinets
- Paper shredders
Not Required:
- Soundproof rooms
- Redesign office space
- Private hospital rooms (semiprivate ok)
- OK for doctors to talk to nurses at nurse stations

Safeguards should be REASONABLE

Privacy Rule: Employee Training & Accountability
New York Times, Jan. 19, 2002: Eli Lilly and Co. inadvertently revealed over 600 patient e-mail addresses when it sent a message to every individual registered to receive reminders about taking Prozac.

- Each CE organization shall name one person who is accountable for Privacy Rule compliance
- Each employee, volunteer, contractor (full and part-time) shall be trained in privacy policies and procedures

Privacy Rule: Individual Privacy Rights
Patient has the right to:
- See or obtain copies of medical information (except for psychotherapy notes)
- Request correction to health record
- Receive a Notice of Privacy Practices
- Request restrictions as to who can see PHI
- Request specific method of contact for sake of privacy
- Know who has accessed PHI
- File a complaint if their rights have been violated
- Allow and withdraw authorizations for use and disclosure

CE must:
- Respond to requests within 30 days
- May extend the delay with notice for another 30 days

Notice of Privacy Practices (NPP)
Privacy:
- NPP must be available when asked for
- NPP must be displayed prominently in the office
- Health Plan must provide upon enrollment
- Health Provider must provide on first service delivery
- Both must request written acknowledgment of receipt of NPP
- After change, revised NPP must be issued to clients within 60 days
Electronic:
- Must be displayed prominently on web page
- Must be emailed to customers after a change in NPP

Required & Permitted Disclosures
Required Disclosure:
- Patient or personal representative, e.g., parent, next of kin
- Office of Civil Rights Enforcement: Investigates potential violations of the Privacy Rule
Permitted Disclosure:
- Minimum-Necessary PHI may be disclosed without authorization for: judicial proceedings, coroner/funeral, organ donation, approved research, military-related situations, government-provided benefits, worker's compensation, domestic violence or abuse
- ID must be verified by proof of identity/badge and documentation

More Disclosures
Routine Disclosure:
- Disclosures that happen periodically should be addressed in policies, procedures, forms
- E.g.: Referral to another provider, school immunization, report communicable disease, medical transcription
Non-routine Disclosure:
- CEs shall have reasonable criteria to review requests for non-routine PHI disclosures
- E.g., Research disclosures
Incidental Disclosure:
- CEs shall have reasonable safeguards
- E.g., Patient overhears advice given to another patient
Accidental Disclosure:
- Computer is stolen with PHI

Disclosures Requiring Authorization
- Research project (special conditions may allow)
- Person outside health care system
- Employer
  - However, employer may require authorization for drug test before hiring
- Other insurance companies
  - Health care provider not involved in patient's health care
  - Insurance company not paying patient's claims
- Lawyer
Patient should get copy of authorization


Sample Authorization Form
Disclosure Authorization Form
Description of Information: _____________________________________
Patient making authorized disclosure: ____________________________
Person receiving information: __________________________________
Purpose of the disclosure: ______________________________________
Authorization Expiration Date: ________________
Patient Signature: __________________________ Date: ____________
A form to revoke authorization must be completed to terminate authorization.
Must be retained by CE for 6 years

Implementing 'Minimum Necessary'
Minimum necessary: Just enough info to accomplish the main purpose
- E.g., send the prescription for glasses to the optician, not the medical history
Data Classification:
- Sensitivity of information
- Type of activities required
Questions to Answer:
- What parts of the record can each user type access?
- How will we constrain access to implement the view?
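One way the two "Questions to Answer" above get implemented in code is to classify each field of a record and map each user type to the classes its work requires; the view a user gets is the intersection. The Python below is an added example, not code from the slides or any HIPAA publication. The field classes, the roles, the sample record and the log format are all assumptions chosen to mirror the optician example on the slide; it also writes a who/what/when entry for every request, denied ones included, since the Privacy Rule gives patients the right to know who accessed their PHI.

```python
"""Minimum-necessary views by role (added example, not from the slides)."""
from datetime import datetime, timezone

# Data classification: field -> sensitivity class (hypothetical scheme)
FIELD_CLASS = {
    "name": "demographic",
    "dob": "demographic",
    "ssn": "identifier",
    "eyeglass_rx": "vision",
    "diagnoses": "clinical",
    "medications": "clinical",
    "psychotherapy_notes": "psychotherapy",
    "insurance_id": "billing",
}

# Which classes each user type needs to do its job (hypothetical roles).
# Patients may see their own record except psychotherapy notes (per the slides).
ROLE_NEEDS = {
    "optician":  {"demographic", "vision"},
    "billing":   {"demographic", "billing"},
    "physician": {"demographic", "vision", "clinical", "psychotherapy"},
    "patient":   {"demographic", "identifier", "vision", "clinical", "billing"},
}

# Constructed sample record; "internal_note" has no classification on purpose.
SAMPLE_RECORD = {
    "name": "A. Example",
    "dob": "1970-01-01",
    "ssn": "000-00-0000",
    "eyeglass_rx": "OD -1.25 / OS -1.50",
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril 10mg"],
    "psychotherapy_notes": "(constructed placeholder)",
    "insurance_id": "INS-CONSTRUCTED-1",
    "internal_note": "scheduling remark",
}

# Accounting of disclosures: who (user/role) saw what (fields) when.
ACCESS_LOG = []


def minimum_necessary_view(record, role, user, purpose, now=None):
    """Return only the fields whose class the role needs; log the access."""
    when = (now or datetime.now(timezone.utc)).isoformat()
    allowed = ROLE_NEEDS.get(role)
    if allowed is None:
        # Unknown role: release nothing, but still record the attempt.
        ACCESS_LOG.append({"user": user, "role": role, "purpose": purpose,
                           "fields": [], "when": when, "denied": True})
        raise PermissionError(f"role {role!r} has no defined need for this record")
    # Fields with no classification fall through FIELD_CLASS.get() as None,
    # which is never in the allowed set, so unclassified data fails closed.
    view = {f: v for f, v in record.items() if FIELD_CLASS.get(f) in allowed}
    ACCESS_LOG.append({"user": user, "role": role, "purpose": purpose,
                       "fields": sorted(view), "when": when, "denied": False})
    return view


if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "optician", "opt01", "fill eyeglass prescription"))
    print(ACCESS_LOG[-1])
```

The design choice worth noting is that access is decided on the field's classification, not on the field name, so adding a new field without classifying it releases nothing until a data owner assigns it a class.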

Business Associates (BA)
Must also be responsible with PHI. Examples: Accreditation, Consulting, Actuarial.

Not Business Associates:
- Janitorial, Electrical, Phone, Vending, Copy
- Conduit: Mail
- Financial Institution: Banks

Business Associate Contract (BAC)
CEs must request the BA to sign a BAC:
- BA will not disclose PHI
- BA is liable for damage due to disclosure or misuse
- BA will use safeguards to prevent misuse
- BA will report any security incident or violation of agreement
- BA will destroy or protect PHI upon termination of contract
- CE can terminate contract if violation occurs
- BA will provide CE copies of policies, procedures and materials for safeguarding
- Etc.

BA Violates BAC
- CE is not required to actively monitor BA
- If BA is violating contract, CE must take reasonable steps to correct
- If CE takes no action then CE = willful neglect, subject to penalties
- If BA takes no action, CE must terminate relationship OR contact Health & Human Services

The Security Rule

Security Rule Enforces Privacy Rule on Computers
Privacy Rule (with or without computer):
- Protect PHI
- Minimum Necessary
- Accounting of Disclosures
+ Security Rule (with computer):
- Protect EPHI
- Authentication & Access Control: Unique Login Credentials, Authentication
- Track modifications to EPHI: Who did what when?

Security Vocabulary
- Asset: Diamonds
- Threat: Theft
- Vulnerability: Open door or windows
- Threat agent: Burglar
- Owner: Those accountable or who value the asset
- Risk: Danger to assets

Security Rule Assures… Security Services
- Authentication
- Access Control
- Data confidentiality
- Data integrity
- Data backup & recovery
- Nonrepudiation = Cannot say it wasn't you who sent or received data
- Risk Management


Risk Management
- Risk assessment
- Policy & Procedures Maintenance
- Security Program Enforcement
- Audit: logs, vulnerability assessments, audit for procedure adherence and control effectiveness
- Patches are applied to software
- Data is available, confidential, & integrity is protected

Security Mechanisms
Specific:
- Encryption
- Digital Signatures
- Access Control
- Data Integrity
- Authentication
- Traffic Padding
- Notarization: Electronic notary public; Trusted 3rd Party verifies data transaction
Pervasive:
- Audit trail
- System Recovery (auto recovery following failure)

Security Rule Standards
The Security Rule is:
- Comprehensive: Administrative Controls, Physical Controls, Technical Controls
- Technology Neutral: Look to best practices for technology answers, e.g., NIST
- Scalable: Small or Large

Security Rule: Three Areas of Safeguards
- Administrative: Administrative policies, procedures, and actions to implement and maintain security controls to protect EPHI, including risk mgmt, access control, contingency plans, incident response.
- Physical: Protection of the physical access to terminals, laptops, servers, backup tapes, CDs, memory, including viewing, access, maintenance and disposal.
- Technical: Protection using technology tools to protect EPHI, including logs, encryption, authentication.

Policies & Procedures
Policies and Procedures MUST BE:
- Retained for 6 years after date of creation or last effect
- Available to workers responsible for them
- Updated regularly, accommodating changes in environment & operations

Security Rule Standard
Each safeguard in the Security Rule is marked R (Required) or A (Addressable):
- Required: DO IT!
- Addressable: This is recommended… Address this in some way… Implement at least some alternatives…. If it doesn't apply, document well why not… ("We do this instead: …..")

Security Mgmt Process
- Risk Analysis (R): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the CIA of EPHI held by the CE.
- Risk Mgmt (R): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.
- Sanction Policy (R): Apply appropriate penalties against workforce members who fail to comply with the entity's security policies and procedures.
- Info System Activity Review (R): Implement procedures to regularly review records of IS activity, such as audit logs, access reports, and security incident tracking reports.

Security Mgmt Implications
- We will need an IT person to regularly check logs to be sure our system was not broken into.
- The Sanction policy basically requires we all sign a confidentiality agreement and if someone breaks the rule, they could be fired.
- Risk assessment must be 'accurate and thorough' – that will be a challenge! And all are Rs…

Workforce Security
- Authorization and/or Supervision (A): Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed
- Workforce Clearance Procedure (A): Implement procedures to determine that the access of a workforce member to EPHI is appropriate
- Termination Procedures (A): Implement procedures for terminating access to EPHI when the employment of a workforce member ends…

Workforce Security Implications
- They are asking for checks and balances with supervision or authorization.
- We must have procedures to allocate authorization, periodically check authorization, and procedures to terminate someone.
- We are a three person operation, can we get away with not doing this? Must we document our situation? These are As.

Information Access Mgmt
- Isolating Health Care Clearinghouse (CH) Function (R): If a health care CH is part of a larger organization, the CH operation must implement policies and procedures that protect the EPHI of the CH from unauthorized access by the larger organization
- Access Authorization (A): Implement policies and procedures for granting access to EPHI – e.g., through access to a workstation, transaction, program, process, or other mechanism
- Access Establishment & Modification (A): Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program or process.

Info Access Mgmt Implications
- Isn't this the same as the previous rule?
- It is an implementation: We must define a data owner for each major process.
- And then our IT people must define how they will grant access based upon the data owner's decisions.

Security Awareness & Training
- Security Reminders (A): Provide periodic security updates to members of the workforce
- Protection from Malicious Software (A): Implement procedures for guarding against, detecting, and reporting malicious software
- Login Monitoring (A): Implement procedures for monitoring login attempts and reporting discrepancies
- Password Mgmt (A): Implement procedures for creating, changing and safeguarding passwords
What do you think these mean?
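Login Monitoring above, and Info System Activity Review earlier ("regularly review records of IS activity, such as audit logs"), both come down to a procedure that reads authentication logs and reports discrepancies. The Python below is an added example, not code from the slides or from any HIPAA guidance. It assumes a constructed log format (ISO timestamp, user, LOGIN_OK or LOGIN_FAIL, source IP); the threshold, window, business hours and sample users are all assumptions. It reports three kinds of discrepancy: a burst of failures for one account, a success right after such a burst, and a login outside business hours.

```python
"""Login monitoring over audit-log lines (added example, not from the slides)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); format assumed for this example:
# "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source ip>"
SAMPLE_LOG = """\
2024-03-01T08:01:12 jdoe LOGIN_OK 10.0.0.5
2024-03-01T08:03:40 rnurse LOGIN_FAIL 10.0.0.9
2024-03-01T08:03:55 rnurse LOGIN_FAIL 10.0.0.9
2024-03-01T08:04:10 rnurse LOGIN_FAIL 10.0.0.9
2024-03-01T08:04:25 rnurse LOGIN_FAIL 10.0.0.9
2024-03-01T08:04:40 rnurse LOGIN_FAIL 10.0.0.9
2024-03-01T08:05:02 rnurse LOGIN_OK 10.0.0.9
2024-03-01T23:15:00 jdoe LOGIN_OK 10.0.0.5
2024-03-02T09:00:00 admin LOGIN_FAIL 10.0.0.7
"""

FAIL_THRESHOLD = 5              # this many failures inside WINDOW is a finding
WINDOW = timedelta(minutes=10)  # sliding window for counting failures
BUSINESS_HOURS = (7, 19)        # 07:00 to 19:00 local; anything else is "off hours"


def parse_line(line):
    """Split one log line into (timestamp, user, event, source ip)."""
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts), user, event, ip


def review_logins(log_text):
    """Return findings as (kind, user, timestamp) tuples, in log order."""
    findings = []
    fails = defaultdict(list)   # user -> timestamps of failures still inside WINDOW
    burst_users = set()         # users already reported for a failure burst
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        if event == "LOGIN_FAIL":
            recent = [t for t in fails[user] if ts - t <= WINDOW]
            recent.append(ts)
            fails[user] = recent
            if len(recent) >= FAIL_THRESHOLD and user not in burst_users:
                burst_users.add(user)
                findings.append(("repeated_failures", user, ts))
        elif event == "LOGIN_OK":
            if user in burst_users:
                # A success right after a burst of failures is the discrepancy
                # a reviewer most wants to see: it may be a guessed password.
                findings.append(("success_after_failures", user, ts))
                burst_users.discard(user)
            fails[user] = []    # a success resets the failure count
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                findings.append(("off_hours_login", user, ts))
    return findings


if __name__ == "__main__":
    for kind, user, when in review_logins(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: {kind}")
```

Run on its own the script prints three findings for the constructed log: the fifth failure for rnurse, the success that follows it, and jdoe's 23:15 login. The single admin failure stays below the threshold and produces nothing, which is the point of a window and threshold rather than alerting on every failure.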

Contingency Plan
- Data Backup Plan (R): Establish and implement procedures to create and maintain retrievable exact copies of EPHI
- Disaster Recovery Plan (R): Establish … procedures to restore any loss of data
- Emergency Mode Operation Plan (R): The emergency mode operation plan requires CEs to establish … procedures to enable continuation of critical business processes, while maintaining the security of EPHI while operating in emergency mode
- Testing & Revision Procedure (A): Implement procedures for periodic testing and revision of contingency plans.
- Applications & Data Criticality Analysis (A): Assess the relative criticality of specific applications and data in support of other contingency plan components.

One-Line Safeguards
- Assigned Security Responsibility (R): Identify the security official who is responsible for the development and implementation of the policies and procedures required by this rule for the entity.
- Security Incident Procedures (R): Implement policies & procedures to address security incidents. Identify and respond to suspected or known security incidents; mitigate … harmful effects of security incidents that are known to the CE; and document security incidents and their outcomes.

More One-Line Safeguards
- Evaluation (R): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart
- BA Contracts and Other Arrangements (R): A BA [may] create, receive, maintain, or transmit EPHI on the CE's behalf only if the CE obtains satisfactory assurances that the BA will appropriately safeguard the information.

Evaluation Implications
- According to Evaluation, we must self-test or be certified on a regular basis, to be sure we follow the Security Rule.
- That makes sense when technology changes, but I guess we have to do it periodically as well, since the world changes.
- We need to know who, what, when, where, why for incident response. Who shall we name as our Security Manager?

Physical Safeguards: Facility Access Controls
Facility Access Controls: Implement policies and procedures to limit physical access to electronic info systems and areas where sensitive paper documents are stored and any facilities in which they are housed, while ensuring authorized access
- Contingency Operations (A)
- Facility Security Plan (A)
- Access Control & Validation Procedures (A)
- Maintenance Records (A)

Physical Safeguards: Facility Access Control
- How will physical access be restricted to sensitive paper documents, terminals, server, backup copies, laptops, contingency operations in copy, view, or modify forms?
- How are visitors controlled from accessing PHI/EPHI?
- When repairs occur (to facility or systems), how will PHI/EPHI be safeguarded?

Physical Safeguards: Workstations
- Workstation Use (R): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can be used to access EPHI
- Workstation Security (R): Implement physical safeguards for all workstations that can be used to access EPHI, to restrict access to authorized users

Workstation Use and Security
- What functions will be performed on which workstations?
- How will workstation access be limited when the user leaves their station?
- How will theft of laptops be prevented?
- How will the workstations be positioned?
- What other physical safeguards (locked rooms, hoods) will be implemented to prevent shoulder surfing?

Physical Safeguards: Device & Media Controls
Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media and devices that contain EPHI into and out of a worksite or facility, and the movement of these items within the worksite or facility.
- Disposal (R)
- Media Reuse (R)
- Accountability (A)
- Data Backup and Storage (A)

Device & Media Controls
- How will media be erased or damaged before disposal or reuse? Reformatting a disk may not be adequate even for reuse.
- How, when and where has EPHI been moved or transferred? Documentation is necessary.
- How is a backup made and where/how stored?

Technical Safeguards: Access Control
Access Control: Implement technical policies and procedures for electronic info systems that maintain EPHI. These policies and procedures should contain access protocols that will establish and enforce the entity's other access policies, and allow access only to those persons or software programs that have been granted access rights
- Unique User Identification (R)
- Emergency Access Procedure (R)
- Automatic Logoff (A)
- Encryption and Decryption (A)

Technical Safeguards: Access Control
- How is each user uniquely identified to the system?
- How does authentication occur?
- In an emergency, what backup methods are used for authentication?
- How does automatic logoff occur after a period of inactivity?
- Which data is encrypted in storage and/or transmission?

Technical Safeguards: Transmission Security
Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network
- Integrity Controls (A)
- Encryption (A)

Technical Safeguards: Transmission Security
- How are we sure that data is not modified or lost during transmission?
- What encryption techniques are used to protect the security of EPHI transmitted over a public network?


Other Technical Safeguards
- Audit Controls (R): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI
- Integrity (A): Implement policies and procedures to protect EPHI at rest, meaning stored on organizational systems and applications, from improper alteration or destruction.
- Person or Entity Authentication (R): Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed

Other Technical Safeguards
- For which devices will the logs be monitored?
- What log events should be archived for security purposes?
- How will potential attacks found in logs be recorded, reported, and acted upon?
- What techniques will be used to ensure stored data has not been modified (hashes, message digests?)
- What authentication mechanisms will be used to assure that approved entities (people or systems) are accessing EPHI?
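On the question of hashes or message digests for stored data: a plain hash kept next to the records does not answer the Integrity safeguard, because whoever can alter a record can recompute its hash. The usual answer is a keyed digest whose key lives somewhere the record store cannot reach (an audit host, an HSM). The Python below is an added example, not code from the slides or from any HIPAA publication: it builds an HMAC-SHA256 manifest over constructed sample records and verifies the store against it later, reporting modified, missing and unexpected records. Each record's id is folded into its tag so that swapping the contents of two records is also caught. The record format, ids and key are assumptions.

```python
"""Keyed integrity manifest for EPHI at rest (added example, not from the slides)."""
import hashlib
import hmac
import secrets

# Constructed sample records (not real data); a real store would hold files or DB rows.
RECORDS = {
    "patient-0001": b"name=A. Example; dx=hypertension; rx=lisinopril 10mg",
    "patient-0002": b"name=B. Example; dx=asthma; rx=albuterol",
}


def new_key():
    """Fresh 256-bit HMAC key; store it apart from the records it protects."""
    return secrets.token_bytes(32)


def _tag(key, rid, data):
    # The id is part of the MAC input so a tag is bound to one record slot;
    # the NUL separator keeps (id, data) pairs from being ambiguous.
    return hmac.new(key, rid.encode() + b"\0" + data, hashlib.sha256).hexdigest()


def make_manifest(records, key):
    """Map record id -> hex HMAC-SHA256 tag, computed when the data is known good."""
    return {rid: _tag(key, rid, data) for rid, data in records.items()}


def verify(records, manifest, key):
    """Compare the current store with the manifest.

    Returns a dict with three lists of record ids:
      modified   - present in both, but the tag no longer matches
      missing    - in the manifest but gone from the store
      unexpected - in the store but never recorded in the manifest
    """
    problems = {"modified": [], "missing": [], "unexpected": []}
    for rid, expected in manifest.items():
        if rid not in records:
            problems["missing"].append(rid)
            continue
        actual = _tag(key, rid, records[rid])
        # constant-time comparison, so timing does not leak how much matched
        if not hmac.compare_digest(actual, expected):
            problems["modified"].append(rid)
    for rid in records:
        if rid not in manifest:
            problems["unexpected"].append(rid)
    return problems


if __name__ == "__main__":
    key = new_key()
    manifest = make_manifest(RECORDS, key)
    tampered = dict(RECORDS)
    tampered["patient-0001"] = b"name=A. Example; dx=none"
    print(verify(tampered, manifest, key))
```

A periodic run of verify() against the live store, with the manifest and key held on a separate audit system, is the kind of procedure the Integrity safeguard asks for; its output is also exactly the sort of event the preceding questions say should be recorded and acted upon.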

Words of Wisdom
- HIPAA is supposed to be efficient – not overbearing
- Make reasonable
- Too much restriction => No following
- Find ways that work for you

Summary of HIPAA Requirements – Administrative
- Control access to data via formal procedures
- Certify systems using compliance to security standards
- Implement contingency plans
- Appoint a security info officer
- Document security configurations for H/W & S/W
- Support authentication and authorization, and monitoring of activities
- Train for security and security awareness
- Implement personnel termination procedures
- Develop security policy, procedures, risk assessment structures
- Implement internal security audits

Summary of HIPAA Requirements – Physical Safeguards
- Assign security responsibility to a person or entity
- Control access to hardware & peripherals
- Develop disaster and intrusion response plans
- Keep maintenance records on H/W, S/W
- Document allowed activities and configurations for workstations
- Ensure access is on need-to-know

Summary of HIPAA Requirements – Technical Security
- Ensure data confidentiality, integrity, availability with appropriate controls, both in storage and in transmission
- Design a hierarchical system of permissions to regulate access to data
- Use alarms, alerts, and logs to detect and service abnormal conditions


Question
An example of a vulnerability is:
1. Theft
2. Burglar
3. Open door
4. Diamonds

Question
Protected Health Information is:
1. SSN, medical information
2. Name, SSN, medical information
3. Name, address, SSN, phone, medical information
4. Medical information stored in a computer

Question
The Security Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of waiting room

Question
The Privacy Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of the waiting room

Question
The Addressable option for the Security Rule means:
1. Smaller organizations need not implement if they can justify it would be too expensive
2. HIPAA discusses alternative means to accomplish this, and the organization must select one
3. The CE must address how they accomplish this provision in a documented way
4. This provision must be implemented or addressed in some way, although alternative implementations are allowed

Not Covered in this Presentation
Some specialized material is not being covered as part of this presentation, including:
- Hybrid Entities: Part Covered, Part Not
- Organized Health Care Arrangement (OHCA): Group of doctors
- Jointly Administered Govt. Program
- Trading Partner: CEs exchange electronic transactions without clearinghouse


								