PowerPoint - Ohio Association of Health Underwriters
Download
Report
Transcript PowerPoint - Ohio Association of Health Underwriters
HIPAA Security
NWOAHU
Presented by Barb Gerken
11/12/2013
Omnibus Rule Updates of 2013 to
the HITECH Act under ARRA
ARRA of 2009, Federal Stimulus Bill
(February 17, 2009)
HITECH requirements deadline was
February 17, 2010
Omnibus Rule Updates of 2013
Final Ruling by HHS January 17, 2013
Detailed guidance with 500+ pages of
legislation.
Final rule was effective March 26, 2013.
Covered Entities and Business Associates
compliance deadline as September 23, 2013
What is the Security Rule?
The HIPAA Security Rule is a technology neutral, federally
mandated “floor” of protection whose primary
objective is to protect the confidentiality, integrity and
availability of individual identifiable health information
in electronic form when it is stored, maintained, or
transmitted.
Confidentiality: ePHI concealed from people who do not
have the right to see it
Integrity: Information not improperly changed or deleted
Availability: Information can be accessed when needed
Federally Mandated “Floor” of Protection
Comprehensive
Scalable
Technology Neutral
Flexibility in the Security Rule
Technology Neutral (does not specify
particular technologies to use) and
organizations may use any security
measures that will allow it to reasonably
and appropriately implement the rule.
Allows organizations to take into account:
Their size, complexity and capabilities
Their technical infrastructure, hardware, and
software security capability
The costs of security measures
The probability and criticality of potential risks
to ePHI
Their access to and use of ePHI
Security Rule Objective
Ensure the confidentiality, integrity and
availability of all ePHI that an organization
creates, receives, maintains or transmits
Protect against reasonably anticipated
hazards to the security or integrity of ePHI
(floods, fires, etc.)
Protect against any reasonably anticipated
uses or disclosures of ePHI not permitted
by the Privacy Rule
Ensure compliance by the organization’s
workforce.
What is protected by the Security
Rule?
Electronic Protected Health Information
(ePHI) which is individually identifiable
health information relating to the past,
present or future health condition of the
individual in electronic form when it is
stored, maintained, or transmitted.
Examples
Electronic Claims
Computer Databases with PHI
Emails
Paper printouts of electronic information
Who Must Comply with the Security
Rule?
Covered Entities
Healthcare Providers
Health Plans
Health Insurance Companies, HMOs, Employer group
health plans, Government programs: Medicare,
Medicaid, VA programs
Business Associates: All third party vendors and
business partners that create, receive, maintain or
transmit PHI on behalf of a Covered Entity
Accountants, Lawyers, Consultants, Software
Companies, Asset Recyclers, IT Consultants, PBMs
A Broker is a Business Associate of their Employer
Group Client’s health plan. An employer should have
a signed Business Associate Agreement with their
Broker.
Who Must Comply with the Security
Rule?
Any person or organization that stores or transmits
individually identifiable health information
electronically.
This includes both Covered Entities and Business
Associates.
With the wide spread use of computers, most
organizations will need to comply with the Security
standards. The only organizations that won’t
need to comply are those that only store
individually identifiable health information on
paper and do not utilize computer systems.
Required vs. Addressable
Security Standards
Covered Entities and Business Associates
are required to comply with every Security
Rule “Standard.” However, the Security
Rule divides the implementation
specifications within those standards into
two types:
Required
Addressable
***It is important to emphasize that
addressable does not mean optional!!!!!!!
Required vs. Addressable
Implementation Specs
Required –must be implemented by the
organization
Addressable – permits organizations to
determine whether the addressable
implementation specification is reasonable and
appropriate for that organization.
If a specification is reasonable and appropriate
it must be implemented.
If a specification is not reasonable and
appropriate an organization has two options:
Implement an equivalent alternative measure that
accomplishes the same purpose as the addressable
spec
Document how the overall standard can be met
without implementation of the standard and an
alternative measure
Penalties for Non-Compliance
Non-compliance is a civil offense that carries a
penalty ranging from $100-$50,000 per violation with
caps of $25,000 to $1.5 million for all identical
violations of a single requirement in a calendar year.
Enforced by Office of Civil Rights (OCR) within HHS.
Unauthorized Disclosure or Misuse of Protected Health
Information under false pretenses or with intent to
sell, transfer, or use for personal gain, or malicious
harm is a criminal offense. Penalties for criminal
offenses can be up to $250,000 in fines and up to 10
years in prison.
Enforced by the Department of Justice
Penalties may apply to the individual violator but may
also apply to an organization or even to its officers.
Penalties for Non-Compliance
There are 4 categories for penalties
Did Not Know
This is when you did not know or would not have known
through exercise of reasonable discretion that the
disclosure or breach was a violation of HIPAA Rules.
Reasonable Cause
This is when you should have known what was going
on, but you had a violation.
Willful Neglect – Corrected
This is when you ignored the Law, and you got caught,
but you corrected the issue within 30 days.
Willful Neglect – Not Corrected
This is when you ignored the Law, your were caught,
and you decided not to correct the issue.
Non-Compliance Penalties from
Omnibus Ruling
Violation Category
1176(a)(1)
Each Violation
Maximum fine for an
identical violation in a
calendar year
(A) Did Not Know
$100-$50,000
$1,500,000
(B) Reasonable Cause
$1,000-$50,000
$1,500,000
(C)(i) Willful Neglect-Corrected
$10,000-$50,000
$1,500,000
(C)(ii) Willful Neglect-Not
Corrected
$50,000
$1,500,000
Criminal Penalties
Direct at individuals
Knowingly obtaining or disclosing PHI: Fine of up
to $50,000 plus up to one year in prison
Offenses committed under false pretenses: Fine
up to $100,000 plus up to five years in prison
Offenses committed with the intent to sell,
transfer or use for commercial advantage,
personal gain or malicious harm: Fines of
$250,000, and up to ten years in prison
Implementation Lag
Healthcare Industry in General
95 percent of organizations have internet
connectivity
25 percent have no firewalls
65 percent intend to integrate web
applications
24 percent conduct security awareness
programs
71 percent provide internal system-wide
computerized client information
General Requirements & Structure
Increasing Security with each safeguard
Privacy Rule
Reasonable Safeguards for all PHI
Administrative Safeguards
P&Ps designed to show how the entity will comply
with the security rule
Physical Safeguards
Controlling physical access to protect against
inappropriate access to protected data
Technical Safeguards
Controlling access to computer systems and the
protection of communications containing PHI
transmitted electronically over open networks
General Requirements & Structure
Within the security categories, there are
18 standards, 12 with implementation
specifications, six without
implementation specifications.
A standard defines what an organization
must do; Implementation
specifications describe how it must be
done.
Security Management Process
Requires an organization to implement
policies and procedures to prevent, detect
and contain and correct security violations
Risk Analysis
Risk Management
Sanction Policy
Information System Activity Review
All are required, not addressable.
Risk analysis and sanction policy must be
documented, retained for six years and
should be periodically reassessed and
updated as needed.
Assigned Security Responsibility
Required, not Addressable
Must designate a security official (one
individual, not an organization)
Responsible for development and
implementation of the policies and
procedures and having overall responsibility
for the security of the organizations ePHI.
HIPAA Privacy Officer generally the best
candidate
Do not just assign to IT department, it is much
more than just a technical solution.
Information Access Management
IAM standard requires an organization to implement
P&Ps to access ePHI on when such access is
appropriate based on a user’s or recipient’s role.
Includes following implementation specifications
Isolation of Healthcare Clearinghouse Function
(required)
Protect ePHI appropriate for access to a portion of a
larger organization from unauthorized access by
persons of that larger organization
Access Authorizations (addressable)
P&Ps with specific access levels for all personnel
Access Establishment and Modifications (addressable)
P&Ps to specify how to access to ePHI is granted and
modified.
Information Access Management:
Guidelines for Levels of Access
Restrict access rights to the minimum necessary
Define types of users, roles and access labels
Verify the identity of individuals who attempt to
access information
Establish criteria for when access rights should
change
Never allow access rights to be transferred among
users
Communicate policies to every person that has access
to ePHI
Review policies and procedures annually
Security Awareness and Training
Standard requires an organization to
train all members or their workforce
on its security policies and procedures
and includes the following
implementation specifications (all are
addressable):
Security Reminders
Protection from Malicious Software
Log-in Monitoring
Password Management
Security Incident Procedures
Requires an organization to implement policies and
procedures to address security incidents (the
attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information
or interference with systems operations in an
information system) and includes a single
implementation specifications, which is required:
Response and Reporting
Relates to internal reporting of security incidents and
does not specifically require the organization to report
the incident to any outside entity, except if they are
dependent upon business or legal considerations.
Develop P&Ps to identify and respond
Mitigate harmful effects known to the organization
Document security incidents and their outcomes
Contingency Plan
Requires an organization to
implement P&Ps for responding to an
emergency or other occurrence (i.e.
fire, vandalism, system failure, nature
disaster) that damages systems that
contain ePHI
Contingency Plan
5 Implementation Specs
Data Backup Plan (required)
Should be kept offsite to protect them from fire,
flood or other disaster at the facility
Disaster Recovery Plan (required)
Emergency Mode Operation Plan (required)
Testing & Revision Procedure (addressable)
Applications and Data Criticality Analysis
(addressable)
Evaluation (Required)
Perform periodic technical and non-technical
evaluations that determine the extent to which the
organization meets the ongoing requirements of the
Security Rule.
Organization must:
Verify adherence to the HIPAA Security Rule
Verify that the necessary P&Ps have been developed
Verify that the employees have been trained
Verify that contingency plans are in place
Verify that adequate access rights are in place
Periodically evaluate computer systems and/or
network design to ensure proper security has been
applied
Business Associate
Contracts/Agreements
Implement contracts/agreements that
ensure vendors and subcontractors
that create, receive, maintain or
transmit ePHI on the organization’s
behalf will appropriately safeguard
the information and includes the
following implementation
specifications:
Written Contract or Other Arrangement
(required)
Physical Safeguards
Physical measures and P&Ps to
protect electronic information
systems and related buildings and
equipment from
natural/environmental hazards and
unauthorized intrusions.
Physical Safeguards
4 Standards
Facility Access Control
Workstation Use
Workstation Security
Device & Media Controls
Examples:
Computer servers in locked rooms
Data backups stored offsite
Employee badges
Door locks
Locked cabinets
Screen savers/screen locks
Fireproof storage
Facility Access Controls
Limit physical access to facilities
ensuring authorized access is allowed
and includes:
Contingency Operations (addressable)
Facility Security Plan (addressable)
Access Control and Validation Procedures
(addressable)
Maintenance Records (addressable)
Workstation Use (Required)
Develop P&Ps to specify:
The proper functions to be performed
The manner in which those functions are to be
performed
The physical attributes of the surroundings of a
specific workstation or class of workstation that can
access ePHI
Encompasses portable devices, such as tablets, PDAs,
laptops
Conventional desktop – could include log-off
requirement, updating anti-virus
For portable devices – can limit what can be stored on
these devices
Workstation Security (Required)
Implement physical safeguards for all
workstations that can access ePHI in order
to restrict access to authorized users.
Examples:
Positioning monitors so they cannot be viewed
by passers by
Using password-protected screen savers
Limiting access to buildings, offices,
workstations, printers, faxes and remote devices
Device and Media Controls
Implement P&Ps that control the
receipt and removal of hardware and
electronic media that contain ePHI
and includes the following
implementation specifications
Disposal (Required)
Media Re-Use (Required)
Accountability (Addressable)
Data Backup and Storage (Addressable)
Technical Safeguards
Technology and the P&Ps for its use that
protect ePHI and control access to it.
5 Standards
Access Control
Audit Control
Integrity
Person or Entity Authentication
Transmission Security
Examples
Usernames and passwords
Security logs
Firewalls
Data Encryption
Access Control
Implement technical P&Ps that allow
authorized persons or software
programs to access ePHI and includes
the following specifications:
Unique User ID (required)
Emergency Access Procedure (required)
Automatic Logoff (addressable)
Encryption and Decryption (addressable)
Audit Controls (Required)
Requires an organization to implement
hardware, software and/or procedural
mechanisms that record and examine
activity in information systems that contain
or use ePHI.
Create a process to monitor data access
that includes reviews of audit logs for failed
logon attempts or security incidents, the
frequency of such reviews and the desired
escalation process.
Integrity
Implement security measures that ensure
that ePHI is not improperly modified
without detection until disposed of and
includes the following implementation
specifications:
Mechanism to Authenticate Electronic Protected
Health Information (addressable)
P&Ps to protect ePHI from improper alteration
or destruction
For most operating systems and hardware,
integrity is already built in as standard features
such as error-correcting memory and magnetic
disc storage.
Person or Entity Authentication
(Required)
Implement procedures to verify that a
person or entity seeking access to
electronic PHI is the one claimed.
Simple approach = password at login
More sophisticated approach =
biometric ID system, digital
signatures
Transmission Security
Implement technical security
measures to guard against
unauthorized access to ePHI that is
being transmitted over an electronic
communications network and includes
the following implementation
specifications:
Integrity Controls (addressable)
Encryption (addressable)
Applies when using an open network such
as internet and when deemed appropriate.
Implementation:
Implications of Non-compliance
Increased operating costs
Financial penalties
Public exposure leading to loss of
customers
Loss of Accreditations / Licenses
Litigation Damages
Imprisonment
Making an Organization HIPAA
Security Compliant
Typical High-Level Steps
Determine if organization is subject to HIPAA Security
Rule (store or transmit ePHI?)
Appoint a HIPAA Security Officer
Detailed HIPAA Security Training Course for HIPAA
Security Officer and technical IT staff
Perform risk assessment
Develop risk management plan
Draft necessary P&Ps required by the Security
standards
Work with IT to implement security standards
contained in new policies and procedures
Train employees on new security P&Ps and systems
Monitor compliance, perform periodic evaluation of
security systems and take corrective actions, as
needed.
Reasonable, Scalable and Common
Sense
Privacy & Security rules specified by HIPAA
are reasonable and scalable to account for
the nature of each organization’s culture,
size and resources.
Each organization will determine its own
privacy policies and security practices
within the context of the HIPAA
requirements and its own capabilities and
needs.
A good rule of thumb to remember is “when
in doubt, use common sense.”
Keys to Success
Education
Corporate Culture
Commitment
Embracing HIPAA
Many HIPAA requirements are just best practices already
implemented in other industries.
HIPAA can be considered a common federal “floor” for
everyone to achieve.
Many HIPAA requirements would be things you would want
the implement anyway to safeguard the confidentiality of
your clients’ records and protect your organization data
from loss or theft.
We are all patients with our own PHI and would want many
of the same protections for our own personal health
information.
With the move toward electronic records management, it is
even more critical that we all come to terms with securing
our organization’s information as it is all too easy for data
to be stolen by hackers or for an organization to lose its
records because regular backups were not performed.
Thank you for
joining us today.