HIPAA Security - Columbia University Medical Center
Columbia University Health Sciences
Research under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
HIPAA Overview
Health Insurance Portability and Accountability Act (HIPAA)
  Insurance Reform: [Portability] [Accountability]
  Administrative Simplification:
    Transactions, Code Sets, & Identifiers (Compliance Date: 10/16/2002 and 10/16/03)
    Privacy (Compliance Date: 4/14/2003)
    Security (Compliance Date: 4/20/2005)
PRIVACY vs. SECURITY
PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.
SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.
PRIVACY
WHAT does the Privacy Rule COVER?
Protected Health Information (PHI) = individually (patient) identifiable information relating to the past, present or future health condition of the individual
ALL information, whether maintained in electronic, paper or oral format
PRIVACY
WHAT does the Privacy Rule MEAN?
Limits the Use and Disclosure of PHI: most uses or disclosures outside of treatment or payment require actual patient authorization or an exception to authorization (e.g., research)
Establishes the Individual’s (Patient’s) right to control access to and use of PHI
  Right to inspect or copy PHI
  Right to amend incorrect information, etc.
PRIVACY
WHAT does the Privacy Rule MEAN? (cont’d)
Balances health information protection and individual rights against public health and safety needs
Administrative Requirements
  Privacy Officer
  Privacy Board to review research
  Notice
  Training & Sanctions
  Safeguards
  Policies & Procedures
RASCAL HIPAA Forms
Human subjects research using identifiable health information must meet one of the following criteria:
Form A) HIPAA Clinical Research Authorization
Form A - Spanish Version HIPAA Clinical Research Authorization
Form B) HIPAA Application for Waiver of Authorization
Form C) Request for Recruitment Waiver of Authorization
Form D) Investigator's Certification for Reviews Preparatory to Research
Form E) Investigator's Certification for Research with Decedents' Information
Form F) Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes
Form G) Investigator's Certification for Research with De-Identified Data
HIPAA and Research
HIPAA mandates that a Privacy Board ensure institutional compliance with HIPAA
The Privacy Board function can be administered by an IRB or as a separate function
For research involving human subjects at CUMC, this function is fulfilled by a Privacy Board function separate from the IRB, which meets every two weeks
HIPAA and Research
Privacy Board
  Authorization signed by patient for all clinical research
  Waiver Criteria applied before records research
  Exceptions
  • Preparatory to research
  • Decedent
  • De-identified
  • Limited Data Set
HIPAA Authorization
Authorization signed by patient for all clinical research
Patient authorization elements
The information
Who may use or disclose the information
Who may receive the information
Purpose of the use or disclosure
Expiration date or event
Individual’s signature and date
Right to revoke authorization
Right to refuse to sign authorization
Redisclosure statement
HIPAA Authorization
The information: relates to the “minimum necessary standard” (we will use only the PHI we need for the research)
Who may use or disclose the information: “the PI and the research team”
Who may receive the information: the sponsor/CRO/central labs/etc.
HIPAA Authorization
Purpose of the use or disclosure: short description of research
Expiration date or event: “end of study”; “never” for databases
Individual’s signature and date
  Subject must receive signed copy
  Must be retained for 6 years
HIPAA Authorization
Right to revoke authorization: must be made in writing; reliance exception
Right to refuse to sign authorization: if refusal is exercised, research-related treatment can be withheld. Note that, as a provider, you cannot condition signing an authorization for research on the provision of non-research-related treatment
Redisclosures not protected: statement that redisclosures may happen and their PHI would no longer be protected
Problem areas
Creation of research databases from treatment encounters
Compound authorizations not permitted, e.g., to build a research database and do specific research from that database
Future unspecified research cannot be authorized: a particular problem with sponsor-requested language
Patients’ general right to their health information: does this extend to research-related treatment?
HIPAA Waiver of Authorization
Waiver Criteria applied before records research
Most likely to be used in cases of research involving retrospective chart reviews
IRB/Privacy Board may also waive authorization to allow use of PHI by third parties to recruit study subjects; no waiver or authorization is needed to recruit a researcher’s patients into a clinical trial
HIPAA Waiver Criteria
Waiver requires IRB/Privacy Board approval and documentation of three (3) waiver criteria:
1. Use or disclosure involves no more than minimal risk to privacy of the subject, based on, at least:
  Adequate plan to protect the information from improper use and disclosure;
  Adequate plan to destroy identifiers; and
  Written assurances that the PHI will not be disclosed further than as set forth in the waiver
HIPAA Waiver Criteria, cont’d
2. The research could not practicably be conducted without waiver or alteration
3. The research could not practicably be conducted without access to and use of the PHI
Waiver problem areas
Case studies: case studies are generally not research and must be de-identified
Limited-number-of-subjects studies
Your research involves the disclosure of health information which the patient has to authorize, e.g., HIV status
You’re requesting a waiver for research where the Privacy Board believes you have ample opportunity to get actual authorization, e.g., research database creation
Recruitment Issues
A PI who is also the subject’s MD may contact his/her patients directly about research
IRB-approved recruitment letters are OK; they should be signed by the treating MD (active versus passive consent)
IRB-approved advertisement: subjects call the investigator or a screening service
Not OK: recruiting out of waiting rooms; investigators with no relationship calling patients directly
Authorization and Waiver exceptions
Exceptions Documented
• Preparatory to research
There can be no disclosure of PHI to researchers from CU or NYPH without authorization or waiver unless the disclosure is for:
1. Preparatory research, i.e., to assess feasibility of research; formulate a research hypothesis; or define a recruitment cohort
2. Or an exception applies, e.g., decedent; de-identified; limited data set
Reviews Preparatory to Research
CE obtains a representation from the researcher that:
  Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol;
  No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
  The protected health information is necessary for the research purposes.
De-Identified Health Information
Research on a decedent
De-identified
Limited data set
1. If information is “de-identified” in accordance with “generally accepted statistical and scientific principles or methods”
2. If all identifiers listed in a “safe harbor” are removed; this safe harbor requires the removal of 18 identifiers (of limited use)
3. Dummy identifier to facilitate linkage within CE permitted
Limited Data Set
Permits identifiers not permitted by the de-identification safe harbor, such as: zip code, town, city & state, date of birth/death and dates of service
Benefit: no need for waiver or authorization if only disclosing a limited data set to a researcher; accounting rule doesn’t apply
Requires a “data use agreement” with the intended recipient
Limited Data Set
Authorized for public health, research, and health care operations purposes:
1. Public health uses: disease registries maintained by the private sector or universities, or other types of studies for public health purposes
2. Possible health care operations use: hospital sharing of limited data set information with a local hospital association
3. Possible research use: establishment of research databases and repositories
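To make the two release shapes from the de-identification and limited data set slides concrete, here is an added Python example written for this page (it is not code from the slides, from CUMC or from CUBHIS). It builds a constructed patient record, reduces it to a limited data set (direct identifiers removed; zip, city and dates kept, as the slide describes) and to a safe-harbor de-identified record (the safe-harbor identifier categories removed, dates reduced to the year, and a random linkage code attached as the slide's permitted "dummy identifier"), then runs a pre-release check for leftover identifiers. It goes slightly beyond the slide by also applying the safe-harbor rule that ages over 89 are reported as "90+". The field names, the sample values, and the random-code linkage table are this example's own assumptions.

```python
import secrets
from datetime import date

# Constructed sample record for this example; the field names are this
# example's own and not from any CUMC system.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001",
    "ssn": "123-45-6789",
    "email": "jane@example.invalid",
    "phone": "212-555-0100",
    "street": "1 Main St",
    "city": "New York",
    "state": "NY",
    "zip": "10032",
    "birth_date": date(1930, 3, 4),
    "admit_date": date(2004, 6, 1),
    "discharge_date": date(2004, 6, 9),
    "diagnosis_code": "E11.9",
    "lab_hba1c": 7.8,
}

# Direct identifiers: removed from BOTH a safe-harbor de-identified record and
# a limited data set. These field names stand in for the safe-harbor identifier
# categories (names, SSN, MRN, phone/fax, email, plan/account/license numbers,
# vehicle/device IDs, URLs, IP addresses, biometrics, photos, other unique IDs).
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo", "other_unique_id",
}
# Geography below state level and individual-level dates: removed by safe
# harbor, but a limited data set may keep them (the slide's zip, town/city,
# date of birth/death and dates of service).
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "zip"}
INDIVIDUAL_DATES = {"birth_date", "death_date", "admit_date", "discharge_date"}


def _age_on(as_of, born):
    """Whole years between `born` and `as_of`."""
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def limited_data_set(record):
    """Limited data set: strip direct identifiers only; geography and dates
    stay. Release requires a data use agreement with the recipient."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor_deidentify(record, linkage_map, as_of=date(2005, 1, 1)):
    """Safe-harbor de-identification: drop direct identifiers and sub-state
    geography, reduce dates to the year, aggregate ages over 89 into "90+",
    and attach a random linkage code. `linkage_map` (MRN -> code) is the
    covered entity's private re-identification table and is never released."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key in INDIVIDUAL_DATES:
            out[key.replace("_date", "_year")] = value.year
            continue
        out[key] = value
    if "birth_date" in record:
        age = _age_on(as_of, record["birth_date"])
        if age > 89:
            # The birth year alone would reveal an age over 89, so it goes too.
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    # The code is random, not derived from any identifier, so it cannot be
    # translated back without the table held inside the covered entity.
    code = linkage_map.get(record["mrn"])
    if code is None:
        code = secrets.token_hex(8)
        linkage_map[record["mrn"]] = code
    out["linkage_code"] = code
    return out


def leaked_identifiers(released):
    """Pre-release check: direct identifier fields still present in a record."""
    return sorted(k for k in released if k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    table = {}
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("safe harbor:", safe_harbor_deidentify(SAMPLE_RECORD, table))
    print("leaks in raw record:", leaked_identifiers(SAMPLE_RECORD))
```

The linkage table is the only way back from a code to an MRN, so it must stay inside the covered entity. A limited data set still carries dates and zip codes, which is why the slide ties its release to a data use agreement rather than treating it as de-identified data.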
HIPAA Security
Soumitra Sengupta
Information Security Officer
Columbia University Biomedical and Health Information Services (CUBHIS)
HIPAA Recap
Health Insurance Portability and Accountability Act (HIPAA) - 1996
Administrative Simplification
  Transaction code standards (November 2003)
  Privacy (April 2003)
  Information Security (April 2005)
Definitions
Protected Health Information (PHI)
  Health or medical information identifiably linked to a specific individual, such as information about:
    their identity – demographic and financial data
    their medical condition and treatment – clinical data
Electronic PHI (EPHI)
  PHI stored on or transmitted via our computers and networks, including CDs, PDAs, tapes, and clinical equipment
Goal of the HIPAA Security regulation is to secure EPHI
Concepts of Info Security
Confidentiality
  Prevent unauthorized access or release of EPHI
  Prevent abuse of access (identity theft, gossip)
Integrity
  Prevent unauthorized changes to EPHI
Availability
  Prevent service disruption due to malicious or accidental actions, or natural disasters.
Regulation specification
Administrative Safeguards
  Policies and Procedures
  Responsibility
  Awareness and Training
  Incident Processing, Sanctions
Physical Safeguards
  Workstation Use and Security
  Facility Access Control
  Device and Media Control
Technical Safeguards
  Access Control
  Audit Control
  Encryption and Integrity control
Action items to compliance
Development of Policies and Procedures
  Information Security Mgmt Process
  General Info Security
  Workstation Use and Security
  Info Sec: Backup, Device & Media Control
  Information Access Mgmt & Control
  Info Sec: Audit and Evaluation
  Workforce Security Clearance, Term and Auth
  Info Sec: Facility Access Control & Security
  Info Sec: Security Incident Procedure
  Info Sec: Disaster Contingency & Recovery Plan
  Information Security Best Practices
Action items to compliance
Infrastructure security
Computer network and systems security
Firewalls, Intrusion Detection/Prevention systems
Secure remote access – VPN
Assuring availability: Bandwidth restrictions to the Internet
Anti-virus (Symantec)
Anti-spyware (Pest Patrol)
Host Integrity Check (Tripwire)
Communication with patients (Relay Health)
Facilities Security
Data Centers (planned upgrade)
Action items to compliance
Infrastructure security
Workforce Security
Authentication and Termination
  Columbia UNI, CUMC/NYP LDAP, Weill Cornell LDAP
  Termination from NYP, CU, WC Human Resources, CU Student Information Services, WC Students, Service Corporation, Private/Temp employees, etc.
Security Incident Processing and Sanctions
Others
Responsibility action items
Information Asset Owner Responsibility
Risk Assessment and management
  Tier A – More than 20 users – a Detailed Security Questionnaire and a set of formal documentation about security of the asset
  Tier B – Less than 20 users – a Limited Security Questionnaire (11 security questions)
Implementation of Security Controls
Audit and evaluation
Disaster Contingency and Recovery Plan
Additional information in Policy documents
Action items
Report EPHI applications with more than 20 users to us to initiate rigorous security risk assessment
For applications with less than 20 users, CUBHIS is scheduling for an external agency to conduct security sessions for asset owners to
  Learn about necessary security methods
  Help fill out the limited Questionnaire
CUBHIS is also available for server and workstation management services for assets that need better management (“Custodial functions”)
Action items
We will incorporate security training with privacy training; call upon us to discuss HIPAA security with your department.
All new Clinical Systems must be technically evaluated and approved by Dr. Randy Barrows Jr., Asst VP, CUBHIS Clinical Resources. Approval criteria include HIPAA Security check requirements.
All EPHI assets are required to be registered.
We are working with the IRB and Privacy Board to incorporate Security checks for research systems. Expect guidance from the IRB about security of all research, not just EPHI research.
Responsibility action items
Manager responsibility
Workforce Clearance, Termination and
Authorization
Facilities access to sensitive information assets
Education, security reminders, sanctions
End User responsibility
“Acceptable Use”
Safe practices
Sensitivity towards patient privacy
Consequences of Security Failure
Disruption of Patient Care
Increased cost to the institution
Legal liability and lawsuits
Negative Publicity
Identity theft (monetary loss, credit fraud)
Disciplinary action
Types of Security Failure
Intentional Attacks
Malicious Software (Virus, Spyware)
Stolen Passwords (Keyloggers, Trojans)
Impostors e-mailing to infect and steal info (Phishing)
Theft (Laptop, PDA, CD/USB storage devices, etc.)
Abuse of privilege (Employee/VIP clinical data)
Theft of copyrighted material (Kazaa)
Types of Security Failure
Employee Carelessness
Sharing Passwords
Not signing off systems
Downloading and executing unknown software
Sending EPHI outside the institution without encryption
Losing PDA and Laptop in transit
Pursuing risky behavior – improper web surfing and instant messaging
Not questioning, reporting, or challenging suspicious or improper behavior
Methods to Protect against Failures
Install anti-virus and anti-spyware solutions
Install security patches
Update definitions daily
Use caution when viewing web pages and e-mail attachments, and when using games and programs
Choose strong passwords, refuse to share them, and change them if you suspect a breach
Protect your laptop or PDA with a password, and turn on encryption on sensitive folders, including copies on CD, floppy, USB storage devices, etc.
Methods to Protect against Failures
Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)
Do not be responsible for another person’s abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
Do not copy, duplicate, or move EPHI without proper authorization
Do not email EPHI without encryption to addresses outside the institution
Methods to Protect against Failures
Strictly follow the principles of ‘Minimum necessary’ and ‘Need-to-know’ for all accesses; the 3 fundamental missions of the institution are Care, Education and Research.
Challenge improper behavior, question suspicious behavior, and report violations and security problems to the proper authorities: email [email protected] or [email protected], or call the Privacy Office (1-212-305-7315) or the CUBHIS Helpdesk (1-212-305-HELP)
Communicate with colleagues and staff about secure and ethical behavior
More Information
Current Website: go to http://www.cumc.columbia.edu/cubhis/ and select Security, and then CUMC HIPAA
Email to [email protected] or [email protected]