Columbia University Medical Center

HIPAA Privacy & Security Update
HITECH Breach Notification Regulations
Practice Management Forum

Karen Pagliaro-Meyer, Privacy Officer, [email protected], (212) 305-7315
Soumitra Sengupta, Information Security Officer, [email protected], (212) 305-7035

November 12, 2009
This presentation focuses on two types of
confidential electronic information:
• ePHI = Electronic Protected Health Information
– Medical record number, account number or SSN
– Patient demographic data, e.g., address, date of birth, date of death, sex,
e-mail / web address
– Dates of service, e.g., date of admission, discharge
– Medical records, reports, test results, appointment dates
• PII = Personally Identified Information
– Individual’s name + SSN or Driver’s License # or credit card #
• Electronic media includes computers, laptops, disks, memory stick, PDAs,
servers, networks, dial-modems, cell phones, eMail, web-sites, etc.
HITECH (ARRA)
Health Information Technology for Economic and Clinical Health

Requirement                                                    Compliance date
1. Breach Notification                                         September 2009
2. Self-Payment Disclosures                                    February 2010
3. Business Associates                                         February 2010
4. Minimum Necessary                                           August 2010
5. Accounting of Disclosures                                   January 2011/2014
6. Performance Measures for EHR enhanced reimbursement rate
HITECH Act (ARRA)
Health Information Technology for Economic and Clinical Health

New Federal Breach Notification Law – Effective Sept 2009
 Applies to all electronic “unsecured PHI”
 Requires immediate notification to the Federal Government if
more than 500 individuals are affected
 Annual notification if fewer than 500 individuals are affected
 Requires notification to a major media outlet
 Breach will be listed on a public website
 Requires individual notification to patients
 Criminal penalties apply to an individual or employee of a
covered entity
HITECH Act (ARRA)

Enforcement
 Increased penalties for HIPAA Violations
• tiered civil monetary penalties from $10,000 to $1.5 mil
 Expected increased enforcement and oversight activities
 State Attorneys General will have enforcement authority and
may sue for damages and injunctive relief.

Business Associates
 Standards apply directly to Business Associates
 Statutory obligation to comply with restrictions on use and
disclosure of PHI
 New HITECH Privacy provisions must be incorporated into BAA
New York State SSN/PII Laws
Social Security Number Protection Law
 Effective December 2007
 Recognizes SSN to be a primary identifier for identity theft
 It is illegal to communicate this information to the general public
 Access cards, tags, etc. may not have SSN
 SSN may not be transmitted over Internet without encryption
 SSN may not be used as a password
 SSN may not be printed on envelopes with see-through windows
 SSN may not be requested unless required for a business
purpose
 Fines and Penalties for unauthorized use or disclosure
New York State SSN/PII Laws
Information Security Breach and Notification Act
 Effective December 2005
 IF… Breach of Personally Identifiable Information occurs
o SSN
o Credit Card
o Driver’s License
 THEN… Must notify
o patients / customers / employees
o NY State Attorney General
o Consumer reporting agencies
New Regulations – Red Flag rule
Red Flag – Identity Theft Prevention Program
 Requires healthcare organizations to establish a written
program to identify, detect, respond to and correct reports of
potential identity theft
 Educate all staff how to identify Red Flags and report them
 Appoint program administrator & Report to leadership
 FTC law includes fines and penalties $2,500 per violation
 Business Associate Agreements will have to be revised to
inform CUMC of any Red Flags involving CUMC data
 Enforcement delayed until February 2010
What you need to know in Information Security
Ponemon Study on Data Breaches (Nov 2007), breakdown of breach causes:
 Lost laptop/device: 48%
 Third party/outsourcer: 16%
 Malicious insider: 9%
 Paper records: 9%
 Electronic backup: 7%
 Hacked system: 5%
 Malicious code: 4%
 Undisclosed: 2%
Types of Information Security Failures
 Lost/Stolen laptop with unencrypted ePHI or PII
– Under HITECH and NY State SSN Laws, you may be personally liable,
and you will be disciplined for loss of unencrypted PHI or PII
 Sending ePHI outside the institution without encryption
– Under HITECH you may be personally liable for losing ePHI data
 Sharing passwords
– You are responsible for your password. If you shared your password, you
will be disciplined even if the other person makes no inappropriate access
 Not signing off systems
– You are responsible and will be disciplined if another person uses your
‘not-signed-off’ system and application
Security Controls
Laptop and File Encryption
 WinZip (password protect + encrypt)
 7-Zip (free, password protect + encrypt)
 TrueCrypt (free, complete folder encryption)
 FileVault (folder encryption on Macintosh)
Encrypted USB Drives
 IronKey (fully encrypted)
 Kingston DataTraveler
Columbia University Medical Center
 Two of the laptops reported stolen at CUMC last year
1. Laptop was located in a physician office
• Laptop was not encrypted and not password protected
• Included 300 patient names, medical record numbers and test results
2. Laptop was located in a patient testing area
• Laptop was password protected but not encrypted
• Included approximately 150 patient names, dates of birth, medical record
numbers and test results
Prior to HITECH, these patients were not required to be notified
because the data on the laptops did not include social security
numbers; however, the new breach notification act would require
notification of each patient and remediation (free credit monitoring)
NewYork-Presbyterian Hospital
 A NYP employee (patient admissions representative) was charged
with stealing almost 50,000 patient files and selling some of them.
 The files stolen probably contained little or no medical information,
but did include patient names, phone numbers and social security
numbers, fertile ground for identity theft.
 The employee reported that he sold the demographic information of 1,000
patients and was paid $750.
 NewYork-Presbyterian Hospital has reported that the cost of the
breach was over $1.5 million, including the cost of mailing to all
50,000 patients and offering free credit monitoring, in addition to
the cost associated with the negative publicity.
Security Reminders
 Password required
 Use encryption for portable devices with PHI
 Password protect your computer
 Keep office secured
 Dispose of information correctly
 Run anti-virus, anti-spam and anti-spyware software
HITECH Action Plan
 REMINDER Workforce members are required to report the
loss or theft of any Protected Health Information
 Include in New Hire / Welcome Program Staff Education
 Email reminders / alerts for staff
 Department specific – as requested
 Review existing Policies and Procedures (HIPAA, Security)
 Implement Confidentiality Agreement