1
HIPAA Privacy and Security Management Update
January 28, 2008
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315
Soumitra Sengupta, Information Security Officer, (212) 305-7035
2
HIPAA: Privacy vs. Security. What's the Difference?
PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access that information.
SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.
3
HIPAA Privacy and Security Update
Security Update
1. Policy & Procedure Update
2. HIPAA & SSN Asset Identification
3. Other Security Information
Privacy Update
1. Policy & Procedure Update
2. HIPAA Staff Education
3. Business Associate Agreements
4
Why do we care about HIPAA?
• Privacy breaches: the George Clooney case (hospital staff viewed a celebrity patient's record without a treatment reason)
• Information security: a V.A. hospital lost a hard drive with patient medical and physician information
• Identity theft: New York's breach notification law for lost SSNs (see slide 28)
5
1. Privacy Policy and Procedure Update
• Notice of Privacy Practices
  – Notice in English and Spanish
  – Acknowledgement form
  – Posters
• Release of patient information
• Privacy and Security audit tools
• Reporting a privacy breach allegation
6 to 10: slide images only; no transcript text available.
11
2. Staff Education
Current Privacy and Security Education
– New hire staff education
– On-line HIPAA education (professional staff)
– HIPAA for Researchers (RASCAL)
Additional Education Planned
– Quarterly HIPAA training for managers (refresher and new hire)
– Quarterly HIPAA training for staff (refresher)
– Quarterly email reminders / alerts
– Department specific, as requested
– Web site
12
3. Business Associate
Definition: a person or organization
• who is not a member of your staff,
• and is not another healthcare provider (a provider who receives PHI for treatment of the patient is not a business associate),
• who receives, uses, or discloses protected health information (patient information)
• in connection with providing any of the following services to or for your practice:
13
3. Who is a Business Associate?
Examples include:
• billing
• claims processing or administration
• call service management
• quality assurance
• data processing or analysis
• transcription services
• utilization review
• design or manage an electronic records system
• accounting
• accreditation
• administrative
• data aggregation
• consulting
• financial services
• management
14
HIPAA Information Security Recap
Confidentiality
• Prevent unauthorized access to or release of EPHI (electronic protected health information)
• Prevent abuse of access (identity theft, gossip)
Integrity
• Prevent unauthorized changes to EPHI
Availability
• Prevent service disruption due to malicious or accidental actions, or natural disasters
15
Regulation specification (HIPAA Security Rule, 45 CFR 164.308, 164.310 and 164.312)
Administrative Safeguards
• Policies and Procedures
• Responsibility
• Awareness and Training
• Incident Processing, Sanctions
Physical Safeguards
• Workstation Use and Security
• Facility Access Control
• Device and Media Control
Technical Safeguards
• Access Control
• Audit Control
• Encryption and Integrity Control
16
Policies and Procedures
Information Security Best Practices
– Information Security Management Process
– Information Access Management & Control
– General Information Security
– Info Sec: Audit and Evaluation
– Workstation Use and Security
– Workforce Security: Clearance, Termination and Authorization
– Info Sec: Backup, Device & Media Control
– Info Sec: Facility Access Control & Security
– Info Sec: Disaster Contingency & Recovery Plan
– Info Sec: Security Incident Procedure
17
Responsibility action items
Information Asset Owner responsibility
– Risk assessment and management
– Implementation of security controls
  • Access, Authorization, Termination
– Audit and evaluation
– Disaster Contingency and Recovery Plan
– Additional information in policy documents
18
Responsibility action items
Manager responsibility
– Workforce clearance, termination and authorization
– Facility access to sensitive information assets
– Education, security reminders, sanctions
End User responsibility
– "Acceptable Use"
– Safe practices
– Sensitivity towards patient privacy
19
Consequences of Security Failure
• Disruption of patient care
• Increased cost to the institution
• Legal liability and lawsuits
• Negative publicity
• Identity theft (monetary loss, credit fraud)
• Disciplinary action
20
Types of Security Failure
Intentional Attacks
– Malicious software (bots, spyware)
– Theft of copyrighted material (Torrent, Limewire, Emule, etc.)
– Stolen passwords (keyloggers, Trojans)
– Impostors e-mailing to infect and steal information (phishing)
– Abuse of privilege (employee/VIP clinical data)
…and an important development…
21
Privacy & Security Concerns
Risk to Clinical Information
• Loss of laptops, USB/flash drives, CD/DVD, Blackberry/Palm, etc.
• Failure to safeguard equipment
  – Physically locked / secured?
  – Password protected?
  – Encrypted?
Of these, only encryption protects the data once the device is out of your hands; a login password does not stop someone who removes the disk or reads the flash memory directly.
E.g. Kingston DataTraveler Secure Privacy Edition USB flash drive (hardware-encrypted)
22
Types of Security Failure
Employee Carelessness
– Sharing passwords
– Not signing off systems
– Downloading and executing unknown software
– Sending EPHI outside the institution without encryption
– Losing a PDA or laptop in transit
– Pursuing risky behavior: improper web surfing and instant messaging
– Not questioning, reporting, or challenging suspicious or improper behavior
24
Methods to Protect against Failures
• Do not abuse clinical access privilege; report any abuse you observe (anonymously if necessary)
• Do not become responsible for another person's abuse by neglecting to sign off; this negligence may easily lead to your suspension or termination
• Do not copy, duplicate, or move EPHI without proper authorization
• Do not email EPHI without encryption to addresses outside the institution
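The first bullet asks staff to report abuse they see; the institutional counterpart is the "Audit Control" technical safeguard from slide 15: reviewing the EHR access trail for reads of employee or VIP records by people who have no treatment relationship with the patient. The script below is an added example of that review. It is not code from the original deck or from CUMC, and the log format, the VIP list, the employee-to-patient mapping and the care-team table are all constructed for illustration; a real deployment would pull them from the EHR's audit tables and the registration system.

```python
"""Flag suspicious clinical-record access in an EHR audit trail.

Added example for the 'Audit Control' safeguard and the abuse-of-privilege
failure mode described in these slides. Not code from the original deck or
from CUMC. Log format, VIP list, employee-patient mapping and care-team
table are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter, namedtuple

Access = namedtuple("Access", "ts user patient action")
Alert = namedtuple("Alert", "ts user patient action reason")

# Constructed audit trail: timestamp, user id, patient id, action.
AUDIT_LOG = """\
2008-01-28T09:02:11 rn_smith  P1001 VIEW
2008-01-28T09:05:40 md_jones  P2002 VIEW
2008-01-28T12:14:03 clerk_lee P9001 VIEW
2008-01-28T12:20:55 rn_smith  P3003 VIEW
2008-01-28T12:45:09 clerk_lee P4004 VIEW
2008-01-28T13:00:12 md_jones  P9001 VIEW
2008-01-28T13:02:30 it_admin  P9001 PRINT
"""

VIP_PATIENTS = {"P9001"}                      # patients under heightened monitoring (assumed)
EMPLOYEE_PATIENT = {"rn_smith": "P3003",       # staff who are also patients here (assumed)
                    "md_jones": "P4004",
                    "it_admin": "P5005"}
CARE_TEAM = {                                 # patient -> users with a treatment relationship (assumed)
    "P1001": {"rn_smith", "md_jones"},
    "P2002": {"md_jones"},
    "P4004": {"md_patel"},
    "P9001": {"md_jones", "rn_patel"},
}


def parse_log(text: str) -> list[Access]:
    """Parse whitespace-separated audit lines; blank lines are ignored."""
    return [Access(*line.split()) for line in text.splitlines() if line.strip()]


def audit(accesses, vip=VIP_PATIENTS, employee_patient=EMPLOYEE_PATIENT,
          care_team=CARE_TEAM) -> list[Alert]:
    """Return one Alert per access that lacks a need-to-know justification.

    Rules, in priority order:
      self-lookup          a staff member opened their own record
      vip-no-relationship  a flagged patient's record opened by someone off the care team
      coworker-record      an employee's record opened by someone off that employee's care team
    Accesses by a member of the patient's care team are never flagged here;
    minimum-necessary checks inside the care team need role data this
    example does not model.
    """
    staff_records = set(employee_patient.values())
    alerts = []
    for a in accesses:
        on_team = a.user in care_team.get(a.patient, set())
        if employee_patient.get(a.user) == a.patient:
            reason = "self-lookup"
        elif a.patient in vip and not on_team:
            reason = "vip-no-relationship"
        elif a.patient in staff_records and not on_team:
            reason = "coworker-record"
        else:
            continue
        alerts.append(Alert(*a, reason))
    return alerts


def alerts_by_user(alerts) -> Counter:
    """Count alerts per user so repeat offenders surface for the Privacy Office."""
    return Counter(alert.user for alert in alerts)


if __name__ == "__main__":
    found = audit(parse_log(AUDIT_LOG))
    for alert in found:
        print(f"{alert.ts} {alert.user:<10} {alert.patient} {alert.action:<5} {alert.reason}")
    print("per-user:", dict(alerts_by_user(found)))
```

On the constructed log, md_jones opening the VIP record is not flagged because md_jones is on that patient's care team, while the clerk and the IT administrator opening the same record are; that distinction (relationship, not role or seniority) is what makes the review defensible when the Privacy Office follows up.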
25
Methods to Protect against Failures
• Strictly follow the principles of 'minimum necessary' and 'need-to-know' for all accesses; the three fundamental missions of the institution are Care, Education and Research.
• Challenge improper behavior, question suspicious behavior, and report violations and security problems to the proper authorities: email [email protected] or [email protected], call the Privacy Office (1-212-305-7315), or call the CUMC IT Helpdesk (1-212-305-HELP).
• Communicate with colleagues and staff about secure and ethical behavior.
26
HIPAA & SSN Asset Identification Project
• Identify electronic storage of patient information and of any SSN (patient, provider, employee)
• Storage includes
  – Applications, databases, files
  – Application/database/file servers, workstations/PCs/laptops, USB/flash devices, CD/DVDs, home computers
• Started on 12/7 (December 2007) by Bob Sideli, CIO, CUMC (cc to Chairs). So far:
  – 43% of departments / centers have responded
  – 83 assets with Social Security Numbers
  – 70 assets with Protected Health Information
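Self-reporting finds the stores people remember; a scan finds the ones they forgot. As an added example for this inventory step (not code from the slides or from CUMC), the script below walks a directory of plain-text exports, matches SSN candidates, and applies the Social Security Administration's structural rules before counting a hit, so that timestamps, phone numbers and never-issued numbers do not inflate the inventory. The directory path, the file extensions and the sample rows are assumptions constructed for the illustration; binary stores (databases, Office documents) would need their own readers in front of the same detector.

```python
"""Inventory scan for Social Security Numbers in plain-text files.

Added example for the HIPAA & SSN Asset Identification Project. Not code from
the original slides or from CUMC. Assumes text-based stores (CSV exports,
logs, dumps); the suffix list and the sample rows are assumptions.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Formatted (123-45-6789) or bare (123456789) candidates. The lookarounds
# refuse to start or stop inside a longer digit run or a hyphenated number,
# so timestamps, account numbers and phone numbers such as 212-555-0100
# do not yield partial matches.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")

# Numbers the SSA reserved for advertising and has never issued.
NEVER_ISSUED = {("078", "05", "1120")} | {("987", "65", str(s)) for s in range(4320, 4330)}

TEXT_SUFFIXES = {".csv", ".txt", ".log", ".sql", ".tsv"}  # assumption: text stores only


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's structural rules so impossible numbers are not reported."""
    if (area, group, serial) in NEVER_ISSUED:
        return False
    a = int(area)
    if a == 0 or a == 666 or a >= 900:   # areas 000, 666 and 900-999 are never assigned
        return False
    return int(group) != 0 and int(serial) != 0  # group 00 and serial 0000 are invalid


def find_ssns(text: str) -> list[tuple[int, str, bool]]:
    """Return (line_number, masked_ssn, was_formatted) for each plausible SSN.

    Only the last four digits are kept: an inventory report holding full SSNs
    would itself become an SSN asset that the project then has to protect.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                hits.append((lineno, f"***-**-{serial}", "-" in m.group(0)))
    return hits


def scan_tree(root: Path) -> dict[str, int]:
    """Walk a directory and return {relative_path: number_of_plausible_SSNs}."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            count = len(find_ssns(path.read_text(encoding="utf-8", errors="replace")))
            if count:
                report[str(path.relative_to(root))] = count
    return report


# Constructed sample rows (no real people, no real numbers) for a dry run.
# Lines 3, 4 and 6 must not be reported: area 000, an advertising number,
# and a 14-digit order timestamp.
SAMPLE = """\
patient_id,name,ssn,phone
1001,Jane Doe,123-45-6789,212-555-0100
1002,John Roe,000-12-3456,212-555-0101
1003,Ad Example,078-05-1120,n/a
1004,Mary Major,219099999,n/a
order 20080128123456 shipped
"""


def demo() -> list[tuple[int, str, bool]]:
    """Run the detector over SAMPLE."""
    return find_ssns(SAMPLE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, count in scan_tree(Path(sys.argv[1])).items():
            print(f"{count:5d}  {name}")
    else:
        for lineno, masked, formatted in demo():
            print(f"line {lineno}: {masked} ({'formatted' if formatted else 'bare'})")
```

Run it with a directory argument to get a per-file count for the worksheet that follows; bare nine-digit hits deserve a manual look, since a column of them next to a header like "ssn" is strong evidence while an isolated one in a log may be a coincidence.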
27
Information Systems Security (asset identification worksheet)
Application/database/file store information: list all applications/databases/file stores for which the Department is responsible. Repeat this information for each application/database/file store, one in each worksheet. Protected Health Information (PHI) is any patient-related information including name, DOB, SSN, address, diagnosis, treatment, etc. When in doubt, report.
Name of individual responsible for application (database/file store):
Title:   UNI:   Phone:   Email:
Enter application (database/file store) name:
Brief description of application (database/file store) and its use:
Does it contain Social Security Numbers?   YES / NO / Don't Know
Does it contain Protected Health Information?   YES / NO / Don't Know
Works in…   Columbia Dept (specify name below) / CUbhis / Third party vendor (specify name below)
28
New York State SSN Laws
• Information Security Breach and Notification Act (December 2005)
  – If… there is a breach of personally identifiable information: SSN, credit card number, driver's license number
  – Then… notify affected consumers, New York State, and the consumer reporting agencies
  – Cost: hundreds of thousands of dollars for notification and credit-report assistance
  – Penalties
29
New York State SSN Laws
• Social Security Number Protection Law (December 2007)
  – Recognizes the SSN as the primary identifier exploited in identity theft
  – Illegal to communicate an individual's SSN to the general public
  – Access cards, tags, etc. may not carry the SSN
  – SSN may not be transmitted over the Internet without encryption
  – SSN may not be used as a password
  – SSN may not be printed on envelopes with see-through windows
  – Penalties
• Identification of SSN assets is the first step towards reducing the risk of violating these laws.
30 to 31: slide images only; no transcript text available.