HIPAA Privacy and Security Requirements Privac… · Intro to HiTECH Requirements (cont)...


Page 1:

HIPAA Privacy and Security

Requirements

600 East Superior Street, Suite 404 I Duluth, MN 55802 I Ph. 800.997.6685 or 218.727.9390 I www.ruralcenter.org

Joe Wivoda

CIO and HIT Consultant

June 19, 2013

Page 2:

Purpose

The National Rural Health Resource Center is a nonprofit organization dedicated to sustaining and improving health care in rural communities. As the nation’s leading technical assistance and knowledge center in rural health, The Center focuses on five core areas:

•Performance Improvement

•Health Information Technology

•Recruitment & Retention

•Community Health Assessments

•Networking

Page 3:

Introduction

•B.S. and M.S. in Physics, Ph.D (ABD) in Business Administration

• Computational Physics and Computer Modeling

• Innovation Process and Management of Technology

•Worked as CIO/Director of IT for several hospitals and systems, exclusively in rural and Critical Access

•HIT Consultant for MN/ND REC, HIT Network Grantees, TASC, and other programs

Page 4:

Some Interesting Facts…

•Since 2009 there have been 615 reported breaches, each affecting over 500 people

•22 million patients affected

•Want to know who lost the data? We can look it up, AND they had to notify the local media (newspaper, television, etc.)

Page 5:

How was this data lost?

•Hackers?

• Yes, but only 7%

• Unauthorized Access?

• Yes, but only 3%

• The winner is…

• Theft and Loss at 46%!

Data from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 6:

Where was the data?

•Email – 1.5%

•EMR – 12%

•Laptops – 11%

•Servers – 12%

•BIG winner is Backup media at 30%!

Data from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 7:

What does this mean?

•We need to be good stewards of the data

• If the banking industry had as many breaches, how would we feel about banking online?

•There are simple ways to protect the data

•Meaningful Use (HiTech Act) places requirements on annual HIPAA Risk Assessments. We need to make this an ongoing activity!

Page 8:

Intro to HiTECH Requirements

•Breach notification

• Notice of a breach of “unsecured” PHI must be provided to each affected individual within 60 days at the latest.

• PHI is considered “unsecured” unless it is rendered “unusable, unreadable, or indecipherable” to unauthorized users (encrypted or shredded).

• Breaches over 500 individuals? Notify prominent local media.

Page 10:

Intro to HiTECH Requirements (cont)

•Business Associate Agreements

•HIPAA now applies DIRECTLY to business associates.

•All BAAs will need to be updated with new language (security compliance, breach notification, etc).

•All the provisions you fall under, your BAs now fall under, including random audits (coming soon to a covered entity near you!)

Page 11:

Risk Assessment Overview

•“Conduct or review a security risk analysis and correct identified security deficiencies as per 45 CFR 164.308”

•http://edocket.access.gpo.gov/cfr_2009/octqtr/pdf/45cfr164.308.pdf

•There are several tools that can help you keep track or perform the risk assessment

•Horse’s mouth: http://scap.nist.gov/hipaa/

Page 12:

Risk Assessment Overview: IT Focus

• Administrative Safeguards

• Business associate agreements

• Policies for downtime, passwords, access, access termination

• Role-based security

• Auditing policies

• Malicious software and repeated login attempts policies

• Security incident response

• Contingency plans and periodic testing

• Backup policies

• Identify critical systems and “grade” them

Page 13:

Risk Assessment Overview: IT Focus (cont)

•Physical Safeguards

•Policy on access to computer equipment

•Documentation of repairs and changes

•Final disposition of EPHI

Page 14:

Risk Assessment Overview: IT Focus (cont)

•Technical Safeguards

•Unique name or number for individuals

•Session timeout

•EPHI encryption policy

•Audit controls

•Backups and recovery

Page 15:

Auditing Policies

•Auditing of access to patient data is a requirement of HIPAA

•There are several ways to do this effectively

• High profile patients

• Random employee

• Random patient

• Patient/employee last name matches

• During monthly tracers
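The audit selections listed on this slide (high-profile patients, a random employee, a random patient, and employee/patient last-name matches) are all queries over the EHR access log. The script below is an added example, not part of the slide deck or of any EHR product: it runs those four selections over a small constructed CSV access log. The log columns, the user and patient ids, and the high-profile watch list are all made-up sample data; a real EHR exports its audit trail in its own format, and the watch list should come from the privacy officer rather than be hard-coded. "Monthly tracers" are a review cadence rather than a query, so the script only makes the random draws reproducible so that each month's pick can be recorded.

```python
"""Access-audit selections over an EHR access log.

Added example, not part of the original slide deck. The log format,
field names and sample records below are constructed for illustration;
a real EHR audit log will differ.
"""
import csv
import io
import random
from collections import defaultdict

# Constructed sample log: one row per chart access (who, whom, when, what).
SAMPLE_LOG = """\
ts,user_id,user_last,patient_id,patient_last,unit,action
2013-06-01T08:02:11,u101,Nguyen,p5001,Olson,ICU,view
2013-06-01T08:15:40,u102,Olson,p5001,Olson,MedSurg,view
2013-06-01T09:30:02,u103,Carter,p5002,Mayor,ER,view
2013-06-01T09:31:15,u104,Reyes,p5002,Mayor,Clinic,view
2013-06-01T10:05:55,u101,Nguyen,p5003,Smith,ICU,update
2013-06-01T11:45:00,u105,Smith,p5003,Smith,Billing,view
2013-06-02T07:10:09,u103,Carter,p5004,Jones,ER,view
2013-06-02T13:20:30,u102,Olson,p5002,Mayor,MedSurg,view
"""

# Constructed watch list of "high profile" patient ids (public figures,
# staff members' own families, etc.). Hypothetical value for this example;
# in practice the privacy officer maintains this list.
HIGH_PROFILE = {"p5002"}


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def high_profile_accesses(rows, watch=HIGH_PROFILE):
    """Every access to a watch-listed patient, for manual review."""
    return [r for r in rows if r["patient_id"] in watch]


def last_name_matches(rows):
    """Accesses where the employee's last name equals the patient's.

    A cheap signal for staff looking up relatives; each hit still needs a
    human to confirm whether a treatment relationship existed.
    """
    return [r for r in rows
            if r["user_last"].casefold() == r["patient_last"].casefold()]


def random_sample(rows, key, n, seed=None):
    """Pick n distinct values of `key` (e.g. user_id or patient_id) at random
    and return every row for them. Pass a seed to make the draw reproducible
    so the choice can be written into the monthly audit record."""
    rng = random.Random(seed)
    values = sorted({r[key] for r in rows})
    chosen = set(rng.sample(values, min(n, len(values))))
    return [r for r in rows if r[key] in chosen]


def summarize(rows):
    """Group rows by user so a reviewer sees one employee's pattern at a time."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user_id"]].append((r["ts"], r["patient_id"], r["action"]))
    return dict(by_user)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("High-profile patient accesses:")
    for r in high_profile_accesses(log):
        print("  ", r["ts"], r["user_id"], r["unit"], "->", r["patient_id"])
    print("Employee/patient last-name matches:")
    for r in last_name_matches(log):
        print("  ", r["ts"], r["user_id"], r["user_last"], "->", r["patient_id"])
    print("Random employee audit:")
    for user, accesses in summarize(random_sample(log, "user_id", 1, seed=7)).items():
        print("  ", user, accesses)
```

Each selection returns the raw rows rather than a verdict: the point of these audits is to hand a reviewer a short, explainable list (why was u102 in the Olson chart from MedSurg?) rather than to decide automatically, and keeping the result as rows lets the same output be attached to the audit record.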

Page 16:

How to get started

•A team should be assembled for the risk assessment – this is NOT an IT or HIM project!

• Security officer

• Privacy officer

• HIM

• Nursing

• Others

•Follow the NIST toolkit

Page 17:

What you need to focus on…

•Business Associates

• Update language to contain HiTech requirements

• Check your list of BAs (or create one)

• Renew agreements

• Update policies and procedures for privacy and security requirements

• Should be reviewed annually

• Auditing access to patient data

• Perform a security risk assessment

Page 18:

What IT needs to focus on…

• Backups

• Do you store off site? Are they encrypted?

• Server room and network closets

• Secure?

• Protected from fire, water, power failure, and other threats?

• Encryption

• Everyone will need an encryption solution

• Where will you need encryption?

• Securing mobile devices

• Moving target

• Understand your devices, and expect that they will change!

• Security holes

• Firewall, external entities, vendors (especially billing), employees

Page 19:

Myths and Facts

• Encryption

• Not all devices need encryption

• You do not need to encrypt on the wire!

• Tapes are not required to be encrypted, but it may be a good idea…

• Disaster recovery

• You need to have a contingency plan

• Disaster recovery, as part of the contingency plan, should be enough information to get you up and running

• Rely on your vendor as much as possible, but expect that you will need to reinstall your EHR without their help

• Need for a hot site

• Not required by the regulations

• May be a good idea

• Consider the likelihood of each threat, and balance against the cost

Page 20:

Useful Web Sites

•NIST Security Rule Toolkit

• http://scap.nist.gov/hipaa/

•HIPAA Collaborative of Wisconsin

• http://hipaacow.org/

•Rural Assistance Center HIT Toolkit – Privacy and Security section

• http://www.raconline.org/hit/topic.php?name=privacy

Page 21:

Joe Wivoda

CIO and HIT Consultant

National Rural Health Resource Center

600 East Superior Street, Suite 404

Duluth, MN 55802

(218) 262-9100

[email protected]