Overview: HIPAA Guidelines for Security and Privacy

July, 2001

Jack Buchanan, MSEE MD
University of Tennessee Health Science Center

HIPAA Security and Privacy Regulations

Mandated by Congress via Health Insurance Portability and Accountability Act of 1996.

Requirements for:
- Data Interchange Standards
- Data Security
- Patient Privacy

HIPAA Security and Privacy Regulations

Regulations were to have been established by separate Congressional act

Escape clause mandated HHS to write regulations if Congress didn’t act by a deadline

Regulations issued during final days of Clinton administration.

Delayed, then affirmed by the Bush administration.

We now have “final” Privacy Regulations and “preliminary” Security Regulations.

HIPAA Security and Privacy Regulations-Purpose

To prevent inappropriate use of health information associated with an individual patient

To require organizations which use health information to protect the information and the systems which store, transmit, and process it

Explicitly includes systems and procedures belonging to associates and subcontractors; Requires “Chain of Trust” agreements

HIPAA Security and Privacy Regulations-Who?

Definitely apply if you are (or have a unit which is) a:
- Health provider
- Health plan
- Healthcare clearinghouse

HIPAA Security and Privacy Regulations-Who?

Maybe (probably) apply, if you are affiliated with the above as a:
- Business Associate
- Contractor
- Consultant
- Researcher, if data are personally identifiable

HIPAA Security and Privacy Regulations-When?

Politics has made this a little difficult to determine

The argument that they will NEVER go into effect has become MUCH less credible

Working Deadline: Mid 2003

HIPAA Security and Privacy Regulations

What’s a covered entity to do? Many requirements are specifically spelled out:
- Assign responsibility for security to a person or an organization
- Assess risks and determine the major threats to the security and privacy of protected health information

HIPAA Security and Privacy Regulations

What’s a covered entity to do? Establish a security management program that addresses:
- physical security
- personnel security
- technical security controls
- security incident response
- disaster recovery

HIPAA Security and Privacy Regulations

What’s a covered entity to do?
- Certify the effectiveness of new or existing security controls
- Appoint a privacy officer and a point of contact for receiving privacy complaints
- Adopt a privacy policy and publicize the policy by giving notice to patients/partners

HIPAA Security and Privacy Regulations

What’s a covered entity to do? Privacy policies must have specific provisions, as regards protected health information, for:
- Gaining consent and authorization
- Restricting use and disclosure
- Receiving and resolving complaints

HIPAA Security and Privacy Regulations

What’s a covered entity to do?
- Change contracts and business partner agreements to include a contractual requirement that partners handle protected health information properly
- Train the covered entity’s workforce and business associates who work on the covered entity’s premises to follow proper security and privacy policies and procedures

HIPAA Security and Privacy Regulations

What’s a covered entity to do?
- Document security and privacy policies and procedures, as well as actions taken to ensure that policies and procedures are enforced
- Provide only the minimum necessary information to fulfill the purpose of a request
  - Provision of patient care is exempted
  - Clinical research information is NOT exempt

HIPAA Security and Privacy Regulations

Penalties for non-compliance:
- Civil monetary penalties on a per-person, per-violation basis
- Very strong penalties for misuse with knowledge: significant fines, prison

Penalties potentially apply to:
- Individual violator
- Organization
- Officers of the organization

What are the Guidelines? A document meant to help people in AMCs who must form and run HIPAA-compliant operations.

The guidelines contain a section for each point of compliance in the HIPAA Privacy and Security regulations. Each “point” section focuses on explaining the regulation point and guiding an analysis of impact on AMCs, with guidance for compliance. Other sections focus on the overall impact of the regulations for AMCs.

Part of the intended value of the work is that it is a product of the key HIPAA leaders at several Academic Medical Centers and several related organizations. (i.e. This comes from the people who will have to make their organizations compliant.)

Key motivations for creating the Guidelines

HIPAA Security/Privacy is a complex regulatory regime; having several interested parties analyze the regs helps ensure a thoughtful analysis.

AMCs are complex organizations in which to implement HIPAA; having several parties who are knowledgeable of this environment do the analysis helps ensure a relevant analysis that is sensitive to the variety of circumstances in AMCs.

Key motivations for creating the Guidelines

AMCs need an AMC group norm for what is “reasonable”; this would help ensure high-quality, rational-cost implementations that are in the spirit of the “adoption” principle in the HIPAA law. (WEDI is being asked to recommend the Guidelines to HHS.)

Walking the talk; the participating AMCs wanted the guidelines for themselves and for the wider industry. The document is available at the website (amc-hipaa.org).

Why are AMC environments worthy of special attention?

AMCs typically have operations that provide challenges to security and privacy management due to several factors. AMCs typically:
- DECENTRALIZED MANAGEMENT: are composed of facilities that are managed by a diverse group of people and interests
- DIVERSE MISSIONS: are combined clinical, educational, and research efforts
- HIGH PROFILE PATIENTS: care for VIPs, celebrities, and other people at times when their health status is of public interest
- LARGE: are physically large and have a large staff
- SPECIALIZED: tend to have large numbers of people involved in a single patient’s care
- MULTI-PARTNERED: have partnerships and special programs with industry, government, and other AMCs that bear on activity in the clinical area


How were the Guidelines formed?

The idea: evolved from discussions among people working with AAMC, WEDI, NLM, and Internet2 to bring representatives from several academic medical centers together in a series of workshops to create guidelines for implementing HIPAA Privacy and Security regulations in AMCs.

Also, use the workshops to explore what AMC needs were in this area and how relevant organizations might find common cause with the AMCs on this issue.

The result: A series of workshops with many nationally known AMCs and related organizations represented in which the guidelines have been developed.

Participating AMCs
- Duke University Health System
- Emory University
- Johns Hopkins Medical Institutions
- Kaiser Permanente
- Mayo Clinic
- Oregon Health Sciences University
- Osaka Medical College
- Texas A&M University System Health Science Center
- Texas A&M University
- University of Alabama at Birmingham
- University of Arizona Medical Center
- University of Michigan Health System
- University of Pennsylvania
- University of Tennessee Health Science Center
- University of Texas Southwestern Medical Center
- Veterans Health Administration
- Yale University School of Medicine

Sponsoring Organizations

- Association of American Medical Colleges (AAMC)
- Internet2
- National Library of Medicine (NLM)
- Object Management Group (OMG)

Supporting Organizations

- CPRI-HOST
- North Carolina Healthcare Information and Communications (NCHICA)
- Health Care Financing Administration (HCFA)
- Healthcare Computing Strategies, Inc. (HCS)
- Southeastern University Research Association (SURA)
- Workgroup on Electronic Data Interchange (WEDI)

The Goals of the Workshop Process

Develop: To develop guidelines for implementation of HIPAA Security and Privacy regulations which AMC HIPAA leaders could use to guide their institutional approach.

Share: To share the load and improve the result in an area that we’d otherwise have to take up independently.

Focus: To ensure focus on the special issues that AMCs have with security and privacy.

Self-regulate: To have the guidelines submitted to WEDI for recommendation as part of their regulatory role in HIPAA.

Norm: To foster a reasonable group norm on HIPAA compliance for AMCs by creating and sharing guidelines that AMCs may implement.

Collaborate: To further develop the points of collaboration with related national groups.

Guidance only: The process was designed to provide guidance only; no advocacy for “stronger” or “weaker” regs is included.

What’s Next for this work/group?

Evolution – There is a general expectation that changes in the regs and improvements in the content will emerge over the next couple of years as others read and use the material.

Use of materials: Anyone is free to use the material, provided that they preserve the copyright and note to prospective users/customers of derivative material that the original document and any updates will be freely available at amc-hipaa.org.

Follow-on activities – We expect there to be value in having a group with continuing activities for AMCs in privacy and security at the national level and are pursuing opportunities related to this.

What’s next here?

A tour of the document to give you a better feel for the content and its utility.

Thanks!