Protecting ePHI: What Providers and Business Associates Need to Know
-
Upload
network-1-consulting -
Category
Healthcare
-
view
91 -
download
1
Transcript of Protecting ePHI: What Providers and Business Associates Need to Know
This presentation was originally
delivered at the North Metro
Medical Manager’s Association
(NMMMA) meeting in Kennesaw,
Georgia on October 7, 2014.
2
Protecting ePHI - Overview
• Where are we today – Key Dates, ePHI and Enforcement
• Risk Analysis – Covered Entities and Business Associates (BAs)
• Best Practices and Tips
3
Key Dates
Health Insurance Portability and Accountability Act (HIPAA) –
signed in to law August 21, 1996. It established new standards
associated with the management of healthcare information.
HIPAA HiTech Act – Feb 17, 2009. Part of the American Recovery
and Reinvestment Act of 2009. It established incentives for
healthcare providers to adopt electronic medical records’
software systems. It also expanded the scope of the HIPAA
privacy and security rules and set forth new rules for breach
notification.
HIPAA Omnibus Final Rule – Sept 23rd, 2013. Business Associates
and Sub-Contractors must adhere to the same guidelines that Covered Entities do, according to the HIPAA rule/guidelines
4
5
What is (PHI) Protected Health Information?
US Department of Health and Human Services defines protected health information (PHI) as individually identifiable information that falls into the following 18 types of identifiers:
Here are the 18 PHI identifiers:1. Name
2. Region (smaller than a state)
3. Date
4. Phone #
5. Fax #
6. Email address
7. Social Security #
8. Medical record #
9. Health insurance beneficiary #
10. Account #
11. Certificate/license #
12. Vehicle identifier/license plate #
13. Device ID & serial #
14. Web URL
15. IP address
16. Finger print
17. Full face photo
18. Any other unique ID # or characteristic
that could reasonably be associated with
the individual
What is (ePHI) Electronic Protected
Health Information?
Electronic Protected Health Information (ePHI)
is any protected health information (PHI) that
is created, stored, transmitted, or received
electronically.
Electronic protected health information
includes any medium used to store, transmit,
or receive PHI electronically.
6
ePHI (continued)
The following and any future technologies used for accessing,
transmitting, or receiving PHI electronically are covered by the
HIPAA Security Rule.
Media containing data at rest (stored):
• Personal Computers with internal hard drives used at work, home or
traveling
• External portable hard drives, including iPods and similar devices
• Magnetic Tape
• Removable storage devices such as USB memory sticks, CD’s, DVDs and
floppy disks
• PDAs and Smartphones
Data in transit via: wireless, Ethernet, DSL, cable network
connection:
• File Transfer
7
8
Why all the Fuss?
The core of the HIPAA regulations is to ensure that ownership of any and all medical data is retained solely by the individual. The individual can then decide to share that information with providers, family members, employers, if needed. Only an individual has the right to grant access to their medical data.
Simply put: we’re trying to maintain privacy and avoid bias and discrimination.
9
Enforcement
Historically, HIPAA fines and
reprimands were triggered after an
event, such as a data breach. That
has changed.
The Office for Civil Rights (OCR, part
of the Department of Health & Human Resources) is responsible for
enforcing the HIPAA HiTech
regulation.
Leon Rodriguez, OCR Director, takes
his job very seriously. He has created
a permanent HIPAA audit program that includes BAs.
10
Enforcement (continued)
As he focuses on ramping up the
HIPAA audits of Covered Entities and
Business Associates, Mr. Rodriguez has
powerful allies and one big incentive:
Powerful Allies
• Centers for Medicare & Medicaid Services (CMS)
• Works in conjunction with other Gov’t branches – HHS, FTC, SEC, etc.
• The States’ Attorney Generals
Big Incentive
• The OCR is authorized to keep some of the money paid in fines.
• It was reported that as of January 2014, OCR already had $4.5
million set aside from fines levied from their audits.
The OCR is serious about protecting PHI and they’ve got the teeth, funds and leadership to back it up.
11
Violations & Penalties
HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
$100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
$50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect
$1,000 per violation, with an annual maximum of $100,000 for repeat violations
$50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period
$10,000 per violation, with an annual maximum of $250,000 for repeat violations
$50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected
$50,000 per violation, with an annual maximum of $1.5 million
$50,000 per violation, with an annual maximum of $1.5 million
12
Criminal Liability
U.S. Department of Justice (DOJ) clarified that covered entities
and specified individuals can be held criminally liable under
HIPAA as follows:
• Those who "knowingly" obtain or disclose individually
identifiable health information in violation of the Administrative
Simplification Regulations face a fine of up to $50,000 as well
as imprisonment up to one year.
• Offenses committed under false pretenses allow penalties to
be increased to a $100,000 fine with up to five years in prison.
• Offenses committed with the intent to sell, transfer, or use
individually identifiable health information for commercial
advantage, personal gain or malicious harm permit fines of
$250,000 and imprisonment for up to ten years.
13
Companies & Fines
Examples of fines levied:
Entity Fined Fine Violation
CIGNET $4,300,000 Online database application error.
Alaska Department of Health and Human Services
$1,700,000Unencrypted USB hard drive stolen, poor policies and risk analysis.
WellPoint $1,700,000
Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to software upgrade.
Blue Cross Blue Shield of Tennessee
$1,500,000 57 unencrypted hard drives stolen.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates
$1,500,000Unencrypted laptop stolen, poor risk analysis, policies.
Affinity Health Plan $1,215,780Returned photocopiers without erasing the
hard drives.
South Shore Hospital $750,000Backup tapes went missing on the way to contractor.
Idaho State University $400,000 Breach of unsecured ePHI.
14
What do I do now?
Whether you are a Covered
Entity or a Business Associate
(BA) you must perform a risk
analysis.
If you are ever audited by the
OCR – the first thing they are
going to ask to see is your risk
analysis.
15
What is a Risk Analysis?
Process to identify potential
hazards and analyze what
could happen should an
unfavorable event occur.
In healthcare we’re looking at:
• What and where are the
gaps associated with the
protection of ePHI?
• What are the biggest
risks(theft, natural disaster,
hacker attack, etc.)?
16
HHS/OCR Final Guidance for a Risk Analysis
1) Scope of Analysis
All ePHI that an organization creates,
receives, maintains, or transmits must be
included in the risk analysis. (45 C.F.R. §
164.306(a)).
This includes all electronic media, network
security between locations and any
aspects of your HIPAA hosting terms with
a third-party or Business Associate (BA).
17
HHS/OCR Final Guidance for a Risk Analysis (continued)
2) Data Collection
Where does ePHI live? Locate where data
is being stored, received, maintained or
transmitted. If you’re hosting health
information at a data center, you should
contact your hosting provider to
document where and how your data is
stored. (45 C.F.R. § 164.308(a)(1)(ii)(A)
and 163.316 (b)(1).)
18
HHS/OCR Final Guidance for a Risk Analysis (continued)
3) Identify and Document Potential
Threats and Vulnerabilities
Identify and document any anticipated
threats to data, and any vulnerabilities
that may lead to leaking of ePHI.
Anticipating potential HIPAA violations
can help your organization quickly and
effectively reach a resolution. (45 C.F.R.
§§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and
164.316 (b)(1)(iii).)
19
HHS/OCR Final Guidance for a Risk Analysis(continued)
4) Assess Current Security Measures
What kind of security measures are you
taking to protect your data? This might
include any encryption, two-factor
authentication, and other security
methods put in place by you or your
hosting provider. (45 C.F.R. §§
164.306(b)(1), 164.308(a)(1)(ii)(A) and
164.316 (b)(1).)
20
HHS/OCR Final Guidance for a Risk Analysis(continued)
5) Determine the Likelihood of Threat
Occurrence
The probability and likelihood of potential
risks to ePHI. (45 C.F.R. § 164.306(b)(2)(iv).)
i.e. – laptop theft versus your location gets
hit by a tornado.
21
HHS/OCR Final Guidance for a Risk Analysis(continued)
6) Determine the Potential Impact of
Threat Occurrence
Consideration of the ‘criticality’ or impact
of potential risks to confidentiality, integrity
and availability of ePHI. (45 C.F.R. §
164.306(b)(2)(iv).)
How many people could be affected
and what extent of data (just medical
records or billing information as well)?
Ex. - Sending someone’s ePHI via
unsecured email versus an unencrypted
laptop that houses 500 patient records.
22
HHS/OCR Final Guidance for a Risk Analysis(continued)
7) Determine the Level of Risk
This is subjective - HHS’ suggestion is
to evaluate the values assigned to
threat occurrence (#5) and the
resulting impact (#6) to come up
with a level of risk. (45 C.F.R. §§
164.306(a)(2), 164.308(a)(1)(ii)(A),
and 164.316(b)(1).)
Risk levels should be accompanied
by a list of corrective measures to
help mitigate that risk.
23
HHS/OCR Final Guidance for a Risk Analysis(continued)
8) Finalize Documentation
The Security Rule requires the risk
analysis to be documented(45 C.F.R. §
164.316(b)(1).)
No format is specified – just make sure
you have things written down.
Remember – if you are ever audited –
documentation is what the OCR looks
for first.
24
HHS/OCR Final Guidance for a Risk Analysis(continued)
9) Periodic Review and Updates to the
Risk Analysis
The Risk Analysis is an ongoing process
(45C.F.R. §§ 164.306(e) and
164.316(b)(2)(iii)).
For Meaningful Use – has to be done
every year.
In general – has to be done whenever
significant changes are made in the
environment. If no changes occur it
should still be done once a year.
25
Risk Analyses, Business Associate Agreements
and Business AssociatesThere are several ways to do a Risk
Analysis – some right and many wrong.
Checklists won’t hold up to an audit.
OCR will come down on you even if your
vendor recommended a checklist – you
don’t want to be at the discretion of the
OCR.
A proper Risk Analysis is going to adhere
to the National Institute of Standards and
Technology (NIST) guidelines.
26
Risk Analyses, Business Associate Agreements
and Business Associates
Identify who your Business Associates
(BAs) are and make sure you have
executed Business Associate Agreements
(BAAs) in place.
Analyze your BAs and rank them based
on the amount of data they have access
too/perception of how much access too
they have.
Do some due diligence on them – ask for
proof of their risk assessment. Use
common sense.
27
Risk Analyses, Business Associate Agreements
and Business Associates
For high risk BAs – have a meeting – invite
them to come in and be a part of the
process that you are having to go
through.
Covered entities can and will be held
liable for the BAs conduct.
Make sure your BAAs are updated –
anything that has not been updated
since Jan 2013 should be updated.
28
Technology-enabled Best Practices
Firewalls
• Have physical firewalls in place.
• Make sure they are up-to-date.
Anti-Virus Protection
• Have a proven, paid version in place.
• Make sure it is up-to-date.
Run Up-to-Date Software
• Make sure it’s actively supported
(note: XP is not).
• Make sure it is up-to-date with
patches.
Hardware /
Software
29
Technology-enabled Best Practices
Identify & Document where PHI Lives
• Paper?
• Electronic?
• Verbally communicated?
Minimize what is Seen or Retained
• Don’t need it? Don’t have it!
• Encrypt information where you
can.
PHI within your
Network
30
Technology-enabled Best Practices
Keep PHI Off if Possible where Risk of Theft is High
• Laptops (if you must have PHI: encrypt)
• Tablets
• Smart phones
• Thumb drives
Mobile Device Management (MDM) Policy
• Have one.
• Enforce it.
• Have software and process to remotely wipe
tablets and smartphones if they are lost or stolen.
All Mobile
Devices
31
Technology-enabled Best Practices
Backups of PHI
• Make sure they are encrypted.
• Keep in a safe, secure place re: hardware
and software.
Physical Access
• Limit both on-site and off-site access.
• Enforce it.
Data Backup &
Recovery
32
Technology-enabled Best Practices
Get an Assessment
• Know your baseline.
• Measure your progress.
• Document processes as well as your
rationale for taking action… and not
taking action.
Communicate
• Train and educate personnel.
• Formally and informally.
Document,
Document,
Document.
Discussing PHI
• Be aware of where you are and your surroundings when talking about
a case/client that involves PHI (patient information):
o Office telephone: Is your door open?
o Cell phone: Where are you? In public? An elevator? Who’s
around you?
o Conversation with a co-worker: Are you in a high-traffic hallway?
An elevator? A coffee shop? The restroom?
o Remember and keep in mind the 18 identifiers.
• Don’t share information with other staff members unless it is absolutely
necessary for them to perform their job functions.
33
Treat PHI with the same care that you would your own information: keep it secure and protect the right to privacy.
Workforce Tips
• Do not use Gmail/AOL/Hotmail accounts or any other consumer
based email systems to send any PHI. They are not secure.
• Pay close attention to your incoming emails . Example - phishing
attacks:
o Targeted emails sent to a small number of people, typically an executive
team.
o Message will appear to be personal to you: oftentimes information is
pulled from social media sites or online profiles.
o Email can contain links to websites or include compromised attachments.
o Once clicked or opened, key loggers or some other form of malware is
installed that allows remote parties to monitor your activity and steal data.
34
Workforce Tips
Mobility
• Don’t download or send ePHI to anything
mobile unless absolutely necessary to
perform your job function.
• This includes laptops, iPhones, iPads,
Androids, thumb drives, etc.
• If you have to have data on a mobile
device, ensure that the data is encrypted.
• Do not send information via text
messaging: this is not secure.
35
Minimizing where ePHI lives is a huge step
in protecting it and maintaining compliance.
Workforce Tips
Mobility
• When you work remotely and connect in to your corporate network:
o Keep documents on the office network.
o Guard against copying any information to your workstation
and/or device.
• Do not save passwords in applications such as web browsers or VPN
clients: If your device is ever lost, stolen or compromised, the new
owner could easily connect to the internet and access your sites
without having to guess or crack your password.
36
Workforce Tips
Passwords
• Your organization has a password policy for a
reason. Typically it requires you to change your
password periodically and to have certain
requirements to make it a strong password, such as:
o 8-12 characters
o Change quarterly (for example).
o Should include letters, numbers and symbols
37
Workforce Tips
• www.howsecureismypassword.net: a website to measure the strength
of a password (note: do not enter your real passwords into this or any site)
o PW = stgpwb!g 33 minutes to crack with a PC
o PW = stgpWb!g 24 hours to crack with a PC
o PW = s2gpWb!g 72 hours to crack with a PC
• Don’t fight your company’s password policy!
• Do not share your passwords.
• Do not write your passwords on a sticky note and attach to your
computer or monitor.
Working with Paper
• Keep areas where PHI is located locked
at all times.
• Have a designated person that can lock
and unlock these areas only. (Privacy
Officer)
• If you are working with paper copies of
documents that contain PHI:
o Maintain control of the copies at all
times.
o Do not leave the copies lying around
for others to see.
• Use fax cover sheets that have privacy
statements on them.
38
Workforce Tips
Miscellaneous
• Lock your workstation when you leave your desk.
+
• Position your monitors so people passing by your office, or coming
into your office to talk to you, cannot see the information on your
monitors.
39
Workforce Tips
Worry Free IT
Richard Stokes
Richard joined Network 1 in 2003, as employee #4, and has been an integral part of Network 1’s growth over the years both in sales and client management. He has been leading Network 1’s focus on medical practices and healthcare since 2010.
Richard is an active member of the North Fulton Medical Group Management Association (NFMGMA) and has served on their Board. He is also an active member of the North Metro Medical Manager’s Association (NMMMA) and serves on their Board. In addition, Richard has been interviewed and quoted as a healthcare IT consultant in Physicians Practice, American Medical News andMedicalOfficeToday and has spoken as a HIPAA and ePHI expert at several medical and
legal associations in Atlanta. Richard is also a regular contributor for Network 1’s Tuesday Tips.
40