
Information Security and Privacy: HIPAA’s Potential Impact

Gordon J. Apple

Attorney at Law, Law Office of Gordon J. Apple, St. Paul, MN

Lee Olson

Information Security Officer, Mayo Foundation, Rochester, MN


Program Objectives

  • Overview of data security/privacy issues

  • Review of HIPAA security standards

  • Review of HIPAA privacy standards

  • Facing HIPAA challenges


Existing Data Protection Requirements

  • State law

  • Federal law

  • JCAHO

  • Conditions of Participation

  • Professional codes


New HIPAA Requirements

  • Standards for electronic transactions and code sets

  • National standard health care provider identifier

  • National standard employer identifier

  • Security and electronic signature standards


New HIPAA Requirements cont’d

  • Standards for privacy of individually identifiable health information

  • National standard for health claims attachment

  • National standard identifiers for health plans



Privacy

  • “The right to privacy is an integral part of our humanity; one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close.”

  • Minnesota Supreme Court 582 N.W.2d 231, 1998



Data Mining

  • Develop clinical pathways to improve patient care

  • Develop drug formularies

  • Develop marketing opportunities?


CVS Case

  • Pharmacy records

  • Alleged misuse

  • PR firestorm

  • Class action litigation



“It is only slightly facetious to say that digital information lasts forever - or five years, whichever comes first.”

Jeff Rothenberg

Scientific American, Jan. 1995


Geek Speak

  • Firewall

  • Hacker

  • Bandwidth

  • Router

  • Port

  • Probes

  • TTP


Geek Speak II

  • CA

  • PKI

  • PKE

  • LAN

  • ISP


Wetware


II. General Review of HIPAA Security Standards


Security

  • “The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.”

  • Three aspects to consider

    • confidentiality

    • integrity

    • availability


Security Standards: Applicability

Applies to any health plan, provider or clearinghouse that electronically maintains or transmits any individually identifiable health information, internally or externally


Security is risk management


Risk Management Process

  • Quantify assets, risks and threats

    • a mix of the objective and subjective

    • need not be complicated

  • Determine cost-effective security controls

    • protect what’s worth protecting & don’t worry about the rest

  • The government is big on this

    • mainly because the government is big

    • approach statistical mean


Risks

  • Passive, always in the background

    • fires, floods, power outages, equipment failure

    • predictable on a large scale & statistical in nature


Threats

  • Active, evolving, never static

  • Goal: defeat security

    • people oriented

    • hackers, viruses, insiders, disgruntled persons

    • must be actively managed by security professionals


1. Administrative Procedures

  • Guard data confidentiality, integrity and availability

  • Policies and procedures

    • written

    • communicated

    • enforced


Administrative Requirements

  • Certification

  • Chain of trust partner agreements

  • Organizational policies, practices and procedures

  • Access controls

  • Internal audit

  • Personnel security

  • Configuration management

  • Incident response

  • Termination procedures

  • Training


2. Physical Safeguards

  • Appointment of security czar

  • Physical access control

  • Workstation usage

  • Media & output controls

  • Locks, keys, tokens…

  • Termination procedures

  • Backup


3. Technical Security Services

  • System Level Features

  • System access

    • user identification and authentication

  • Entity authentication

  • Data authentication

  • Authorization control

    • discretionary access to data

    • least privilege principle

  • Audit controls


4. Technical Security Mechanisms

  • Communications & network controls

    • firewall management

    • access controls

    • alarms

    • audit trail

    • encryption

    • event reporting

    • integrity controls


5. Electronic Signature

  • Must implement three characteristic features:

    • message integrity

    • non-repudiation

    • user authentication

  • Digital signature provides these
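As an added illustration of the three characteristics on this slide (not code from the presentation), the Go program below signs a record with Ed25519 and shows that verification fails when the record is altered or when a different key is used; the clinician-workstation signer, the record text and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a hypothetical signing party (say, a clinician's workstation).
// The private key never leaves the signer; verifiers receive only the public key.
type Signer struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

func NewSigner() (Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, err
	}
	return Signer{Public: pub, Private: priv}, nil
}

// Sign produces a detached signature over the bytes of an electronic record.
func Sign(s Signer, record []byte) []byte {
	return ed25519.Sign(s.Private, record)
}

// Verify fails if the record changed after signing (message integrity) or if the
// signature was made with some other key (user authentication). Because only the
// signer holds the private key, a verified signature also supports non-repudiation,
// which a shared-secret MAC cannot: there, the verifier could have made the tag itself.
func Verify(pub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(pub, record, sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	record := []byte("order: amoxicillin 500mg TID x10d; patient 0001") // constructed
	sig := Sign(signer, record)
	fmt.Println("original verifies:", Verify(signer.Public, record, sig))
	tampered := []byte("order: amoxicillin 500mg TID x30d; patient 0001")
	fmt.Println("tampered verifies:", Verify(signer.Public, tampered, sig))
	other, _ := NewSigner()
	fmt.Println("wrong signer verifies:", Verify(other.Public, record, sig))
}
```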


Getting Started: Gathering Current State Information

  • Translate requirements

    • 38 pages of single-spaced legalese -- don’t try this at home

  • HIPAA EarlyViewTM tool

    • developed by NC Information & Communication Alliance

    • cost effective, uncomplicated, user friendly license

    • saves lots of work

    • generates reports useful for gap analysis

    • http://www.nchica.org/activities/EarlyView/More_info.htm


Organizational Assessment

  • Conduct survey in bite-sized chunks

  • Different systems & applications have different security attributes

    • Clinical systems

    • Clinical operations support

    • Finance & electronic commerce

    • Laboratory services

    • Business & HR systems, etc.


Logistical Considerations

  • Consider geography, complexities & capabilities

  • Who will collect & analyze the data?

    • Information Security Officer’s role

    • Stewards & Administrators’ roles


Pitfalls to Avoid

  • Overanalyzing the requirements & process

    • Leads to corporate constipation

    • Academics need to put on their operational hats

  • Garbage in, garbage out

    • Must understand the goal & process

    • Effective communication & buy-in essential

  • Don’t sweat the details…. for now

    • Use a top down approach, not Band Aids


Develop Implementation Plan

  • Strategy must address both administrative & technical levels

    • coordinate with e-commerce

    • awareness & education

    • initiate process changes

    • modify systems & applications

    • replace systems & applications

  • Final rule may necessitate minor course changes


Sources

  • Minnesota Health Data Institute: http://zen.mhdi.org/

  • North Carolina Healthcare Information and Communication Alliance: http://www.nchica.org/

  • Massachusetts Health Data Consortium: http://www.mahealthdata.org

  • Workgroup for Electronic Data Interchange: http://www.wedi.org

  • HIPAAlert news briefs published by Phoenix Health Systems, Inc.: http://hipaalert.com


III. General Review of HIPAA Privacy Standards


Covered Entities

  • Health plans

  • Health care providers who transmit PHI in electronic form in connection with standard transactions

  • Health care clearinghouses

  • Short list indirectly expanded through business partner requirements


HIPAA Data

  • Health information

  • Individually identifiable health information

  • Protected health information (PHI)


Protected Health Information

  • Individually Identifiable Health Information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form (printout of electronic data)

    45 CFR 164.504


Uses and Disclosures of Protected Health Information

  • To carry out treatment, payment or health care operations

  • With patient consent

  • No consent, but for public health, health oversight, judicial/administrative proceedings, coroners/MEs, law enforcement, …. 45 CFR 164.510


Uses and Disclosures Requiring Patient Consent

  • Requests by patient

  • Request by CEs re: marketing, fundraising, employers for employment determinations, non-health related divisions of the CE…

    45 CFR 164.508


Fair Information Practices

  • Series of individual rights

  • General rule on disclosure

    • “Minimum necessary”


Minimum Necessary

  • To meet the purpose of the use or disclosure

  • To limit access only to those people who need access to the information to accomplish the use or disclosure.


Notice of Information Practices

  • An individual has a right to adequate notice of the policies and procedures of a covered entity that is a health plan or a health care provider with respect to protected health information

    45 CFR 164.512


Access of Individuals to Protected Health Information

  • Right of access includes access to PHI with

    • Health plan

    • Health care provider

    • Business partner if records not a duplicate

  • Access as long as records maintained

    45 CFR 164.514


Accounting for Disclosures of Protected Health Information

  • Right to full accounting of disclosures from CEs except for treatment, payment and health care operations and for certain disclosures to health oversight or law enforcement agencies.

  • Right of accounting also applies to business partners

    45 CFR 164.515


Right to Request Amendment or Correction

  • Requests will have to be either accepted or rejected within 60 days

  • Rejections will require an explanation in plain language

  • Patients can still file statement of disagreement - for the record

    45 CFR 164.516


Administrative Requirements

  • Privacy officer

  • Training

    • Everyone likely to obtain access to PHI

  • Safeguards

    • Administrative, technical and physical safeguards to protect privacy

  • Complaint process

    45 CFR 164.518


Documentation, Compliance and Enforcement

  • Documentation

    • Uses and disclosures

    • Individual rights

    • Administrative requirements

    • 6 years

  • Keep records of compliance activities, permit DHHS access and be nice!

    45 CFR 164.520-522


Penalties & Claims

  • Civil penalties

  • Criminal penalties

  • No private cause of action

  • Third party beneficiary contract claims


Business Partners?


Business Partners

  • Insurance companies

  • Law firms

  • Accountants

  • IT contractors

  • Compliance consultants

  • Insurance brokers


Business Partners

  • How well do you know them?

  • How well do you want to know them?

  • How well should you know them?

  • Business partners - winners and losers


Satisfactory Assurance: BP will….

  • Ensure that subcontractors are bound to HIPAA requirements

  • Make PHI available upon appropriate request

  • Have an open door for DHHS

  • Abide by contract termination req’s

  • Be able to amend/correct PHI upon CE notice


CE Responsibility for BP Violations

  • Reasonable steps to ensure compliance

    • Contract (“K”) due diligence

  • Tainted by BP breach if CE “knew or should have known” of BP breach and…. DID NOTHING… AKA “Ostrich Syndrome”


Business Partners

  • Basic contract provisions

    • Follow HIPAA use and disclosure limits

    • Require technical and administrative safeguards for security and privacy

    • Reps, warranties, indemnification and deep pockets or certificate of insurance

    • Third party beneficiary language

    • Termination - give it back or destroy


De-identified PHI

  • Issue of ownership

    • Sale

    • Licensing

  • Requires data be stripped of listed elements

  • Protections against re-identification
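An added example, not from the presentation: a Go routine that strips direct identifiers, reduces dates to the year, truncates ZIP codes and scrubs free text so the notes cannot re-identify the patient. The record layout and sample values are constructed, and the specific elements and the ZIP rule are assumptions taken from the final rule's safe-harbor method, since the slide does not list them.

```go
package main

import (
	"fmt"
	"strings"
)

// PatientRecord is a constructed layout for this example, not a HIPAA format.
type PatientRecord struct {
	Name, SSN, Phone     string
	BirthDate, AdmitDate string // YYYY-MM-DD
	ZIP                  string
	Notes                string // free text; may repeat the identifiers above
}

// Restricted 3-digit ZIP prefixes, an assumption from the final rule's safe-harbor
// method: areas of 20,000 people or fewer collapse to "000" (list abbreviated).
var restrictedZip3 = map[string]bool{"036": true, "059": true, "063": true, "102": true, "203": true}

// yearOnly keeps the year; every other date element is a listed identifier.
func yearOnly(date string) string {
	if len(date) < 4 {
		return ""
	}
	return date[:4]
}

// zip3 keeps the first three ZIP digits, or "000" for restricted areas.
func zip3(zip string) string {
	if len(zip) < 3 {
		return ""
	}
	if p := zip[:3]; !restrictedZip3[p] {
		return p
	}
	return "000"
}

// Deidentify drops direct identifiers, generalizes dates and ZIP, and scrubs any
// copy of the dropped values from free text so the notes cannot re-identify.
func Deidentify(r PatientRecord) PatientRecord {
	notes := r.Notes
	for _, v := range []string{r.Name, r.SSN, r.Phone, r.BirthDate} {
		if v != "" {
			notes = strings.ReplaceAll(notes, v, "[REDACTED]")
		}
	}
	return PatientRecord{BirthDate: yearOnly(r.BirthDate), AdmitDate: yearOnly(r.AdmitDate),
		ZIP: zip3(r.ZIP), Notes: notes}
}

func main() {
	r := PatientRecord{Name: "Jane Doe", SSN: "123-45-6789", Phone: "651-555-0100", BirthDate: "1950-03-14",
		AdmitDate: "2000-07-04", ZIP: "55101", Notes: "Jane Doe admitted with pneumonia; callback 651-555-0100"} // constructed
	fmt.Printf("%+v\n", Deidentify(r))
}
```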


IV. Facing HIPAA Challenges


Group Discussion of HIPAA Challenges

  • What are facilities doing now?

  • Will it be possible to develop uniformity across complex systems?

  • Should HIPAA standards be adopted for DTM records?


The Corporate Compliance Model

  • Who leads?

    • Compliance Officer

    • Security Officer

    • Privacy Officer

  • Gap analysis

    • Security standards

    • Privacy standards


The Corporate Compliance Model cont’d

  • Defining areas of exposure

    • The Mayo model

    • Internal

    • External

  • Plan development, implementation and training

    • Integration with compliance program?