HITECH Management Briefing. Karen Pagliaro-Meyer Privacy Officer kpagliaro@columbia.edu (212) 305-7315. Soumitra Sengupta Information Security Officer sen@columbia.edu (212) 305-7035. June 23, 2010. AGENDA. HITECH update Privacy & Information Security Training

HITECH Management Briefing

Karen Pagliaro-Meyer
Privacy Officer
(212) 305-7315

Soumitra Sengupta
Information Security Officer
(212) 305-7035

June 23, 2010

  • HITECH update
  • Privacy & Information Security Training
  • Privacy Issue Log Summary
  • Encryption
  • Risk Assessment
  • Data Leakage Prevention

Health Insurance Portability and Accountability Act (HIPAA)

  • Fraud and Abuse (Accountability)
  • Administrative Simplification
  • Information Technology for Economic and Clinical
  • Transactions, Code Sets, & Identifiers
    • Compliance Date: 10/16/2002 and 10/16/03
  • Compliance Date: 4/14/2003
  • Compliance Date:

HITECH Act (ARRA)


  • Breach Notification September 2009
  • Self-Payment Disclosures February 2010
  • Business Associates February 2010
  • Minimum Necessary August 2010
  • Marketing
  • Fundraising
  • Accounting of Disclosures January 2011/2014
  • Performance Measures for EHR
    • enhanced reimbursement rate
HITECH Act (ARRA)
  • New Federal Breach Notification Law – Effective Sept 2009
    • Applies to all electronic “unsecured PHI”
    • Requires immediate notification to the Federal Government if more than 500 individuals are affected
    • Annual notification if less than 500 individuals are affected
    • Requires notification to a major media outlet
    • Breach will be listed on a public website
    • Requires individual notification to patients
  • Criminal penalties - apply to individual or employee of a covered entity


  • Self Payment Disclosures
    • If patient pays for service – has the right to limit the disclosure of that information to their health insurance
  • Business Associates
    • Standards apply directly to Business Associates
    • Statutory obligation to comply with restrictions on use and disclosure of PHI
    • New HITECH provisions must be incorporated into BAA
  • Minimum Necessary Standards
    • New Definition of Minimum Necessary, determined by the disclosing party, encourages the use of limited data sets
HITECH Act (ARRA)
  • Accounting of Disclosures
    • Right to request copy of record in any format and to know who viewed, accessed, used or disclosed their medical information
  • Electronic Health Record
    • Performance Measures for EHR enhanced reimbursement
    • Patient has a right to electronic copy of records
    • Electronic copy transmission
    • Delivery options
    • 96 hours or 48 hours w/o ancillary - information available to the patient
    • Meet Meaningful Use Standards
Who is a Business Associate?
  • Individuals who do business with CUMC and have access to protected health information.
  • Signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.

Examples of BAAs include:

    • billing companies or claims processing
    • voice mail or appointment reminder service management
    • transcription services or coding companies
    • accreditation
    • consultants
    • Software used for medical data
Summary of Breaches Reported to Office of Civil Rights Sept. 2009 – June 2010

Breaches of over 500 records: 100

  • 72% of breaches are computer related
  • 64% of breaches are the result of a theft

Type of Facility

  • 39% from hospital / medical center
  • 29% from a private practice / corporation
  • 20% from a health plan / insurance company
Privacy & Information Security Training
  • HITECH changed the definition and reporting requirements of Protected Health Information
  • Technology has increased the potential exposure of data theft / loss (portable data)
  • All staff benefit from refresher HIPAA training
  • Tracking of workforce members to verify that they complete HIPAA training has improved
Privacy & Information Security Training

Management Follow-up

  • Scheduling refresher HIPAA training for staff
  • Verify that all new workforce members (employees, faculty, students, volunteers) receive HIPAA training
  • Review policies and procedures related to information security and privacy
  • Distribute “HIPAA reminders” to staff
Privacy Issue Summary 2010
  • Privacy Breach Allegation: 15
  • Access to Medical Record: 9
  • Theft of Electronic Device: 8
  • Registration Issue: 5
  • Medical Record Sent to wrong patient: 3
  • Paper Data Loss: 1
  • Development: 1
  • Marketing: 1
Cost of Data Breach
  • Ponemon annual study on breach costs
  • Loss of 10,000 records means $2,000,000
  • The cost includes Detection, Notification, Post-response & Lost business
  • Question: Who will pay this cost?
What does OCR’s Privacy Breach reporting tell us?
  • 46% of reported breaches are for lost/stolen laptops, PDA, and Back up tapes
  • HITECH permits non-notification if the information is “encrypted.”
  • So, encrypt already, or stop carrying sensitive data
  • Our encryption help page is: https://secure.cumc.columbia.edu/cumcit/secure/security/encryption.html

Risk of incurring a breach cost
What’s new from OCR?
  • Office for Civil Rights Guidance
    • May 7, 2010
    • HIPAA Security Standards
      • Guidance on Risk Analysis
    • Based on NIST recommendation

NIST 800 Special Publication 30: Risk Management Guide for Information Technology Systems

OCR Risk Analysis Guidance Steps
  • Scope of the Analysis
  • Collect all Assets
  • Identify and document Potential Threats and Vulnerabilities
  • Assess current Security Measures (Controls)
  • Determine the Likelihood and Impact of Threat Occurrence to determine the Level of Risk
  • Finalize Documentation
  • Periodic Review and Updates to the Risk Assessment
Scope of the Analysis at CUMC
  • G.R.O.W.I.N.G…
    • Protected Health Information
    • Personally Identifiable Information (SSN, Driver’s License, Credit cards)

    • Payment Card Industry Data Security Standard
    • FDA Approved Research - 21 CFR Part 11
    • FERPA (Student information)
    • Etc.
  • Has to fit in a common framework
Threats and Vulnerabilities + Likelihoods + Impact
  • Original analysis of HIPAA issues at CUMC
  • Used a classification method
    • Threat Source: Internal/External
    • Type: Opportunistic/Accidental/Deliberate/Environmental
    • Likelihood: Very likely/Likely/Unlikely/Very unlikely
    • Costs/Severity: Operational Impact/Monetary Impact/Regulatory Impact/Reputation Impact
  • New threats
    • Social networks
    • Wireless devices
Threats and Vulnerabilities + Likelihoods + Impact
  • Examples:
    • Internal user, accidentally, infects a workstation with a virus through a personal USB drive
    • External user, deliberately, uses a server to distribute music or DVD or to send SPAM
    • Internal user, deliberately, looks up clinical data of a celebrity
Security Controls
  • Examples of controls that address threats
Asset Inventory Program at CUMC
  • Work starts July 2010
  • Ask departments to identify a Primary Person responsible for all Privacy and Security matters: communications, incidents, and resolutions
  • Ask Primary Person to identify Servers and Workstations with PII, PHI, FDA Research
    • Description, responsibility, IP address, etc.
Asset Inventory
  • CUMC IT will establish Asset inventory database of PHI, PII, and FDA systems
  • IT Security group will conduct vulnerability scans using automated tools, and return results and recommendations to Primary Person
  • Departments will address deficiencies with their IT custodians and take corrective actions; with follow up re-scan
  • Departments will be provided with a comprehensive list of assets from the inventory
Asset Inventory
  • Non-compliant systems after a specified time period will be disconnected from the network
  • Non-compliant systems after a specified time period will be reported to CUMC HIPAA/InfoSec Committee, department management, and CUMC senior management
  • The inventory will be updated by self-reporting and by annual recertification
New control: Data Leakage Prevention
  • DLP technology is a set of tools that look at
    • Our networks
    • Our incoming and outgoing emails
    • Our workstations and servers

    • Alert on leakage of PHI, PII and other sensitive data
    • Report on where such data reside
    • Control how such data are used

(Data at rest) (Data in motion) (Data in use)

Data Leakage Prevention
  • A pilot study showed
    • Sensitive PHI data are sent to billers, vendors without encryption
    • Sensitive data are accidentally left on workstations
    • Old, forgotten, sensitive data stay forever on servers
    • Users are using social networks and systems such as wikis and GoogleDocs to store sensitive, institutional data without proper authorization
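
A data-at-rest check of the kind these pilot findings call for, as an added example that is not part of the original briefing and not CUMC's tooling: it scans text for two of the PII types named earlier (SSN, credit cards), validates candidates to cut false positives, and reports where they reside with values masked. The patterns, function names, file name and sample text are assumptions made for illustration.

```python
import re

# Candidate patterns for two PII types named in the briefing (assumed formats).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject ranges never issued (area 000, 666, 9xx; group 00; serial 0000)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def mask(value):
    """Keep only the last four characters so the report itself does not leak data."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(location, text):
    """Return findings as (location, line_no, kind, masked_value)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((location, line_no, "SSN", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((location, line_no, "CARD", mask(digits)))
    return findings

# Constructed sample standing in for a file left on a workstation.
SAMPLE = """Patient follow-up list (constructed test data)
J. Doe, SSN 123-45-6789, balance due
Card on file: 4111 1111 1111 1111
Order ref 1234 5678 9012 3456, tracking 000-12-3456
"""

if __name__ == "__main__":
    for finding in scan_text("workstation-export.txt", SAMPLE):
        print(finding)
```

The order reference and tracking number on the last sample line are deliberately shaped like a card number and an SSN; the checksum and range checks keep them out of the report.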
Data Leakage Prevention
  • A 2010 project to start alerting on what is found on the networks
  • Reports to the department Primary Person
  • Reports to CUMC senior management
  • Development of a process to address the findings comprehensively
