PREP Course #23: Privacy and IT Security for Researchers

Transcription

1 PREP Course #23: Privacy and IT Security for Researchers Presented by: Emmelyn Kim, Office of Research Compliance & Debbie Wright, Office of Corporate Compliance

2 CME Disclosure Statement The North Shore LIJ Health System adheres to the ACCME s new Standards for Commercial Support. Any individuals in a position to control the content of a CME activity, including faculty, planners, and managers, are required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are thoroughly vetted by the North Shore-LIJ for fair balance and scientific objectivity and to ensure appropriateness of patient care recommendations. Course Director, Kevin Tracey, has disclosed a commercial interest in Setpoint, Inc. as the cofounder, for stock and consulting support. He has resolved his conflicts by identifying a faculty member to conduct content review of this program who has no conflicts. Speakers Emmelyn Kim & Debbie Wright, have nothing to disclose. 2

3 Today s Objectives Identify various privacy and IT security issues that can occur in the research setting Acquire techniques to manage privacy and IT security risks in research 3

4 Today We Will Discuss HIPAA Privacy & Security related regulatory requirements Privacy and security risks in the current environment Techniques to reduce potential privacy and IT security risks in research Use of Business Associate Agreements Resources available to mitigate risks 4

5 Question: Where do Privacy & Security Requirements Come From? 5

6 Privacy & Security Regulatory Requirements HIPAA: Health Insurance Portability and Accountability Act Federal law to facilitate continuity of care and adds protections for health information: 1. HIPAA Privacy Rule Governs use and disclosure of protected health information Applies to all PHI including oral, written, and electronic 2. HIPAA Security Rule Governs security standards for protecting health information Only applies to electronic PHI 6

7 To Whom Does HIPAA Apply? A) Everyone B) Only covered entities (e.g. Provider, facility or organization that conducts health care operations involving creation and transmission of PHI) C) Researchers that are not part of a covered entity D) Researchers collecting de-identified data 7

8 PHI A Quick Review PHI = Protected Health Information Individually identifiable health information (e.g. oral, written or electronic) collected or stored Associated or derived from healthcare service event such as diagnosis or treatment, payment or operations Within medical record or designated record set 8

9 What are the 18 HIPAA Identifiers? 1. Name 2. Geographic location 3. Elements of dates 4. Telephone # 5. Fax # 6. Address 7. Social Security # 8. Medical Record 9. Health Plan Beneficiary # 10. Account # 11. Certificate/license # 12. VIN, serial #s, license plate #s 13. Device identifiers/serial # 14. Web URLs 15. IP Address #s 16. Biometric Identifiers 17. Full face, photographic images 18. Other unique identifying #, characteristic, or code 9

10 Beyond HIPAA Value and Importance of privacy & security: Protecting valuable research data Intellectual property Public trust fosters research Protection of research subjects from harm and preservation of rights is essential to ethical research 1 1. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. 10

11 What Are Main Concepts of HIPAA Privacy? 1. With some exceptions, PHI can only be used, accessed, disclosed with patient authorization Two important exceptions: health care operations (eg. treatment, payment) and education 2. Patients have the right to understand and control use of their PHI 11

12 What is the Main Concept of HIPAA Security? Physical, administrative and technical safeguards are required to ensure the confidentiality, integrity and security of electronic protected health information 12

13 Who is Looking at This? The Office for Civil Rights (OCR) enforces both the Privacy & Security rules Performs regular audits of covered entities Increased audits starting 2011 Audit protocol and findings listed on 13

14 Privacy and Security Risks in the Current Environment and Risk Reduction Techniques

15 What Are Some Risks You Can Think of Technology trends: in the Current Environment? -Use of electronic data and systems (e.g. EMR, electronic data capture, research data from various sources, etc.) -Use of portable devices (e.g. smart phones, laptops, tablets, flash drives, etc.) -Cloud based use for maintenance and storage of data -Use of social media and public forums Security Issues: -Data breaches identity theft prevention -Data integrity or loss disaster recovery plans 15

16 Challenges of Protecting Privacy and Security Image from:

17 Recent Headlines US HHS settles HIPAA security cases: Alaska DHHS for $1.7 million - USB hard drive with ephi was stolen from the vehicle of an employee Phoenix Cardiac Surgery for $100,000 posting patient appointments on a publicly accessible internet-based calendar BCBST for $1.5 million - 57 unencrypted computer hard drives containing PHI were stolen from a leased facility Mass General Hospital for $1 million Loss of PHI via documents left by employee on the subway train UCLA for $865,500 unauthorized access to celebrity PHI by employees 17

18 Recent Tweets

19 Case Study Physical Safeguards Dr. Tresh got his IRB approval to do a study that required collection of data with PHI from the EMR. He was too busy so he had one of his residents Butters, who was not listed on the study, go into the EMR to gather the data for him. Butters didn t have a computer so he used one in a public lounge where the screen could easily be seen by others. When he finished viewing the EMR he forgot to log off, because he was so excited to get the data (that he downloaded onto a mini-hard drive) to Dr. Tresh. Butters couldn t find Dr. Tresh so he left the hard drive in the resident lounge with a note taped to it. Later the cleaners came by to do a sweep and threw away the hard drive because they thought the note said For Trash. What s wrong with this picture? 19

20 Case Study Technical Safeguards Susan was collecting sensitive information for a project on infectious disease and had to send information to an external collaborator at Jon12@research.edu by Wed. On Tuesday she became ill and asked her colleague Jody to send the information for her. She gave Jody her user ID and password to access the database to download the information. Jody went in to the database, downloaded the file and sent the data to Jon21@research.edu through her Gmail account. What s wrong with this picture? 20

21 Encrypt through HS By typing in the words Secure or PHI in the subject line Or clicking on the Encrypt and send (Zixmail) button when you send 21

22 Device Encryption Mobile devices = Laptops, tablets, removable portable hard drives, USB/thumb drives, smart phones, etc. To check that a device is using HS encryption, verify that the Sophos Safeguard icon is located within the system tray 22

23 Scenario: A laptop containing PHI of 500+ individuals was stolen Non-encrypted = Vs. Information not adequately protected Internal investigation Notification of media Notification of individuals of breach & call center set up External investigations Excess man hours dedicated to issue Encrypted = Information protected Internal investigation Minimal man hours dedicated to issues 23

24 Case Study Administrative Safeguards Pip was gathering data for a neonatal study she was doing at her facility. She created a folder on her desktop called the Newbie Study and files were saved in the folder on her C:\ drive. Later that year a tornado had ripped apart her office and destroyed her computer. She was not aware of any disaster recovery plan for her facility and did not have a backup to her study data. What s wrong with this picture? 24

25 Save Data on Health System Servers Create shared folders on health system servers with limited access (study team only) Do not save on your C:\ drive that is only your local computer Files saved on HS servers are backed up regularly Terminate access to folders and databases accordingly 25

26 Image from: 26

27 Case Study Administrative Safeguards Casper had a lot of data that he was collecting for his clinical trial and found a great cloud storage vendor that offered remarkably low prices. He decided to go with them and paid out of pocket for their services since he didn t want to bother going through internal channels it took too long. 4 months later the vendor went out of business and he couldn t access his data. He later read in the news that a hacker had stolen all the data from the vendor, which is why they shut down. They didn t have any other backup to their data. What s wrong with this picture? 27

28 Impact of the HITECH Act Health Information Technology for Economic and Clinical Health Act Security provisions including notification of patients & HHS of security breaches Increased penalties for violations of HIPAA rules with a max penalty of $1.5 million Applies HIPAA to business associates Mandates HIPAA audits 28

29 Impact of the Final Omnibus HIPAA Rule 2013 changes to HIPAA & HITECH include: New data breach standard that presumes that security of PHI is compromised if it is misused More aggressive OCR enforcement and fines Applies HIPAA to subcontractors of business associates = Greater liability and compliance requirements

30 HIPAA Breach Analysis Requires a new risk assessment that includes: 1. The nature and extent of the PHI involved 2. Recipient of the PHI 3. Whether the PHI was actually acquired or viewed 4. Extent to which the risk was mitigated following unauthorized disclosure 30

31 What About Our Business Associates? Business associate (BA) = Person or organization outside of HS workforce who provides services to HS that involve the use or disclosure of PHI E.g. claims processing, billing, medical record delivery, data analysis, quality assurance reviews Agreements with business associates must include protections for the PHI and cannot let the business associate do anything that would violate HIPAA HIPAA extends to subcontractors 31

32 Why Is It Important? 32

33 Polluted Medical Record 33

34 Protect Mobile Devices Regardless of whether the mobile device is Personally owned, bring your own device (BYOD) Provided by our organization Dispose of USB drives and other media that may contain PHI Call the Help Desk for assistance Take the Steps to Protect and Secure Health Information When Using a Mobile Device 34

35 What Not To Do With Your Mobile Devices Share your mobile device password or user authentication Allow use of your mobile device by unauthorized users Store or send unencrypted health information with your mobile device Ignore mobile device security software updates Download applications (apps) without verifying they are from a trusted source Leave your mobile device unattended Use an unsecured Wi-Fi network Discard your mobile device without first deleting all stored information Ignore our mobile device policies and procedures 35

36 Be Cautious When Using Social Media Image from 36

37 What Else? Huping Zhou, a researcher for UCLA Healthcare System was accused of accessing electronic health care records without authorization for 323 patient records including actors. NAME THAT PUNISHMENT! 37

38 Protect Sensitive Information Do not collect social security numbers and medicare numbers unless absolutely necessary NYS law requires strict protection of this information If you collect this information you are now burdened with the responsibility of protecting this information This information can be masked in databases 38

39 Mailing/ ing Checklist Carefully check name and address of intended recipient. Many names are similar; make sure you have the correct name for the intended recipient on the envelope or the to line. Make sure the address on the envelope matches the correct address of the intended recipient. Carefully check the contents before sealing the envelope or hitting send. Make sure the contents may be permissibly disclosed to the intended recipient or properly relate to the individual. Check all pages to make sure records or material related to other individuals are not mistakenly included. Check the information showing on the outside of the envelope or through the address window. Make sure identifying information that is not necessary to ensure proper delivery is not disclosed. 39

40 Faxing, Scan/ ing Checklist Carefully check the fax number/ address to make sure you have the correct information for the intended recipient. When manually entering the number/ , check to see that it has been entered correctly before sending. Confirm fax number/ address with the intended recipient when sending to party for the first time or if sent infrequently. Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending. Update fax numbers promptly upon receipt of notification of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine. 40

41 Faxing, Scan/ ing Checklist (Cont d) Locate fax machines/scanners in areas where access can be monitored and controlled and avoid leaving patient information on machines after sending. Have policies and procedures in place to safeguard protected health information that is faxed/scanned, including processes to act promptly on (1) changes in fax numbers/ s to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax/ to identify the cause and take steps to prevent future incidents, including revising the organization s policies and procedures. Train staff on the policies and procedures for the proper use of fax machines/scanners that your organization has put in place to safeguard protected health information. Update training periodically and be sure to train new staff. 41

42 Resources Available Research Resources: ORC Web Site: Under Tools and Guidance/ Electronic Security ephi Security Guidance HIPAA Compliance and Microsoft Applications Microsoft Applications Delegation and Access Log ephi Security Tips 42

43 Secure IT Card 43

44 HS Resources Available IS Web Site 44

45 HS Resources Available Health System Policies related to IT privacy and security: Under Information Services Policies and Procedures Be aware of the following policies (including but not limited to): Computer Usage Policy Disaster Planning and Operations Policy Data Encryption and Integrity Policy Device and Media Control Policy 45

46 OCR web site: 46

47 Thank You! Contact Us for Questions Research Compliance General: (516) / orc@nshs.edu Emmelyn Kim: (516) / ekim@nshs.edu Corporate Compliance General: (516) / Debbie Wright: (516) / dwright3@nshs.edu 47