Healthcare HIPAA security rules of engagement

The use of health information technology continues to expand in healthcare. Healthcare organizations are using web-based applications and other portals that give physicians, nurses, medical staff, administrative employees and patients increased access to electronic health information. Providers are also using clinical applications such as electronic health records (EHR), radiology, pharmacy, and laboratory systems. This means that the medical workforce and healthcare consumers have quick access to critical health information while being more mobile. While technology provides these and many other opportunities and benefits, it also creates an increase in potential security risks and poses new risks to patient privacy.
HIPAA and HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2008 was created to strengthen the privacy and security protections for health information established under HIPAA by expanding on the existing requirements. The current HIPAA requirements encompass five categories of rules:

1. Privacy Rule: protects the privacy of individually identifiable health information. The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) was adopted as a final Rule in August 2002. The Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral. In contrast, the Security Rule covers PHI that is in electronic form.

2. Security Rule: sets national standards for the security of ePHI. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is found at 45 CFR Part 160 and Part 164, Subparts A and C. The Security Management Process standard in the Security Rule requires covered entities (healthcare organizations) to "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations" (45 C.F.R. (a)(1)). Risk analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard.

3. Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured protected health information if the breach affects 500 or more people.

4. Patient Safety Rule: protects identifiable information being used to analyze patient safety events and improve patient safety.

5. Omnibus Rule: expands the requirements to business associates of covered entities that receive protected health information. HIPAA business associates and business vendors are now subject to the same HIPAA Security Rule requirements and use and disclosure limitations as the covered entity, and are subject to audit and fines by the U.S. Department of Health and Human Services. This rule is a critical step in ensuring ePHI privacy and security, as some of the largest breaches reported to HHS have involved business associates. It was effective as of March 26 [year not given in the source]. Both business associates and their subcontractors must now develop comprehensive, written HIPAA security policies and procedures. They also must implement the safeguards mandated by the HIPAA Security Rule. Business associates also must now enter into written contracts with subcontractors that contain specific provisions required by the HIPAA Privacy and Security Rules. Previously, business associates were only required to ensure that subcontractors agreed to the same restrictions on the use and disclosure of PHI.
Who must comply with the HIPAA Act?

It's important that covered entities and business associates understand and fully comply with the HIPAA Act, as the Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates adhere to the HIPAA Privacy and Security Rules and Breach Notification standards.

A covered entity covers three groups of individual or corporate entities: health care providers, health plans, and health care clearinghouses [i]. In general, this is any provider of medical or other healthcare services or supplies that transmits any health information in electronic form. Not all healthcare organizations must comply with the HIPAA Rules; for example, organ donation organizations do not (see 45 CFR for the few statutory exemptions).

A business associate is an individual or corporate person that performs on behalf of the covered entity any function or activity involving the use or disclosure of PHI and is not a member of the covered entity's workforce. This can include a volunteer, consultant, subcontractor, per diem nurse, laboratory, collection agency, message service, IT vendor, or other similar persons or businesses.

This white paper focuses on the HIPAA Privacy and Security Rules. The Privacy Rule sets the standards for who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to PHI will actually have access. It's important to note that the Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral. In contrast, the Security Rule covers PHI that is in electronic form.

HIPAA rules

The HIPAA Security Rule establishes national standards to protect individuals' ePHI that is created, received, used, or maintained by a covered entity. In developing the Security Rule, HHS chose to closely reflect the requirements of the final Privacy Rule (adopted as a final Rule in August 2002).
As a result, covered entities that have implemented the Privacy Rule requirements in their organizations may find that they've already taken many of the measures necessary to comply with the Security Rule. In addition, healthcare organizations that have met Core Requirement #15, "Conduct or Review a Security Risk Analysis" per 45 CFR (a)(1), required to qualify for incentive dollars associated with Meaningful Use, have also taken steps to comply with the Security Rule.

The security needs of covered entities can vary significantly; therefore the security standards were designed to provide guidelines to all types of covered entities: small, large, multi-facility, single facility, hospital, physician group practice, clinic, etc. The standards allow a covered entity to choose technologies and security measures that best meet its specific needs and ability to comply with the standards. In deciding which technologies and security measures to implement, a covered entity should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. For example, larger entities may feel that penetration testing of electronic systems is warranted while a two-physician practice would not.

Administrative, physical and technical safeguards

The HIPAA Security Rule poses a challenge for health organization implementation from a technological as well as a compliance and policy perspective. Organizations need to implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. They also need to review the mechanisms that must be deployed to record and examine system activity in order to identify suspicious data activity. The audit capability must be such that it enables tracing not just to the device, but also to the user.
This is becoming more important as the number and usage of cloud services increases. Currently, there are over 2,000 cloud services, with hundreds being created every few months. It is difficult for a covered entity to manually identify which cloud services are being utilized by employees and, once identified, how risky each service is. Some cloud services, such as Carbonite.com, have a lower level of risk, while others, such as Google cloud service, an unsecured platform, are very risky. Recently a medical center learned that its residents and physicians-in-training used Google to share data on over 3,000 patients. In another example of cloud usage exposing ePHI, a two-person physician practice was fined USD 100,000 for using a cloud-based calendar application, among other things.

The Security Rule requires administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Administrative

Administrative requirements are of a policy and procedural nature to protect data integrity, confidentiality, and availability. They're non-technical in nature and do not directly affect technical implementation. However, administrative procedures should take into account technology issues, and deployments should conform to existing organizational administrative procedures. These requirements include delegation of security responsibility to an individual, workforce HIPAA and security training, a Security Risk Assessment, and a Security Risk Evaluation.
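The audit-capability requirement described above (record and examine activity in systems that hold ePHI, trace it to the user and not just the device, and pick out suspicious data activity) is easier to see against a concrete log. The following Python script is an added example and is not part of the white paper or of any Dimension Data tooling; the log format, the sample events, the five-minute window and the five-patient threshold are all assumptions constructed for this illustration.

```python
"""Added illustration (not from the white paper): review a constructed ePHI
access log so that every event can be traced to a user as well as a device,
and flag bulk record access that warrants follow-up.

Assumptions for this example: one event per line in the form
"<ISO timestamp> <user or '-'> <device> <patient id> <action>"; a '-' user
means the system recorded the device but not the person."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). The third line is device-only;
# the rsmith lines show six different patients exported within seconds.
SAMPLE_LOG = """\
2013-03-04T08:01:10 jdoe WS-101 P0001 view
2013-03-04T08:03:22 jdoe WS-101 P0002 view
2013-03-04T08:04:01 - WS-244 P0003 view
2013-03-04T08:05:40 rsmith LAPTOP-07 P0004 export
2013-03-04T08:05:41 rsmith LAPTOP-07 P0005 export
2013-03-04T08:05:42 rsmith LAPTOP-07 P0006 export
2013-03-04T08:05:43 rsmith LAPTOP-07 P0007 export
2013-03-04T08:05:44 rsmith LAPTOP-07 P0008 export
2013-03-04T08:05:45 rsmith LAPTOP-07 P0009 export
2013-03-04T09:30:00 jdoe WS-101 P0010 view
"""


def parse_log(text):
    """Parse the constructed format into dicts; None marks a missing user."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, patient, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": None if user == "-" else user,
            "device": device,
            "patient": patient,
            "action": action,
        })
    return records


def untraceable_events(records):
    """Events that can be traced to a device but not to a person: these fail
    the user-level tracing requirement and usually mean a shared login."""
    return [r for r in records if r["user"] is None]


def bulk_access(records, window=timedelta(minutes=5), threshold=5):
    """Users who touch at least `threshold` distinct patient records inside
    any sliding `window`. Returns (user, window start, distinct patients,
    sorted actions seen); one finding per user is enough for a review queue."""
    by_user = defaultdict(list)
    for r in records:
        if r["user"] is not None:
            by_user[r["user"]].append(r)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            patients = {e["patient"] for e in in_window}
            if len(patients) >= threshold:
                actions = sorted({e["action"] for e in in_window})
                findings.append((user, start["ts"], len(patients), actions))
                break
    return findings


def review(text):
    """Summary an auditor can act on: event count, device-only events and
    bulk-access findings, with timestamps rendered as ISO strings."""
    records = parse_log(text)
    return {
        "events": len(records),
        "untraceable": [(r["ts"].isoformat(), r["device"])
                        for r in untraceable_events(records)],
        "bulk_access": [(u, ts.isoformat(), n, acts)
                        for u, ts, n, acts in bulk_access(records)],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

Run as is to print the findings for the constructed log. The device-only event is the kind of record that satisfies "tracing to the device" but fails the user-level requirement, which is why the access-control and authentication policies on the audit checklist ask how users are identified. The bulk-access check is deliberately simple (distinct patients per user per window) so the threshold can be tuned per role once a Risk Assessment has established what normal workload looks like.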
Physical Safeguards

Physical Safeguards represent policy-level controls and technology solutions to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized access or exploitation. These requirements represent practices to prevent unauthorized access to facilities and physical devices such as workstations and electronic media, to ensure adequate backup and recovery of systems and data, and to ensure proper usage, storage, and disposal of devices.

Technical Safeguards

Technical Safeguards are the automated processes used to protect and control access to data. This includes authentication controls to verify that a person is authorized to access the ePHI, hardware and software audit controls, PHI integrity controls, and encrypting and decrypting data during transmission and storage.

While the three safeguards discussed above comprise the majority of the standards and implementation specifications under the Security Rule, there are four other standards that must be implemented. Collectively, these are referred to as the Organizational requirements, which address (1) Business Associate Contracts and Other Arrangements, (2) Requirements for Group Health Plans, (3) Policies and Procedures and (4) Documentation Requirements.

Within the administrative, physical and technical safeguards, the Security Rule specifications are labeled either "required" or "addressable". If a specification is labeled required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires. A common misconception is that an addressable implementation specification is optional. If an implementation specification is labeled addressable, then the covered entity must assess whether it's a reasonable and appropriate safeguard in the entity's environment.
If an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it's not reasonable and appropriate. Otherwise, it must adopt an equivalent measure if it is reasonable and appropriate to do so.

Periodic evaluations

If your organization is like many, you may have performed a Risk Assessment and drafted the required policies, but you may not be performing a regular audit or updating your policies. To comply with HIPAA and MU incentive programs, you must continue to review, correct or modify, and update security protections on a periodic basis (yearly for MU). For HIPAA, the need for a new evaluation is driven by changes to the security environment since the last evaluation. For example, if the covered entity has experienced a security incident or is planning to implement new technology, the potential risk should be analyzed to ensure the ePHI is protected. The evaluation covers both the technical and non-technical components of security. If it's determined that existing security measures are not sufficient to protect against the risks associated with the changes to the security environment, then the entity must determine whether additional security measures are needed. This evaluation may be performed internally or by an external firm, which would be acting as a business associate.

HHS OCR security audits

As was mentioned earlier, the HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. For years HIPAA privacy and security rules had not been enforced, and healthcare entities had little to worry about in terms of being audited for HIPAA compliance.
That has all changed, and every covered entity and business associate is eligible for an audit. In general, the objectives of the audits are to assess whether all vulnerabilities have been addressed and to verify that all compliance requirements have been met. The HHS Office for Civil Rights (OCR) is responsible for performing the audits and enforcing the rules. As part of the audit, entity personnel are interviewed and documentation is requested and reviewed. The actual HIPAA audit covers the following three areas:

Privacy Rule
- notice of privacy practices for PHI
- rights to request privacy protection for PHI
- access of individuals to PHI
- administrative requirements
- uses and disclosures of PHI
- amendment of PHI
- accounting of disclosures

Security Rule
- administrative, physical, and technical safeguards

Breach Notification Rule

The OCR released a checklist for HIPAA Onsite Investigations and Compliance Audit Reviews which details the personnel who may be interviewed and the documents that may be requested (Table 1 - HIPAA Audit Checklist, following page) [ii]. The OCR asks for a significant amount of information which must be presented in a very short period of time. It would be nearly impossible for an organization to pull this information together if it didn't have all the required documentation already in place. Let this be a warning: you won't be able to pull together a Risk Assessment at the last minute.
Typical compliance shortfalls

No organization is 100% secure; however, an organization needs to be in a position to show OCR that it has made a good faith effort to comply with the Privacy and Security Rules (45 C.F.R.). Understanding where other covered entities have come up short can show an organization where it should focus additional attention.

During 2008, CMS performed reviews of 10 health covered entities to verify compliance with the Security Rule [iii]. After completing the reviews, CMS performed an analysis on the identified compliance issues to determine areas where CEs appeared to struggle to comply with the Security Rule. These areas included:
- risk assessment
- currency of policies and procedures
- security training
- workforce clearance
- workstation security
- encryption

Later, in 2012, OCR performed an audit pilot program with 115 covered entities. Audits conducted through June of 2012 found similar compliance shortfalls to those found in 2008, including an absence of periodic Risk Assessments, inadequate policies and procedures, lack of priority for HIPAA compliance programs, and poorly managed third-party risks. As of December 2012, findings from the audits show that [iv]:
- smaller entities had more issues than larger entities
- Security Rule compliance problems were more of an issue than Privacy Rule compliance problems
- entities have been faulted for a lack of policies and procedures directly addressing mobile technology tracking, authentication, and security including encryption
- Security Rule issues often reflected IT issues involving:
  - user activity monitoring
  - authentication and system integrity
  - user access permissions
  - media reuse/destruction

The audit program also identified the most common HIPAA vulnerabilities as being:
- paper files
- flash drives
- laptops
- social media
- EHR review of your own or others' information
- safeguards not in place (e.g., white boards, elevator conversation)
Table 1 - HIPAA Audit Checklist for HIPAA Onsite Investigations and Compliance Audit Reviews

1. Personnel that may be interviewed
- President, CEO or Director
- HIPAA Compliance Officer
- Lead Systems Manager or Director
- Systems Security Officer
- Lead Network Engineer and/or individuals responsible for:
  - administration of systems which store, transmit, or access electronic protected health information
  - administration of systems networks (wired and wireless)
  - monitoring of systems which store, transmit, or access ePHI
  - monitoring of systems networks (if different from above)
- Computer Hardware Specialist
- Disaster Recovery Specialist or person in charge of data backup
- Facility Access Control Coordinator (physical security)
- Human Resources Representative
- Director of Training
- Incident Response Team Leader
- others as identified

2. Documents and other information that may be requested for investigations/reviews

Policies and procedures and other evidence that address the following:
- prevention, detection, containment, and correction of security violations
- employee background checks and confidentiality agreements
- establishing user access for new and existing employees
- list of authentication methods used to identify users authorized to access ePHI
- list of individuals and contractors with access to ePHI, to include copies of pertinent business associate agreements
- list of software used to manage and control access to the Internet
- detecting, reporting, and responding to security incidents (if not in the security plan)
- physical security
- encryption and decryption of ePHI
- mechanisms to ensure integrity of data during transmission, including portable media transmission (i.e. laptops, cell phones, BlackBerrys, thumb drives)
- monitoring systems use, authorized and unauthorized
- use of wireless networks
- granting, approving, and monitoring systems access (for example, by level, role, and job function)
- sanctions for workforce members in violation of policies and procedures governing ePHI access or use
- termination of systems access
- session termination policies and procedures for inactive computer systems
- policies and procedures for emergency access to electronic information systems
- password management policies and procedures
- secure workstation use (documentation of specific guidelines for each class of workstation, i.e., on site, laptop, and home system usage)
- disposal of media and devices containing ePHI

Other documents:
- Entity-wide Security Plan
- Risk Analysis (most recent)
- Risk Management Plan (addressing risks identified in the Risk Analysis)
- security violation monitoring reports
- vulnerability scanning plans
- results from most recent vulnerability scan
- network penetration testing policy and procedure
- results from most recent network penetration test
- list of all user accounts with access to systems which store, transmit, or access ePHI (for active and terminated employees)
- configuration standards to include patch management for systems which store, transmit, or access ePHI (including workstations)
- encryption or equivalent measures implemented on systems that store, transmit, or access ePHI
- organization chart to include staff members responsible for general HIPAA compliance, including the protection of ePHI
- examples of training courses or communications delivered to staff members to ensure awareness and understanding of ePHI policies and procedures (security awareness training)
- policies and procedures governing the use of virus protection software
- data backup procedures
- disaster recovery plan
- disaster recovery test plans and results
- analysis of information systems, applications, and data groups according to their criticality and sensitivity
- inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain ePHI
- list of all Primary Domain Controllers (PDC) and servers
- inventory log recording the owner and movement of media and devices that contain ePHI
HIPAA violations

HIPAA violations can lead to substantial penalties and burdensome corrective action plans. Just in the recent past:

In 2010, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. agreed to pay USD 1.5 million to the federal government to resolve allegations that it violated the Health Insurance Portability and Accountability Act Security Rule by failing to properly protect patients' protected health information maintained on an unencrypted laptop. The investigation indicated that Massachusetts Eye and Ear had failed to take steps to comply with some Security Rule requirements, including ensuring that data maintained on portable devices was protected from unauthorized users and that procedures were in place for identifying and reporting data security incidents.

Take away: Although encryption is not a requirement under the HIPAA Security Rule, it does provide a safe harbor in the event of a security incident. If a device (laptop, desktop, USB drive, DVD, etc.) that contains ePHI is lost or stolen and the device is encrypted, the covered entity does not have to report the breach. Encryption dramatically reduces the liability of storing ePHI on desktops, laptops and portable devices.

The Alaska Department of Health and Social Services was handed a USD 1.7 million fine by the OCR. The Alaska agency lost a USB drive with 501 patients' information, which led to an investigation by OCR. During the investigation numerous HIPAA violations were uncovered. Based on the severity of the fine, it appears that OCR found the Alaska agency to be in willful neglect of the HIPAA regulations, including not having performed a current Risk Assessment, lack of required policies and procedures, and lack of employee security training.

Take away: Many audits will be the result of a breach. The OCR will investigate the breach and perform a full HIPAA audit.
The HIPAA Security Rule mandates that all covered entities perform a Risk Assessment to determine how ePHI is being protected and to recommend additional safeguards. A Risk Assessment is the foundation of the HIPAA Security Rule. If an organization gets audited, one of the first questions is going to be: "Where is your latest Risk Assessment?"

On February 19, 2009, OCR notified Phoenix Cardiac Surgery of its initiation of an investigation of a complaint alleging that it had impermissibly disclosed ePHI by making it publicly available on the Internet via an Internet-based calendar and an Internet-based [term missing in source]. Ultimately, it was fined USD 100,000 and told to implement a corrective action plan. An audit identified that the practice:
- did not provide and document training of each workforce member on PHI
- failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of PHI
- posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar
- transmitted ePHI from an Internet-based account to workforce members' personal Internet-based accounts on a daily basis
- failed to identify a security official
- failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI
- failed to obtain satisfactory assurances in business associate agreements from the Internet-based calendar and the Internet-based public providers that these entities would appropriately safeguard the ePHI received from the Covered Entity

Take away: Many audits will be the result of a complaint. The OCR doesn't care how small an entity is (in this case a two-physician practice), that it may not have known it was breaking the law, or that many other healthcare entities are running their practices in a similar manner; OCR will investigate and fine based on the HIPAA Rules.
HIPAA penalties

OCR may fine or otherwise penalize covered entities if they have not met the HIPAA regulations. Penalties were previously capped at USD 25,000 for multiple violations of the same provision in a single calendar year, but they have been increased for non-compliance based on the level of negligence, with a maximum penalty of USD 1.5 million per violation. These HIPAA fines can be devastating to an organization as they're usually not covered by general liability insurance. There are specific insurance policies, called HIPAA/cyber insurance, that provide coverage for HIPAA-associated fines and expenses related to data breaches. Interestingly, some of these insurance policies require an organization to attest that it is compliant with HIPAA regulations, has implemented security best practices, etc. So an organization can't avoid being compliant.

A penalty will not be imposed for violations in certain circumstances, such as if:
- the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR)
- the Department of Justice has imposed a criminal penalty for the failure to comply

In addition, OCR has the option to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the non-compliance. Before OCR imposes a penalty, it must notify the covered entity and provide the covered entity with an opportunity to provide written evidence of circumstances that would reduce or bar a penalty. This evidence must be submitted by the covered entity to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty [v].
An organization may feel that the chance of being selected for a random OCR HIPAA audit is very small, so it doesn't need to worry. Those organizations should remember that security breaches and complaints can lead to investigations. And recent events indicate that the number of major breaches is increasing [vi]:
- The number of major PHI breaches in 2012 increased by more than 21% compared with the previous year.
- Two-thirds of major breaches result from theft or loss, 38% of breaches come from unencrypted laptops and other portable devices, and 57% involve a business associate.
- The threat of hacking is real: 780,000 Utah Department of Public Health Medicaid and CHIP recipients were affected by a server being hacked.
- Breaches by business associates historically affect five times more patient records than breaches at covered entities.
- Cloud service breaches are becoming more prevalent and are expected to increase as the number of cloud services increases.

It's anticipated that there will be an increase in the frequency of audits in the future, as it's expected that OCR will use proceeds from the fines to fund its activities.

Conclusion

Implementing HIPAA security will enable a covered entity to put into place security measures that will protect patient information and lower the risk of security breaches. Training employees on how to protect patient information will help them understand what is required to protect information and familiarize them with security best practices. Avoiding data breaches will eliminate the associated damage to an organization and protect it from loss of revenue. Data breaches can have long-term damaging effects on an organization's reputation that could potentially prevent prospective patients from purchasing services. Avoiding data breaches can protect a covered entity's revenue and reputation.
Remember, at a minimum, a successful compliance program includes:
- regular Risk Assessments
- an action plan to respond to incidents
- analysis, evaluation, and correction of potential risk areas
- implementation of privacy and security policies and procedures
- technology to record and examine suspicious activity down to the user level
- employee training
- business associate agreements
Dimension Data Healthcare

Our associates have extensive experience assisting clients in the acute, ambulatory, diagnostic services, and other care provider environments, delivering access and information at the point of care. We've been responsible for creating and implementing the technical designs for many hospitals, clinical data centers, and the Cisco LifeConnections Health Center and Pharmacy. We provide HIPAA services and solutions including HIPAA Risk Assessments, Contingency Planning, Security Audit and Evaluation, Security Policy and Procedures, and Managed Recovery Services. To learn more about how we can assist you or to access other healthcare-related white papers, please visit our website.

References
[i] As defined by 45 C.F.R. (a provider that transmits health information in electronic form in connection with a transaction covered by 45 C.F.R. Part 162).
[ii] Please note that the interview and information request document is not a comprehensive list of applicable investigation/review areas, nor does it attempt to address all noncompliance scenarios.
[iii] enforcement/cmscompliancerev08.pdf
[iv] HIPAA Audits and the New Audit Protocol, Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance, media.straffordpub.com/products/hipaa-auditsand-the-new-auditprotocol/presentation.pdf
[v] HHS.org, Enforcement and Penalties for Noncompliance, gov/ocr/privacy/hipaa/understanding/summary/index.html
[vi] The 3rd Breach Report/Protected Health Information, Redspin Inc.