Industry leading Education

Transcription

1 Industry leading Education Please ask questions #CGwebinar Todays slides are available group.com/slides023/ Past webinars and recordings group.com/webinar/ HIPAA

2 Ensuring Patient Privacy The Need to Monitor for Inappropriate Access to ephi This document may not be reproduced, transmitted, or distributed without the prior permission of All Medical Solutions

3 Introduction About the Speaker: Stephen Salinas serves as Senior Business Development Consultant and Channel Manager at All Medical Solu9ons (AMS). While at AMS, Stephen has worked alongside California s two most successful Regional Extension Centers (HITEC- LA and COREC), overseeing the successful adop9on of EHR technology and Meaningful Use to over 1,200 California physicians. About All Medical Solu4ons: All Medical Solu9ons (AMS) is a healthcare organiza9on consultancy and solu9ons development division of Fusion Systems Co., Ltd., a global Informa9on Technology Solu9ons consul9ng business. Based in California, AMS has over 20 years of experience in developing proprietary technology products for Fortune 500 companies and over 10 years in bringing tailored and insighwul solu9ons to na9onal and regional healthcare providers. As a Service Partner of two RECs, AMS has witnessed first hand the many issues healthcare organiza9ons face with regards to HIPAA and Meaningful Use. AMS launched SPHER in 2013, an online state- of- the- art Electronic Health Record (EHR) monitoring solu9on which fulfills federal HIPAA audit requirements. For more informa9on, go to amsspher.com.

4 Today s Topic: Ensuring Pa4ent Privacy The Need to Monitor for Inappropriate Access to ephi A look into the current state of healthcare and security, your obliga4ons under HIPAA to monitor user ac4vity of your EHR to ensure pa4ent privacy rights are protected, and an outline of what should be done to protect your organiza4on from the threat of a privacy breach

5 Agenda The Need to Become Compliant with HIPAA The current state of healthcare and security Results of the OCR Pilot HIPAA Audits of 2012 User Ac9vity Monitoring the #1 security deficiency The official OCR HIPAA Audits enforced in 2013 A Deeper Dive into User Ac4vity Monitoring (Privacy Monitoring) The importance of User Ac9vity Monitoring User Ac9vity Monitoring references in HIPAA and Meaningful Use Iden9fying the hurdles organiza9ons face when aiming for compliance How to correctly implement, document, and maintain a Privacy Monitoring program Re- evalua4ng Your Current Security Posture The need to priori9ze Privacy Monitoring and Workforce Educa9on Case Studies

6 What is a Privacy Breach? According to HIPAA, an impermissible use or disclosure of protected health informa9on is presumed to be a breach unless the covered en9ty or business associate demonstrates that there is a low probability that the protected health informa9on has been compromised. 4 factors: Nature and extend of the PHI involved Unauthorized person who the used the PHI or to whom disclosure was made to Whether PHI was actually acquired or viewed Extent to which the risk to the PHI has been mi9gated

7 The Current State of Healthcare and Security The cost of a Privacy Breach Healthcare industry loses $7 Billion a year due to privacy breaches Average cost of a privacy breach = $2.4 million 94% of healthcare organiza9ons have had at least one data breach in the last two years Compared to all other industries in the US, healthcare had the highest per capita breach cost 54% of organiza9ons have liile or no confidence they can quickly detect privacy breaches (Ponemon Ins9tute)

8 The Need to be Compliant with HIPAA The HIPAA/HITECH rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a pa9ent s privacy rights and protec9ons, but also strengthen the ability of [the Office of Civil Rights] to vigorously enforce the HIPAA privacy and security protec9ons. (Leon Rodriguez, Head of OCR)

9 The Driver for HIPAA/HITECH Audits " Section of the HITECH Act Mandatory audits will occur separate from the standard audits now in place. " US Government Accountability Office GAO GAO evaluates the HITECH EHR/Meaningful Use Incentive Program managed by CMS Proposes the need for Meaningful Use Audits to ensure hospitals and providers participating in the program have not falsely attested to achieving Meaningful Use 10% Hospitals and 20% of Providers that attested for Meaningful Use will be audited " HIPAA Omnibus Final Rule redefines and increases Civil Monetary Penalties Civil Money Penalties (CMPs) for covered entities have been increased to a $1.5 million cap per violation for violations due to willful neglect ( did not know ) Willful Neglect Not Corrected: defined as a breach resulting from an intentional failure or reckless indifference of HIPAA obligations, and the breach was not corrected immediately after discovery. Violations are defined as the number of patient records affected. " HHS Contracts KPMG 2012 Audit Pilot Program 115 Covered Entities (CEs) Audited during Q Selection of CEs was based on random selection, and not based on prior HIPAA infractions #1 Discrepancy: NO User Activity Monitoring

10 KPMG Pilot Audits: Privacy/Security/Breach Non-Compliance

11 KPMG Findings Top 9 Security Issues Auditors reported that the CEs did not know it was required *Reused with permission from Adam H. Greene, JD, MPH from PPN Final Omnibus Presentation

12 HIPAA/HITECH Audits Occurring in 2013 " Covered En99es can expect two (2) separate audits where they will be required to demonstrate HIPAA Compliance Q CMS Meaningful Use (MU) Audits Q HHS OCR Privacy/Security/Breach Audit Program

13 CMS Meaningful Use Audits " Q CMS Meaningful Use (MU) Audits 10% Hospitals, 20% of Providers will be audited and be able to demonstrate that they met the required MU criteria If an audited entity has failed to correctly attest to even a single metric then that participant will be required to return all of the funds and face the possibility of fraud charges Specifically MU Core Measure 14 for Hospitals, MU Core Measure 15 for Providers (HIPAA Security Rule Compliance) Measure: Conduct or review a security risk analysis in accordance with (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the risk management process. You will be required to submit a copy of your Security Risk Assessment as well as an outline of your risk management process showing the security safeguards (? policies and procedures) both implemented to date and in progress. If the entity is unable to demonstrate compliance with the HIPAA Security Rule, the entity may be subject to the more stringent HHS OCR Audit

14 HHS OCR Audit Program " Q HHS OCR Privacy/Security/Breach Audit Program " Increased number of Audit Protocol Procedures compared to the OCR KPMG Pilot Audit Program Privacy Audit Procedures Security Audit Procedures of the Audit Procedures directly relate to User Ac9vity Monitoring Breach No9fica9on Audit Procedures 10 Learn more about the HIPAA Audit Program Protocol :

15 The OCR Audit Process " Advanced day no9fica9on by mail " 15 day deadline to respond a large documenta9on request " 3-5 day on- site data collec9on of up to 5 auditors Interviews of key personnel and assorted staff members, site walkthroughs, opera9onal reviews, and requests for further informa9on " Drat report issued, 10 days window to respond " Final report issued, imposing CMPs and correc9ve ac9on Notification letter and request for documentation sent to Covered Entity Receiving and reviewing documentation and planning the audit field work On-site field work Draft audit report Covered Entities review and comment on draft audit report Final audit report

16 A Deeper Dive into User Ac4vity Monitoring HIPAA requires user ac4vity monitoring You must review your EHR audit logs for inappropriate access Protect your Pa4ents Privacy by adhering to the law

17 What is Inappropriate Access and Disclosure? " HHS outlines what is defined as inappropriate access and disclosure under the HIPAA Privacy Rule: HIPAA is based on sound current prac9ce that protected health informa9on should not be used or disclosed when it is not necessary to sa9sfy a par9cular purpose or carry out a func9on. The minimum necessary standard requires covered en99es to evaluate their prac9ces and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health informa9on.

18 Outline the Problem " Internal workforce and 3 rd par9es have access to your pa9ents ephi " You grant access to PHI under the assump9on that privacy policies will be followed in the strictest sense " New informa9on systems put in place (EHR) " Implemen9ng new policies, procedures, and security safeguards are an aterthought " Staff not effec9vely educated on the new policies and procedures " Management not strictly and rou9nely enforcing " Current and newly adopted policies and procedures may not strong enough and will need revised " It is the covered en99es responsibility to monitor all access to ephi, including access granted to Business Associates " Your Risk/Vulnerability of facing an internal privacy breach is high

19 HIPAA Security Related Regulations HIPAA Security Rules " Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports (a)(1)(ii)(D) " Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (B) " Implement procedures for monitoring log-in attempts and reporting discrepancies (a)(5)(ii)(C) " Retain required documentation of policies, procedures, actions, activities or assessments required by the HIPAA Security Rule for six years from the date of its creation or the date when it last was in effect, whichever is later (B)(1)(ii) Meaningful Use Requirements " ONC certification for EHR technology requires an EHR to produce an audit log (r) " Conduct a Security Risk Assessment per HIPAA (a)(1), implementing security updates as necessary and correcting deficiencies Meaningful Use Core Measure 14 for Hospitals, 15 for Providers

20 Insurance Exclusions " For arising out of or resulting from any act, error, omission, incident, failure of Computer Security. " Based upon, arising from, or in consequence of any claim or proceeding brought by or on behalf of any federal, state, or local government agency or authority; or licensing or regulatory organization. Due to the increasing number of ephi related breaches since the adoption of EHR, insurance companies are utilizing their exclusion clauses. Many policies do not cover breaches due to reckless indifference of HIPAA obligations (willful neglect). Civil Money Penalties (CMPs) mandated by the OCR and Class Action Lawsuits Costs associated with fulfilling breach notification requirements and loss of income due to site failure Credit card monitoring services for affected patients, etc. Source: Beazley, Chubb, Doctors Company, Lloyds of London If found negligent, the Insurance Carrier is not obligated to pay these.

21 Common Misconceptions " This is a responsibility that is supposed to be handled by my EHR vendor (or other health informa9on system) As required by Federal ONC- Cer9fica9on for EHRs, their obliga9on to the client is to ensure that their system is audit capable, that it can generate a human readable audit log " This is a responsibility that can be handled by my IT department Reviewing audit logs requires prac9cal knowledge of healthcare workflow and as well as the organiza9ons policies and procedures; this is the responsibility of the privacy/security department

22 Why is user activity monitoring important? While external aiackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destruc9ve and insidious. Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organiza9ons today, up 22 percent since the first survey. (Larry Ponemon, Chairman of Ponemon Ins9tute)

23 What does the audit log tell you? Date Provide a precise date for organizations to see who has accessed patient information Time Provide a precise time for organizations to see who has accessed patient information 5 Core Audit Log Attributes User Provide a clear definition of all user access within organizations, to know who has data privileges Patient Maintain record of all authorized and unauthorized access to specific patient information Action Must be recorded when health information is viewed, created, modified, exported, or deleted

24 Full Review vs Partial Review The Facts: " Auditing takes so many resources and so much time it is near impossible to do manually. The Math: " Time for auditing 1 line: ~15 seconds Event correlation - Is this specific activity permitted? Users of the EHR: Staff, HIE, Vendors, etc. " Calculations for level of effort*: Average daily audit log: ~ 3560 lines per provider (3 to 4 staff) Range Day Week Month Year 100 % hours hours hours 3,559 hours 80% ,846 20% " 100% review by use of trained staff and an automated incident detection tool is the NIST standard** * Calculations using 20 business days in a month ** NIST SP use trained staff and tool to review 100% logs

25 The method of auditing audit logs Basic audi9ng methods These methods will only be allow you to detect large security incidents Examples: 1. Abnormal 9mes of access: Accessing records during non- standard hours for that par9cular user 2. Abnormal number of pa9ent records accessed per user: Seeing a spike of 100 pa9ents vs the average 20 that par9cular user sees per day 3. Abnormal exports or dele9ons of informa9on

26 The method of auditing audit logs Advanced audi9ng methods (known as Behavioral Analy9cs) These methods will allow you to detect smaller security incidents Examples: 1. Role based behavior: Authorized uses of PHI by role (Physicians, Nurses, Medical Assistants, Administrators, etc.) 2. Individual behavior: Tracking of individual user s paierns of behavior i. A medical assistant working in the front office accesses the system in a different way (check- in/check- out procedures) than a medical assistant working in the back office (documen9ng vital signs) ii. Individuals may only be allowed to work in a single department, where other individuals float from department to department having mul9ple roles and responsibili9es within the organiza9on 3. Pa9ent Workflow: Tracking of the documented order of events as a pa9ent navigates through the office

27 How do I demonstrate compliance? A sound policy and procedure for audi9ng user ac9vity (reviewing of audit logs) outlining a clear methodology Frequency and 9meliness of review, as well as to the extent they are reviewed A documented history of reviewed audit logs as well as security incident tracking reports (outlining all suspicious security incidents you ve flagged for further inves9ga9on) A sound policy and procedure for an incident response plan outlining how you respond to suspicious security incidents Timeliness to no9fy/interview key personnel as well as the individual responsible Who to contact and steps to take in the event that the flagged incident is in fact a Privacy Breach A documented history of your inves9ga9on of flagged incidents, the results of you inves9ga9on, and the response taken (enforcing sanc9on policies or staff re- educa9on as needed) Educa3on to workforce members and 3 rd par9es that have access to your systems must be made aware that their ac9vity is con9nuously monitored Must be made a aware that they must comply to any further inves9ga9on needed by the Security Officer(s) Are subject to Sanc3on Policies in the event that they have caused a privacy breach

28 From an auditors perspective You want to demonstrate your ability to find poten9al security incidents regardless if they were a privacy breach or not It demonstrates your ability to enforce HIPAA Non- breaches gives you valuable informa9on of where security vulnerabili9es may exist Ater the inves9ga9on leads you to believe that the incident does not cons9tute a privacy breach, ask yourself had the individual had malicious intent, could they have caused a breach Rou9ne inves9ga9ons with staff members also serves as a means to re- educate and reinforce your security posture Your ability to immediately iden9fy a breach AND immediately respond to it (within 30 days) works in your favor should you be faced with an OCR inves9ga9on The use of an automated security system that reviews ALL access to ephi is your best defense The audit log review remains impar9al and allows for automa9c documenta9on

29 Case Study Cedars- Sinai Medical Center, Los Angeles (June 18 th - 24 th ) Medical Record Breaches Following Kardashian Birth Reveal an Ongoing Issue An automated security system was in place and immediately flagged this ac9vity for review The internal inves9ga9on and breach no9fica9on process occurred immediately ater the event took place. 5 staff members and 1 volunteer from the adjacent Cedars- affiliated physician offices were immediately fired Physicians had shared with their employees their EHR usernames and passwords to access the hospital system, in viola9on of hospital policy. Cedars is in the process of addressing the conduct of the physicians partly at fault and has indefinitely terminated their access. How will they fair during the OCR inves9ga9on?

30 Affirmative Defense and Good Faith Effort " The OCR may not impose a CMPs on a CE or BA for a viola9on if the CE or BA establishes that the viola9on is: Not due to willful neglect; and Corrected during the 30- day period beginning on the first date the CE or BA knew, or by exercising reasonable diligence, would have know that the viola9on occurred. " However, in order to make a claim to affirma9ve defense, you must be able to quickly detect breaches in the first place.

31 Re-evaluating Your Current Security Posture " Top factors that lower overall costs as it relates to minimizing/mi9gated breaches 1. Strong security posture (risk management and educa9on/training) 2. Incident response plan (incident detec9on/ inves9ga9on and breach no9fica9on) 3. Appointment of a CISO or equivalent posi9on (centralizing the management of data protec9on) 4. Consultants engaged to help remediate the breach

32 Automated EHR-Centric Breach Detection Impartial vs. Manual Log Review HIPPA Compliance Audit Log Requirement Six (6) Year Activity Reporting (b)(2)(i) Self Reporting & Document Storage Time Savings (more patient focused) Proactive Incident & Breach Detection Improved HIPAA Reporting Accuracy Compliments EHR Security Framework

33 To learn more about SPHER please visit: Stephen Salinas Channel Manager All Medical Solutions Contact Data Tel: (310) Fax: (310)

34 HIPAA Compliance HITECH Attestation Omnibus Rule Ready Meaningful Use Core Measure 15 Free Demo and 15 Day Evaluation group.com HIPAA Hotline HIPAA