HIPAA Privacy and Security Requirements

Transcription

1 600 East Superior Street, Suite 404 I Duluth, MN I Ph or I HIPAA Privacy and Security Requirements Joe Wivoda CIO and HIT Consultant June 19, 2013

2 Purpose The National Rural Health Resource Center is a nonprofit organization dedicated to sustaining and improving health care in rural communities. As the nation s leading technical assistance and knowledge center in rural health, The Center focuses on five core areas: Performance Improvement Health Information Technology Recruitment & Retention Community Health Assessments Networking

3 Introduction B.S. and M.S. in Physics, Ph.D (ABD) in Business Administration Computational Physics and Computer Modeling Innovation Process and Management of Technology Worked as CIO/Director of IT for several hospitals and systems, exclusively in rural and Critical Access HIT Consultant for MN/ND REC, HIT Network Grantees, TASC, and other programs

4 Some Interesting Facts Since 2009 there have been 615 reported breaches affecting over 500 people 22 Million patients affected Want to know who lost the data? We can look it up, AND they had to notify the local media (newspaper, television, etc)

5 Hackers? How was this data lost? Yes, but only 7% Unauthorized Access? Yes, but only 3% The winner is Theft and Loss at 46%! Data from ml

6 1.5% EMR 12% Laptops - 11% Servers - 12% Where was the data? BIG winner is Backup media at 30%! Data from

7 What does this mean? We need to be good stewards of the data If banking industry had as many breaches, how would we feel about banking online? There are simple ways to protect the data Meaningful Use (HiTech Act) places requirements on annual HIPAA Risk Assessments. We need to make this an ongoing activity!

8 Intro to HiTECH Requirements Breach notification Breaches of unsecured PHI must be provided to each affected individual within 60 days at the latest. PHI is considered unsecured unless it is rendered unusable, unreadable, or indecipherable to unauthorized users (encrypted or shredded). Breaches over 500 individuals? Notify prominent local media.

9 Intro to HiTECH Requirements Breach notification Breaches of unsecured PHI must be provided to each affected individual within 60 days at the latest. PHI is considered unsecured unless it is rendered unusable, unreadable, or indecipherable to unauthorized users (encrypted or shredded). Breaches over 500 individuals? Notify prominent local media.

10 Intro to HiTECH Requirements (cont) Business Associate Agreements HIPAA now applies DIRECTLY to business associates. All BAAs will need to be updated with new language (security compliance, breach notification, etc). All the provisions you fall under, your BAs now fall under, including random audits (coming soon to a covered entity near you!)

11 Risk Assessment Overview Conduct or review a security risk analysis and correct identified security deficiencies as per 45 CFR cfr pdf There are several tools that can help you keep track or perform the risk assessment Horse s mouth:

12 Risk Assessment Overview: IT Focus Administrative Safeguards Business associate agreements Policies for downtime, passwords, access, access termination Role-based security Auditing policies Malicious software and repeated login attempts policies Security incident response Contingency plans and periodic testing Backup policies Identify critical systems and grade them

13 Risk Assessment Overview: IT Focus (cont) Physical Safeguards Policy on access to computer equipment Documentation of repairs and changes Final disposition of EPHI

14 Risk Assessment Overview: IT Focus (cont) Technical Safeguards Unique name or number for individuals Session timeout EPHI encryption policy Audit controls Backups and recovery

15 Auditing Policies Auditing of access to patient data is a requirement of HIPAA There are several ways to do this effectively High profile patients Random employee Random patient Patient/employee last name matches During monthly tracers

16 How to get started A team should be assembled for the risk assessment this is NOT an IT or HIM project! Security officer Privacy officer HIM Nursing Others Follow the NIST toolkit

17 What you need to focus on Business Associates Update language to contain HiTech requirements Check your list of BAs (or create one) Renew agreements Update policies and procedures for privacy and security requirements Should be reviewed annually Auditing access to patient data Perform a security risk assessment

18 Backups What IT needs to focus on Do you store off site? Are they encrypted? Server room and network closets Secure? Protected from fire, water, power failure, and other threats? Encryption Everyone will need an encryption solution Where will you need encryption? Securing mobile devices Moving target Understand your devices, and expect that they will change! Security holes Firewall, external entities, vendors (especially billing), employees

19 Encryption All devices do NOT need encryption Myths and Facts You do not need to encrypt on the wire! Tapes are not required to be encrypted, but it may be a good idea Disaster recovery You need to have a contingency plan Disaster recovery, as part of the contingency plan, should be enough information to get you up and running Rely on your vendor as much as possible, do expect that you will need to reinstall your EHR without their help Need for a hot site Not required by the regulations May be a good idea Consider the likelihood of each threat, and balance against the cost

20 Useful Web Sites NIST Security Rule Toolkit HiPAA Collaborative of Wisconsin Rural Assistance Center HIT Toolkit Privacy and Security section

21 Joe Wivoda CIO and HIT Consultant National Rural Health Resource Center 600 East Superior Street, Suite 404 Duluth, MN (218)