HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer

Transcription

1 HIPAA LIAISON MEETING PRESENTAITON August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer

2 Current State of HIPAA Enforcement Content Contributor Abby Bonjean, Investigator Office for Civil Rights, Midwest Region Presentation to the Indiana Network for Privacy and Security on August 6, 2015

3 OCR & Enforcement Types of OCR Inquiries Complaint Investigations 45 C.F.R Compliance Reviews 45 C.F.R

4 OCR & Enforcement Overview of Investigative Process Notification and Data Request Covered Entity/Business Associate Response 45 C.F.R outlines responsibilities On-site Investigation Case Resolution No Violation or Voluntary Compliance Resolution Agreement (RA) and Corrective Action Plan (CAP) Civil Money Penalty (CMP)

5 OCR & Enforcement Security Rule cases Risk analysis Risk management plan o Evidence of implemented security measures Security incident report Breach cases Notices to individuals and media Evidence of corrective action

6 OCR & Enforcement Ask questions Response format Evidence = documentation Be forthcoming

7 Enforcement Statistics

8 Enforcement Statistics CY 2014 Resolution Agreements/Corrective Action Plans 7 RA/CAPs Total resolution amounts of $7,940,220 CY 2013 Investigated Complaints/Compliance Reviews 4,459 investigative closures 3,467 closed with corrective action

9 Breach Reports as of May 31, ,237 reports involving 500 or more individuals 1,281 as of 8/7/ ,434,323 Enforcement Statistics Over 173,000 reports involving fewer than 500 individuals 1,000,000 affected individuals

10 500+ by Location of Breach

11 500+ by Type of Breach

12 Statistics Incidents % of Total Individuals % of Total Total since ,434,323 Indiana % 79,737, % % 102,527, % TYPE OF INCIDENT Hacking % 105,397, % % 101,637, % Theft % 22,275, % % 334, % Improper Disposal % 816, % % 76, % Unauthorized Access % 258, % 2015 last one Loss % 398, % % 20, %

13 Statistics Incidents % of Total Individuals % of Total Laptops & Mobile Devices % 1,221, % % 2, % Desktops % 8,992, % % 136, % EMR % 6,802, % % 3,961, % Network Servers % 113,061, % % 101,115, % % 3,449, % % 535, % Paper % 2,232, % % 270, %

14 OCR Enforcement Cases o o o o o o o o o o o o Providence Health & Services ($100K) CVS Pharmacy ($2.25M) Rite-Aid ($1M) Management Services Organization of Washington ($35K) Cignet ($4.3M) Massachusetts General Hospital ($1M) UCLA Health Services ($865K) Blue Cross Blue Shield of Tennessee ($1.5M) Alaska Medicaid ($1.7M) Phoenix Cardiac Surgery, P.C. ($100K) Massachusetts Eye and Ear Infirmary ($1.5M) Hospice of North Idaho ($50K) o o o o o o o o o o o o o Idaho State University ($400K) Shasta Regional Medical Center ($275K) WellPoint ($1.7M) Affinity Health Plan ($1.2M) Adult & Pediatric Dermatology, P.C. of Massachusetts ($150K) Skagit County, Washington ($215K) QCA Health Plan, Inc. ($250K) Concentra Health Services ($1.725M) New York and Presbyterian Hospital ($3.3M) Columbia University ($1.5M) Parkview Health System ($800K) Cornell Prescription Pharmacy ($125,000) St. Elizabeth Medical Center ($218,400) *most recent

15 OCR Enforcement Cases St. Elizabeth Medical Center ($218,400) ephi stored in internet-based document sharing application Breach of unsecured ephi stored on former workforce member's personal laptop and USB flash drive Violations: o Risk Management o Response and Reporting o Impermissible Disclosure (2) Cornell Prescription Pharmacy ($125,000) Paper records left in an unlocked container on Cornell s premises Violations: o Safeguards o Privacy Rule Policies and Procedures o Privacy Rule Training

16 OCR Enforcement Cases Anchorage Community Mental Health Services, Inc. ($150,000) Malware compromised the security of ephi due to unpatched, unsupported software Violations: o Risk Analysis o Risk Management o Transmission Security Parkview Health System ($800,000) Parkview left 71 boxes of medical records in a retiring physician s driveway Violations: o Impermissible Disclosure o Safeguards

17 Common Compliance Issues Risk Analysis Identify all ephi Ongoing process Risk Management Mobile Devices Implement a policy Train workforce member

18 OCR & Enforcement Policies and Procedures 45 C.F.R , , (i)-(j) Revise as necessary to comply with applicable law and to address changes in business and workflow Should reflect an entity s environment

19 Responding to OCR Inquiries

20 OCR & Enforcement Name and contact information of individual designated to work with OCR Position statement Business Associate Agreement (if applicable) Policies and procedures Evidence of workforce training Training materials Workforce attendance Evidence of sanctions (if applicable)

21 OCR & Enforcement Security Rule cases Risk analysis Risk management plan Evidence of implemented security measures Security incident report Breach cases Notices to individuals and media Evidence of corrective action

22 Guidance and Compliance Tools

23 Guidance and Compliance Tools Revised Guide to Privacy and Security of Electronic Health Information HIPAA and Workplace Wellness Programs wellness/index.html HIPAA Privacy in Emergency Situations

24 Guidance and Compliance Tools HIPAA and Same-sex Marriage xmarriage/index.html Medscape Videos Your Mobile Device and Health Information Privacy and Security Understanding the Basics of HIPAA Security Risk Analysis and Risk Management ml

25 Guidance and Compliance Tools De-identification Guidance redentities/de-identification/guidance.html Guidance on Marketing: Refill Reminders redentities/marketingrefillreminder.html Guidance on Decedents redentities/decedents.html

26 Guidance and Compliance Tools Sample Business Associate Contract Language contractprov.html Security Rule Guidance Risk Analysis Guidance /rafinalguidancepdf.pdf NIST HIPAA Security Rule Toolkit NIST Guidelines for Media Sanitation FTC Guidance on Copier Data Security /index.html

27 Guidance and Compliance Tools Use a password or other user authentication. Install and enable encryption. Install and activate wiping and/or remote disabling. Disable and do not install file-sharing applications. Install and enable a firewall. Install and enable security software. Keep security software up to date. Research mobile apps before downloading. Maintain physical control of your mobile device. Use adequate security to send or receive PHI over public Wi-Fi networks. Delete all stored health information before discarding or reusing the mobile device.

28 Guidance Still to Come Omnibus Final Rule Breach Safe Harbor update Breach Risk Assessment tool Minimum Necessary More on Marketing More factsheets on other provisions Other Guidance Security Rule guidance updates

29 Box Health Accounts Technical Content Courtesy of Bob Flynn Manager of Cloud Services

30 Goal Identify the process that has been established for the use of Box at IU for health information including protected health information (PHI) 30

31 Background

32 Indiana University began working with Box, Internet2* and other university that were early adopters of Box since September, 2011 Schools included: Background University of Notre Dame; University of Michigan; Cornell University; Carnegie Mellon University; University of Illinois; University of California Berkeley Stanford University IU put Box into production in April,

33 Background Internet2 is a consortium which includes Industry, Research & Education Networks and Higher Education. All the universities listed above are members of the consortium which includes Indiana University. Higher Education 295 Research& Education Networks 42 Industry 85 Affiliates 70 33

34 Background Historically Indiana University had not offered a cloud service that was approved for data protected under HIPAA We have learned in the absence of an approved service, users will seek out alternatives to meet their needs Most of the time these services are less secure than those services offered by the university Once IU began to offer Box, it was clear Box needed to be vetted and approved for use with PHI as the IU HIPAA Affected Areas had a need for a secure cloud service 34

35 Background Internet2 began negotiations with Box to develop a business associate agreement for consortium members who were also covered entities such as: University of Michigan Indiana University 35

36 Background IU entered into a Business Associate Agreement with Box in August, 2014 Before the BAA was signed, The HIPAA Privacy and Security Officers made it clear more had to be done including: Develop a process to request & create secure Box Accounts Establish responsibilities at the account owner level Establish a procedure for the users to ensure the accounts & data remain secure 36

37 Background Vetting of use of Box for Health Data Multiple presentations to IU s Committee of Data Stewards; Presentation to Academic Health Center Privacy Group; Use of Health Box accounts was announced to the University Clinical Affairs Cabinet on July 15 th 37

38 The Process

39 The Process Box is inherently secure. Meets the technical security requirements under HIPAA We needed to identify how an individual responsible for the data to could manage: users' access to; and behavior with the data. 39

40 The Process A few things to bear in mind about Box Whoever owns the account (folder), is responsible for the data in the Box account. All settings flow down to subfolders. Invited collaborators only see the folder they are invited to and below. 40

41 The Process If you created a Research Health Data Account for your department: Main folder Name: [Box Health] Radiology Research Studies You may create subfolders that are specific research projects: [Box Health] Jackson Breast Cancer Study Team * 41

42 The Process Created special Box accounts Box Entrusted Data accounts Intended for use with Restricted Data Box Health Data accounts Required for use with health data such as PHI 42

43 The Process Created a process to request one of these accounts Create an account owned by the IU Box enterprise rather than an individual user Certain restrictions are placed on the account at the time it is created Establish two co-owners to administer the folders owned by the account These would be service accounts rather than personal accounts Administration and access to data is deliberate Activity audit trail remains 43

44 The Process Request for Box Health Data Accounts go through Clinical Affairs IT (CAITS) staff CAITS currently manages systems that host data protected under HIPAA Co-admins can ensure requestors adhere to the prescribed conventions and recommendations Requestors will get accounts in the Box folder structure managed by CAITS 44

45 The Process Based on specific business needs, CAITS co-admins will create the folder in the appropriate area of their folder structure Internal only IU collaborators External when collaboration with non-iu users is required Requestor is made co-owner of his/her own folder Trained on use Naming conventions Access management (inviting collaborators) Permission level based on need Permission level based on regulatory requirements 45

46 The Process Byproducts of this work: Box Entrusted Data Account. Intended for use with Restricted Data. They will not have the oversight of a Box Health Data Account Will utilize the same guidelines and recommendations to increase controls over sharing, desktop sync, etc. Established process that can be leveraged for other services 46

47 Additional Considerations

48 Additional Consideration Created Knowledge Base articles Update existing Knowledge Base articles Identify additional safeguards users must apply Access management Polices and procedures Attestation to Terms of Use Approvals for the use of data 48

49 KB Articles About Box at IU - What types of data are appropriate for my IU Box account? - At IU, how do I request a Box account for use with sensitive data? - Includes a link to the online form to request an account IU Health Data Account Request Form 49

50 KB Articles How do I securely set up my IU Box account? - Protecting sensitive data in Box - This article explains folder naming conventions Box acceptable use responsibilities