HIPAA and HITECH Regulations


HIPAA and HITECH Regulations: Implications for Healthcare Organizations and their Business Associates
A Primer on Achieving Compliance, by KOM Networks

Contents

Preface
  Target audience
  Legal disclaimer
Executive Overview
  Overview of HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)
  Overview of HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)
  HITECH Act Overview
HIPAA & HITECH Compliance Requirements that Pertain to Security and Privacy of PHI in Electronic Storage Systems
  45 CFR Part 160 General Administrative Requirements
    Compliance reviews
    Responsibilities of covered entities and business associates
    Discovery
  45 CFR Part 164 Security and Privacy
    Security standards: General rules
      How KOMpliance Addresses these Requirements
    Administrative safeguards
      How KOMpliance Addresses these Requirements
    Physical safeguards
      How KOMpliance Addresses these Requirements
    Technical safeguards
      How KOMpliance Addresses these Requirements
  HITECH Act Compliance Requirements
    Standards for health information technology to protect electronic health information created, maintained, and exchanged
      How KOMpliance Addresses these Requirements
Conclusion
  How KOMpliance Can Help

Preface

Target audience

The target audience is healthcare professionals and their business associates, health information security specialists, compliance officers and CIOs in the healthcare industry and health-related organizations who are regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) to employ procedures and controls that ensure the confidentiality, integrity, authentication, non-repudiation, auditability and availability of electronic health information. This document can also be used as a reference by professionals in health information management, as well as all individuals working in medical practices and healthcare organizations.

Legal disclaimer

This document is meant to be used as a reference document only. The reader is responsible for ensuring his or her own compliance with legal requirements. It is the reader's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the reader's business and any actions the reader may need to take to comply with such laws. KOM Networks does not provide legal advice or represent or warrant that its products or services will ensure that the reader is in compliance with any law.

Executive Overview

On August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed. Section 1173(d) of the Act provides that covered entities that maintain or transmit health information are required to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of Protected Health Information (PHI) and to protect against any reasonably anticipated threats or hazards to the security or integrity of PHI and its unauthorized use or disclosure. These safeguards must ensure compliance with the statute by the officers and employees of the covered entities. The law applies to healthcare providers, health insurance businesses (insurers and other payors), healthcare clearinghouses (organizations such as billing services that process health information), the business associates of healthcare practitioners, and employers who provide healthcare benefits. HIPAA authorizes both civil and criminal penalties, including significant fines and imprisonment for non-compliance. As of April 14, 2003 these non-compliance penalties came into effect.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), was signed into law on February 17, 2009, to promote the adoption of Electronic Health Records and meaningful use of Health Information Technology to improve patient outcomes. Subtitle D of the HITECH Act addresses the privacy and security associated with the electronic handling of health information through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

This Primer lists selected HIPAA and HITECH requirements specific to the storage, retention and protection of electronic health data and provides a brief write-up on KOM Networks' secure storage solution. Each requirement is followed by a brief explanation of how the capabilities and features of KOMpliance Secure Storage, inclusive of KOMworx enterprise data management software, assist the storage administrator, IT staff and compliance officer to meet or exceed these regulations.

Overview of HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Each covered entity must assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current, and must include, at a minimum, the following requirements and implementation features:

- Administrative procedures to guard data integrity, confidentiality, and availability (documented, formal practices to manage the selection and execution of security measures to protect data, and to manage the conduct of personnel in relation to the protection of data). These procedures include the following requirements:
  - Data backup plan (a documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information).
  - A disaster recovery plan (the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure).

  - Formal mechanism for processing records (documented policies and procedures for the routine, and non-routine, receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information).

While implementation specifications may be addressable or required, HHS has made it clear that it does not regard the addressable implementation specifications as optional. A covered entity must assess whether each implementation specification is an appropriate safeguard in its environment for protecting its electronic PHI. If implementing an addressable specification is found not to be reasonable and appropriate, the covered entity must document why and implement an equivalent alternative measure.

Overview of HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)

The Privacy Rule standards address the use and disclosure of individuals' health information (PHI) by covered entities. The goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. The health care marketplace is diverse, so the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

HITECH Act Overview

The HITECH Act seeks to improve American health care delivery and patient care through a significant investment in Health IT. The HITECH Act, as part of the American Recovery and Reinvestment Act of 2009 (ARRA), contains financial incentives for the creation of a national health care infrastructure designed to accelerate the adoption of electronic health record (EHR) systems among providers. The HITECH Act also widens the scope of privacy and security protections available under HIPAA and increases the potential legal liability (with a maximum penalty of $1.5 million) for non-compliance while calling for rigorous enforcement. Furthermore, HIPAA's civil and criminal penalties now extend to business associates and, finally, HHS is now required to conduct periodic audits of covered entities and business associates.

The HITECH Act imposes the following requirements:

- Application of HIPAA security and privacy provisions and penalties to business associates of covered entities.
- Notification of Breach of Unsecured PHI (Unsecured PHI essentially means Unencrypted PHI): the Act requires notification to patients, HHS, if the breach impacts 500+ patients, and in some instances the local media.
- Electronic Health Record Access: the Act requires an Accounting of Disclosures over a 3-year period to be available to patients who request it.
- Improved enforcement of penalties for non-compliance.

HIPAA & HITECH Compliance Requirements that Pertain to Security and Privacy of PHI in Electronic Storage Systems

45 CFR Part 160 General Administrative Requirements

Compliance reviews

(a) The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect.
(b) The Secretary may conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions in any other circumstance.

Responsibilities of covered entities and business associates

(a) Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.

Discovery

(a) A party may make a request to another party for production of documents for inspection and copying that are relevant and material to the issues before the Administrative Law Judge.
(b) For the purpose of this section, the term "documents" includes information, reports, answers, records, accounts, papers and other data and documentary evidence. Nothing contained in this section may be interpreted to require the creation of a document, except that requested data stored in an electronic data storage system must be produced in a form accessible to the requesting party.
(e)(1) When a request for production of documents has been received, within 30 days the party receiving that request must either fully respond to the request, or state that the request is being objected to and the reasons for that objection.

How KOMpliance Addresses these Requirements

All files (whether they are data, images, audit logs, compliance reports, etc.) stored in a KOMworx secure storage volume are readily available on the network and fully accessible by authorized users and applications. Legal Holds can be set to enforce retention to comply with court and legal audits and proceedings. A Legal Hold does not change the retention expiry date; it merely ensures that expired files cannot be destroyed, in accordance with legal and litigation requirements. At any time, KOMpliance supports the ability of authorized administrators to print or copy files to the media of their choice for compliance reviews or discovery purposes.

45 CFR Part 164 Security and Privacy

Subpart C Security Standards for the Protection of Electronic Protected Health Information

Security standards: General rules

(a) General requirements. Covered entities and business associates must do the following:
(a)(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(a)(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(a)(3) Protect against any reasonably anticipated uses or disclosures of such information.
(a)(4) Ensure compliance with this subpart by its workforce.

How KOMpliance Addresses these Requirements

KOMpliance security settings identify users and ensure that only those with appropriate privileges are allowed access to data in a KOMworx secure storage volume. KOMpliance Privacy Shield security enforces the strictest controls, preventing anyone (user, application, virus or intruder) from walking through the secure volume contents. Each KOMpliance volume is encrypted for data privacy, meeting all data-at-rest security requirements and protecting data from unauthorized access. KOMpliance's patented eworm technology ensures that archived files remain quickly accessible to authorized users or applications but cannot be modified, altered or deleted by internal or external threats, either intentional or accidental.

Administrative safeguards

(a) A covered entity or business associate must, in accordance with :

- (a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
- (a)(1)(ii)(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a).
- (a)(1)(ii)(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- (a)(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
- (a)(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information.
- (a)(4)(ii)(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
- (a)(5)(ii)(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
- (a)(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
- (a)(7)(ii)(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
- (a)(7)(ii)(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
- (a)(7)(ii)(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

How KOMpliance Addresses these Requirements

KOMworx File Lifecycle policies automatically enforce protection and retention policies according to your Security and Risk Management processes to manage, control and preserve files from creation until destruction. Our policy engine provides a flexible and responsive method of defining and maintaining file retention and protection policies that can adapt on the fly to changes in requirements without requiring any application modifications or database re-indexing. The appropriate file protection policies are assigned instantaneously, on a file-by-file basis, independent of the physical storage location, and enforced from the moment the files are created until they are eligible to be destroyed. This unique capability transparently secures the files immediately and eliminates the window where a file may reside in an unsecured state pending the actual archival process.

KOMpliance enforces all Active Directory Services, all group policies and ACLs. Defined security policies are applied to all relevant files and folders in the KOMworx secure storage volume, enforcing access rules and limiting file and folder access to only authorized users and applications. AES-256 encryption is applied to every file to keep its contents private and prevent tampering with the time stamp. KOMpliance has the ability to block visibility and securely prohibit access to files, making them private and accessible only to applications that know the actual full file name and path.

KOMpliance automatically enforces no-bypass protections, such as Read-Only, on an individual file basis to ensure that files and directories cannot be modified, altered, or overridden in any way, not even by a file's creator/owner or a privileged user. KOMpliance validates each operation to determine whether it is allowed or disallowed. This unique method of enforcement immunizes the data against any and all viruses that could normally affect the integrity of the data. If a virus were able to get past the anti-virus software, it would be inhibited from execution. On the other hand, if the virus were stored outside the virtual volume, it would not be able to affect any of the protected and retained data. KOMpliance complements the perimeter protection provided by anti-virus packages by independently enforcing the protection policies against viruses and processes that corrupt, overwrite, or manipulate existing files and their contents. Nothing else comes close to protecting existing data against brand new viruses.

KOMpliance supports file replication to all industry-leading storage, backup and archiving technologies (HD, CD, DVD, MO, UDO, tape, etc.) to address data backup plans. KOMpliance can provide a complete duplicated remote system by provisioning the storage mirror at a remote site to a second KOMpliance storage server as part of a comprehensive disaster recovery plan and emergency mode operation plan in compliance with HIPAA requirements.
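The retention, read-only and Legal Hold semantics described in this section and in the Discovery section above (retention runs from file creation; a retained file cannot be written, even by its owner or an administrator; a Legal Hold blocks destruction without moving the expiry date; retention can be extended when it is reached) are easiest to reason about when written down as an explicit policy check. The Python below is an added example for that purpose; it is not KOM Networks code and does not reflect how KOMpliance or KOMworx implement their policy engine. The operation names, the rule that retention may be lengthened but never shortened, and the sample file are all assumptions made for the example.

```python
"""Retention / legal-hold policy check (added example, not KOM Networks code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ProtectedFile:
    path: str
    created: datetime        # retention clock starts at creation, not at archival
    retention_days: int
    legal_hold: bool = False

    @property
    def retention_expires(self) -> datetime:
        return self.created + timedelta(days=self.retention_days)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so every timestamp in the example is timezone-aware UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def allowed(f: ProtectedFile, op: str, now: datetime) -> bool:
    """Decide whether `op` on a retained file is permitted at time `now`.

    Assumed rules for this example:
      - read:   permitted (the caller is assumed to be already authorized);
      - write / rename / overwrite: never permitted, with no bypass for owner or admin;
      - delete: only once retention has expired AND no legal hold is set.
    """
    if op == "read":
        return True
    if op in ("write", "rename", "overwrite"):
        return False
    if op == "delete":
        return now >= f.retention_expires and not f.legal_hold
    raise ValueError(f"unknown operation {op!r}")


def enforce(f: ProtectedFile, op: str, now: datetime) -> None:
    """Raise instead of returning False, for callers that sit on the write path."""
    if not allowed(f, op, now):
        raise PermissionError(f"{op} on {f.path} denied by retention policy")


def set_legal_hold(f: ProtectedFile, on: bool) -> datetime:
    """A hold blocks destruction but leaves the expiry date untouched; return it to prove that."""
    f.legal_hold = on
    return f.retention_expires


def extend_retention(f: ProtectedFile, new_days: int) -> None:
    """Retention may be lengthened when it is reached, never shortened (assumed rule)."""
    if new_days < f.retention_days:
        raise ValueError("retention cannot be shortened")
    f.retention_days = new_days


def sample_file() -> ProtectedFile:
    # Constructed record: created 2013-01-01, retained seven years.
    # 2556 days covers 2013-2019 including the 2016 leap day, so expiry is 2020-01-01.
    return ProtectedFile("patients/0001/visit.pdf", utc(2013, 1, 1), 2556)


def run_scenario() -> dict:
    """Walk one file through its lifecycle and report each policy decision."""
    f = sample_file()
    before = allowed(f, "delete", utc(2015, 6, 1))          # still inside retention
    expiry = f.retention_expires
    after = allowed(f, "delete", utc(2020, 1, 1))           # retention reached
    expiry_under_hold = set_legal_hold(f, True)             # litigation hold applied
    held = allowed(f, "delete", utc(2020, 1, 1))
    set_legal_hold(f, False)
    extend_retention(f, 3650)                               # decision: keep ten years instead
    extended = allowed(f, "delete", utc(2020, 1, 1))
    return {
        "delete_before_expiry": before,
        "delete_after_expiry": after,
        "delete_under_hold": held,
        "expiry_unchanged_by_hold": expiry_under_hold == expiry,
        "delete_after_extension": extended,
    }


if __name__ == "__main__":
    for decision, value in run_scenario().items():
        print(f"{decision}: {value}")
```

The point of keeping `allowed` as a pure function of (file, operation, time) is that the same decision can be enforced on the storage path and replayed later from the audit trail to show a reviewer why a deletion was refused on a given date.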

Physical safeguards

- (a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
- (d)(2)(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
- (d)(2)(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
- (d)(2)(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

How KOMpliance Addresses these Requirements

Because data on the KOMpliance secure storage volume is encrypted, access to that data is prohibited even if the physical drive is accessed. Write-once (WORM) file protections also protect the data from being deleted before the assigned retention is up and, finally, data redundancy on the RAID arrays further protects against the loss of data if a hard drive fails. When policy-based file retention has been reached, a KOMpliance-protected file is eligible for extension of retention or secure destruction. If destruction is decided, KOMpliance can enforce NIST-compliant erasure of sensitive data by overwriting each bit seven times with 1's and 0's so that no disk discovery is possible. An online retrievable exact copy of ePHI can easily be created with built-in file replication to any compliant storage technology available. KOMpliance can also provide a complete duplicated remote system by provisioning the storage mirror at a remote site to a second KOMpliance storage server.

Technical safeguards

- (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).
- (a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
- (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
- (c)(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

How KOMpliance Addresses these Requirements

Security and access policies are applied to all relevant files and folders in the KOMworx secure storage volume, limiting file and folder access to only authorized users and applications. KOMpliance also has the ability to block visibility and securely prohibit access to files, making them private and accessible only to applications that know the actual full file name and path. KOMpliance integrates readily with Active Directory, enforcing all Active Directory Services, all group policies and ACLs. AES-256 encryption is applied to every file to keep its contents private and prevent tampering with the time stamp.

KOMpliance tracks the changes made when a file is accessed: who created the file, when it was created, and who accessed it. Changes are date and time stamped. A log is created and maintained and provides a history of changes for quick audit. Audit reports can be submitted in paper or electronic form for system review and HIPAA audits.

Appropriate file protection policies are enforced instantaneously, on a file-by-file basis, from the moment the files are created until they are eligible to be destroyed. Transparently securing the files immediately eliminates any window in which a file could reside in an unsecured state pending the actual archival process. No-bypass protections, such as eworm and Read-Only, ensure that protected files and directories cannot be modified, altered, deleted, or overridden in any way, even by a file's creator/owner or a privileged user.

Individual archive volumes can be uniquely authenticated using SHA-256 digital signatures to ensure the highest level of data integrity and authenticity. Writes are verified by hardware to ensure that the committed buffers are identical. The final phase of the commit process validates and compares the entire contents of the archive storage volume with the original contents. KOMworx creates a digital signature that is used to validate and compare the archive volume contents with the original image. KOMworx provides a WORM digital signature validation capability. This provides a complete validation of the accuracy of the recording process and guarantees the integrity of the contents. A built-in secure-time facility enforces retention without any deviation in time periods.

HITECH Act Compliance Requirements

Standards for health information technology to protect electronic health information created, maintained, and exchanged

(a) Encryption and decryption of electronic health information. (1) General. A symmetric 128-bit fixed-block cipher algorithm capable of using a 128, 192, or 256-bit encryption key must be used.
(b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, deleted, or printed; and an indication of which action(s) occurred must also be recorded.
(c) Verification that electronic health information has not been altered in transit. Standard. A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit. The secure hash algorithm (SHA) used must be SHA-1 or higher.

How KOMpliance Addresses these Requirements

KOMpliance volume data security incorporates the Advanced Encryption Standard with 256-bit keys (AES-256 encryption) to enforce privacy and prevent date tampering as required by HITECH. KOMpliance tracks the changes made when a file is accessed: who created the file, when it was created, and who accessed it. Changes are date and time stamped. A log is created and maintained and provides a history of changes for quick audit. A Secure Hashing Algorithm (SHA-256) digital signature is used for data authentication.
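Requirements (b) and (c) above, together with the audit-control and integrity-mechanism standards from the Technical safeguards section, describe concrete mechanics: an audit entry carrying date, time, patient identification, user identification and the action, and a SHA hash computed before transmission and checked after it. The Python below is an added example of both; it is not KOM Networks code and says nothing about how KOMpliance or KOMworx record their logs or sign their volumes. Requirement (a), the block cipher, is not shown because the Python standard library has no AES. The example also goes one step beyond the page in two places, both labelled as assumptions in the code: a keyed HMAC-SHA256 tag alongside the bare SHA-256 digest, because a bare digest sent next to the data detects accidental corruption but not alteration by someone who can also replace the digest, and a hash chain over the audit log so that editing an earlier entry is detectable on review. The user and patient identifiers, timestamps and key are constructed values.

```python
"""HITECH-style audit records and SHA-256 transit verification (added example, not KOM Networks code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

ACTIONS = {"create", "modify", "delete", "print"}   # the four actions named in requirement (b)


def audit_record(action: str, user_id: str, patient_id: str, when: datetime) -> dict:
    """Build one audit entry with the fields requirement (b) lists."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    when = when.astimezone(timezone.utc)
    return {
        "date": when.date().isoformat(),
        "time": when.strftime("%H:%M:%S"),
        "patient_id": patient_id,
        "user_id": user_id,
        "action": action,
    }


def encode(record: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so the hash does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    # constant-time comparison so the check does not leak how many leading bytes matched
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed variant (assumption beyond the page): whoever alters the data cannot re-tag it without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_hex)


class AuditLog:
    """Append-only log where each entry hashes the previous entry's hash (assumption beyond the page)."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = sha256_hex(prev.encode() + encode(record))
        self.entries.append({"record": record, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or not verify_sha256(prev.encode() + encode(entry["record"]), entry["hash"]):
                return False
            prev = entry["hash"]
        return True


def sample_record(action: str = "create") -> dict:
    # constructed identifiers and timestamp
    return audit_record(action, "dr.smith", "PAT-0001", datetime(2013, 6, 1, 14, 30, 5, tzinfo=timezone.utc))


def transit_check_demo() -> dict:
    """Constructed scenario: sender hashes a record, the record is altered in transit, receiver checks it."""
    rec = sample_record("modify")
    sent = encode(rec)
    sent_hash = sha256_hex(sent)
    key = b"constructed-shared-key-not-for-production"
    sent_tag = hmac_sha256_hex(key, sent)
    tampered = encode({**rec, "user_id": "someone.else"})
    return {
        "intact_ok": verify_sha256(sent, sent_hash),
        "tampered_ok": verify_sha256(tampered, sent_hash),
        # a bare digest is only as trustworthy as the channel it arrived on:
        "tampered_with_recomputed_digest_ok": verify_sha256(tampered, sha256_hex(tampered)),
        "tampered_hmac_ok": verify_hmac(key, tampered, sent_tag),
    }


if __name__ == "__main__":
    print(json.dumps(transit_check_demo(), indent=2))
```

The `tampered_with_recomputed_digest_ok` result is the reason for the HMAC: SHA-256 alone satisfies the letter of requirement (c) for detecting accidental corruption, but on an untrusted path the digest has to be delivered separately (or signed) or replaced by a keyed tag.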

Conclusion

Healthcare organizations are finding it challenging to manage the surge of new patient data resulting from the combination of meaningful use initiatives and implementation of electronic health record (EHR) technology, HIPAA and HITECH requirements for retention, protection and preservation of PHI, and the additional storage needs for higher-resolution digital images from disparate image silos. HIPAA and HITECH require that healthcare covered entities and their business associates implement measures to ensure the integrity and security of private health information, with a wide range of mandated retention policies based on the type of information and its use. The bottom line is that PHI must be securely locked down in such a way that only authorized systems and users are provided access, and information must be protected from modification, theft, loss or deletion throughout the data retention period, or a covered entity can face hefty fines along with embarrassment and loss of reputation.

How KOMpliance Can Help

KOMpliance is Secure Storage that TRULY adapts to your needs. The flexibility you get with KOMpliance is unmatched by any other storage vendor. KOMpliance can easily be deployed as a Network Attached Secure Storage Server with SAS/SATA RAID storage arrays; as a Secure SAN Gateway in front of ANY iSCSI or FC SAN backend to leverage existing storage investments; or as a Virtual Secure Storage Subscription, an ideal solution for regulatory compliance, data retention, and security in virtualized environments, where you can simply create a secure vault by installing the KOMpliance software on a Windows 2008 R2 Virtual Server. KOMpliance offers a cost-effective way to upgrade levels of security, protection, retention, and regulatory compliance utilizing what you already have and what you already know.

A highly scalable, secure, and cost-efficient storage platform for healthcare IT and EHR applications, enabling covered entities and their business associates to:

- Protect existing IT investments
- Reduce storage costs
- Mitigate risk and liability
- Improve information access
- Easily protect ePHI to fully meet HIPAA & HITECH compliance

KOMpliance takes the complexity out of HIPAA and HITECH regulations with a simple, affordable, vendor-neutral WORM storage solution. With KOMpliance you can automate long-term retention, access, and security across a variety of content types; leverage your existing applications and storage infrastructure; and enable absolute protection of data on the most appropriate tier of storage. The result is a tamperproof data storage repository that minimizes the financial impact of data growth and compliance. For further information on compliance solutions for healthcare and life sciences, contact +1 (613) , info@komnetworks.com or visit our website.

KOM Networks is a world-leading provider of flexible, secure, tamper-proof data archiving and storage management software and solutions. Over 10,000 of the world's leading corporations have recognized KOM Networks as the most logical, unobtrusive and secure way to store, access and protect their data. KOM is enabling enterprises large and small a cost-effective way to improve productivity and meet compliance requirements without altering their network infrastructure or daily business routines. The industry pioneer holds vital industry patents for electronic file lifecycle management, virtual file management and eworm fixed-content hard disk archiving. Find out how KOM Networks can help you implement a comprehensive information lifecycle solution to optimize your existing storage environment and meet your compliance requirements. Contact us at sales@komnetworks.com or visit our website for more information.

CANADA: KOM Networks Inc., 150 Katimavik Rd, Suite 1000, Ottawa, ON K2L 2N2.
USA: 20 Trafalgar Square, Suite 450, Nashua, NH.

Copyright 2013 KOM NETWORKS. All Rights Reserved. U.S. PATENTS No. 6,349,294; 6,336,175; 6,438,642; 6,370,545; 6,546,384; 7,076,624; 6,654,864; 7,392,234; 7,536,524; 8,234,447. CDN PATENTS No. 2,270,651; 2,270,698; 2,308,681; 2,279,759; 2,393,787; other patents pending in the United States, Canada and/or other countries. KOM Networks, KOMpliance, OptiServer, OptiStorm, KOMworx, Shieldworx, OptiFile are registered trademarks of KOM Networks in the U.S.A., Canada and elsewhere. All other brands and product names are registered trademarks or trademarks of their respective owners. Technical information in this document is subject to change without notice.


More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

ITS HIPAA Security Compliance Recommendations

ITS HIPAA Security Compliance Recommendations ITS HIPAA Security Compliance Recommendations October 24, 2005 Updated May 31, 2010 http://its.uncg.edu/hipaa/security/ Table of Contents Introduction...1 Purpose of this Document...1 Important Terms...1

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

Krengel Technology HIPAA Policies and Documentation

Krengel Technology HIPAA Policies and Documentation Krengel Technology HIPAA Policies and Documentation Purpose and Scope What is Protected Health Information (PHI) and What is Not What is PHI? What is not PHI? The List of 18 Protected Health Information

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

Healthcare Management Service Organization Accreditation Program (MSOAP)

Healthcare Management Service Organization Accreditation Program (MSOAP) ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

An Effective MSP Approach Towards HIPAA Compliance

An Effective MSP Approach Towards HIPAA Compliance MAX Insight Whitepaper An Effective MSP Approach Towards HIPAA Compliance An independent review of HIPAA requirements, detailed recommendations and vital resources to aid in achieving compliance. Table

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Complying with 45 CFR 164 HIPAA Security Standards; Final Rule

Complying with 45 CFR 164 HIPAA Security Standards; Final Rule Complying with 45 CFR 164 HIPAA Security Standards; Final Rule Implement best practices by using FileMaker Pro 7 as the backbone of your HIPAA compliant system. By Todd Duell This final rule adopts standards

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

HIPAA Security Rule Compliance and Health Care Information Protection

HIPAA Security Rule Compliance and Health Care Information Protection HIPAA Security Rule Compliance and Health Care Information Protection How SEA s Solution Suite Ensures HIPAA Security Rule Compliance Legal Notice: This document reflects the understanding of Software

More information

Preparing for the HIPAA Security Rule

Preparing for the HIPAA Security Rule A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

ITUS Med Solutions. HITECH & HIPAA Compliance Guide

ITUS Med Solutions. HITECH & HIPAA Compliance Guide Solutions HITECH & HIPAA Compliance Guide 75 East 400 South Suite 301 - Salt Lake City - UT - 84111 (801) 505-9570 www.itus-med.com Email: info@itus-med.com HITECH & HIPAA Compliance HITECH and HIPAA

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Accelerating HIPAA Compliance with EMC Healthcare Solutions

Accelerating HIPAA Compliance with EMC Healthcare Solutions Accelerating HIPAA Compliance with EMC Healthcare Solutions A HealthCIO White Paper Sponsored by the EMC Corporation by Jonathan Bogen 2003 E-mail: Info@HealthCIO.com www.healthcio.com Accelerating HIPAA

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

The benefits you need... from the name you know and trust

The benefits you need... from the name you know and trust The benefits you need... Privacy and Security Best at Practices the price you can afford... Guide from the name you know and trust The Independence Blue Cross (IBC) Privacy and Security Best Practices

More information

Healthcare Insurance Portability & Accountability Act (HIPAA)

Healthcare Insurance Portability & Accountability Act (HIPAA) O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards

More information

White Paper. HIPAA-Regulated Enterprises. Paper Title Here

White Paper. HIPAA-Regulated Enterprises. Paper Title Here White Paper White Endpoint Paper Backup Title Compliance Here Additional Considerations Title for Line HIPAA-Regulated Enterprises A guide for White IT professionals Paper Title Here in healthcare, pharma,

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

HIPAA/HITECH Compliance Using VMware vcloud Air

HIPAA/HITECH Compliance Using VMware vcloud Air Last Updated: September 23, 2014 White paper Introduction This paper is intended for security, privacy, and compliance officers whose organizations must comply with the Privacy and Security Rules of the

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL August, 2013 HIPAA SECURITY REGULATION COMPLIANCE DOCUMENTS For (Practice name) (Street Address) (City, State, ZIP) Adopted (Date) 2 INTRODUCTION The federal

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum. For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.com 844-644-4600 This publication describes the implications of HIPAA (the Health

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

Security Framework Information Security Management System

Security Framework Information Security Management System NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! Introduction Several years ago we first published A White Paper for Health

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information