HIPAA Breaches, Security Risk Analysis, and Audits

Transcription

1 HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC

2 What cons?tutes PHI? HIPAA provides a list of 18 iden?fiers that cons?tute PHI. Any one of these iden?fiers in a dataset that could reasonably be used to iden?fy an individual is considered PHI. You must=

3 What is a Breach? Final rule defines breach to mean, generally, the unauthorized acquisi?on, access, use, or disclosure of protected health informa?on which compromises the security or privacy of such informa?on. Acquisi?on, Access, Use, or Disclosure of protected health informa?on (PHI) in a manner not permived under Subpart E of the Privacy Rule which compromises the security or privacy of the PHI

4 New - Breach Risk Assessment An acquisi?on, access, use, or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least four factors

5 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated

6 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated Entities should consider the type of PHI involved in the impermissible use or disclosure Is the information of more serious nature? Financial Data SSN, Credit Card number Clinical Data Consider the nature of the information and details it includes treatment plan, diagnosis, medical history information

7 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated Consider whether the unauthorized person who received the informa?on has obliga?ons to protect the privacy and security of the informa?on If in- house or within your BA, is it likely to be re- disclosed or impermissibly used If disclosed to an outside CE or BA who is bound by HIPAA

8 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated For example: If a laptop was stolen and later recovered and a forensic analysis shows that the PHI on the computer was never compromised, then probability of low risk In contrast, if envelopes were improperly labeled and PHI was mailed out to the wrong recipients then we can assume that the likelihood of it being viewed as high

9 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been miegated CEs and BAs should avempt to mi?gate the risks to the PHI following any impermissible use or disclosure CEs and BAs should consider the extent and efficacy of the mi?ga?on when determining the probability that the PHI has been compromised. Also acknowledge that the recipient of the informa?on will have an impact on whether the CE can conclude that an impermissible use or disclosure has been appropriately mi?gated.

10 Exclusions to Breach Uninten?onal- Applies to workforce members and BAs ac?ng under CE Made in good faith and under the scope of authority No further disclosures made Inadvertent- Authorized individuals at CE or BA to another Person or en?ty covered by the BA No further disclosures made Good Faith Belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such informa?on.

11 Dermatology Office Employee leaves usb flash drive in their car Thec breaks into vehicle and takes the flash drive It was never recovered.

12 Dermatology Office OCR inves?gated to find Prac?ce had not done a thorough security risk analysis ~2,200 individual records on the flash drive No policies and procedures surrounding breach no?fica?on Along with a correc?ve ac?on plan this prac?ce sevled with OCR on a $150,000 CMP Office for Civil Rights

13 ENT and Eye Prac?ce Personal laptop was stolen Contained pa?ent records along with research pa?ents 3,594 individual records in all

14 ENT and Eye Prac?ce OCR inves?gated to find Prac?ce had not done a thorough security risk analysis No policies and procedures surrounding safeguards for portable devices Along with a correc?ve ac?on plan this prac?ce sevled with OCR on a $1,500,000 CMP Included in this correc?ve ac?on plan is a 3 years of semi- annual repor?ng to HHS Office for Civil Rights

15 Managed Care Organiza?on Uses an technology company to lease business equipment Return a leased copy machine CBS Evening News was doing a report on data lec on copiers and finds theirs

16 Managed Care Organiza?on OCR inves?gated to find Prac?ce had not done a thorough security risk analysis No policies and procedures surrounding leased equipment Individual at 344,579 Along with a correc?ve ac?on plan this MCO sevled with OCR on a $1,215,780 CMP Office for Civil Rights

17 Breach Breakdown Other 13% Hacking 6% 45% Theft 22% Unauthorized Disclosure 10% Loss 4% Improper Disposal

18 Breach Breakdown Other 13% Hacking 6% How do you avoid this list? 45% Theft 22% Unauthorized Disclosure 10% Loss 4% Improper Disposal

19 Security Risk Analysis

20 Meaningful Use Objec?ve Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the encryp1on/security of data at rest and implement security updates as necessary and correct idendfied security deficiencies as part of risk management process

21 What is a Risk Analysis? Systema?c and ongoing process of: Iden?fying and examining poten?al threats and vulnerability to PHI Implemen?ng changes to make PHI more secure, then monitoring results Process should provide detailed understanding of risk to: confidendality, integrity, and availability of ephi

22 Why Conduct a Risk Analysis? Required component of Meaningful Use & HIPAA Iden?fy non- compliance of HIPAA and other rules and regula?ons Iden?fy threats and vulnerabili?es Iden?fy weaknesses that could result in unauthorized disclosures or breaches Improve processes when handling PHI

23 Step 1: System Characteriza?on Risk Analysis Steps Step 2: Threat Iden?fica?on Step 3: Vulnerability Iden?fica?on Step 4: Control Analysis Step 5: Likelihood Determina?on Step 6: Impact Analysis Step 7: Risk Determina?on Step 8: Control Recommenda?ons Step 9: Results Documenta?on

24 Step 1: System Characteriza?on Iden?fies which informa?on assets need protec?on based on cri?cality to the business and/or because ephi is processed, transmived, or stored on the system

25 Step 2: Threat Iden?fica?on Threat = Any poten?al event that can adversely impact organiza?onal opera?ons and assets involving protected health informa?on Maintain, Transmit, Process, Access Consider realis?c, probable human, environmental, and natural incidents that can have a nega?ve impact on an organiza?ons ability to protect ephi

26 Step 3: Vulnerability Iden?fica?on Vulnerability = Flaws or weaknesses in an informa?on system, system security procedures, internal controls, or implementa?on that could be exploited by a threat source. Develop a list of vulnerabili?es Focus on areas where ephi can be disclosed without proper authoriza?on, improperly modified, or made unavailable when needed.

27 Step 4: Control Analysis Determine if the implemented or planned security controls will minimize or eliminate risks to ephi

28 Step 5: Likelihood Determina?on Evaluate the likelihood/probability of a threat occurring that can cause or trigger an adverse event

29 Step 6: Impact Analysis Evaluate the impact/effect that an adverse event would have on an organiza?on if a vulnerability were exploited

30 Step 7: Risk Determina?on Risk = The poten?al impact that a given threat will exploit the vulnerabili?es of assets (such as an informa?on system) and thereby cause harm to an organiza?on. Assess level of risk to the organiza?on Risk is based off of values assigned to the likelihood and impact of a threat occurrence

31 Step 8: Control Recommenda?ons For iden?fied vulnerabili?es, evaluate what needs to be done to reduce the level of risk to the IT system and its data to an acceptable level

32 Step 9: Results Documenta?on Results Documenta?on is cri?cal in proving that the risk analysis was performed. The HIPAA Security Rule does not specify the type of documenta?on required. HIPAA requires documenta?on of the risk analysis to be retained for six years.

33 OCR HIPAA Audits

34 OCR Audits In addi?on to Meaningful Use Audits, you may also be audited by the Office of Civil Rights (OCR) for HIPAA compliance HITECH Act requires HHS to conduct periodic audits to ensure covered en??es and business associates are mee?ng HIPAA compliance requirements Office for Civil Rights

35 OCR Audits Pilot audit program completed Dec ini?al audits Audits concentrate on adherence to three rules: HIPAA Privacy Rule Security Rule Breach No?fica?on Rule Office for Civil Rights

36 Why Care About OCR Audit? Federal mandate Federal penal?es (up to $1.5 million) State fines Reputa?on risk Business risk Legal costs No?fica?on costs Increased number of breaches/avacks Loss of contracts Criminal and civil inves?ga?on

37 OCR Audit Protocol 169 total audit procedures 81 privacy audit procedures 78 security audit procedures 10 breach no?fica?on procedures

38 Auditee Selec?on Criteria Covered en??es of all sizes and types: Healthcare Providers Healthcare Plans Healthcare Clearinghouses Business Associates (subject to audits as of 2013) Random selec?on based on mul?ple factors: Public vs. Private Size (level of revenues/assets, # of pa?ents/employees, use of HIT) Affilia?on with other healthcare organiza?ons Geography Type of en?ty and rela?onship to pa?ent care

39 Types of En??es Level 1 Large provider/payer Use of HIT: extensive Revenues and/or assets greater than $1 billion Level 2 Level 3 Level 4 Large regional hospital systems Paper and HIT enabled work flows Revenues/assets between $300 and $1 billion Community hospitals, outpa?ent surgery, regional pharmacy Use of HIT: mostly paper- based Revenues between $50 and $300 million Small providers: provider prac?ces, community/rural pharmacy Use of HIT: livle or none Revenues < $50 million

40 Pilot Program: En?ty Size & Type Level 1 Level 2 Level 3 Level 4 Total Health Plans Healthcare Providers Healthcare Clearinghouses Total

41 Pilot Program: Findings HIPAA Rule Most Cited in Findings

42 Pilot Program: Findings Types of Privacy Rule Findings

43 Pilot Program: Findings Types of Security Rule Findings

44 Pilot Program: Findings Breach No?fica?on: 500+ Breaches by Type

45 Civil Monetary Penal?es (CMPs) ViolaEon Category Each ViolaEon All IdenEcal ViolaEons per Calendar Year Did Not Know $100- $50,000 $1,500,000 Reasonable Cause $1,000- $50,000 $1,500,000 Willful Neglect- Corrected $10,000- $50,000 $1,500,000 Willful Neglect- Not Corrected $50,000 $1,500,000

46 HIPAA Compliance/Enforcement *As of May 7, 2014 Total Complaints Filed (since 2003): 95,588 Total Cases Inves?gated: 32,611 Total Cases with Correc?ve Ac?on: 22,497 Total is now over $25.1 Million in Resolu?on Agreements & CMPs since 2008

47 What Now?? In 2013, OIG cri?cized OCR s enforcement of the HIPAA Security Rule as mandated by HITECH Business Associates will be subject to audits New audit protocol is in development OCR received permission to use collected CMPs to increase enforcement efforts

48 2015 Audits Common Audit Mistakes Failure to keep up with regulatory requirements No documented security program A reac?ve approach to audit Assump?ons regarding business associates agreements A checkbox approach to compliance

49 Are You Prepared? Leon Rodriguez, OCR Director Expects complaints to increase 90% in 2014 New Compliant Portal When asked about common mistakes by CEs: failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis (OCR) will leverage more civil penal?es in 2014

50 Kentucky REC Can Help! Kentucky REC offers the following services performed by AHIMA Cer?fied HIPAA Privacy & Security professionals: Security Risk Analysis addressing HITECH requirements for Meaningful Use Review of Administra?ve, Technical & Physical safeguards Remedia?on plan and?meline to eliminate or mi?gate iden?fied gaps HIPAA compliant sample policies Breach No?fica?on