VERMONT2007. HIV Name-Based Reporting. Report to the Legislature on Act 73 (2007-08) January 15, 2008



Similar documents
SENATE DOCKET, NO. 176 FILED ON: 1/14/2015. SENATE... No The Commonwealth of Massachusetts PRESENTED BY: Marc R. Pacheco

BUSINESS ASSOCIATE AGREEMENT ( BAA )

HIPAA PRIVACY AND SECURITY AWARENESS

Health Information Privacy Refresher Training. March 2013

HIPAA and Privacy Policy Training

Why Lawyers? Why Now?

HIPAA BUSINESS ASSOCIATE AGREEMENT

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Introduction to HIPAA Privacy

HIPAA Update Focus on Breach Prevention

1. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE INFORMATION.

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Overview. Health Insurance Portability and Accountability Act of 1996 (PL )

HIPAA Privacy Rule CLIN-203: Special Privacy Considerations

HIPAA Privacy Regulations: Frequently Asked Questions

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

HIPAA Privacy at SCG...

State Enforcement of Privacy Laws. Phil Ziperman. Mark Pacella. Allen Brandt, CIPP/US, CIPP/E

H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

ASSEMBLY BILL No. 2036

HIPAA Privacy Summary for Fully-insured Employer Groups

Texas House Bill 300 & HIPAA. A MainNerve Whitepaper

HIPAA Security Rule Compliance

PROTECTING PATIENT PRIVACY and INFORMATION SECURITY

STATE SUPPLEMENTAL HEALTH PRIVACY LAWS

BUSINESS ASSOCIATE AGREEMENT

SENATE FILE NO. SF0065. Sponsored by: Senator(s) Johnson and Case A BILL. for. AN ACT relating to consumer protection; providing for

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Privacy Summary for Self-insured Employer Groups

PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIPAA Security Training Manual

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

ONLINE CREDIT REPORTING S SUITE SOLUTIONS MEMBERSHIP GUIDELINES

TITLE 34. LABOR AND WORKERS' COMPENSATION CHAPTER 19. CONSCIENTIOUS EMPLOYEE PROTECTION ACT. N.J. Stat. 34:19-1 (2007)

ELECTRONIC HEALTH RECORDS

Substitute Senate Bill No Public Act No AN ACT CONCERNING EMPLOYEE ONLINE PRIVACY.

Garden City Public Schools CHILD ABUSE IN AN EDUCATIONAL SETTING EXHIBIT - NOTICE/REPORTING REQUIREMENTS

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Contents

SUITE SOLUTIONS MEMBERSHIP GUIDELINES Clients using EZ-Filing Inc. Software

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

The Basics of HIPAA Privacy and Security and HITECH

HIPAA 101. March 18, 2015 Webinar

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA. HIPAA and Group Health Plans

BUSINESS ASSOCIATE AGREEMENT

University Healthcare Physicians Compliance and Privacy Policy

Whitefish School District. PERSONNEL 5510 page 1 of 5 HIPAA

HIPAA & HITECH AND THE DISCOVERY PROCESS

How To Protect Research Data From Being Compromised

Accountability Report Card Summary 2013 Tennessee

HIPAA WEBINAR HANDOUT

As Amended by Senate Committee SENATE BILL No. 408

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

Health Partners HIPAA Business Associate Agreement

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The ReHabilitation Center Buffalo Street. Olean. NY

Increasing Security Defenses in Cost-Sensitive Healthcare IT Environments

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

HOUSE BILL 184. By Swann BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF TENNESSEE:

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

BUSINESS ASSOCIATE AGREEMENT

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

HIPAA Security Alert

HIPAA OVERVIEW ETSU 1

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements

Senate Bill No. 48 Committee on Health and Human Services

MCOLES Information and Tracking Network. Security Policy. Version 2.0

Clinical Solutions. 2 Hour CEU

Michie's Legal Resources. This part shall be known and may be cited as the Tennessee Identity Theft Deterrence Act of [Acts 1999, ch. 201, 2.

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Oregon Prescription Drug Monitoring Program. Terms & Conditions of Account Use Agreement. Statutory Authority:

Cumulative Elder Financial Abuse Statutes Updated as of January 26, 2015

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D

ACE Advantage PRIVACY & NETWORK SECURITY

Key Definitions: VT LEG # v.1

Identity Theft Regulation. *Christine Stagnetto-Sarmiento, Oglala Lakota College, USA. *Corresponding Author, 490 Piya Wiconi Road-Kyle, South Dakota

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

BUSINESS ASSOCIATE AGREEMENT

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

M E M O R A N D U M. Definitions

HIPAA and Mental Health Privacy:

CYBERCRIME LAWS OF THE UNITED STATES

COMPLIANCE ALERT 10-12

Texas Medical Records Privacy Act

Regular Session, ACT No To amend and reenact R.S. 9:3573.1, (A), (1), (8), (9) and (10), ,

Transcription:

VERMONT2007 HIV Name-Based Reporting Report to the Legislature on Act 73 (2007-08) January 15, 2008 108 Cherry Street, PO Box 70 Burlington, VT 05402 1.802.863.7341 healthvermont.gov

Vermont Department of Health Table of Contents Table of Contents Executive Summary 4 Introduction 5 Security Audit 6 Community Input on Security and Adequacy of Penalties 8 Conclusion 11 Report to the Legislature 2007 3

Report to the Legislature January 15, 2007. Executive Summary A security audit carried out by the Department of Health found no high risk problems with the current security practices regarding the collection of reportable disease information, but recommended several low effort and cost measures to address low and moderate risk problems. These measures will be implemented and will enhance management, operational and technical security of the HARS and NEDSS information systems. The penalties for unauthorized disclosure of medical information were deemed adequate following an analysis by the Department and a review by members of the HIV/AIDS community. Report to the Legislature 2007 4

Introduction Section 2 of Act 73 (2007-08) required the Department of Health to conduct an information and security audit by November 1, 2007 regarding reportable disease information collected under 18 VSA 1001. The audit was to include an evaluation of the systems and procedures developed to implement 1001 and an examination of the adequacy of penalties for disclosure by State personnel. Section 2 also required the Department to report by January 15, 2008 to the Senate Committee on Health and Welfare and the House Committee on Human Services concerning options available, and the expected costs of such options, for maximizing protection of the information collected pursuant to 1001. The report was also to include the Department s recommendations on whether the General Assembly should impose or enhance criminal penalties on health care providers for unauthorized disclosures of medical information. The Department was mandated to solicit input from AIDS service organizations and the community advisory group regarding the success of the Department s security measures and the examination of the adequacy of penalties as they apply to HIV/AIDS. Report to the Legislature 2007 5

Security Audit As required by Act 73, a security audit was conducted in October 2007 on the HIV/AIDS Reporting System (HARS), and the National Electronic Disease Surveillance System (NEDSS), which is the system used by the Department for collecting information on all reportable infectious diseases. HARS is an older data base system developed by CDC and resides on a stand-alone PC (not connected to the Department s computer network) in the HIV/AIDS program office. NEDSS is a more recent application, also developed by CDC, and used by many states as well as the Federal government. NEDSS has been built to meet today s higher standards for security. The audit was done by the Information Systems Security Director of the Agency of Human Services using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems, and selected controls. This is a standard methodology recommended by Health and Human Services, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIV/AIDS Reporting System (HARS). The audit found that the HARS security protocols and practices were adequate to protect the data against security risks rated high. However, the audit did reveal moderate and low rated potential risks in the areas of Management, Operational and Technical Security. The options available to address these risks are limited because, as a non-networked system, the security of the data in HARS relies primarily on the physical security of the room in which the HARS computer resides. If the HARS database were on a networked system, it would be possible to enhance the security of the data to meet today s security standards. Until it can be replaced by a modern system, the audit recommended several safeguards to bolster the security of the existing system: Recommendation #1: Ensure that all staff (including IT) are trained on, understand, and follow the HIV/AIDS policy and procedures. Recommendation #2: Encrypt the entire hard disk and back-up copies. Report to the Legislature 2007 6

Recommendation #3: Strengthen auditing capabilities by changing local user accounts on the HARS PC and installing file auditing software to record users and actions taken on the files. Recommendation #4: Implement many minimum-effort, low-cost controls and safeguards including: require individual log on authorization to track users; adopt strong passwords; update the anti-virus software, activate the built-in firewall, and set the screensaver to lock the machine after 5 minutes of inactivity. National Electronic Disease Surveillance System (NEDSS). The NEDSS vulnerabilities and recommended safeguards presented in the audit report have been reviewed by infectious disease epidemiology and information technology staff. Two of the recommendations from the audit can and will be implemented by Epidemiology staff within three months add a staff separation section to the Infectious Disease Section Confidentiality and Security Policies and Procedures document; and fully promulgate that document. The remaining recommendations and controls are all information technologyrelated, and all of them address moderate and low risks. These will be reviewed, prioritized, assigned and implemented. Report to the Legislature 2007 7

Community Input on Security and Adequacy of Penalties Program staff have met with and solicited input from the HIV/AIDS community regarding the department s security measures to protect HIV case information, and the department s examination of the adequacy of penalties as they apply to unauthorized disclosure of HIV/AIDS medical information. In July, August, and November 2007, staff met with representatives of the following: AIDS Service Organizations; AIDS comprehensive care clinics; the HIV/AIDS program Community Advisory Group; HIV community members; Fletcher Allen Health Care; and Dartmouth Hitchcock Medical Centers. These meetings covered all aspects of the legislation (including patient notification and public education campaign), but focused on the department s security and confidentiality policies and procedures, and the adequacy of penalties for unauthorized disclosure. Security. In general, the feedback from the community groups indicated that the department s current security measures, along with the enhancements planned, adequately address their concerns around security and confidentiality. We did, however, receive suggestions for changes to the security policies and procedures. These included using stronger passwords, prohibiting the use of laptop computers to collect or store HIV related information, and prohibiting the physical removal of HIV related files from the department offices. All suggestions from the community have been incorporated. Report to the Legislature 2007 8

Adequacy of Penalties Act 73 (2007-08) proposes to change the penalties for disclosure of the content of any confidential public health record without written authorization or as authorized by law or in violation of certain subsections of 18 VSA 1001. Here is a summary of the new penalty provisions: STATUTE PROHIBITION NATURE OF PENALTY Willful or malicious 18 VSA 1001(e)(1) disclosure of the content of Civil any confidential public health record without written authorization or as authorized by law or in violation of 18 VSA 1001(b)(c) or (d). 18 VSA 1001(e)(2) Negligent disclosure of the content of any confidential Civil public health record without written authorization or as authorized by law or in violation of 18 VSA 1001(b)(c) or (d). 18 VSA 1001(e)(3) Willful, malicious, or negligent disclosure of the Criminal results of an HIV test to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply without written authorization or as authorized by law or in violation of 18 VSA 1001(b)(c) or (d) that results in economic, bodily, or psychological harm to the subject of the test. 18 VSA 1001(e)(4) Any act described at (e)(1), (e)(2), or (e)(3). Civil PENALTY Between $10,000 and $25,000, costs and attorney fees as determined by the court, compensatory and punitive damages, or equitable relief, including restraint of prohibited acts, costs, reasonable attorney s fees, and other appropriate relief. Not to exceed $2500 plus court costs, as determined by the court. Penalty and costs to be paid to the subject of the confidential information. Misdemeanor punishable by imprisonment for a period not to exceed one year or a fine not to exceed $25,000, or both. All actual damages, including damages for economic, bodily, or psychological harm that is a proximate result of the act. Report to the Legislature 2007 9

The revision also emphasizes that nothing in 18 VSA 1001 limits or expands the right of an injured subject to recover damages under any other applicable law. Section 2 of Act 73 requires, among other things, that the Department of Health report on whether the General Assembly should impose or enhance criminal penalties on health care providers for unauthorized disclosures of medical information. The Department must also solicit input from AIDS service organizations and the community advisory group regarding their examination of the adequacy of penalties as they apply to HIV/AIDS and include this input in the report. The input solicited and received by the Department from AIDS service organizations and the community advisory group indicates that Act 73 s penalties are adequate as they apply to HIV/AIDS. The Department agrees with this assessment and does not believe that the General Assembly should impose or enhance criminal penalties on health care providers for unauthorized disclosures of medical information. Even with only a civil penalty in place for willful or malicious disclosure, the Department is not aware of any breaches of 18 VSA 1001. In addition, Act 73 expressly allows the use of other applicable laws such as the Health Insurance Portability and Accountability Act (HIPAA) and its attendant regulations. Under 42 USC 1320d-6, a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice. Act 73 penalties viewed in connection with HIPAA penalties provide substantial deterrence against unauthorized disclosure. The Department of Health sees no reason at this time to change the penalty provisions. Report to the Legislature 2007 10

Conclusion A security audit carried out by the Department of Health found no high risk problems with the current security practices regarding the collection of reportable disease information, but recommended several low effort and cost measures to address low and moderate risk problems. These measures will be implemented and will enhance management, operational and technical security of the HARS and NEDSS information systems. The penalties for unauthorized disclosure of medical information were deemed adequate following an analysis by the Department and a review by members of the HIV/AIDS community. Report to the Legislature 2007 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information