HIPAA Privacy and Information Security Management Briefing



Presented by:
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315
Soumitra Sengupta, Information Security Officer, sen@columbia.edu, (212) 305-7035
Tuesday, June 14, 2011

Agenda
Privacy
- Recent cases reported
- Office for Civil Rights HITECH update
- Potential areas of risk
Information Security
- Breach details
- Risk assessments
- Common security controls

HITECH = HIPAA Act II, and this time we really mean it!

HITECH Update
- Breach notification: as reported by the Office for Civil Rights, and at CUMC
- Business Associate Agreements: new proposed regulations
- Accounting of Disclosures: new regulations issued May 28, 2011

HITECH Breach Notification at CUMC
- One reported case affecting more than 500 individuals required immediate reporting to the Office for Civil Rights, patient notification, and other corrective actions
- Additional cases (fewer than 500 individuals each) required annual reporting in 2010:
  - Lost or stolen unencrypted laptop(s)
  - Unauthorized use or disclosure of medical information
  - Patient information available on the internet

In Response to Breach Reports
- New CUMC policy on system registration and system risk assessment
- New breach risk assessment tool to determine whether notification is required
- New confidentiality agreement for staff
- Increased education and staff communication about areas at risk of breach
- New controls deployed to prevent breaches

Business Associates
- OCR issued a Proposed Rule (NPRM), published July 14, 2010
- HIPAA civil and criminal enforcement and penalties apply directly to BAs (and to their subcontractors), in addition to contractual liability
- Final Rule expected in the 3rd quarter of 2011

Business Associates
- The NPRM modifies the BA definition under the HIPAA Privacy and Security Rules and clarifies when a BA relationship exists
- New duties for Business Associates in the NPRM: a BA must directly comply (not only by contract) with all HIPAA Security Rule administrative, physical, and technical safeguards and documentation requirements

HITECH & Business Associates
Additional parties added to the definition of BA:
- E-prescribing gateways
- Vendors that offer personal health records to patients on behalf of a covered entity
- Organizations that provide data transmission services and require routine access to PHI, including health information organizations
- Regional and state health information exchanges

Accounting of Disclosures
- The patient has the right to receive a report of the workforce members who accessed, used, or disclosed information from their designated record set (including medical and billing records) for a period of up to 3 years
- Includes Business Associates' access to the designated record set!
- Must include date, time, name of the individual, and, if available, the reason for access
- Response must be provided to the patient within 30 days
- 60-day comment period, ending August 2011
- Effective compliance date: 1/1/2013 or 1/1/2014, depending on when the electronic health record system was acquired

Additional Proposed HITECH Regulations
- Patient right to request restrictions on disclosures to insurance companies: a CE must agree to a restriction on disclosure to a health plan (insurance company) if the patient paid out of pocket in full
- HITECH and fundraising disclosures: a clear and conspicuous opportunity to opt out
- Recommended language changes for the Notice of Privacy Practices and a statement on fundraising communications

Privacy / Medical Record Management
- EHR = availability of all medical information to all staff
- Medical information sent that is not consistent with the authorization signed by the patient
- Medical information sent to the wrong person
- Medical information mailed to the wrong address
- Medical information given to the wrong person
- Management of the medical records of departing faculty

Next Steps / Areas of Risk
- Business Associates
- Staff education
- Medical record management
- Security of devices holding medical information
- Social media policy development
- Guidance for removing paper documents containing protected health information from CUMC (taking work home or transporting it to other locations)

Incidents and breaches
- Departmental files on NOAA
- Departmental computer in Albany
- Use of Google Calendar (two clinical departments)
- Lost BlackBerry of an administrator

Departmental files on NOAA
- Pre-HIPAA activity
- A physician leaving CUMC in 2005 wanted to take electronic copies of journal articles
- A relative copied a folder to a NOAA public FTP site
- The folder also contained clinical reports
- In 2011, a patient searching the internet for their own name found the files and filed a complaint
- Reported to the OCR as a HIPAA breach

Departmental Computer in Albany
- Pre-HIPAA activity
- In 2004-2005, a division moved location and purchased new Macintosh desktops
- One of the old desktops was picked up curbside in Albany in 2011; the computer person who looked through its contents contacted CUMC
- The desktop had belonged to the divisional administrator, and one file held grant investigator information, including SSNs
- Significant CUMC faculty were listed
- Reported to the State Attorney General's office

Use of Google Calendar
- Google Calendar used to schedule patients: care schedules as well as research schedules
- Entries included patient name, ID, or initials, plus location, clinic name, or physician name
- The Google agreement permits Google to read and analyze content and use it for whatever they deem appropriate
- Google will not sign a Business Associate Agreement
- All non-institutional storage (Dropbox, wikis, blogs, calendars, email) without encryption and/or a BAA carries the same risks

Lost BlackBerry
- A BlackBerry that had no password was lost or stolen
- The billing administrator had used email on it to communicate PHI for billing verification
- The device stayed silent (off the network) for a while; when it came back online it was remotely wiped
- Without a password, the BlackBerry's encryption was useless as a protection: device encryption that is not locked behind a password protects nothing once the device is in someone's hands
- Affected patients were identified by going through the administrator's email on the server
- Reported to the OCR as a breach

CUMC Risk Assessment Program
- Objective: to assess the information security fitness of CUMC's systems and advance our collective compliance posture for HIPAA & HITECH
- AKA the Certification Program
- Identified 265 systems that use Protected Health Information (PHI) and/or Personally Identifiable Information (PII)
- 185 have been evaluated so far

Execution
- The Information Security group is executing the program in departmental groups
- Certifications are in progress with 19 academic and administrative departments, schools, and centers
- Results are discussed with the Chair or Head of the department by the COO of CUMC
- Progress and results are reported to the Audit Committee of the Columbia University Board

What is Risk Assessment or Certification?
- HITRUST Alliance, LLC provided us with a control list to use in the assessments
- We also included questions from the previous (2003) HIPAA questionnaire
- We perform vulnerability management scans of infrastructure and web applications
- We review basic architecture, physical security, etc.

Sample Questions
1. Do you host PHI or PII?
2. Is your server in a locked room accessible via a badge reader?
3. Does one person control every aspect of your system?
4. Does your system publish any information to the Internet?
5. Does your system require authentication?
6. Do you have audit logs?

The Process
Discovery
- NYPH interfaces
- Clinical Data Warehouse
- System inventory
- 2007 HIPAA inventory
Assess
- Interview sponsors
- Interview system custodians
- Vulnerability scans
Report
- Identify risks
- Develop impact
- Make recommendations

Report Outcomes
PASS
- Your system is protected with adequate system controls
- Security will return in one year's time to perform a new assessment
REMEDIATION
- Your system has risks that must be corrected
- Implement the recommendations within 90 days, or sunset the system
- Security will return in one year's time to perform a new assessment after remediation

Program Summary
- The program is changing IT security operations in the departments at CUMC
- Many defunct systems have been decommissioned
- Risks are dealt with based on severity
- CUMC IT has developed a security solutions catalog
- Systems are being remediated
- Senior leaders are engaged in the compliance process
- The current inventory will be assessed by Nov. 1, 2011
- Departments are responsible for annual risk assessment
- The program is being incorporated into standard business practice at CUMC

CUMC Privacy and Security Initiatives
Management Controls
- System Registration and Certification Policy established May 13, 2011
- Notices sent to all Deans, Chairs, and Department Administrators
- Published in the DA Manual
Training and Awareness Events
- New employee orientation
- Online training for faculty
- New student orientation
- HIPAA training in the CUMC schools' curriculum
- Annual Privacy and Information Security Management Briefing
- Information bulletins
Technical Controls
- Data Loss Prevention: scan CUMC websites for the presence of patient data and SSNs
- Anti-Virus: monitoring PC system health for n systems with the Symantec central AV server
- Vulnerability Management: scanning CUMC IT hosts for missing patches and configuration errors
- Bluecoat Internet Proxy: limit Internet use to safe sites
- Bradford Network Access Control: register and scan student devices
- CUMC IT-managed smartphones: enforce strong passwords
- Email forwarding and DLP on email: control coming this year
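The "Data Loss Prevention" control above scans CUMC websites for patient data and SSNs. The following is an added example, not CUMC's tool or any code from the briefing, of the core of such a scan: it extracts visible text from HTML, finds SSN-shaped numbers, and applies the Social Security Administration's structural rules (area 000, 666 and 900-999 and group 00 and serial 0000 are never issued) to cut false positives such as phone numbers, grant years and placeholder values. The sample pages and URLs are constructed for the example; a real scanner would fetch the pages it is given and feed them to scan_pages().

```python
"""Added example: a minimal data-loss-prevention scan for SSNs in web content.

Not CUMC's scanner; the pages below are constructed (assumption) so the
example runs offline. Only the matching/validation logic is shown.
"""
import re
from html.parser import HTMLParser

# Candidate SSN: three digits, separator, two digits, separator, four digits.
# The digit lookarounds keep longer digit runs (account numbers) from matching.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[-\s](\d{2})[-\s](\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks from SSA issuance rules: area 000, 666 and 900-999
    are never issued; group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)


def find_ssns(text: str):
    """Return (masked_value, context) for each validated SSN in text.
    The value is masked so the report itself does not reproduce the SSN."""
    findings = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if not is_valid_ssn(area, group, serial):
            continue
        masked = f"***-**-{serial}"
        start = max(0, m.start() - 20)
        context = text[start:m.end() + 20].replace("\n", " ")
        findings.append((masked, context))
    return findings


def scan_pages(pages: dict) -> dict:
    """Map URL -> findings, for pages that contain at least one SSN."""
    report = {}
    for url, html in pages.items():
        hits = find_ssns(visible_text(html))
        if hits:
            report[url] = hits
    return report


# Constructed sample pages (hypothetical URLs, not real CUMC content).
SAMPLE_PAGES = {
    "http://dept.example.edu/grants.html": (
        "<html><body><h1>Grant roster</h1>"
        "<p>PI: J. Doe, SSN 123-45-6789, award 2004-2005</p>"
        "<script>var x = '111-22-3333';</script></body></html>"),
    "http://dept.example.edu/contact.html": (
        "<html><body>Call (212) 305-7315 or fax 212-305-7035. "
        "Ref 000-12-3456 is a placeholder; 987-65-4320 is not issued."
        "</body></html>"),
    "http://dept.example.edu/index.html": "<html><body>Welcome.</body></html>",
}

if __name__ == "__main__":
    for url, hits in scan_pages(SAMPLE_PAGES).items():
        for masked, ctx in hits:
            print(f"{url}: {masked}  ...{ctx}...")
```

Only the grants page is reported: the phone and fax numbers, the award years, the placeholder 000-12-3456, the unissued 987-65-4320, and the value inside the script tag are all rejected. Masking the matched value in the report matters in practice, since a DLP report that lists full SSNs becomes PHI/PII itself and has to be protected accordingly.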

http://www.cumc.columbia.edu/hipaa/

Information Security & Privacy Management Briefing