HIPAA Breaches, Security Risk Analysis, and Audits (9/10/2015)


HIPAA Breaches, Security Risk Analysis, and Audits
Derrick Hill, Senior Health IT Advisor, Kentucky REC

Why Does Privacy and Security Matter?
Trust

Who Must Comply with HIPAA Rules?
Covered Entities (CE) and Business Associates (BA)
CE includes:
- Health care providers who conduct certain standard administrative and financial transactions in electronic form, including doctors, clinics, hospitals, nursing homes and pharmacies
- Health plans
- Health care clearinghouses

Who Must Comply with HIPAA Rules? (continued)
BA includes:
- A person or entity, other than a workforce member, who performs certain functions or activities on your behalf, or provides certain services to or for you, when the services involve access to, or the use or disclosure of, PHI

What Constitutes PHI?
- HIPAA provides a list of 18 identifiers that constitute PHI
- Any one of these identifiers in a dataset that could reasonably be used to identify an individual is considered PHI

What is a Breach?
- The final rule defines breach to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information

New: Breach Risk Assessment
- An acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least four factors

Breach Risk Assessment Factors
1. The nature and extent of the PHI involved
2. The unauthorized person who used the PHI or to whom it was disclosed
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated

Factor 1 questions:
- Was the PHI unsecured?
- Was the PHI more than the minimum necessary?
- Does the breach pose a significant risk of compromise?
- Did the improper use/disclosure include only a name?

Factor 2 questions:
- To whom was the information disclosed (or made accessible)?
- Who misused the information?
- What information was it, and how much PHI was involved?
- Was the access or disclosure intentional, for self-serving, malicious, or harmful reasons?
- Did the violation involve a covered entity, another patient, or a non-covered entity/business?

Factor 3 examples:
- If a laptop was stolen and later recovered, and a forensic analysis shows that the PHI on the computer was never compromised, then there is a low probability that the PHI was compromised
- In contrast, if envelopes were improperly labeled and PHI was mailed out to the wrong recipients, then we can assume that the likelihood of it being viewed is high

Factor 4 questions:
- What was done to mitigate the potential harm?
- Were immediate steps taken to mitigate the risk?
  - Not further used or disclosed
  - Immediately destroyed
  - Immediately returned
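The four-factor assessment above is a documentation exercise: the entity must be able to show why it concluded the probability of compromise was low. The worksheet below is an added example (not material from the deck or from Kentucky REC) that walks an incident through the four factors and keeps the rationale for each. The presumption of breach, the four factors, the per-factor prompts and the "was the PHI unsecured?" question come from the slides; the field names, recipient weights, mitigation credits, sensitivity list and threshold are assumptions made for this worksheet and would have to be tailored by the entity using it.

```python
"""Four-factor breach risk assessment worksheet.

Added example, not material from the deck or from Kentucky REC. The
presumption of breach, the four factors, the per-factor prompts and the
"was the PHI unsecured?" question come from the slides; the field names,
recipient weights, mitigation credits, sensitivity list and threshold are
assumptions made for this worksheet and must be tailored by the entity.
"""
from dataclasses import dataclass, field
from typing import Optional

# Factor 2: lower weight when the recipient is itself bound by HIPAA (assumed).
RECIPIENT_WEIGHT = {
    "covered_entity": 0,
    "business_associate": 0,
    "workforce_member": 1,
    "other_patient": 2,
    "other_business": 3,
    "unknown": 4,          # e.g. the thief of a device that was never recovered
}
# Factor 4: credit for immediate return, destruction, or written assurance (assumed).
MITIGATION_CREDIT = {"returned": 2, "destroyed": 2, "assurance": 1, "none": 0}
# Factor 1: identifiers treated as high-sensitivity (assumed subset of the 18).
SENSITIVE = {"ssn", "diagnosis", "financial_account", "medical_record_number"}


@dataclass
class Incident:
    description: str
    phi_secured: bool                    # encrypted or destroyed per HHS guidance
    identifiers: list                    # which of the 18 identifiers were involved
    record_count: int
    recipient: str                       # key of RECIPIENT_WEIGHT
    acquired_or_viewed: Optional[bool]   # None = could not be determined
    mitigation: str                      # key of MITIGATION_CREDIT


@dataclass
class Assessment:
    low_probability: bool
    notification_required: bool
    score: int
    findings: list = field(default_factory=list)


def assess_breach(inc: Incident, threshold: int = 4) -> Assessment:
    """Walk the four factors and keep the rationale, since the entity must
    document why it concluded the probability of compromise was low."""
    findings = []
    # Secured PHI (encrypted or destroyed per HHS guidance) is not "unsecured
    # PHI", so the breach presumption does not attach to it.
    if inc.phi_secured:
        findings.append("PHI was secured; not a reportable breach")
        return Assessment(True, False, 0, findings)

    score = 0
    # Factor 1: nature and extent of the PHI involved.
    ids = set(inc.identifiers)
    if ids == {"name"}:
        findings.append("factor 1: only a name was involved (+0)")
    else:
        f1 = 1 + (2 if ids & SENSITIVE else 0) + (1 if inc.record_count >= 500 else 0)
        score += f1
        findings.append(f"factor 1: {sorted(ids)} in {inc.record_count} records (+{f1})")
    # Factor 2: the unauthorized person who used the PHI or received it.
    f2 = RECIPIENT_WEIGHT.get(inc.recipient, RECIPIENT_WEIGHT["unknown"])
    score += f2
    findings.append(f"factor 2: recipient {inc.recipient} (+{f2})")
    # Factor 3: was the PHI actually acquired or viewed? As in the deck's
    # recovered-laptop example, forensic evidence that it never was supports
    # a low-probability finding on its own.
    if inc.acquired_or_viewed is False:
        findings.append("factor 3: evidence the PHI was not acquired or viewed")
        return Assessment(True, False, score, findings)
    f3 = 4 if inc.acquired_or_viewed else 3   # unknown is treated as likely viewed
    score += f3
    findings.append(f"factor 3: acquired/viewed={inc.acquired_or_viewed} (+{f3})")
    # Factor 4: the extent to which the risk to the PHI has been mitigated.
    credit = MITIGATION_CREDIT[inc.mitigation]
    score -= credit
    findings.append(f"factor 4: mitigation {inc.mitigation} (-{credit})")

    low = score < threshold
    findings.append(f"score {score} vs threshold {threshold}: "
                    + ("low probability" if low else "notify"))
    return Assessment(low, not low, score, findings)


if __name__ == "__main__":
    # Constructed incident modelled on the deck's misdirected-mail example.
    mail = Incident("Statements mailed to wrong patients", False,
                    ["name", "address", "diagnosis"], 12, "other_patient", None, "returned")
    for line in assess_breach(mail).findings:
        print(line)
```

Run as a script it prints the rationale for the misdirected-mail case, which ends in a notification decision because the recipients were other patients and the likelihood of viewing is treated as high. The `findings` list is the part worth keeping: it is the written record an auditor would ask for.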

Exclusions to Breach
- Unintentional disclosure: applies to workforce members and BAs acting under the CE; made in good faith and within the scope of authority; no further disclosures made
- Inadvertent disclosure: by an authorized individual at the CE or BA to another person or entity covered by the BA; no further disclosures made
- Good faith belief: that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

Real Life Examples

Dermatology Office
- Employee leaves a USB flash drive in their car
- Thief breaks into the vehicle and takes the flash drive
- It was never recovered

Dermatology Office (continued)
OCR investigated to find:
- Practice had not completed a thorough security risk analysis
- ~2,200 individual records on the flash drive
- No policies and procedures surrounding breach notification
- Along with a corrective action plan, this practice settled with OCR on a $150,000 CMP

Radiation Oncology Practice
- Employee laptop was stolen from a car
- PHI on the laptop was unencrypted
- 55,000 individual records in all
OCR investigated to find:
- Practice had not completed a thorough security risk analysis
- Policies and procedures did not exist for taking hardware and disks containing PHI out of the office
- Along with a corrective action plan, this practice settled with OCR on a $750,000 CMP

Managed Care Organization
- Uses a technology company to lease business equipment
- Returned a leased copy machine
- CBS Evening News was doing a report on data left on copiers
OCR investigated to find:
- The organization had not completed a thorough security risk analysis
- No policies and procedures surrounding leased equipment
- 344,579 individuals affected
- Along with a corrective action plan, this MCO settled with OCR on a $1,215,780 CMP

Medical Center
- Used an internet-based document sharing application to store PHI
- PHI was unsecured
- Followed by a stolen laptop and USB flash drive the following year
- Devices contained unencrypted PHI

Medical Center (continued)
OCR investigated to find:
- Did not complete a risk analysis for storing data on a cloud source
- Disclosed the PHI of 1,093 individuals
- Failed to respond to the security incident in a timely manner
- Along with a corrective action plan, this Medical Center settled with OCR on a $218,400 CMP

Breach Breakdown (chart)
How do you avoid this list?

Security Risk Analysis
Meaningful Use Objective
- Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest, and implement security updates as necessary and correct identified security deficiencies as part of the risk management process

What is a Risk Analysis?
A systematic and ongoing process of:
- Identifying and examining potential threats and vulnerabilities to PHI
- Implementing changes to make PHI more secure, then monitoring results
- The process should provide a detailed understanding of the risk to the confidentiality, integrity, and availability of ePHI

Why Conduct a Risk Analysis?
- Required component of Meaningful Use and HIPAA
- Identify non-compliance with HIPAA and other rules and regulations
- Identify threats and vulnerabilities
- Identify weaknesses that could result in unauthorized disclosures or breaches
- Improve processes when handling PHI

Risk Analysis Steps
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation

Step 1: System Characterization
- Identifies which information assets need protection based on criticality to the business and/or because ePHI is processed, transmitted, or stored on the system

Step 2: Threat Identification
- Threat = any potential event that can adversely impact organizational operations and assets involving protected health information (maintain, transmit, process, access)
- Consider realistic, probable human, environmental, and natural incidents that can have a negative impact on an organization's ability to protect ePHI

Step 3: Vulnerability Identification
- Vulnerability = flaws or weaknesses in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
- Develop a list of vulnerabilities
- Focus on areas where ePHI can be disclosed without proper authorization, improperly modified, or made unavailable when needed

Step 4: Control Analysis
- Determine if the implemented or planned security controls will minimize or eliminate risks to ePHI

Step 5: Likelihood Determination
- Evaluate the likelihood/probability of a threat occurring that can cause or trigger an adverse event

Step 6: Impact Analysis
- Evaluate the impact/effect that an adverse event would have on an organization if a vulnerability were exploited

Step 7: Risk Determination
- Risk = the potential that a given threat will exploit the vulnerabilities of assets (such as an information system) and thereby cause harm to an organization
- Assess the level of risk to the organization
- Risk is based on the values assigned to the likelihood and impact of a threat occurrence

Step 8: Control Recommendations
- For identified vulnerabilities, evaluate what needs to be done to reduce the level of risk to the IT system and its data to an acceptable level

Step 9: Results Documentation
- Results documentation is critical in proving that the risk analysis was performed
- The HIPAA Security Rule does not specify the type of documentation required
- HIPAA requires documentation of the risk analysis to be retained for six years
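The nine steps read as a checklist, but in practice they produce a risk register: one row per asset/threat/vulnerability combination, rated for likelihood and impact, scored, and written down. The following is an added example of such a register (not part of the deck or of Kentucky REC's services). The step names and the six-year retention requirement come from the slides; the three-point rating scales, the likelihood x impact scoring, the level thresholds and the sample inventory (modelled on the incidents described earlier in the deck) are assumptions made for this example.

```python
"""Risk analysis register following the nine steps on the slides.

Added example, not part of the deck or of Kentucky REC's services. The step
names and the six-year retention requirement come from the slides; the
three-point rating scales, the likelihood x impact scoring, the level
thresholds and the sample inventory are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}   # Step 5 scale (assumed)
IMPACT = {"low": 1, "medium": 2, "high": 3}       # Step 6 scale (assumed)


@dataclass
class RiskItem:
    asset: str            # Step 1: system characterization (where ePHI lives)
    threat: str           # Step 2: threat identification
    vulnerability: str    # Step 3: vulnerability identification
    controls: list        # Step 4: implemented or planned controls
    likelihood: str       # Step 5: likelihood rating, after existing controls
    impact: str           # Step 6: impact on confidentiality/integrity/availability
    recommendation: str   # Step 8: control recommendation


def risk_score(likelihood: str, impact: str) -> int:
    """Step 7: risk derived from the values assigned to likelihood and impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Bucket a 1..9 score into the three levels of the assumed heat map."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def analyze(items: list) -> list:
    """Steps 5 to 8 over the register; rows come back highest risk first."""
    rows = []
    for it in items:
        score = risk_score(it.likelihood, it.impact)
        rows.append({
            "asset": it.asset, "threat": it.threat,
            "vulnerability": it.vulnerability, "controls": it.controls,
            "score": score, "level": risk_level(score),
            "recommendation": it.recommendation,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def document_results(rows: list, performed_on: str) -> dict:
    """Step 9: results documentation. The slides say the documentation must
    be retained for six years, so the record carries its own retention date."""
    done = date.fromisoformat(performed_on)
    try:
        retain = done.replace(year=done.year + 6)
    except ValueError:               # 29 February: roll to 28 February
        retain = done.replace(year=done.year + 6, day=28)
    return {
        "performed_on": done.isoformat(),
        "retain_until": retain.isoformat(),
        "high_risk_count": sum(1 for r in rows if r["level"] == "high"),
        "findings": rows,
    }


# Constructed sample register, modelled on the incidents the deck describes.
SAMPLE_REGISTER = [
    RiskItem("Employee laptops", "Theft from vehicle", "Disk not encrypted",
             ["Asset inventory"], "high", "high",
             "Full-disk encryption; policy for taking hardware off site"),
    RiskItem("Leased copier", "Device returned to lessor",
             "Hard drive retains scanned PHI", [], "medium", "high",
             "Wipe or remove drives before return"),
    RiskItem("Cloud document sharing", "Unauthorized internet access",
             "PHI stored without access controls", ["Password login"],
             "medium", "medium", "Risk-assess the service; sign a BAA; enforce MFA"),
    RiskItem("Clinic EHR server", "Power outage", "No UPS",
             ["Nightly backups"], "low", "medium", "Install UPS"),
]

if __name__ == "__main__":
    report = document_results(analyze(SAMPLE_REGISTER), "2015-09-10")
    print(f"retain until {report['retain_until']}, "
          f"{report['high_risk_count']} high-risk findings")
    for r in report["findings"]:
        print(f"{r['level']:6} {r['score']}  {r['asset']}: {r['vulnerability']}")
```

The output ranks the unencrypted laptop and the leased copier as high risk, which matches the two largest settlements in the case studies. The `document_results` record is the artifact Step 9 asks for: it states when the analysis was performed and when the documentation may be discarded, and the register rows are the evidence that each step was actually worked through.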

OCR Audits
- In addition to Meaningful Use audits, you may also be audited by the Office for Civil Rights (OCR) for HIPAA compliance
- The HITECH Act requires HHS to conduct periodic audits to ensure covered entities and business associates are meeting HIPAA compliance requirements
- Pilot audit program completed December 2012: 115 initial audits
- Audits concentrate on adherence to three rules: the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule

Why Care About an OCR Audit?
- Federal mandate
- Federal penalties (up to $1.5 million)
- State fines
- Reputation risk
- Business risk
- Legal costs
- Notification costs
- Increased number of breaches/attacks
- Loss of contracts
- Criminal and civil investigation

OCR Audit Protocol
- 169 total audit procedures: 81 privacy audit procedures, 78 security audit procedures, 10 breach notification procedures

Auditee Selection Criteria
- Covered entities of all sizes and types: healthcare providers, healthcare plans, healthcare clearinghouses, business associates (subject to audits as of 2013)
- Random selection based on multiple factors: public vs. private; size (level of revenues/assets, number of patients/employees, use of HIT); affiliation with other healthcare organizations; geography; type of entity and relationship to patient care

Types of Entities
Level 1: Large provider/payer; use of HIT: extensive; revenues and/or assets greater than $1 billion
Level 2: Large regional hospital systems; paper and HIT enabled workflows; revenues/assets between $300 million and $1 billion
Level 3: Community hospitals, outpatient surgery, regional pharmacy; use of HIT: mostly paper-based; revenues between $50 and $300 million
Level 4: Small providers (10-15 provider practices, community/rural pharmacy); use of HIT: little or none; revenues < $50 million

Pilot Program: Entity Size & Type

                            Level 1   Level 2   Level 3   Level 4   Total
Health Plans                     13        12        11        11      47
Healthcare Providers             11        16        10        24      61
Healthcare Clearinghouses         2         3         1         1       7
Total                            26        31        22        36     115

Pilot Program: Findings (charts)
- HIPAA Rule Most Cited in Findings
- Types of Security Rule Findings

Pilot Program: Findings (chart)
- Breach Notification: 500+ Breaches by Type

Civil Monetary Penalties (CMPs)

Violation Category                 Each Violation       All Identical Violations per Calendar Year
Did Not Know                       $100 - $50,000       $1,500,000
Reasonable Cause                   $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected        $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected    $50,000              $1,500,000

HIPAA Compliance/Enforcement (as of May 2015)
- Audit fines could result in $50,000 per violation and up to $1.5 million per violation of an identical provision in a single calendar year
- 1 in 3 HIPAA complaints were investigated by the Office for Civil Rights (OCR)
- 1 in 5 breaches were due to unauthorized access and theft or loss of encrypted devices
- 29.3 million patient health records have been compromised in HIPAA data breaches since 2009

What Now?
- In 2013, OIG criticized OCR's enforcement of the HIPAA Security Rule as mandated by HITECH
- Business associates will be subject to audits
- OCR received permission to use collected CMPs to increase enforcement efforts

2015 Audits: Common Audit Mistakes
- Failure to keep up with regulatory requirements
- No documented security program
- A reactive approach to audits
- Assumptions regarding business associate agreements
- A checkbox approach to compliance

Are You Prepared?
Deven McGraw, OCR Director:
- Expects complaints to increase 90% in 2015
- New complaint portal
- When asked about common mistakes by CEs: failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis
- OCR will leverage more civil penalties in 2015

Kentucky REC Can Help!
Kentucky REC offers the following services, performed by AHIMA Certified HIPAA Privacy & Security professionals:
- Security Risk Analysis addressing HITECH requirements for Meaningful Use
- Review of administrative, technical, and physical safeguards
- Remediation plan and timeline to eliminate or mitigate identified gaps
- HIPAA compliant sample policies
- Breach notification