Information Security and Privacy: HIPAA’s Potential Impact Gordon J. Apple Attorney at Law, Law Office of Gordon J. Apple, St. Paul, MN Lee Olson Information.

Information Security and Information Security and Privacy: HIPAA’s Potential Privacy: HIPAA’s Potential

Impact Impact

Gordon J. AppleAttorney at Law, Law Office of Gordon J. Apple, St. Paul, MN

Lee OlsonInformation Security Officer, Mayo Foundation, Rochester, MN

Program ObjectivesProgram Objectives

Overview of data security/privacy issues Review of HIPAA security standards Review of HIPAA privacy standards Facing HIPAA challenges

Existing Data Protection Existing Data Protection RequirementsRequirements

State law Federal law JCAHO Conditions of Participation Professional codes

New HIPAA RequirementsNew HIPAA Requirements

Standards for electronic transactions and code sets

National standard health care provider identifier

National standard employer identifier Security and electronic signature standards

New HIPAA Requirements New HIPAA Requirements cont’dcont’d

Standards for privacy of individually identifiable health information

National standard for health claims attachment

National standard identifiers for health plans

I. Overview of Data Security I. Overview of Data Security and Privacy Issuesand Privacy Issues

PrivacyPrivacy

“The right to privacy is an integral part of our humanity; one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close.”

Minnesota Supreme Court 582 N.W.2d 231, 1998

The Power of AnecdotesThe Power of Anecdotes

Data MiningData Mining

Develop clinical pathways to improve patient care

Develop drug formularies Develop marketing opportunities?

CVS CaseCVS Case

Pharmacy records Alleged misuse PR firestorm Class action litigation

““It is only slightly facetious to It is only slightly facetious to say that digital information say that digital information lasts forever - or five years, lasts forever - or five years,

whichever comes first.”whichever comes first.”

Jeff Rothenberg

Scientific American, Jan. 1995

Geek SpeakGeek Speak

Firewall Hacker Bandwidth Router Port Probes TTP

Geek Speak IIGeek Speak II

CA PKI PKE PKE LAN ISP

WetwareWetware

II. General Review of HIPAA II. General Review of HIPAA Security StandardsSecurity Standards

SecuritySecurity

“The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.”

Three aspects to consider– confidentiality– integrity– availability

Security Standards: ApplicabilitySecurity Standards: Applicability

Applies to any health plan, provider or clearinghouse that electronically maintains or transmits any individually identifiable health information, internally or externally

Security is Security is risk managementrisk management

Risk Management ProcessRisk Management Process

Quantify assets, risks and threats– a mix of the objective and subjective– need not be complicated

Determine cost-effective security controls– protect what’s worth protecting & don’t worry

about the rest The government is big on this

– mainly because the government is big– approach statistical mean

RisksRisks

Passive, always in the background

– fires, floods, power outages, equipment failure

– predictable on a large scale & statistical in nature

ThreatsThreats

Active, evolving, never static

Goal: defeat security– people oriented

– hackers, viruses, insiders, disgruntled persons

– must be actively managed by security professionals

1. Administrative Procedures 1. Administrative Procedures

Guard data confidentiality, integrity and availability

Policies and procedures– written– communicated– enforced

Administrative RequirementsAdministrative Requirements

Certification

Chain of trust partner agreements

Organizational policies, practices and procedures

Access controls

Internal audit

Personnel security

Configuration management

Incident response

Termination procedures

Training

2. Physical Safeguards2. Physical Safeguards

Appointment of security czar Physical access control Workstation usage Media & output controls Locks, keys, tokens… Termination procedures Backup

3. Technical Security Services3. Technical Security Services

System Level Features System access

– user identification and authentication

Entity authentication Data authentication Authorization control

– discretionary access to data

– least privilege principle

Audit controls

4. Technical Security 4. Technical Security MechanismsMechanisms

Communications & network controls– firewall management

– access controls

– alarms

– audit trail

– encryption

– event reporting

– integrity controls

5. Electronic Signature5. Electronic Signature

Must implement three characteristic features:– message integrity

– non-repudiation

– user authentication

Digital signature provides these

Board of TrusteesAudit Committee

Information PolicyCommittee

FoundationHIPAA

CoordinatingGroup

GOVERNANCE

OPERATIONALLEVEL

COORDINATION& PLAN

EXECUTION

•Compliance office•Accreditation office•Education/Research•Medical Records•Systems and Procedures•Information Security•Internal Audit•Information Technology•Legal•Finance•Health Plans

ScottsdaleCoordination Team

RochesterCoordination Team

Mayo Health System(Rochester)

Coordination Team

JacksonvilleCoordination Team

RemoteSites

Proposed HIPAA Project Structure

Foundation FinanceOversight Group

Foundation SecuritySubcommittee

Foundation PrivacyGroup

= New groups

Getting Started:Getting Started:Gathering Current State Gathering Current State

InformationInformation Translate requirements

– 38 pages of single-spaced legalese-- don’t try this at home

HIPAA EarlyViewTM tool– developed by NC Information & Communication Alliance

– cost effective, uncomplicated, user friendly license

– saves lots of work

– generates reports useful for gap analysis

– http://www.nchica.org/activities/EarlyView/More_info.htm

Organizational AssessmentOrganizational Assessment

Conduct survey in bite-sized chunks Different systems & applications have

different security attributes– Clinical systems– Clinical operations support– Finance & electronic commerce– Laboratory services– Business & HR systems, etc.

Logistical ConsiderationsLogistical Considerations

Consider geography, complexities & capabilities

Who will collect & analyze the data?– Information Security Officer’s role– Stewards & Administrators’ roles

Pitfalls to Avoid Pitfalls to Avoid

Overanalyzing the requirements & process– Leads to corporate constipation– Academics need to put on their operational hats

Garbage in, garbage out– Must understand the goal & process– Effective communication & buy-in essential

Don’t sweat the details…. for now– Use a top down approach, not Band Aids

Develop Implementation PlanDevelop Implementation Plan

Strategy must address both administrative & technical levels– coordinate with e-commerce– awareness & education– initiate process changes– modify systems & applications – replace systems & applications

Final rule may necessitate minor course changes

SourcesSources

Minnesota Health Data Institute

http://zen.mhdi.org/

North Carolina Healthcare Information and Communication Alliance http://www.nchica.org/

Massachussetts Health Data Consortium

http://www.mahealthdata.org

Workgroup for Electronic Data Interchange

http://www.wedi.org

HIPAAlert news briefs published by Phoenix Health Systems, Inc.

http://hipaalert.com

III. General review of HIPAA III. General review of HIPAA Privacy StandardsPrivacy Standards

Covered EntitiesCovered Entities

Health plans Health care providers who transmit PHI in

electronic form in connection with standard transactions

Health care clearinghouses Short list indirectly expanded through

business partner requirements

HIPAA Data HIPAA Data

Heath information Individually identifiable health information

Protected health information

(PHI)

Protected Health InformationProtected Health Information

Individually Identifiable Health Information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form (printout of electronic data)

45 CFR 164.504

Uses and Disclosures of Uses and Disclosures of Protected Health InformationProtected Health Information

To carry out treatment, payment or health care operations

With patient consent No consent, but for public health, health

oversight, judicial/administrative proceedings, coroners/MEs, law enforcement, …. 45 CFR 164.510

Uses and Disclosures Uses and Disclosures Requiring Patient ConsentRequiring Patient Consent

Requests by patient Request by CEs re: marketing, fundraising,

employers for employment determinations, non-health related divisions of the CE…

45 CFR 164.508

Fair Information PracticesFair Information Practices

Series of individual rights

General rule on disclosure– “Minimum necessary”

Minimum Necessary Minimum Necessary

To meet the purpose of the use or disclosure To limit access only to those people who

need access to the information to accomplish the use or disclosure.

Notice of Information Notice of Information PracticesPractices

An individual has a right to adequate notice of the policies and procedures of a covered entity that is a health plan or a health care provider with respect to protected health information

45 CFR 164.512

Access of Individuals to Access of Individuals to Protected Health InformationProtected Health Information

Right of access includes access to PHI with – Health plan– Health care provider– Business partner if records not a duplicate

Access as long as records maintained

45 CFR 164.514

Accounting for Disclosures of Accounting for Disclosures of Protected Health InformationProtected Health Information

Right to full accounting of disclosures from CEs except for treatment, payment and health care operations and for certain disclosures to health oversight or law enforcement agencies.

Right of accounting also applies to business partners

45 CFR 164.515

Right to Request Amendment Right to Request Amendment or Correctionor Correction

Requests will have to be either accepted or rejected within 60 days

Rejections will require an explanation in plain language

Patients can still file statement of disagreement - for the record

45 CFR 164.516

Administrative RequirementsAdministrative Requirements

Privacy officer Training

– Everyone likely to obtain access to PHI Safeguards

– Administrative, technical and physical safeguards to protect privacy

Complaint process45 CFR 164.518

Documentation, Compliance Documentation, Compliance and Enforcementand Enforcement

Documentation – Uses and disclosures– Individual rights– Administrative requirements– 6 years

Keep records of compliance activities, permit DHHS access and be nice!

45 CFR 164.520-522

Penalties & ClaimsPenalties & Claims

Civil penalties Criminal penalties No private cause of action Third party beneficiary contract claims

Business Partners?Business Partners?

Business PartnersBusiness Partners

Insurance companies Law firms Accountants IT contractors Compliance consultants Insurance brokers

Business PartnersBusiness Partners

How well do you know them? How well do you want to know them? How well should you know them? Business partners - winners and losers

Satisfactory AssuranceSatisfactory AssuranceBP will….BP will….

Ensure that subcontractors are bound to HIPAA requirements

Make PHI available upon appropriate request Have an open door for DHHS Abide by contract termination req’s Be able to amend/correct PHI upon CE notice

CE Responsibility for BP CE Responsibility for BP ViolationsViolations

Reasonable steps to ensure compliance– K due diligence

Tainted by BP breach if CE “knew or should have known” of BP breach and….DID NOTHING…AKA as “Ostrich Syndrome”

Business PartnersBusiness Partners

Basic contract provisions– Follow HIPAA use and disclosure limits– Require technical and administrative safeguards

for security and privacy– Reps, warranties, indemnification and deep

pockets or certificate of insurance– Third party beneficiary language– Termination - give it back or destroy

De-identified PHIDe-identified PHI

Issue of ownership– Sale– Licensing

Requires data be stripped of listed elements Protections against re-identification

IV. Facing HIPAA ChallengesIV. Facing HIPAA Challenges

Group Discussion of HIPAA Group Discussion of HIPAA ChallengesChallenges

What are facilities doing now? Will it be possible to develop uniformity

across complex systems? Should HIPAA standards be adopted for

DTM records?

The Corporate Compliance The Corporate Compliance ModelModel

Who leads?– Compliance Officer– Security Officer– Privacy Officer

Gap analysis– Security standards– Privacy standards

The Corporate Compliance The Corporate Compliance Model cont’dModel cont’d

Defining areas of exposure– The Mayo model– Internal– External

Plan development, implementation and training– Integration with compliance program?