Security and Privacy Requirements Beyond HIPAA Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS.

Posted on 28-Mar-2015


Objectives

• Understand some of the potential impacts on information security and privacy as a result of the new ARRA or “stimulus bill” on covered entities and their business associates
• Gain awareness and an understanding of the requirements for:
  – FTC’s Identity Theft Red Flags Rule
  – PCI Data Security Standards
  – Data breach disclosure laws

Copyright © 2009, Tom Walsh Consulting, LLC

Objectives (cont.)

• Identify some potential sources of identity theft and data breaches
• Determine who in your organization needs to be included and the key departments for your organization’s (renewed) compliance efforts
• Locate resources for additional information

American Recovery and Reinvestment Act (a.k.a. “Stimulus Bill”)

• Other names or references
  – ARRA
  – Public Law 111-5
  – H.R. 1
  – Stimulus Bill
• Date of enactment: February 17, 2009
  – Key date for the timing of future deadlines
• Appropriations Provisions – 16 Titles
  – Title XIII – Health Information Technology
    • Subtitle D – Privacy

Implications and future changes have yet to be fully comprehended

Brief History (Why is Privacy in the Stimulus Bill?)

• 1996 – HIPAA is passed; Congress has three years to enact medical privacy protection standards; fails to do so; too busy trying to impeach Bill Clinton; by default DHHS creates Privacy standards
• 1998 (Aug) – Proposed HIPAA Security Rule is released for comment
• 1999 (Nov) – Proposed HIPAA Privacy Rule is released for comment
• 2002 – Final HIPAA Privacy Rule is released
• 2003 (Feb) – Final HIPAA Security Rule is released
• 2003 (Apr 14) – Deadline for compliance with HIPAA Privacy Rule
• 2005 (Apr 20) – Deadline for compliance with HIPAA Security Rule

No changes to the rules since the final release.

What was the computing environment like back then versus now?

Promotion of Health Information Technology

Office of the National Coordinator (ONC) for Health Information Technology (HIT) (Section 3001)
  – Chief Privacy Officer
    • Appointed by the Secretary of HHS
    • To advise on privacy, security, and data stewardship
  – HIT Policy Committee (Section 3002)
    • Appointed positions
    • Make recommendations for nation-wide health information technology infrastructure
  – HIT Standards Committee (Section 3003)
    • Appointed positions
    • Make recommendations for electronic exchange and use of health information

Privacy – Subtitle D

Section 13400 – Definitions of 18 terms. Many have the same definition as found in HIPAA, but unique to ARRA are:

• Breach
• Unsecured Protected Health Information
• Electronic Health Record (EHR)
• Personal Health Record (PHR)
• Vendor of Personal Health Record

New Definitions

• Breach – In general terms means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information

• Unsecured Protected Health Information – protected health information (PHI) that is not secured through the use of a technology or methodology specified by the Secretary


Breach

• Covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach
• Notifications
  – Who? What? How? (based upon number of individuals)
  – When? Must be made without reasonable delay and no later than 60 days from discovery
• Discovery – Key concept, “…should reasonably have been known…”

Breach – Non-Covered Entities

• Includes vendors of PHR
• Includes 3rd parties that provide services to a vendor of PHR
• Requirements for reporting breaches are the same as for covered entities, except that the notification is made to the Federal Trade Commission (FTC) rather than the Secretary of HHS
• The FTC will also notify the Secretary of HHS

Business Associates

Application of Security Provisions (Section 13401)

• HIPAA security applies to Business Associates
  – §164.308 Administrative Safeguards
  – §164.310 Physical Safeguards
  – §164.312 Technical Safeguards
  – §164.316 Policies and Procedures and Documentation Requirements

Business Associates

• Business Associate Agreement (BAA) will need to be updated to incorporate the new HIPAA Security Rule requirements into the agreement

• Must respond to Privacy noncompliance issues the same as a Covered Entity

• Business Associate will now also be subject to the civil and criminal penalties for violating any of the security provisions


Disclosures

• Secretary will issue guidance on “minimum necessary”
• Accounting of Disclosures – HIPAA revision
  – Old – “…except for TPO” (Treatment, Payment, and healthcare Operations)
  – New – If the Covered Entity uses or maintains an electronic health record (EHR), then the exception for Accounting of Disclosures for TPO no longer applies (Note: Disclosure vs. Use)
  – Two deadlines: January 2014 or January 2011, based upon when the EHR was implemented

Enforcement

• Clarification of Application of Wrongful Disclosures Criminal Penalties (Section 13409)
  – Individuals can be prosecuted under HIPAA and ARRA
• Improved Enforcement (Section 13410)
  – “Willful neglect” by employees – employees can now be held liable
  – State Attorneys General may bring civil action
• Audits (Section 13411)
  – Periodic audits to ensure that covered entities and business associates comply with HIPAA and ARRA

Identity Theft Red Flags Rule

• Implements sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)

• Applies to financial institutions and creditors that hold any consumer account

• Applies if a healthcare provider:
  – Permits payment for services to be deferred
  – Allows payment in multiple installments

• Must comply by May 1, 2009

Things to Consider

• Types of patient billing accounts
• Methods used to allow installment payments (may be considered “covered accounts”)
• How a covered account is accessed
  – Example: Web portal for patient bill paying
• Previous incidents of identity theft
• Privacy safeguards and security controls currently in place to protect an individual’s identity and personal information (i.e. HIPAA)

PCI Security Standards Council, LLC

• Responsible for the security standards
• Formed in September 2006 by the five major credit card companies:
  – Visa International
  – MasterCard Worldwide
  – American Express
  – Discover Financial Services
  – JCB (Europe)

www.pcisecuritystandards.org

PCI Data Security Standard

• 12 requirements that must be followed
  – State law in Minnesota; other states next?
• If the merchant lacks adequate controls:
  – May be fined (payments withheld)
  – May be held liable for credit card losses
  – Could lose merchant status – ability to accept credit cards
• Merchants fall into one of the four merchant levels based on transaction volume over a 12-month period
  – Regardless of level, all merchants must comply

PCI Terminology

• Merchant – Any business that accepts credit cards for payment
• POS – Point of Sale terminal – used for swiping credit cards; usually connected to the bank via a modem
• PAN – Primary Account Number
• CVV – Card Verification Value – the last three digits printed on the signature panel on the back side of credit cards, used for transaction authorization when the payment is not made in person

Conducting a PCI Self-Assessment

• Determine the volume of transactions
• Inventory where credit card transactions occur
• Conduct a self-assessment
• Remediate identified issues
• Create a Credit Card Handling policy
• Create, deliver, and document user training on Credit Card Handling

Key Departments – Workflows

• Patient financial services (billing)
• Admitting, registration, or cashier
• Gift shop
• Cafeteria
• Outpatient services
  – Pharmacy
  – Durable medical equipment (DME) and other medical supplies
  – Urgent care centers

State Data Breach Disclosure Laws

• California – leading the way…
• 44 States now have some type of law
• Wisconsin
  – Act 138 requires notification in the event that personal information is lost or illegally accessed
  – Office of Privacy Protection: www.privacy.wi.gov
• Other Wisconsin resources: http://www.legis.wisconsin.gov/lrb/pubs/ttp/ttp-04-2008.html

Identity Theft in the Workplace

Some possible sources:

• Carelessness – loss of mobile computing devices
• Stealing (and in some cases, selling) employee records from their employer
• Conning information out of employees
• Unsecured data – paper or electronic
• Rummaging through trash
• Improper disposal or resale of computing devices and/or media
• Hacking into computers

Preventing Identity Theft

People, Processes, and Technology

• Background and clearance checks on key employees
  – System administrators
  – Patient Financial Services or Patient Accounting
• Proper handling and disposal of media
• Encrypt data at rest and while in transmission
• Auditing and monitoring

Renewed Compliance Efforts

• Corporate Compliance Officer
• Privacy and Information Security Officer
• Risk Management / Legal Counsel
• Patient Access (Registration / Admitting)
• Patient Financial Services (Accounting)
• Others? ______

Governance, Risk, and Compliance (GRC)

[Diagram: JCAHO, Red Flags Rule, SOX, FISMA, PCI DSS, HIPAA, and ARRA all feed into GRC = Governance framework for an information security program, for consistency in satisfying multiple regulations and requirements]

Resources

• An electronic copy of ARRA (PDF format): http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.txt.pdf
• PCI Security Standards Council, LLC: www.pcisecuritystandards.org
• PCI Frequently Asked Questions: www.pcisecuritystandards.org/about/faqs.htm
• FTC’s Identity Theft Site: www.ftc.gov/bcp/edu/microsites/idtheft/
• Identity Theft Resource Center: www.idtheftcenter.org

Summary

During this session we discussed:

• Privacy and security highlights of the new ARRA or “stimulus bill”
• An awareness of:
  – FTC’s Identity Theft Red Flags Rule
  – PCI Data Security Standards
  – Data breach disclosure laws
• Ideas for preventing identity theft
• Renewed involvement for compliance
• Resources for more information

Questions?

Tom Walsh, CISSP
twalshconsulting@aol.com

913-696-1573

Good News!

Because of the current global economic crisis, hackers, creators of malicious code, spammers, and disgruntled former employees have all pledged to be compassionate to businesses and individuals by cutting back on their harmful and disruptive activities by at least 30%.

More Good News!

Additionally, Congress has urged that all American employees who still have a job to temporarily suspend any of their unauthorized activities that could disrupt or significantly impact businesses until after the current economic crisis has passed.

Even More Good News!

It was announced yesterday that the United Nations overwhelmingly passed a measure, which can only be described as an extraordinary act of reconciliation, that with Barack Obama now as president of the United States, all nations vow to no longer harbor any hostilities toward the United States government and its people.

Sad Reality

• While everything else in our economy is declining, threats to information security are on the rise
• Desperate times result in desperate measures
  – People are willing to do whatever it takes to ensure their own personal wellbeing
  – Employees on the verge of being laid off or former employees that recently lost their job represent a significant threat to security