HIPAA Privacy and Information Security Management Briefing
Tuesday, June 14, 2011
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315
Soumitra Sengupta, Information Security Officer, (212) 305-7035

Dec 18, 2015

Transcript
Page 1: Title slide (title, date and presenters as given in the heading above)

Page 2: Agenda

Privacy
• Recent cases reported – Office for Civil Rights
• HITECH update
• Potential areas of risk

Information Security
• Breach details
• Risk assessments
• Common security controls

Page 3: HITECH = HIPAA Act II, and this time we really mean it!

Pages 4–7: slides with no extractable text

Page 8: HITECH Update
• Breach notification
 – As reported by the Office for Civil Rights
 – At CUMC
• Business Associate Agreements
 – New proposed regulations
• Accounting of Disclosures
 – New proposed regulations announced Friday, May 27, 2011

Pages 9–12: slides with no extractable text

Page 13: HITECH Breach Notification at CUMC
• One reported case involved over 500 records and required immediate notification to the Office for Civil Rights, patient notification and other corrective actions
• Additional cases (fewer than 500 records each) requiring annual reporting in 2010:
 – Lost or stolen unencrypted laptop(s)
 – Unauthorized use or disclosure of medical information
 – Patient information available on the Internet

Page 14: In Response to Breach Reports
• New CUMC policy on system registration and system risk assessment
• New breach risk assessment tool to determine whether notification is required
• New confidentiality agreement for staff
• Increased education and staff communication regarding risk areas for breach
• Use of new controls to prevent breaches

Page 15: Business Associates
• OCR issued a Proposed Rule (NPRM), published July 14, 2010
• HIPAA civil and criminal enforcement and penalties apply directly to BAs (and to subcontractors), in addition to contractual liability
• Final Rule expected in the 3rd quarter of 2011

Page 16: Business Associates (continued)
• The NPRM modifies the BA definition under the HIPAA Privacy and Security Rules and clarifies when a BA relationship exists
• New duties for Business Associates in the NPRM: BAs must directly comply with all HIPAA Security Rule administrative, physical and technical safeguards and documentation requirements

Page 17: HITECH & Business Associates
• Additional parties added to the definition of "BA":
 – E-prescribing gateways
 – Vendors that offer personal health records to patients on behalf of a covered entity
 – Organizations that provide data transmission services and require routine access to PHI, including health information organizations
 – Regional and state Health Information Exchanges

Page 18: slide with no extractable text

Page 19: Accounting of Disclosures
• The patient has the right to receive a report of workforce members that accessed, used or disclosed information from their "designated record set", including medical and billing records, for up to a 3-year period
• Includes Business Associates' access to the designated record set!
• Must include date, time, name of the individual and, if available, the reason for access
• The response must be provided to the patient within 30 days
• 60-day comment period – August 2011
• Effective compliance date 1/1/2013 or 1/1/2014
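The accounting-of-disclosures requirement on this slide is, operationally, a query over access audit logs: every record view for one patient, internal staff and Business Associate staff alike, within a three-year lookback, each row carrying date, time, actor and the reason where one was recorded. The example below, added here and not part of the briefing, shows what the log has to contain to answer such a request. The AccessEvent schema, the organisation names, the patient identifiers and the log entries are all constructed for the example; the three-year window and the 30-day response deadline are the figures stated on the slide.

```python
"""Added example: produce an accounting-of-disclosures report from an
access audit log. The log schema and entries are constructed for the
example; they are not CUMC's log format."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    actor: str                     # workforce member or BA staff who accessed the record
    patient_id: str
    organization: str              # covered entity or the Business Associate
    purpose: Optional[str] = None  # may be absent; the rule says "if available"


def window_start(request_date: date, years: int = 3) -> date:
    """First day covered by the report: `years` before the request.
    Handles a Feb 29 request date whose anniversary is not a real date."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:
        return request_date.replace(year=request_date.year - years, day=28)


def accounting_of_disclosures(events, patient_id, request_date, years=3):
    """Rows for one patient, oldest first, covering the lookback window.
    Business Associate events are included alongside internal ones."""
    start = window_start(request_date, years)
    rows = []
    for e in sorted(events, key=lambda ev: ev.when):
        if e.patient_id != patient_id:
            continue
        if not (start <= e.when.date() <= request_date):
            continue
        rows.append({
            "date": e.when.date().isoformat(),
            "time": e.when.strftime("%H:%M"),
            "name": e.actor,
            "organization": e.organization,
            "reason": e.purpose if e.purpose else "not recorded",
        })
    return rows


def response_due(request_date: date, days: int = 30) -> date:
    """Latest date the report may be delivered to the patient."""
    return request_date + timedelta(days=days)


# Constructed sample log: two organisations, one patient of interest.
SAMPLE_LOG = [
    AccessEvent(datetime(2013, 5, 1, 9, 15), "Dr. A. Example", "P001", "CUMC", "treatment"),
    AccessEvent(datetime(2011, 3, 10, 14, 2), "B. Clerk", "P001", "Example Billing Co. (BA)"),
    AccessEvent(datetime(2009, 12, 1, 8, 0), "Dr. B. Example", "P001", "CUMC", "treatment"),
    AccessEvent(datetime(2013, 5, 2, 10, 0), "Dr. A. Example", "P002", "CUMC", "treatment"),
]

REQUEST_DATE = date(2013, 6, 14)

if __name__ == "__main__":
    for row in accounting_of_disclosures(SAMPLE_LOG, "P001", REQUEST_DATE):
        print(row)
    print("respond by", response_due(REQUEST_DATE))
```

The practical point is the schema: if the application log records only a session or host and not the individual, or records the patient only as a chart number the privacy office cannot map back, the report cannot be produced within 30 days no matter how the query is written. The BA row with reason "not recorded" shows why the purpose field should be captured at access time rather than reconstructed later.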

Pages 20–21: slides with no extractable text

Page 22: Additional Proposed HITECH Regulations
• Patient right to request restrictions on disclosures to insurance companies
 – The CE must agree to a restriction on disclosure to an insurance company if the patient paid out of pocket in full
• HITECH and fundraising disclosures
 – Clear and conspicuous opportunity to opt out
 – Recommended language changes for the Notice of Privacy Practices and the statement on fundraising communications

Page 23: Privacy / Medical Record Management
• EHR = availability of all medical information to all staff
• Medical information sent that is not consistent with the authorization signed by the patient
• Medical information sent to the wrong person
• Medical information mailed to the wrong address
• Medical information given to the wrong person
• Management of the medical records of departing faculty

Page 24: Next Steps / Areas of Risk
• Business Associates
• Staff education
• Medical record management
• Security of devices holding medical information
• Social media policy development
• Guidance for removing paper documents with protected health information from CUMC (taking work home or transporting it to other locations)

Pages 25–27: slides with no extractable text

Page 28: Incidents and Breaches
• Departmental files on NOAA
• Departmental computer in Albany
• Use of Google Calendar (two clinical departments)
• Lost BlackBerry of an administrator

Page 29: Departmental Files on NOAA
• Pre-HIPAA activity
• A physician leaving CUMC in 2005 wanted to take electronic copies of journal articles
• A relative copied a folder to a NOAA public FTP site
• The folder contained clinical reports
• In 2011, a patient searching for their own name found the files and filed a complaint
• HIPAA breach reported to the OCR

Page 30: Departmental Computer in Albany
• Pre-HIPAA activity
• In 2004–2005 a division moved location and purchased new Macintosh desktops
• An old desktop was picked up curbside in Albany in 2011; the computer person who looked through its contents contacted CUMC
• The desktop had belonged to the divisional administrator, and one particular file held grant investigator information, including SSNs
• Significant CUMC faculty were listed
• Reported to the State Attorney General's office

Page 31: Use of Google Calendar
• Use of Google Calendar to schedule patients
• Care schedule as well as research schedule
• Patient name, ID or initials
• Location, clinic name or physician name
• The Google agreement permits Google to read and analyze content and use it for whatever they deem appropriate
• Google will not sign a Business Associate Agreement
• All non-institutional storage (Dropbox, wikis, blogs, calendars, e-mail) without encryption and/or a BAA carries the same risks

Page 32: Lost BlackBerry
• Loss or theft of a BlackBerry that had no password set
• A billing administrator had communicated PHI by e-mail for billing verification
• The BlackBerry stayed silent for a while, then came back online and was wiped
• Without a password, the BlackBerry's encryption was useless as a protection
• Affected patients were identified by going through the e-mails on the server
• Reported as a breach to OCR

Page 33: slide with no extractable text

Page 34: CUMC Risk Assessment Program Objective
• To assess the information security fitness of CUMC's systems and advance our collective compliance posture for HIPAA & HITECH
• AKA the Certification Program
• Identified 265 systems that use Protected Health Information (PHI) and/or Personally Identifiable Information (PII)
• 185 have been evaluated so far

Page 35: Execution
• The Information Security group is executing the program in departmental groups
• We have certifications in progress with 19 academic and administrative departments, schools and centers
• Results are discussed with the Chair or Head of the department by the COO of CUMC
• Progress and results are reported to the Audit Committee of the Columbia University Board

Page 36: What is Risk Assessment or Certification?
• HITRUST Alliance, LLC provided us with a control list to use in the assessments
• We also included questions from the previous 2003 HIPAA questionnaire
• We perform vulnerability management scans:
 – Infrastructure
 – Web applications
• We review basic architecture, physical security, etc.

Page 37: Sample Questions
1. Do you host PHI or PII?
2. Is your server in a locked room accessible via a badge reader?
3. Does one person control every aspect of your system?
4. Does your system publish any information to the Internet?
5. Does your system require authentication?
6. Do you have audit logs?

Page 38: The Process (flow diagram)
• Discovery – inputs: NYPH interfaces, the Clinical Data Warehouse and the 2007 HIPAA inventory; output: the system inventory
• Assess – interview sponsors, interview system custodians, run vulnerability scans
• Report – identify risks, develop impact, make recommendations

Page 39: Report Outcomes

PASS
• Your system is protected with adequate system controls
• Security will return in one year's time to perform a new assessment

REMEDIATION
• Your system has risks to be corrected
• Implement the recommendations within 90 days or sunset the system
• Security will return in one year's time after remediation to perform a new assessment

Page 40: slide with no extractable text

Page 41: Program Summary
• The program is changing IT security operations in the departments at CUMC
• Many defunct systems have been decommissioned
• Risks are dealt with based on severity
• CUMC IT has developed a security solutions catalog
• Systems are being remediated
• Senior leaders are engaged in the compliance process
• The current inventory will be assessed by Nov. 1st, 2011
• Departments are responsible for annual risk assessment
• The program is being incorporated into standard business practice at CUMC

Page 42: CUMC Privacy and Security Initiatives

Technical Controls
• Data Loss Prevention – scan CUMC websites for the presence of patient data and SSNs
• Anti-virus – monitoring PC system health for n systems with the Symantec central AV server
• Vulnerability management – scanning CUMC IT hosts for missing patches and configuration errors
• Blue Coat Internet proxy – limit Internet use to safe sites
• Bradford Network Access Control – register and scan student devices
• CUMC IT managed smartphones – enforce strong passwords
• E-mail forwarding control and DLP on e-mail – coming this year

Management Controls
• System Registration and Certification Policy
 – Established May 13, 2011
 – Notices sent to all Deans, Chairs and Department Administrators
 – Published in the DA Manual
• Training and awareness events
 – New employee orientation
 – Online training for faculty
 – New student orientation
 – HIPAA training in the CUMC schools' curriculum
 – Annual Privacy and Information Security Management Briefing
 – Information bulletins
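The first technical control on this slide, scanning CUMC websites for patient data and SSNs, and the Albany and NOAA incidents earlier in the deck (a file of investigator SSNs, clinical reports on a public FTP site) are the same problem seen from two sides: data that was never meant to be public sitting where anyone can fetch it. The example below, added here and not code from the briefing or from CUMC IT, shows the SSN half of such a sweep over already-fetched page source. It scans HTML comments as well as visible text, because anything in the served source is public; it filters out numbers the SSA has never issued, which removes most pattern-only false positives; and it keeps only the last four digits in its findings, so the DLP report does not itself become a list of SSNs. The URLs, page contents and numbers are constructed for the example.

```python
"""Added example: scan fetched web pages for SSNs the way a simple
website DLP sweep would. URLs, page content and numbers are constructed
for this example; they are not CUMC data or tooling."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# 3-2-4 digit groups separated by a dash or space. Contiguous 9-digit
# strings are deliberately not matched: on a web site they are far more
# often order numbers or IDs than SSNs.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


class _TextExtractor(HTMLParser):
    """Collect text nodes, script/style bodies and HTML comments.
    Everything in the served source is public, so comments are scanned too."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)

    def handle_comment(self, data: str) -> None:
        self.parts.append(data)


def html_to_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


@dataclass(frozen=True)
class Finding:
    url: str
    line: int
    masked: str  # last four digits only; the report must not copy the SSN


def find_ssns(url: str, html: str) -> list[Finding]:
    """One Finding per structurally valid SSN in the page, by text line."""
    findings = []
    for lineno, line in enumerate(html_to_text(html).splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_valid_ssn(area, group, serial):
                findings.append(Finding(url, lineno, f"***-**-{serial}"))
    return findings


def scan_site(pages: dict[str, str]) -> dict[str, list[Finding]]:
    """pages maps URL -> fetched HTML. Only URLs with hits are reported."""
    report = {}
    for url, html in pages.items():
        hits = find_ssns(url, html)
        if hits:
            report[url] = hits
    return report


# Constructed sample pages (hypothetical URLs, fictitious numbers).
SAMPLE_PAGES = {
    "https://dept.example.test/roster.html": (
        "<html><body><h1>Grant investigators</h1>\n"
        "<p>J. Doe, SSN 123-45-6789</p>\n"
        "<p>Phone (212) 305-7315</p>\n"
        "<!-- legacy export: 111-22-3333 -->\n"
        "</body></html>"
    ),
    "https://dept.example.test/orders.html": (
        "<p>Order numbers 000-12-3456 and 987-65-4321 are not SSNs</p>"
    ),
}

if __name__ == "__main__":
    for url, hits in scan_site(SAMPLE_PAGES).items():
        for hit in hits:
            print(f"{url} line {hit.line}: {hit.masked}")
```

Two caveats for anyone running something like this for real. A telephone number in 3-3-4 form does not match, but a scanner that also accepted bare nine-digit runs would need context words ("SSN", "Social Security") to stay usable. And the scan only covers what the crawler fetched: the NOAA case shows the leak sitting on a third party's FTP server, which no sweep of institutional websites would ever reach.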

Page 43: http://www.cumc.columbia.edu/hipaa/

Page 44: Information Security & Privacy Management Briefing (closing slide)