
Keynote Presentation "Building a Culture of Privacy and Security into Your Organization"

Aug 20, 2015

Transcript
Page 1: Keynote Presentation "Building a Culture of Privacy and Security into Your Organization"

Privacy and Security: Building a Privacy and Security Culture in Health Care Organizations

April 25th, 2012

Joy Pritts, JD, Chief Privacy Officer, Office of the National Coordinator for Health Information Technology

Page 2

HHS Reaches $100,000 Settlement with 5-Physician Practice over HIPAA Violations

Page 3

Why Create a Culture of Privacy and Security?

• Assists Compliance with the Law

– New Developments

• HIPAA Privacy and Security Rules

• Enforcement

• Good business

• It’s Just the Right Thing To Do – Patient Trust

Page 4

Compliance: Federal Health Information Privacy Laws

• HIPAA Privacy and Security Rules – Health Insurance Portability and Accountability Act of 1996, effective 2003 and 2005, respectively

• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 – Final Rule submitted to OMB March 24th, 2012

• Others (e.g., 42 CFR part 2)

Page 5

Who Must Comply with HIPAA Privacy and Security Rules?

• Covered entities (CEs)

– Health plans

– Health care clearinghouses

– Most health care providers

Page 6

Business Associates and HITECH

• Business Associates include:

– EHR Vendors

– Data Analytic Firms

• HITECH Clarifies that Business Associates also include:

– Health Information Exchanges

– Personal Health Record Vendors

• HITECH Specifies that Business Associates:

– Must follow the administrative, physical and technical safeguards of the Security Rule

– Must follow the use and disclosure limits of the Privacy Rule

– Are subject to the same Civil and Criminal Penalties as Covered Entities

Page 7

HIPAA Privacy Rule: Two Sides of One Coin


Protect Privacy: A CE may not use or disclose PHI except:

• as the Privacy Rule permits or requires (i.e., payment, treatment, operations, etc.)

• as the patient or their representative authorizes in writing.

Patients’ Rights:

• Right to access

• Right to an accounting of disclosures of PHI

• Right to correct or amend

• Right to notice of privacy practices

• Right to file a complaint

Page 8

HIPAA Security Rule (45 CFR 164.306)

• Protects Patient Health Information that is transmitted by or maintained in any form of electronic media

• Framework of Technical, Administrative, Physical Safeguards

• Ensures workforce training and compliance

Flexible Approach (Addressable), taking into account:

– Size, complexity and capabilities of the Covered Entity

– Security capabilities of the CE's hardware and software

– Cost of security measures

– Probability and criticality of potential risks to ePHI

Page 9

So…

Isn’t this old news?

Then, Why Are So Many Organizations Not In Compliance?

Page 10

Major Causes of Breaches of PHI in 2010

Breaches over 500 records:

• Theft and loss were the most common reported causes of large breaches.

• Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or theft of electronic media.

• This accounted for records of 2,979,121 individuals.

• Loss of electronic media or paper records affected approximately 1,156,847 individuals.

- OCR Report to Congress on Breaches of Unsecured Information, 2011

Page 11

Risk Assessments

• 25% of healthcare organizations do not conduct security risk assessments

– HIMSS 2011 Security Study

• 39% of healthcare organizations do not or are not sure if they perform a risk assessment

– Ponemon Study, 2011

Page 12

Business Associates and Breaches

Due to the high volume of records they handle, breaches involving business associates translate into a disproportionate number of patients affected:

• Business associates involved in 22% of the breaches

• But this 22% accounts for 63% of all patients affected by the breaches

Page 13

Security and Mobile Devices

- Ponemon Institute, 2011

Page 14

HITECH: It’s a New Day . . .

Page 15

HITECH and Privacy and Security

• Established Chief Privacy Officer for the Office of the National Coordinator

• Increased fines for breaches

• Created mandatory fines for willful neglect

• Created Mandatory Breach Notification Rule

• Established basis for Meaningful Use

Page 16

Meaningful Use and Privacy and Security

MU Stage 1 requires eligible providers and hospitals to

• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

• No exclusion.

Page 17

Enforcement

• OCR has begun systematic audits of 150 organizations

• CMS and Meaningful Use audits for Incentive funds are set to begin

Page 18

Enforcement: Large organizations

• Blue Cross Blue Shield of Tennessee (BCBST) settled with OCR for $1,500,000 over the theft of 57 hard drives, March 13, 2012

• The hard drives contained names, social security numbers, diagnosis codes, dates of birth and plan ID numbers for over 1 million individuals

• Caused by failure to implement appropriate physical access controls

Page 19

Small Practice Enforcement

Phoenix Cardiac Surgery (a 5-physician practice) was posting clinical and surgical appointments for its patients on an Internet-based, publicly accessible calendar.

Page 20

Phoenix Cardiac Surgery

• From July 2007 to February 2009, the practice posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar

• From September 2005 until November 2009, the practice transmitted ePHI daily from an Internet-based email account to workforce members’ personal Internet-based email accounts

Page 21

OCR’s Other Findings

• Failure to implement adequate policies and procedures to appropriately safeguard patient information

• Failure to document any employee training on its policies and procedures on the Privacy and Security Rules

• Failure to identify a security official and conduct a risk analysis

• Failure to obtain business associate agreements with Internet-based email and calendar services that included storage of and access to its PHI

Page 22

Outcome of Investigation

• $100,000 Settlement

• Corrective Action Plan includes:

– Written policies and procedures, submitted to and approved by OCR, and documented training for employees

– “An accurate and thorough” risk assessment of the potential risks and vulnerabilities to PHI

– Submission of Risk Management Plan to OCR

– Identification of Security Official

– Business Associates Agreements

– Any violation of policies and procedures will be a reportable event to OCR

CAP available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf

Page 23

“We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

- Leon Rodriguez, Director of the Office for Civil Rights

April 17th 2012, OCR Press Release

Page 24

The Real Loss – Patient Trust

Beyond Compliance and Return on Investment,

Ensuring Patient Privacy is Just the Right Thing to Do

Page 25

Good Business: Patient Trust – The ROI for Breach Prevention

Diminished productivity and financial consequences due to a breach can be severe. Organizations reported:

• The potential result is patient churn; the average lifetime value of one lost patient is $113,400

• Economic impact

• Loss of time and productivity

• Diminishment of brand or reputation

• LOSS OF PATIENT GOODWILL

- Ponemon, “Second Annual Benchmark Study on Patient Privacy and Data Security”

Page 26

Developing a Privacy and Security Culture

Challenges:

• Providers and Staff may have little understanding of new technology and privacy and security issues

• Providers and Staff are reticent about asking questions or for assistance

• Adopting new software and workflow in the fast-moving healthcare culture is difficult

• Vendors may assume that providers and staff already understand privacy, and so may not train them adequately

Page 27

Strategies

• Executive Leadership Communicates the Essential Value of Privacy and Security

• Privacy and Security Metrics are included in Employee Performance Plans/Evaluations

• Privacy and Security are considered as part of the physical environment, patient care, and all communications

• Staff are made to feel comfortable asking questions and asking for help; resources are widely and freely available

• Training is regular, updated, and an essential part of the overall strategic plan

• Continuous Improvement: audits are completed and results communicated to all

Page 28

ONC’s Office of the Chief Privacy Officer Recent and Current Projects

• Personal Health Record Roundtable

• Mobile Device Roundtable

• Small practice Risk Assessment – original and revised

• HIE Privacy and Security Program Information Notice

• Security Training and Video Games

• Research project on security configurations of mobile devices

• Mobile device good practices videos and materials

• Website redesign: www.healthit.gov

• Data Segmentation Project

• Community College Curriculum Privacy and Security Review

Page 29

Training Materials – Series of Security Video Games Due for Release Summer of 2012

Page 30

Sharing Responsibility for Ensuring Patient Privacy

We all have a role to play in keeping health information private and secure.

• Government establishes P/S policies that are affordable and workable

• Vendors should create easy-to-use P/S features and communicate importance

• Providers and staff should understand their role in protecting patient privacy

• Patients understand their rights and basic means of securing their PHI

Page 31

We Are All In This Together

4/30/2012 Office of the National Coordinator for Health Information Technology

Page 32

Conclusion

Questions?

Page 33

HIPAA/HITECH Resources

• Privacy and Security Section of HealthIT.gov: http://healthit.hhs.gov

• Are you a Covered Entity?: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

• OCR HIPAA Privacy Rule Training Materials: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html

• OCR Guidance on Significant Aspects of the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html

• OCR Settlement with Phoenix Cardiac Surgery: http://www.hhs.gov/news/press/2012pres/04/20120417a.html

• Fast Facts about the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/cefastfacts.html

• The HHS Office of Civil Rights, HIPAA FAQs: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html

• Guidance materials for Small Providers, Small Health Plans, and other Small Businesses: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/smallbusiness.html

• OCR’s Sample Business Associate Contract Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Page 34

Other Federal Law Resources

• 42 CFR Pt. 2: http://www.samhsa.gov/healthPrivacy/

• Title X Confidentiality: 42 C.F.R. § 59.11: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=ce18bb9053f3b026e8983fd8ac27170c&rgn=div8&view=text&node=42:1.0.1.4.43.1.19.11&idno=42

• GINA deferring to HIPAA: 29 C.F.R. §§ 1635.9(c) and 1635.11(d): http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&node=29:4.1.4.1.21.0.26.9&idno=29 and http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&node=29:4.1.4.1.21.0.26.11&idno=29

– GINA: http://www.ornl.gov/sci/techresources/Human_Genome/publicat/GINAMay2008.pdf

• HIPAA deferring to FERPA; exceptions to “protected health information” under (2)(i) and (2)(ii) in 45 C.F.R. § 160.103: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=35aa826589279b8cff00d53c641a609f&rgn=div8&view=text&node=45:1.0.1.3.74.1.27.3&idno=45

– FERPA/HIPAA Guidance: http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf

Page 35

Other Resources

• For state privacy laws, see the National Conference of State Legislators (NCSL): http://www.ncsl.org/?tabid=17173

• For state privacy law information: http://ihcrp.georgetown.edu/privacy/records.html

• National Governors Association (NGA) Report on state laws and HIE: http://www.nga.org/Files/pdf/1103HIECONSENTLAWSREPORT.PDF

• Health Information Security and Privacy Collaboration (HISPC) reports on state laws: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__hispc/1240

• The Financial Management of Cyber Risk: “An Implementation Framework for CFOs”, American National Standards Institute, 2010

• Second Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute, 2011

• OCR’s Sample Business Associate Contract Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html