
How The Hitech Act Raises The Ante For Hipaa Security Rule Compliance


Presented to the Nashville MGMA on 8/10/2010...for more information, visit: http://www.DataMountain.com http://www.HIPAASecurityAssessment.com


Page 1: How The Hitech Act Raises The Ante For Hipaa Security Rule Compliance

© 2009-2010 Data Mountain LLC | All Rights Reserved.

How The HITECH Act Raises the Ante for HIPAA Security Rule Compliance

Discussion

Bob Chaput, 615-656-4299 or 800-704-3394, [email protected], Data Mountain, LLC

…Welcome to …

Page 2

Top 10 List… …things heard in audience during my talks…

1. Today's dessert was really good except for that guy yakking in background?
2. Didn't the AMA make this go away yet?!#?
3. Does this guy really have a dog that ugly?
4. I think he's talking about that HIPAA thing again…
5. The way he talks, he must be Kathleen Sebelius' first cousin
6. Doesn't this guy know we have patients to treat?
7. Did he really say $1.5 million in fines?
8. HITECH-SMITECH!
9. How do you pronounce his last name again?
10. What's he saying? My doctor told me we have the best healthcare system in the whole wide world!

Page 3

Before we begin…Pop Quiz 1 Time

HIPAA, HITECH and Healthcare Reform together are __________________________________:

A. A Communist (a.k.a., Democratic) plot to ruin the best healthcare system in the world
B. Driving me crazy
C. A reasonable start at improving our healthcare system
D. A good way to get government moola to fix our messed up computer systems
E. None of the above
F. All of the above

Page 4

Before we begin…Pop Quiz 2 Time

A. Projected 2010 Total US Healthcare Expenditures
B. US Ranking of life expectancy at birth in the world
C. Number of Americans who die from medical mistakes each year
D. US Global ranking of health care costs per person per year
E. US Ranking in lowest Infant Mortality in the world

1. ____ 100,000 [1]
2. ____ 43rd in the world [2]
3. ____ 1st in the world [3]
4. ____ 47th in the world [4]
5. ____ $2.5 Trillion [5]

[1] Institute of Medicine; [2] CIA Factbook; [3] U.S. Centers for Medicare & Medicaid Services; [4] CIA Factbook; [5] U.S. Centers for Medicare & Medicaid Services

Page 5

Before we begin…Quick Quiz

A. Projected 2010 Total US Healthcare Expenditures
B. US Ranking of life expectancy at birth in the world
C. Number of Americans who die from medical mistakes each year
D. US Global ranking of health care costs per person per year
E. US Ranking in lowest Infant Mortality in the world

1. 100,000 [1]
2. 43rd in the world [2]
3. 1st in the world [3]
4. 47th in the world [4]
5. $2.5 Trillion [5]

[1] Institute of Medicine; [2] CIA Factbook; [3] U.S. Centers for Medicare & Medicaid Services; [4] CIA Factbook; [5] U.S. Centers for Medicare & Medicaid Services

Page 6

So what?

• We have a broken healthcare system…
• In fact, it's more of a "sick care" system
• Every President since Eisenhower has vowed to "fix" healthcare
• Too many special interests for any "quick fix"
• Like it or hate it, first HIPAA (Kennedy-Kassebaum bill) and now HITECH are taking aim to fix healthcare…
• It's people, process and technology and, with the latter, a big Rx for Privacy and Security

Page 7

HIPAA-HITECH is Not About Technology!

It's about health outcomes improvement in the US…

Five health outcomes policy priorities in Meaningful Use Stage 1 guidelines…

1. Improving quality, safety, efficiency, and reducing health disparities.
2. Engaging patients and families in their healthcare
3. Improving care coordination
4. Improving population and public health
5. Ensuring adequate privacy and security protections for personal health information

Page 8

Better Outcomes…

1. Quality, safety, efficiency, and reduction of health disparities….
2. Engaging patients and families in their healthcare
3. Improving care coordination
4. Improving population and public health

…through… better processes and use of technology while ensuring protection of individuals' private health information…

"To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work."

Page 9

What's the Story?

• Perfect storm is brewing…
• Many Covered Entities and Business Associates and Subcontractors are unaware of and unprepared for Security Compliance!
• HITECH = Hey It's Time to End your Compliance Holiday
• Help you mitigate the huge risks of being out of compliance with HIPAA Security Rule requirements

Page 10

Session Objectives

In this session, we will:

• Review the HIPAA Security Final Rule
• Learn about major changes brought about by The HITECH Act
• Learn about the new Civil Monetary Penalty System
• Learn practical, actionable steps to take today to mitigate risk and help assure compliance

Page 11

Disclaimers

1. Information about and around HIPAA and HITECH continues to evolve.
2. HIPAA rules and regulations are subject to lots of different interpretations.
3. Every effort has been made to ensure that the information presented is correct, but we cannot offer such assurances.
4. You should not rely on this information for legal purposes, but simply use it as a tool to raise your awareness.
5. We are not attorneys! Consult with your own legal counsel or advisors.

Page 12

Discussion Agenda

1. Quick Introductions
2. HIPAA Security Final Rule – Overview
3. The HITECH Act – Overview
4. Major Changes from The HITECH Act
5. Actions You Should Take Now
6. Summary

Page 13

About Your Speaker – Bob Chaput

• President – Data Mountain LLC
• 30+ years in Business and Technology
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets
• 25 years DR / BC experience
• 20 years Regulated-Industry Experience
• BA, MA – Mathematics; GE – FMP; Vanderbilt; HPI
• Numerous Technical Certifications
• Serve customers of all sizes in all industries
• 6 years – Channel Partner/Reseller for Iron Mountain Digital
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: ACHE, NTC, Chambers, Boards
• Passion: Helping business owners and managers manage risks:
  – Risk of being out of regulatory compliance
  – Risk of going out of business
  – Risk of throwing money away on phony/ineffective solutions

Page 14

Meet Healthcare's Perfect Storm

• Rigorous enforcement: HIPAA Security Rule
• Historical Behavior of Ignoring HIPAA Security Rule
• Healthcare Reform

Page 15

Meet the HHS Data Breach 'Wall of Shame'

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

Page 16

Health and Human Services "Wall of Shame" – Data Breaches

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

HHS is not kidding! 110 Postings as of 7/23/2010

Page 17

Discussion Agenda

1. Quick Introductions
2. HIPAA Security Final Rule – Overview
3. The HITECH Act – Overview
4. Major Changes from The HITECH Act
5. Actions You Should Take Now
6. Summary

Page 18

Health Insurance Portability and Accountability Act of 1996

• HIPAA = High Income Potential for Aggressive Attorneys ?

Page 19

Health Insurance Portability and Accountability Act of 1996

Preamble to The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

"Public Law 104-191, 104th Congress -- An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."

Page 20

Health Insurance Portability and Accountability Act of 1996

HIPAA: Health Insurance Portability and Accountability Act

• Title I: Insurance Portability
• Title II: Administrative Simplification (Privacy; Security; EDI: Transactions, Code Sets, Identifiers) and Fraud and Abuse and Medical Liability Reform
• Title III: Tax Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Off-sets

Page 21

Administrative Simplification

Three Key Components of Administrative Simplification in HIPAA…

• Transactions and Code Sets (EDI) 11/2002
• Privacy Rule (protect privacy) 11/2003
• Security Rule (safeguard information) 4/2005*

Page 22

How Security and Privacy Relate

Privacy Rule: Reasonable Safeguards for all PHI

Security Rule: 18 Standards

Administrative Safeguards for EPHI
• Security Management Process
• Security Officer
• Workforce Security
• Information Access Mgmt
• Security Training
• Security Incident Process
• Contingency Plan
• Evaluation
• Business Associate Contracts

Physical Safeguards for EPHI
• Facility Access Control
• Workstation Use
• Workstation Security
• Device & Media Control

Technical Safeguards for EPHI
• Access Control
• Audit Control
• Integrity
• Person or Entity Authentication
• Transmission Security

HIPAA Security is NOT a "techie" project

Page 23

Discussion Agenda

1. Quick Introductions
2. HIPAA Security Final Rule – Overview
3. The HITECH Act – Overview
4. Major Changes from The HITECH Act
5. Actions You Should Take Now
6. Summary

Page 24

Health Information Technology for Economic and Clinical Health Act

• HITECH = Hey It's Time to End your Compliance Holiday

Page 25

HITECH Act is Not About Technology!

It's about health outcomes improvement in the US…

1. Improving quality, safety, efficiency, and reducing health disparities.
2. Engaging patients and families in their healthcare
3. Improving care coordination
4. Improving population and public health
5. Ensuring adequate privacy and security protections for personal health information

One of five health outcomes policy priorities in Meaningful Use Stage 1 guidelines…

Page 26

The HITECH Act, Money & Teeth

• Part of the American Recovery and Reinvestment Act (ARRA)
• ARRA contains incentives related to health care information technology
• Legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI)
• Widens the scope of privacy and security protections available under HIPAA
• Largest and most consequential expansion and change to the federal privacy and security rules ever
• Bob's opinion: Healthcare industry (and Business Associates) remain woefully unprepared for security provisions

Page 27

Discussion Agenda

1. Quick Introductions
2. HIPAA Security Final Rule – Overview
3. The HITECH Act – Overview
4. Major Changes from The HITECH Act
5. Actions You Should Take Now
6. Summary

Page 28

The HITECH Act – Major Changes - 1

Enforcement is strengthened significantly
• Penalties are increased in the new Civil Monetary Penalty (CMP) System
• Enforcement is more proactive, more punitive and by more parties
• Additional audit authority is now provided to HHS to audit CEs and BAs

Business Associates and others are fully and completely "in scope"
• BAs are now statutorily obligated to comply with the relevant regulations
• Business Associates' subcontractors now must enter into BAA-like contracts**

Page 29

New Civil Monetary Penalty System

• Tier 1 (Accidental)
  – $100 each violation
  – Up to $25,000 for identical violations, per year
• Tier 2 (Not Willful Neglect, but Not Accidental)
  – $1,000 each violation
  – Up to $100,000 for identical violations, per year
• Tier 3 (Willful Neglect, but Corrected)
  – $10,000 each violation
  – Up to $250,000 for identical violations, per year
• Tier 4 (Willful Neglect, Not Corrected)
  – $50,000 each violation
  – Up to $1.5 million, per year

Key Question: what is a "violation"?

Key Question: what is "willful neglect"?

Page 30

The HITECH Act – Major Changes - 2

Security Provisions are strengthened and clarified
• Data protected is expanded beyond EPHI to include other personal information
• More specific guidance on technical safeguards is provided by HHS annually
• New data breach notification requirement is first-time Federal legislation

Privacy Provisions are strengthened and clarified
• Individual right to request restrictions on use and disclosure of PHI is now mandatory
• The definition of "minimum necessary" PHI to use/disclose is clarified
• Disclosure accounting is strengthened
• There are now tighter restrictions on use of protected health information for marketing purposes
• Individuals must be offered clear and conspicuous opt-out opportunity for fund-raising communications
• Consumers now have the right to receive an electronic copy of their PHI
• Prohibits a CE or BA from receiving payment in exchange for any PHI

Page 31

The HITECH Act – Major Changes - 3

From a Privacy and Security perspective, here are five absolute "game changers" under HITECH:

1) Mandatory audits (Subtitle D, Part 1, Section 13411)
2) HHS non-compliance fines return to HHS' coffers and within a few years (by law) individuals will participate in sharing the proceeds
3) State AGs can now bring civil actions on behalf of their citizens
4) Business Associates are now statutorily obligated
5) Subcontractors, soon, contractually obligated
6) Data Breach Notification requirements

Page 32

Reporting heating up for Docs

• Arcane provision protecting names of private practice physicians rescinded
• Soon, Doctors' names will appear on HHS Data Breach "Wall of Shame" rather than "Private Practice"
• Case cited discusses data backups kept in bag, similar to purse, taken offsite each night…

Page 33

CT State Attorney General Lawsuit

HITECH creates new jurisdiction for State Attorneys General

Goodwill Industries of Greater Grand Rapids, Inc.
• State: Michigan
• Approx. # of Individuals Affected: 10,000
• Date of Breach: 12/15/09
• Type of Breach: Theft
• Location of Breached Information: Backup Tapes

Blue Island Radiology Consultants
• State: Illinois
• Business Associate Involved: United Micro Data
• Approx. # of Individuals Affected: 2,562
• Date of Breach: 12/09/09
• Type of Breach: Loss
• Location of Breached Information: Backup Tapes

Page 34

At What Cost, Data Breaches?

Blue Cross – Blue Shield of TN
• Breach date: October 2009
• $10 Million, to date…
• 500 full-time workers and 300 part-time employees, working in two shifts, six days a week
• 3 million customer records reviewed
• 300,000 notification letters
• Several months to go

http://www.businessweek.com/idg/2010-03-01/data-theft-creates-notification-nightmare-for-bluecross.html

Page 35

Health and Human Services "Wall of Shame" – Data Breaches

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

HHS is not kidding! 110 Postings as of 7/23/2010

Page 36

What the Initial Postings Tell Us

• By law, HHS is very serious
• Of the Data Breach Notification postings, "Breach Types"…
  – Paper record thefts and losses
  – Theft of Computers (Desktops and Servers)
  – Theft or Loss of Laptops
  – Theft or loss of CDs/DVDs
  – Theft or loss of USB drives or other external devices
  – Theft or loss of backup tapes
• Implementing the "OLD", REQUIRED HIPAA Security Final Rule Administrative, Technical and Physical Safeguards would have avoided ALL these Data Breaches

YOU CAN FIX IT!

YOU CAN AVOID BEING ON THE "WALL OF SHAME"

Page 37

Health and Human Services "Wall of Shame" – Two Classics

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

Goodwill Industries of Greater Grand Rapids, Inc.
• State: Michigan
• Approx. # of Individuals Affected: 10,000
• Date of Breach: 12/15/09
• Type of Breach: Theft
• Location of Breached Information: Backup Tapes

Blue Island Radiology Consultants
• State: Illinois
• Business Associate Involved: United Micro Data
• Approx. # of Individuals Affected: 2,562
• Date of Breach: 12/09/09
• Type of Breach: Loss
• Location of Breached Information: Backup Tapes

Page 38

Discussion Agenda

1. Quick Introductions
2. HIPAA Security Final Rule – Overview
3. The HITECH Act – Overview
4. Major Changes from The HITECH Act
5. Actions You Should Take Now
6. Summary

Page 39

Actions You Should Take Now

1. Build A Data Breach Response Plan
2. Assess Your HIPAA Security Compliance
3. Plan For HIPAA Security Compliance
4. Tactically, Secure Your Data
5. Review Compliance Resources Available

Specific Tips Provided!

Page 40

Build A Data Breach Response Plan*

1. Identify and protect sensitive data
2. Identify the potential H-M-L areas of risk
3. Establish processes to reduce unintentional errors
4. Plan a layered defense approach
5. Empower the response team and ask "What if…?"
6. Build a 'Risk Assessment' Plan
7. Build a Notification Plan
8. Develop a Communication plan
9. Test your plans religiously and address gaps quickly
10. Establish internal and external relationships
11. Provide appropriate tools and training to responders
12. Treat your people as your last line of defense

*Based, in part, on: "Forrester's 10 steps to create a data breach response…" by Khalid Kark

Page 41

HIPAA Security – Contingency Plan Standard

§ 164.308 Administrative safeguards.

• (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
• (ii) Implementation specifications:
  – (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  – (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
  – (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  – (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
  – (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

Page 42

Sample HIPAA Security Assessment

Page 43

HIPAA Security-HITECH Act Compliance Roadmap

• HIPAA Security Assessment (HSA)
• Preliminary Remediation Plan (PRP)
• HIPAA Risk Analysis (HRA)
• HIPAA Security Training (HST)
• HIPAA BA Contracts (HBC)
• HIPAA Compliance Manual (HCM)
• HIPAA Security Evaluation (HSE)
• HIPAA Remediation Plan (HRP)
• HIPAA Security Strategy (HSS)
• HIPAA Security Policies (HSP)

HIPAA Security is NOT a "techie" project … A journey, not a destination!

Page 44

10-Point Data Protection Checklist

1. Backup Data; be 100% confident you know it and can restore it!
2. Secure Network
3. Block Spam
4. Stop Malware
5. Condition Power
6. Patch Software
7. Encrypt Data
8. Practice Recovery
9. Enforce Policies
10. Insure Technology / Data

Page 45

Compliance Resources - 1

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

http://csrc.nist.gov/publications/PubsSPs.html
The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, is responsible for developing information security standards for federal agencies. NIST has produced a series of Special Publications which provide information that is relevant to information technology security.

http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10741_848086_0_0_18/SmallPracticeSecurityGuide-1.pdf
The Office of the National Coordinator for Health Information Technology (ONC) has produced a risk assessment guide for small health care practices, called Reassessing Your Security Practices in a Health IT Environment.

http://www.himss.org/content/files/ApplicationSecurityv2.3.pdf
The Healthcare Information and Management Systems Society (HIMSS), a private consortium of health care information technology stakeholders, created this information technology security practices questionnaire.

Page 46

Compliance Resources - 2

http://hitrustcentral.net/files
The Health Information Trust Alliance (HITRUST) worked with industry to create this Common Security Framework (CSF).

http://www.hhs.gov/ocr/privacy/
The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
In this web page, you will find educational materials to help you learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information (e-PHI).

Page 47

Discussion Agenda

1. Quick Introductions
2. HIPAA Security Final Rule – Overview
3. The HITECH Act – Overview
4. Major Changes from The HITECH Act
5. Actions You Should Take Now
6. Summary

Page 48

Wouldn't It Be Great If…

…In the event of a Potential Data Breach or Data Loss event, you could say…

• "All ePHI has been continuously backed up ("exact copies…")"
• "Therefore, we know exactly what data and individuals are affected…"
• "All ePHI is encrypted when outside internal controls, both 'at rest' and when 'in motion'"
• "Therefore, we have 'safe harbor' vis-à-vis Data Breach Notification requirements"
• "Any/All ePHI on lost or stolen laptops can be securely quarantined or destroyed, if necessary"
• "Therefore, we have no risk of downstream breach notification and related legal, financial risks!"

Page 49

ePHI Breach Types Can be Addressed

• Of the Data Breach Notification postings, "Breach Types"…
  – Paper record thefts and losses
  – Theft of Computers (Desktops and Servers)
  – Theft or Loss of Laptops
  – Theft or loss of CDs/DVDs
  – Theft or loss of USB drives or other external devices
  – Theft or loss of backup tapes
• All ePHI Breach Types can be completely addressed or risks of occurrence significantly mitigated with…
  – Assessment services
  – Encryption services
  – Lost Data Destruction services
  – Secure Online Data Backup Services

Page 50

How Data Mountain Can Help

Passion: Helping business owners and leaders manage risks…

• Risk of being out of regulatory compliance
• Risk of going out of business
• Risk of throwing money away on ineffective solutions

Page 51

Here's What We Do For Free…

Page 52

Here's What We Do For a Living…

• Secure Online Data Backup Services for Servers and PCs
• Encryption services for Laptops & Desktops
• Lost Data Destruction services for Laptops & Desktops
• HIPAA Security Assessment ToolKit™
• HIPAA-HITECH Data Backup Analysis
• Disaster Preparedness Analysis

Page 53

Summary

HIPAA-HITECH is about improving our healthcare system… Privacy and Security Compliance is part of the Law… and, Simply Makes Good Business Sense…

Get started Today!

Page 54

Contact

Bob Chaput
Data Mountain, LLC
http://www.DataMountain.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Connect: www.linkedin.com/in/bobchaput
Follow me: Twitter.com/bobchaput