Embed Size (px)
Citation preview
Privacy and Security: Building a Privacy and Security
Culture in Health CareOrganizations
April 25th, 2012
Joy Pritts, JD, Chief Privacy Officer Office of the National Coordinator Health Information Technology
HHS Reaches $100,000 Settlement with 5 Physician Practice over HIPAA Violations
1
Why Create a Culture of Privacy and Security?
• Assists Compliance to Law
– New Developments
• HIPAA Privacy and Security Rules
• Enforcement
• Good business
• It’s Just the Right Thing To Do – Patient Trust
2
Compliance: Federal Health Information Privacy Laws
• HIPAA Privacy and Security Rules – Health Insurance Portability and Accountability
Act of 1996, effective 2003 and 2005, respectively
• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 – Final Rule submitted to OMB March 24th, 2012
• Others (e.g., 42 CFR part 2)
3
Who Must Comply with HIPAA Privacy and Security Rules?
• Covered entities (CEs)
–Health plans
–Health care clearinghouses
–Most health care providers
4
Business Associates and HITECH
• Business Associates include: • EHR Vendors
• Data Analytic Firms
• HITECH Clarifies Business Associates include: • Health Information Exchanges
• Personal Health Record Vendors
• HITECH Specifies that Business Associates • Must follow administrative, physical and technical
safeguards of the Security Rule
• Must Follow use and Disclosure Limits of Privacy Rule
• Subject to the same Civil and Criminal Penalties as Covered Entities
5
HIPAA Privacy Rule: Two Sides of One Coin
6
Protect Privacy: A CE may not use or disclose PHI except: • as the Privacy Rule permits or requires (ie. payment, treatment operations etc) • as the patient or their representative authorizes in writing.
Patients’ Rights:
• Right to access
• Right to an accounting of disclosures of
• Right to correct or amend
• Right to notice of privacy practices
• Right to file a complaint
HIPAA Security Rule (CFR 164.306)
• Protects Patient Health Information that is transmitted by or maintained in any form of electronic media
• Framework of Technical, Administrative, Physical Safeguards
• Ensures workforce training and compliance
Flexible Approach (Addressable):
Size, complexity and capabilities of Covered Entity
Security Capabilities of CE hardware and software
Cost of Security Measures
Probability and criticality of potential risks to ePHI
7
So…
Isn’t this old news?
Then, why Are So Many Organizations
Not In Compliance?
8
Major Causes of Breaches of PHI in 2010
Breaches over 500 records:
• Theft and loss were the most common reported causes of large breaches.
• Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or theft of electronic media
• This accounted for records of 2,979,121 individuals.
• Loss of electronic media or paper records affected approximately 1,156,847 individuals
- OCR Report to Congress on Breaches of
Unsecured Information, 2011
9
Risk Assessments
• 25% of healthcare organizations do not conduct security risk assessments
– HIMSS 2011 Security Study
• 39% of healthcare organizations do not or are not sure if they perform a risk assessment
– Ponemon Study, 2011
10
Business Associates and Breaches
Due to the high volume of records handled, a breaches from business associates translate into a disproportionate number of patients affected:
• Business associates involved in 22% of the breaches
• But this 22% accounts for 63% of all patients affected by the breaches
11
Security and Mobile Devices
12 - Ponemon Institute, 2011
HITECH: It’s a New Day . . .
13
HITECH and Privacy and Security
• Established Chief Privacy Officer for the Office of the National Coordinator
• Increased fines for breaches
• Created mandatory fines for willful neglect
• Created Mandatory Breach Notification Rule
• Established basis for Meaningful Use
14
Meaningful Use and Privacy and Security
MU Stage 1 requires eligible providers and hospitals to
• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
• No exclusion.
15
Enforcement
• OCR has begun systematic audits of 150 organizations
• CMS and Meaningful Use audits for Incentive funds are set to begin
16
Enforcement: Large organizations
• Blue Cross Blue Shield of Tennessee (BCBST) settled with OCR for $1,500,000 for the theft of 57 hard drives to theft, March 13, 2012
• Hard Drives contained names, social security numbers, diagnosis codes, DoB and Plan ID #s for over 1 million individuals
• Caused by failure to implement appropriate physical access controls
17
Small Practice Enforcement
Phoenix Cardiac Surgery (5 physician practice) was posting clinical and surgical appointments for its patients on an Internet-based publicly accessible calendar
18
Phoenix Cardiac Surgery
• July 2007 to February 2009, Practice posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar
• September 2005 until November 2009, Practice daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts
19
OCR’s Other Findings
• Failure to implement adequate policies and procedures to appropriately safeguard patient information
• Failure to document any employee training on its policies and procedures on the Privacy and Security Rules
• Failure to identify a security official and conduct a risk analysis
• Failure to obtain business associate agreements with Internet-based email and calendar services that included storage of and access to its PHI
20
Outcome of Investigation
• $100,000 Settlement
• Corrective Action Plan includes:
– Develop written policies and procedures, submitted to and approved by OCR and documented training for employees
– “An accurate and thorough” risk assessment of the potential risks and vulnerabilities to PHI
– Submission of Risk Management Plan to OCR
– Identification of Security Official
– Business Associates Agreements
– Any violation of policies and procedures will be a Reportable events to OCR
CAP available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
21
“We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
- Leon Rodriguez Director of the Office for Civil Rights
April 17th 2012, OCR Press Release
22
The Real Loss – Patient Trust
Beyond Compliance and Return on Investment,
Ensuring Patient Privacy is Just the Right Thing to Do
23
Diminished productivity and financial consequences due to a breach can be severe. Organizations reported:
• The potential result is patient churn; the average lifetime value of one lost patient is $113,400
• Economic impact
• Loss of time and productivity
• Diminishment of brand or reputation
• LOSS OF PATIENT GOODWILL
- Ponemon, “Second Annual Benchmark Study 24
Good Business: Patient Trust The ROI for Breach Prevention
Developing a Privacy and Security Culture
Challenges:
• Providers and Staff may have little understanding of new technology and privacy and security issues
• Providers and Staff are reticent about asking questions or for assistance
• Adopting new software and workflow in the fast-moving healthcare culture is difficult
• Vendors may assume that providers and staff understand privacy and not adequately train
25
Strategies
• Executive Leadership Communicate Essential Value
• Privacy and Security Metrics are included in Employee Performance Plans/Evaluations
• Considered as part of physical environment, patient care, and all communications
• Staff are made to feel comfortable in asking questions and for help, resources are widely and freely available
• Training, is regular and updated and an essential part of the overall strategic plan
• Continuous Improvement and audits completed and results communicated to all
26
ONC’s Office of the Chief Privacy Officer Recent and Current Projects
• Personal Health Record Roundtable
• Mobile Device Roundtable
• Small practice Risk Assessment – original and revised
• HIE Privacy and Security Program Information Notice
• Security Training and Video Games
• Research project on security configurations of mobile devices
• Mobile device good practices videos and materials
• Website redesign: www.healthit.gov
• Data Segmentation Project
• Community College Curriculum Privacy and Security Review
27
Training Materials – Series of Security Video Games Due for Release Summer of 2012
DRAFT 28
29
Sharing Responsibility for Ensuring Patient Privacy
We all have a role to play in keeping health
information private and secure.
• Government establishes P/S policies that are affordable and workable
• Vendors should create easy-to-use P/S features and communicate importance
• Providers and staff should understand their role in protecting patient privacy
• Patients understand their rights and basic means of securing their PHI
We Are All In This Together
4/30/2012 Office of the National Coordinator for
Health Information Technology 30
Conclusion
Questions?
31
• Privacy and Security Section of HealthIT.gov: http://healthit.hhs.gov
• Are you a Covered Entity?:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html • OCR HIPAA Privacy Rule Training Materials:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html
• OCR Guidance on Significant Aspects of the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html
• OCR Settlement with Phoenix Cardiac Surgery: http://www.hhs.gov/news/press/2012pres/04/20120417a.html
• Fast Facts about the HIPAA Privacy Rule:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/cefastfacts.html
• The HHS Office of Civil Rights, HIPAA FAQs: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
• Guidance materials for Small Providers, Small Health Plans, and other Small Businesses: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/smallbusiness.html
• OCR’s Sample Business Associate Contract Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
32
HIPAA/HITECH Resources
32
• 42 CFR Pt. 2: http://www.samhsa.gov/healthPrivacy/
• Title X Confidentiality: 42 C.F.R. § 59.11: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=ce18bb9053f3b026e8983fd8ac27170c&rgn=div8&view=text&node=42:1.0.1.4.43.1.19.11&idno=42
• GINA deferring to HIPAA: 29 C.F.R. §§ 1635.9(c) and 1635.11(d): http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&node=29:4.1.4.1.21.0.26.9&idno=29 and http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&node=29:4.1.4.1.21.0.26.11&idno=29 – GINA: http://www.ornl.gov/sci/techresources/Human_Genome/publicat/GINAMay2008.pdf
• HIPAA deferring to FERPA; exceptions to “protected health information” under
(2)(i) and (2)(ii) in 45 C.F.R. § 160.103: http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=35aa826589279b8cff00d53c641a609f&rgn=div8&view=text&node=45:1.0.1.3.74.1.27.3&idno=45 – FERPA/HIPAA Guidance: http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-
guidance.pdf
4/30/2012 ONC 33
Other Federal Law Resources
33
• For state privacy laws, see the National Conference of State Legislators (NCSL): http://www.ncsl.org/?tabid=17173
• For state privacy law information: http://ihcrp.georgetown.edu/privacy/records.html
• National Governor’s Association (NAG) Report on state laws and HIE: http://www.nga.org/Files/pdf/1103HIECONSENTLAWSREPORT.PDF
• Health Information Security and Privacy Collaboration (HISPC) reports on state laws: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__hispc/1240
• The Financial Management of Cyber Risk: “An Implementation Framework for CFOs” American National Standards Institute, 2010 • Second Annual Benchmark Study on Patient Privacy and Data Security, 2011 Ponemon Institute • OCR’s Sample Business Associate Contract Provisions:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
4/30/2012 Office of the National Coordinator for
Health Information Technology 34
Other Resources
34
