MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)

1. MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series, Webinar 1: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)
• February 6, 2014
• In partnership with

2. About MPCA
• Michigan Primary Care Association (MPCA) has been the voice for Health Centers and other community-based providers in Michigan since 1980.
• It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care.
• MPCA's mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services to everyone in Michigan.
• www.MPCA.net, 517-381-8000

3. About OSIS
• Ohio Shared Information Services, Inc. (OSIS): we are a 501(c)(3) non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide IT and security related services to improve the quality of care delivered to the underserved population.
• Our security division has professionals on staff dedicated to providing information security services to transform healthcare.
• www.OSISSecurity.com, 513-677-5600 x1223

4. Presented by: Jay Trinckes, Vice President of Information Security, OSIS
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM)
• Author
• Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA Regional
• Upcoming: PMI National Conference, Chicago, IL, May 2014
• Experience: risk assessments, vulnerability/penetration tests, information security management, former law enforcement officer

5. Overview of MPCA Webinar Series
• Series of 5 webinars to assist members with HIPAA Compliance and Meaningful Use
• Webinar 1: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)
• Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)
• Webinar 3: Meaningful Use Requirements for FQHCs
• Webinar 4: Preliminary Assessment Tool for FQHCs
• Webinar 5: Review of Preliminary Assessment for FQHCs

6. Webinar 1: Topics
• HIPAA/HITECH Basics 101
• Privacy Rule
• Security Rule
• Enforcement Activities
• New Omnibus Rule Changes
• Questions/Answers

7. HIPAA/HITECH BASICS 101

8. Overview of HIPAA/HITECH
• The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as a response from Congress to:
  • Increase technology in healthcare
  • Protect against potential fraud or compromise of sensitive information
  • Different regulations within states contradicting federal regulations
  • Regional isolation: everyone doing their own thing

9. HHS Responsibilities
• The Department of Health and Human Services (HHS) was assigned responsibility and oversight over:
  • Implementation
  • Enforcement through the Office for Civil Rights (OCR)
• Published/finalized as a result of the Administrative Simplification Provisions:
  • The Privacy Rule
  • The Electronic Transactions and Code Sets Rule
  • The National Identifier Requirements
  • The Security Rules

10. HITECH Act
• Part of the American Recovery and Reinvestment Act (ARRA) of 2009
• The Health Information Technology for Economic and Clinical Health Act (the HITECH Act)
• Revised HIPAA and amended enforcement regulations
• Stiffer penalties
• Provided enforcement actions for State Attorneys General
• Increased breach notification rules

11. Covered Entities
• Health Plan
• Healthcare Clearing House
• Covered Healthcare Provider
  • Healthcare: care, services, or supplies related to the health of an individual
  • Information must be transmitted in an electronic form
  • Covered Transactions

12. Covered Transactions
• Healthcare claims or equivalent encounter information;
• Healthcare payment and remittance advice;
• Coordination of benefits;
• Healthcare claim status;
• Enrollment and dis-enrollment in a health plan;
• Eligibility for a health plan;
• Health plan premium payments;
• Referral certification and authorization;
• First report of injury;
• Health claims attachments; and
• Other transactions that the Secretary of HHS may prescribe by regulation.

13. Direct Identifiers
Direct identifiers of the individual or of relatives, employers, or household members of the individual are defined under 45 CFR 164.514(e)(2) and include the following eighteen (18) items:
  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images;
  18. Any other unique identifying number, characteristic, or code.
• Omnibus Rule includes Genetic Information as Protected Health Information

14. PRIVACY RULE

15. "I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know." Hippocratic Oath, Dr. Louis Lasagna (Wikipedia 2010)
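As an added example (not part of the MPCA/OSIS deck), the Safe Harbor identifier rules from the list above, the ZIP-prefix population test, year-only dates and the age-89 cap, applied to a constructed patient record in Python; the field names, the ZIP prefix populations and the sample records are assumptions made for this illustration.

```python
from datetime import date
import re

# Constructed population per 3-digit ZIP prefix. Real figures come from the
# Census Bureau data the slide refers to; these numbers are made up.
ZIP3_POPULATION = {"482": 1_000_000, "036": 15_000, "497": 30_000}

ZIP3_MIN_POPULATION = 20_000   # prefix areas at or below this become "000"
MAX_REPORTABLE_AGE = 89        # ages over 89 collapse to "90 or older"
AS_OF = date(2014, 2, 6)       # constructed reference date for ages

# Items 1 and 4-17 of the slide's list: removed outright (assumed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account", "license", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
# Item 3: dates directly related to the individual keep only the year.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

def deidentify_zip(zip_code, zip3_population):
    """Item 2: keep the first three digits only when the combined population
    of that prefix exceeds 20,000; otherwise emit '000'. An unknown prefix
    is treated conservatively as small."""
    digits = re.sub(r"\D", "", zip_code or "")
    zip3 = digits[:3]
    if len(zip3) == 3 and zip3_population.get(zip3, 0) > ZIP3_MIN_POPULATION:
        return zip3
    return "000"

def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years

def deidentify_record(record, zip3_population, as_of):
    """Return a copy of record with the 18 identifier classes handled."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                              # items 1, 4-17
        if field == "zip":
            out["zip3"] = deidentify_zip(value, zip3_population)  # item 2
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = str(value.year)  # item 3
        else:
            out[field] = value
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > MAX_REPORTABLE_AGE:
            # Item 3 also bars any date element (the year included) that
            # reveals an age over 89, so the birth year goes as well.
            out.pop("birth_year", None)
            out["age"] = "90 or older"
        else:
            out["age"] = str(age)
    return out

def suspect_fields(record):
    """Item 18 cannot be settled by field name alone: flag remaining string
    values that still look like an identifying number, e-mail or URL so a
    reviewer can decide before release."""
    pattern = re.compile(r"\d{7,}|@|https?://", re.IGNORECASE)
    return sorted(f for f, v in record.items()
                  if isinstance(v, str) and pattern.search(v))

# Constructed sample records.
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "ip": "192.0.2.10",
          "zip": "48226", "birth_date": date(1950, 3, 4),
          "admission_date": date(2013, 12, 1), "diagnosis": "hypertension",
          "note": "follow up; see case 00012345678"}
SAMPLE_ELDERLY = {"zip": "03601", "birth_date": date(1920, 1, 1),
                  "death_date": date(2013, 6, 30), "diagnosis": "pneumonia"}

if __name__ == "__main__":
    for rec in (SAMPLE, SAMPLE_ELDERLY):
        cleaned = deidentify_record(rec, ZIP3_POPULATION, AS_OF)
        print(cleaned, "review:", suspect_fields(cleaned))
```

Stripping the named fields is the mechanical part; the `suspect_fields` review pass is what catches free-text notes that still carry an identifier.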
16. Privacy Basics
• In the most basic terms, a health center (and business associate) may NOT use or disclose protected health information except as permitted or required by the HIPAA Privacy Rule.
• A health center and business associate should apply the least amount of privileges to their individual employees based upon the roles of those employees.
• These restrictions should be applied through policies and procedures that restrict access to protected health information on a need-to-know basis, or as required to perform job functions.

17. Minimum Necessary
• A health center and business associate must develop policies and procedures to reasonably limit, to the minimum necessary, its disclosures and requests for protected health information for payment and healthcare operations.
• There are several examples of how the minimum necessary standard can be applied, but an easier example is what not to do: it would be a violation of the minimum necessary standard if a hospital employee is allowed routine, unimpeded access to patients' medical records when that employee does not need this access to do his or her job.
• Minimum necessary requirements do NOT apply to: disclosures to or requests by a healthcare provider for treatment; uses or disclosures made to the individual; uses or disclosures made pursuant to an authorization; disclosures made to the Secretary; uses or disclosures that are required by law; and uses or disclosures that are required for compliance with the Privacy Rule.

18. Administrative Requirements
• Privacy Personnel Designations
• Privacy Training
• Administrative Safeguards
• Complaint Handling
• Workforce Member Sanctions
• Mitigation
• Retaliation
• Waiver of Rights
• Privacy Policies

19. SECURITY RULE

20. Security Rule Basics
• Security is always evolving; it is on-going
• Two primary purposes for the Security Rule:
  • Intended to protect certain electronic healthcare information
  • While allowing the proper access and use of the information
• Goal: to promote the expanded use of electronic health information in the healthcare industry

21. Important Requirements
• Administrative
  • Security Management Process: Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review
  • Security Awareness Training
  • Security Incident Procedures
  • Contingency Planning
• Physical
  • Workstation, Device, Remote Access
• Technical
  • Access Control, Integrity, Transmission

22. Administrative Safeguards
• Over of the HIPAA Security requirements are covered under the Administrative Safeguards
• Administrative Safeguards are:
  • Administrative actions
  • Policies/Procedures
• To manage security, must measure the:
  • Selection of mitigating controls
  • Development of controls accordingly
  • Implementation of controls
  • Maintenance of controls
• Will discuss more in webinar 2

23. Security Management
• Must implement policies and procedures to prevent, detect, contain, and correct security violations.
• Conduct a Risk Assessment:
  • Risk Analysis: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center.
  • Risk Management: implement security measures [that are] sufficient to reduce risks [to] vulnerabilities to a reasonable and appropriate level.

24. Evaluation
• One of the most important requirements of the HIPAA Security Rule is reflected in 45 CFR 164.308(a)(8), which states that a health center is required to: "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule [the HIPAA Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements [of the HIPAA Security Rule]."
• Also one of the meaningful use core objectives
• Will discuss more in webinar 3

25. Physical Safeguards
• First Layer of Defense: the Physical Layer
  • Controls over physical access
  • Procedures and maintenance of documents/hardware
• Two areas:
  • Facility Access Control
  • Device/Media Controls
• Physical security requires a total commitment to a CULTURE of security and an adherence to the principles of physical security:
  • Proper Identification
  • Proper Authorization
  • Need to Know; Minimum Use
• 60% of all theft is committed by internal staff
• Will discuss more in webinar 2

26. Technical Safeguards
• The objective of these safeguards is to mitigate the risk of electronic protected health information being used or disclosed in an unauthorized manner.
• CIA Triad: Confidentiality, Integrity, Availability
• Will discuss more in webinar 2

27. Required vs. Addressable
• Addressable is NOT the same as optional!
• Addressable means the entity must:
  • Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity's environment
  • Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one
  • Document the assessments and all decisions

28. Privacy Rule vs. Security Rule
• Privacy Rule: implement appropriate and reasonable safeguards to secure Protected Health Information (PHI): Administrative, Physical, Technical
• Security Rule: intended to protect certain Electronic Protected Health Information (EPHI); secure the confidentiality, integrity, and availability while allowing authorized use and disclosure; Administrative, Physical, Technical; more detailed and comprehensive

29. OMNIBUS RULE

30. Omnibus Rule
• Effective: March 26, 2013; 180 days to comply; deadline September 23, 2013
• Modifies Privacy, Security, Enforcement Rule, and Breach Notification Rules
• Business Associates (and subcontractors of a BA) are now directly liable for compliance; minimum necessary applies
• Limit use/disclosure for marketing/fundraising; prohibit sale of PHI
• Individuals have the right to electronic copies of health information
• Right to restrict disclosure for out-of-pocket payments
• Modify authorization for proof of immunization to schools
• Enable access to decedent information (after 50 years)

31. Business Associates
• Omnibus Rule: directly liable
• Implement administrative, physical, and technical safeguards to protect the CIA of EPHI
• A BA is any organization that creates, receives, maintains, or transmits PHI on the health center's behalf
• Any agent or subcontractor of a BA is also considered a BA
• Agent must enter into a BAA with the subcontractor to comply with HIPAA Security Rules and applicable Privacy Rules
• Will discuss more in webinar 2

32. Examples of Business Associates
• Companies that provide certain types of functions, activities, and services to covered entities: Claims Processing; Data Analysis; Utilization Review; Billing; Legal Services; Accounting/financial services; Consulting; Administrative; Accreditation; or Other related services
• Omnibus Rule added:
  • Patient Safety Organizations
  • Health Information Organizations, E-Prescribing Gateways, and other data transmission services that require routine access
  • Persons that offer personal health records to one or more individuals on behalf of the health center
• Will discuss more in webinar 2

33. Omnibus Rule (cont.)
• Enforcement Rule: increased tiers for Civil Monetary Penalties (CMP); willful neglect
• Breach Notification: removes the harm threshold; every security incident is presumed a breach unless a risk analysis demonstrates a low probability of compromise
• Privacy Rules: include protection of genetic information
• De-Identification: guidance

34. ENFORCEMENT ACTIVITIES

35. HITECH: Enforcement
Violation Category, Section 1176(a)(1) | Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect, Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect, Not Corrected | $50,000 | $1,500,000
• Note: State Attorneys General can also bring enforcement actions.
• OCR has collected over $50 million from enforcement
• It is more cost effective to become HIPAA compliant than to risk enforcement

36. Civil Monetary Penalties (CMP)
• Cignet Health of Prince George's County, MD: $4.3 million (denied patients' rights to medical records; refused to cooperate with OCR)
• BlueCross and BlueShield of Tennessee: $1.5 million (first HITECH breach notification; spent nearly $17 million for efforts related to the loss of 57 hard drives with 1 million customer records; inadequate admin safeguards and facility access controls)
• Massachusetts General Physicians Organization, Inc.: settled for $1 million (loss of 192 patient records, some involving HIV/AIDS)
• Health Net: settled for $250,000 with the state AG for losing an unencrypted hard drive holding 1.5 million participants' records
• Accretive Health, Inc.: being sued by the Minnesota AG for losing an unencrypted laptop with data on 23,500 individuals
• TRICARE: class action lawsuit of $4.9 billion ($1,000/record) for losing 4.9 million records of military personnel on an unencrypted tape drive being handled by third party SAIC
• Medical records firm Impairment Resources, LLC filed for bankruptcy after a burglary involving the loss of 14,000 (worked for over 600 clients/insurers on reviewing medical records for workers' comp/auto)

37. Enforcement (cont.)
• US Code Title 42 Chapter 7 § 1320d-6: Wrongful disclosure of individually identifiable health information
• Offense: a person who knowingly and in violation of this part:
  • Uses or causes to be used a unique health identifier;
  • Obtains individually identifiable health information relating to an individual; or
  • Discloses individually identifiable health information to another person
• A person described shall (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

38. OCR Audit
• Transition from relaxed pilot to full-on enforcement
• Organizations will need to be prepared for a 169-item performance audit, concentrating on: HIPAA Privacy Rule; HIPAA Security Rule; Breach Notification Rule
• Business associates will also be subject to these audits
• Providers are being recommended to have an annual third-party independent report conducted on them for HIPAA compliance.

39. Potential Violations
• Some examples of potential violations are, but are not limited to, the following:
  • Inappropriate use or disclosure of protected health information;
  • Any fraudulent activity involving protected health information;
  • Unauthorized access of protected health information; or
  • Improper handling of protected health information.

40. SECURITY INCIDENT/BREACH NOTIFICATION

41. Security Incident
• Security incidents are those situations where it is believed that protected health information has been used or disclosed in an unauthorized fashion:
  • Actual unauthorized access, use, or disclosure
  • Interference with system operations (Denial of Service)
• According to a report by Solutionary, a security service provider, companies pay $6,500 an hour during a DDoS attack and up to $3,000 a day to mitigate/recover from malware infections.

42. Breach Notification Rule
• Breach is defined as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [45 CFR Subpart E, Privacy of Individually Identifiable Health Information] of this part which compromises the security or privacy of the protected health information [or poses a significant risk of financial, reputational, or other harm to the individual]."
• Ponemon Survey (2012): overall cost $188 per record; healthcare $233 per record; pharmaceutical $207 per record
• Full cost of a data breach averages $5.4 million (includes detection, notification, post-response and loss of business)

43. Breach Risk Assessment (LoProCo)
• Breach definition modified by the Omnibus Rule:
  • Eliminated the harm threshold
  • Adopted a 4-factor test:
    1. Nature and extent of the information involved
    2. Unauthorized person who used the information or to whom the disclosure was made
    3. Whether the information was actually acquired or viewed; and
    4. Extent to which the risk to the information has been mitigated
• Presumption of breach unless the entity can demonstrate a low probability of compromise (LoProCo)

44. Factor 1: Nature/Extent
• Nature and extent of the PHI involved, including the type of identifiers and the likelihood of re-identification
• Information sensitivity?
  • Financial: social security numbers; credit cards (fraud potential?)
  • Clinical: chart notes, diagnosis/treatment details
  • Direct Identifiers
• Consider context: Open Source Intelligence (OSINT)

45. Direct Identifiers
• Repeats the eighteen (18) direct identifiers listed on slide 13 (45 CFR 164.514(e)(2)), including the note that the Omnibus Rule includes Genetic Information as Protected Health Information

46. Factor 2: Unauthorized Person
• The unauthorized person who used the PHI or to whom the disclosure was made
• Was the person obligated to adhere to HIPAA regulations?
• Can the information be linked to other information to likely make a re-identification?

47. Factor 3: Acquired/Viewed
• Was the PHI actually acquired or viewed?
• HHS provided two examples:
  • Low probability of compromise: stolen laptop recovered; forensic analysis determined no one accessed the hard drive; indicated no breach
  • High probability of compromise: unauthorized recipient received PHI in error; viewed the PHI; reported it to the center

48. Factor 4: Mitigate Risk
• The extent to which the risk to the PHI has been mitigated.
• Make efforts to mitigate risks:
  • Confidentiality agreements
  • Assurances for destruction of PHI
• Reliability of the mitigation agreement: consider whether the recipient is in the health network or outside of the network

49. Breach Notification
• Notify relevant parties involved without unreasonable delay, or within 60 days from the date of discovery
• Describe in plain language
• May delegate to a business associate, but consider who is best situated to contact individuals

50. Individual Notification
• Brief description, including date of breach
• Types of information
• Steps to take to protect against potential harm
• Mitigating steps taken by the entity
• Contact information for individuals to learn more

51. Media/HHS Notification
• Fewer than 500: make a log and report within 60 days after the calendar year on the HHS website
• Over 500 individuals: immediately report the breach to the HHS Secretary
• Over 500 residents: notify a prominent media outlet serving the State or jurisdiction

52. Notification Exceptions
• Unintentional access by a workforce member; good faith and scope of employment
• Inadvertent disclosure between two members of the health center's workforce
• Disclosure to an unauthorized person deemed unable to have retained the information
• Remember: impermissible use or disclosure of unsecured PHI is presumed a breach
• Presumption may be overcome by the 4-factor test (LoProCo)
• Health center could always opt to report in the absence of a formal breach risk assessment

53. Safe Harbor
• If data is properly encrypted, it is considered secure and falls under safe harbor
• Must follow HHS's specification on encryption standards
• Not all encryption is the same.

54. Privacy Changes

55. Notice of Privacy Practices
• NPP should contain: uses/disclosures of PHI; PHI-related legal duties; individual rights
• Change: include required authorization for the following PHI uses:
  • Uses/disclosures of psychotherapy notes
  • Uses/disclosures of PHI for marketing purposes
  • Disclosures that constitute sale of PHI
• Individual's authorization is required for any use/disclosures not discussed in the NPP

56. Fundraising and Opt-Out Clause
• NPP must contain an opt-out clause
• If so, the health center may contact the individual to raise funds and disclose: demographic information; dates of health care; department of service information; treating physician; outcome information; health insurance status

57. Individual Notification in Event of Improper PHI Disclosure
• NPP must include:
  • Individual's right to receive notification in the event of a privacy breach
  • Health center's requirement to communicate breach news to the individual

58. NPP Modification Implementation
• NPP should be available upon request by the individual
• NPP should be available at the site and posted in a clear/prominent location
• Provide the revised NPP to new patients; make copies for individuals upon request
• Post on website (45 CFR 164.520(c)(3)(i))

59. Out-of-Pocket Restrictions
• Individuals may restrict PHI disclosure for items/services paid out-of-pocket
• NPP must contain this new right
• New record keeping system not required
• Must develop a method to red flag or make a notation in the record to prevent disclosure
• If law requires disclosure, must disclose
• Medicare/Medicaid: if required by law without exception, submit the claim; if a Medicare beneficiary pays out of pocket, must restrict
• Other considerations

60. Electronic PHI
• Individuals have the right to electronic copies of their PHI upon request
  • Provide in the form/format requested if possible; or, provide in an agreeable form
  • Machine-readable copies when possible
• Requests for PHI to a 3rd party must be: written; signed; clearly designate the recipient; include the destination location
• Provide access within 30 days (can be granted another 30-day extension)

61. MEANINGFUL USE OVERVIEW

62. Meaningful Use
• Center for Medicare and Medicaid provides incentives (i.e. $) for the use of Electronic Health Record (EHR) technologies
• As of July 2013, an estimated $9.5 billion has been paid out to over 250,000 physicians and hospitals.
• Stage 1: 15 core objectives to meet
  • Core 15 determines if a security risk analysis was conducted or reviewed as required under 45 CFR 164.308(a)(1)
  • In addition, security updates must be implemented
• Stage 2:
  • Ensure adequate privacy and security protection for personal health information (same as Core 15 above); ALSO addresses the encryption/security of data stored within the EHR software
  • Use secure electronic messaging to communicate with patients on relevant health information

63. IMPEDIMENTS, RECOMMENDATIONS, SUMMARY

64. Impediments to Compliance
• Awareness
• Technology moving faster than policies/procedures/regulations
• No one taking responsibility for compliance
• Systemic issues: management doesn't believe it is important
• Lack of resources

65. Recommendations
• Make Information Security a priority in the organization: every company needs a CISO
• Understand the weakest link: PEOPLE
• Security is an ongoing process
• Resources

66. Summary
• Assume an audit will happen
• Prepare for the audit
• Take ownership
• Conduct a risk assessment
• Update policies/procedures
• Revise BAAs
• Modify the Notice of Privacy Practices
• Train and educate
• Evaluate
• Document, document, document

67. Service Offerings
• HIPAA Compliance Program
• HIPAA/HITECH Information Systems Security Risk Assessment: Administrative Safeguards; Physical Safeguards; Technical Safeguards; Internal/External Vulnerability/Penetration Test; Organizational Requirements; Policies, Procedures, & Documentation Requirements
• Policies/Procedures
• Security Awareness Training
• Mitigation Management
• Vendor Due Diligence
• Security Incident Response Handling
• Business Continuity/Disaster Recovery Planning
• Subject Matter Expertise

68. Questions
• [email protected]
• 513-707-1623 (direct)

69. MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series, Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)
• Thursday, February 20, 2014, 2pm to 3pm EST
• In partnership with