The Startup Path to HIPAA Compliance
MATTER Workshop
Jim Anfield
June 8, 2016



Page 2

About Me

Career background: Fortune 500, Dot Com, Healthcare, Healthcare Consulting

• Finance, Strategy, M&A
• Bus Dev, Prod Dev, IT, Startups
• Technology, Prod Dev, Finance, Bus Dev

Page 3

Today As Advertised

Every healthcare startup needs to comply with HIPAA and data security regulations, especially when selling to health systems. The provider chief compliance officer and the chief information security officer must agree that a solution is HIPAA compliant and does not pose a security risk. Jim Anfield will prepare entrepreneurs to partner with health systems who care about compliance and security above all. He will offer insights on HIPAA compliance for startups and walk through common pitfalls when communicating how solutions incorporate compliance and security requirements.

Page 4

Thinking about Providers

What is the typical mindset of hospitals and providers regarding HIPAA?

Page 5

The Federal Government has levied several large-scale HIPAA fines…

Covered Entity | Media Fine Amount | Violation
Alaskan Department of Health and Social Services | $1.7 million | Portable unsecured electronic storage device (USB hard drive) possibly containing PHI was stolen from the vehicle of a DHHS employee
Puerto Rican insurer Triple S Salud | $6.8 million | Mailed a pamphlet displaying the Medicare Health Insurance Claim Number of approximately 70,000 of its Medicare Advantage beneficiaries
WellPoint (aka Anthem), Blue Cross Blue Shield plans in 14 states | $1.5 million | Cyber attack data breach affecting 80 million customers, resulting in account information stolen
Stanford University's Lucile Packard Children's Hospital | $4.0 million | Stolen unencrypted laptop containing medical information on 13,000 pediatric patients

Page 6

HIPAA impacts not only large entities but also much smaller organizations…

Covered Entity | Media Fine Amount | Violation
Skagit County, State of Washington | $215,000 | Electronic receipts for 1,600 patients containing their protected health information had been improperly placed online and accessed
Massachusetts medical billing practice and four pathology groups | $140,000 | Sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump
Phoenix Cardiac Surgeons, LLC | $100,000 | Group’s clinical and surgical appointments were available to the public on an Internet-based calendar
Cornell Prescription Pharmacy | $125,000 | Disposal of unshredded documents containing the protected health information of 1,610 patients in an open dumpster

Page 7

Several major brands have suffered bad publicity and damage…

Anthem BlueCross BlueShield – data breach affecting 80 million members

Advocate HC – stolen unencrypted laptops affecting 4 million patients

Walgreens – employee breach of customer data for personal gain

Premera BlueCross BlueShield – data breach affecting 11 million members

Sony Pictures – data breach impacting health records of 30,000 employees

BCBS TN – 57 hard drives stolen impacting 1 million members

Page 8

Not only does HIPAA impact entities, it reaches down to the employee level: loss of job, personal fines, and prison time.

UCLA Medical Center – 4 months in prison for illegally viewing PHI

NE Arkansas nurse fired, sentenced to probation for illegally viewing PHI

Dentist paid $12,000 for dumping files on an unsecured basis

University of Iowa Hospital – 4 employees fired for illegally viewing PHI

East TX Hospital employee sentenced to 18 months for illegally viewing PHI

Lake Health (OH) fired several employees for illegally viewing PHI

Page 9

Your strategy for HIPAA as it pertains to selling to providers…

The best defense is a good offense.

Page 10

Proactively address HIPAA and be ready to go

Market requirements will require you to become HIPAA compliant
• If you are working with providers and their patient data, it will be mandatory that you are compliant with HIPAA.
• You will avoid lengthy hospital provider conversations, especially with the hospital compliance office.
• You will be able to take this risk off of the table in your business development meetings.
• You will have to sign a Business Associates Agreement (BAA) and agree to Master Services Agreement (MSA) language with warranties, representations, and indemnification regarding all aspects of HIPAA.

Be prepared to talk to the following people, as they will vet your solution for HIPAA
• Chief Medical Officer
• Chief Information Officer
• Chief Medical Information Officer
• Chief Information Security Officer
• Chief Compliance Officer

Page 11

High Level HIPAA Roadmap

Become compliant with HIPAA
• Develop an enterprise fluent understanding of HIPAA
• Embed HIPAA into your culture and operations
• Develop game plan to implement HIPAA requirements
• Completely document your HIPAA efforts
• At this stage, you are compliant with HIPAA

Ultimately, you will need to achieve HIPAA Compliance
• Conduct a HIPAA self assessment
• When ready, contract out and conduct a HIPAA audit
• The HIPAA audit and successful audit remediation will achieve HIPAA Compliance
• If successful, the satisfactory audit report will be your certification

Page 12

How do you become HIPAA Compliant?

Here’s the blueprint.

Page 13

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States Congress and signed by President Bill Clinton on August 21, 1996. It has been known as the Kassebaum-Kennedy Act after two of its leading sponsors. 

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title I also regulates the availability and breadth of group health plans and certain individual health insurance policies.

Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health care system. 

However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.

These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.

Per the requirements of Title II, the HHS has promulgated rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, the Breach Notification Rule, and the Enforcement Rule.

Source: Wikipedia.

Page 14

Four major rules to understand on the path to HIPAA Compliance…

Overview and key points

• HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other PHI. Requires appropriate safeguards to protect PHI privacy and sets conditions/limits/disclosures with patient authorization. Defines patients’ rights regarding access to their records.

• HIPAA Breach Notification Rule requires most healthcare providers to notify patients when there is a breach of unsecured PHI. Requires the entities to promptly notify HHS if there is any breach of unsecured PHI and notify the media/public if the breach affects more than 500 patients.

• HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings. Penalties can include fines and/or prison time.

• HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure confidentiality, integrity, and security of protected health information (PHI).

Page 15

The HIPAA Privacy Rule provides the definitions of compliance…

Privacy Rule – Rule Summary
• The Privacy Rule addresses the use and disclosure of individuals’ Protected Health Information (PHI) by organizations subject to the Privacy Rule (Covered Entities), as well as standards for individuals’ privacy rights to understand and control how their PHI is used.
• A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.
• The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services has the responsibility for promoting and enforcing the Privacy Rule.

Who are the Covered Entities subject to the Privacy Rule?

Health Plans – Health Plan Covered Entities include individual and group health insurance plans that provide or pay the cost of medical care, including health, dental, vision, and prescription drug insurers, health maintenance organizations, Medicare, Medicaid, Medicare supplemental insurers, and long-term-care insurers.

Health Care Providers – All health care providers who provide medical or health services, regardless of size, who electronically transmit health information in connection with certain transactions. Transactions include claims, benefit eligibility, referral authorization, and other HIPAA transactions.

Health Care Clearinghouses – Entities that process non-standard information they receive from another entity. Clearinghouses receive PHI only when they are providing services to a Health Plan or Health Care Provider. Clearinghouses include billing services, community health management information systems, and repricing companies.

Page 16

Know the Privacy Rule Definitions

Protected Health Information (PHI): All individually identifiable health information held or transmitted by a Covered Entity or its Business Associate in any form or media, including electronic or paper. PHI includes any information that relates to the individual’s past, present, or future physical or mental health or condition, or to the provision of, or past, present, or future payment for, health care to the individual, where the information identifies the individual or there is a reasonable basis to believe it could identify the individual.

Business Associate: Person or organization that performs certain functions or activities on behalf of or for a Covered Entity that involve the use or disclosure of PHI; these can include claims processing, data analysis, utilization review, legal, actuarial, consulting, accounting, data aggregation, management, administrative, accreditation, or financial services.

Business Associate Agreement (BAA): Agreement that must be put in place when a Covered Entity engages a Business Associate to perform functions that require access or exposure to PHI.

De-Identified Health Information: De-Identified Health Information neither identifies nor provides a reasonable basis to identify the individual. There are two ways to de-identify PHI: 1) a formal determination by an expert; or 2) the removal of specified identifiers of the individual.

Authorization: A Covered Entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for payment, treatment, or operations. The Covered Entity may not condition payment, treatment, or operations on an individual granting authorization. Communication for treatment of the individual, or care coordination for the individual to recommend treatment, is not subject to Authorization.

Minimum Necessary: A Covered Entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request. The Covered Entity must develop and implement a Minimum Use Policy and Procedure.

Page 17

Understand Privacy Rule – Permitted Uses and Disclosures of PHI

Basic Principle: A major use of the Privacy Rule is to define and limit the circumstances in which an individual’s PHI may be used or disclosed by Covered Entities.

Required Disclosures: A Covered Entity must disclose PHI in two situations: 1) upon request by the individual; 2) to HHS when undertaking a compliance investigation.

Permitted Uses and Disclosures: A Covered Entity is permitted but not required to use and disclose PHI without an individual’s authorization for the following reasons:
• Individual
• Payment, Treatment, Operations
• Permitted by Individual
• Incidental Use and Disclosure
• Public Interest and Benefit *
• De-Identified
• Limited Data Set

* Public Interest and Benefit includes: required by law, public health, abuse or domestic violence cases, law enforcement, research, worker’s comp, serious threat to health/safety, etc.

Page 18

The Privacy Notice is a key component of the Privacy Rule.

Each Covered Entity must provide a copy of its Notice of Privacy Practices and it must contain the following elements:

• Describe the ways in which the Covered Entity may use and disclose PHI.

• State the Covered Entity’s duties to protect privacy

• Provide a notice of privacy practices and abide by the current notice

• Describe the individual’s rights including the right to complain to HHS and the Covered Entity if they believe their privacy rights have been violated.

• Include a point of contact for further information and for making complaints

In addition to the Privacy Notice, individuals have the following rights with regard to PHI held by a Covered Entity:

• Access – To review and obtain a copy of their PHI in the Covered Entity’s dataset

• Ability to Amend PHI – To have Covered Entities amend their PHI when they feel the information is inaccurate or incorrect

• Disclosure Accounting – Access to an accounting of the disclosures of their PHI by a Covered Entity for a maximum of six years.

• Restriction Request – To request that a Covered Entity restrict use or disclosure of PHI for payment, treatment, and operations. However, Covered Entity is under no obligation to agree to requests for restrictions.

Page 19

HIPAA Privacy Rule – implementation

Action | Description | Implementation
Privacy Policies and Procedures | Covered Entity must develop and implement written privacy policies and procedures. | Develop Policies and Procedures manual
Privacy Personnel | Covered Entity must designate a privacy official responsible for developing and implementing privacy policies and procedures, and also provide a contact person for receiving complaints and inquiries. | Assign this duty to a company leader; Policies and Procedures
Workforce Training and Management | Covered Entity must train all employees on its policies and procedures, which include sanctions for policy violations. | Training program; sourced Computer Based Training
Mitigation | Covered Entity must mitigate any harmful effect that was caused by use or disclosure of PHI in violation of its Policies and Procedures or the Privacy Rule. | Business/IT functional response as needed
Data Safeguards | Covered Entity must maintain administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of its Policies and Procedures or the Privacy Rule. | See Security Rule for implementation.
Complaints | Covered Entity must have procedures for individuals to complain about its compliance with its policies and procedures and the Privacy Rule. | Policies and Procedures; implement on the web

Page 20

HIPAA Privacy – implementation continued

Action | Description | Implementation
Documentation and Record Retention | Covered Entity must maintain for at least six years its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions that the Privacy Rule requires to be documented. | Policies and Procedures; store historical information on Cloud
Privacy Policy | Covered Entity must establish and publish its Privacy Policy with the elements listed per the Privacy Rule. Typically, the Privacy Policy is linked from the company website. | Policy and Procedure; post Privacy Policy on the web
Retaliation and Waiver | Covered Entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting with an investigation by HHS, or for opposing an action that the person believes in good faith violates the Privacy Rule. | Policy and Procedure

Page 21

HIPAA defines the way PHI breaches are handled.

Breach Notification Rule

Definition of PHI Breach: Unauthorized use or disclosure of unsecured protected health information, unless the HIPAA Covered Entity can demonstrate that there is a low probability that the PHI has been compromised.

To show low probability, a risk assessment should be completed:
1. What kind of PHI was involved – identifiers and likelihood of re-identification?
2. Who was the person who had the unsecured PHI?
3. What was the PHI that was actually viewed?
4. What is the actual risk to the PHI?

Three exceptions to the definition of Breach:
1. Unintentional access to the PHI in the workplace or while acting under the authority of the Covered Entity
2. Accidental disclosure of PHI by someone who is authorized to access the PHI
3. Covered Entity has a good faith belief that the person who accessed the PHI was unauthorized and was not able to retain the PHI

Page 22

There are specific steps to notify those affected by a breach.

• Breach Notification should be sent to the affected individuals by first class mail, or by email if the individual has selected this method.
• Must be sent out within 60 days of discovery of the breach.
• Notification should include:
  - Description of breach
  - Type of information breached
  - Steps individuals need to take to protect themselves
  - Steps the Covered Entity is taking to investigate and prevent further breaches
• If the individual contact information is out of date for more than 10 individuals, then the Covered Entity is required to post a notice on its website for 90 days or send a media notice. A toll-free number needs to be posted.

More than 500 individuals
• Media notice is required in addition to individual notification.
• Media notice takes the form of a press release within 60 days to the media outlets that serve the areas that are affected.
• Notification of the breach also needs to be sent to the office of the U.S. Secretary of Health and Human Services (HHS).
• An investigation by the Office for Civil Rights under HHS may be initiated to determine cause as well as potential penalties under the Enforcement Rule.

Page 23

HIPAA defines the penalties for breaches.

Enforcement Rule

Violation Category | Penalty for Each Violation | Maximum for All Violations of an Identical Provision in a Calendar Year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000

• HHS is mandated to conduct HIPAA investigations if a preliminary review indicates a potential violation is due to willful neglect. Otherwise, investigations are discretionary.

• HHS will not impose the maximum penalty in all cases but will determine the fine amount on a case by case basis depending upon the nature and extent of the violation, the nature and extent of resulting harm, the history of non-compliance of the entity, and the financial condition of the entity.

• Previous history of non-compliance is a major factor, as HHS will use the history as either a mitigating or punitive factor.

• The Enforcement Rule prohibits the imposition of a civil monetary penalty for any violation other than willful neglect if the violation is corrected within 30 days of the entity’s realization of the violation.

Page 24

The Security Rule defines requirements to protect PHI.

Security Rule

Technical Safeguards
1. Access Control
2. Audit Controls
3. Integrity
4. Authentication
5. Transmission Security

Physical Safeguards
1. Facility Access Control
2. Workstation Use
3. Workstation Security
4. Device and Media Controls

Administrative Safeguards
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluation of Business/Law Changes
9. BAA Contracts and Other Agreements

Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies and are designed to be “technology neutral.”

Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI.

Administrative Safeguards are a collection of policies and procedures that govern the conduct of the workforce and the security measures put in place to protect PHI.

Page 25

HIPAA Security Rule - implementation

Safeguard | Standard | Action

Technical Safeguards | Access Control | Unique User Identification
  Description: Assign a unique name and/or number for identifying and tracking user identity.
  Implementation: User authentication

Technical Safeguards | Access Control | Emergency Access Procedure
  Description: Establish procedure for obtaining necessary PHI during an emergency.
  Implementation: Policy and Procedure; business process set up to fulfill requests

Technical Safeguards | Access Control | Automatic Logoff
  Description: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  Implementation: Build timeout into technology

Technical Safeguards | Access Control | Encryption and Decryption
  Description: Implement technology to encrypt and decrypt data both at rest and in transmission.
  Implementation: Database encryption

Technical Safeguards | Audit Controls | Audit Controls
  Description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI.
  Implementation: Build logging and audit capability

Technical Safeguards | Integrity | Mechanism to Authenticate PHI
  Description: Implement electronic mechanisms to corroborate that PHI has not been altered or destroyed in an unauthorized manner.
  Implementation: Build tracking, logging, and audit into technology

Technical Safeguards | Authentication | Authentication
  Description: Implement procedures to verify that a person or entity seeking access to PHI is the one claimed.
  Implementation: Build user authentication in technology

Page 26

HIPAA Security Rule - implementation

Safeguard | Standard | Action

Technical Safeguards | Transmission Security | Integrity Controls
  Description: Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until disposed of.
  Implementation: Build audit, logging, and tracking in technology

Technical Safeguards | Transmission Security | Encryption
  Description: Implement a mechanism to encrypt PHI whenever deemed appropriate.
  Implementation: Encrypt data wherever needed

Physical Safeguards | Facility Access Controls | Contingency Operations
  Description: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the Disaster Recovery Plan and emergency mode operations in the event of an emergency.
  Implementation: Develop and test DR/BC plan

Physical Safeguards | Facility Access Controls | Facility Security Plan
  Description: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  Implementation: Alarm systems; keys policy

Physical Safeguards | Facility Access Controls | Access Control and Validation Procedures
  Description: Implement procedures to control and validate a person’s access to facilities based upon their role or function, including visitor control, and control of access to software programs for testing and revision.
  Implementation: Policy and Procedure; role based access; business process to support

Physical Safeguards | Facility Access Controls | Maintenance Records
  Description: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g., hardware, walls, doors, and locks).
  Implementation: Policy and Procedure; alarm system; keys policy

Page 27

HIPAA Security Rule - implementation

Safeguard | Standard | Action

Physical Safeguards | Workstation Use | Workstation Use
  Description: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access PHI.
  Implementation: Policies and Procedures

Physical Safeguards | Workstation Security | Workstation Security
  Description: Implement physical safeguards for all workstations that access PHI, to restrict access to authorized users.
  Implementation: Laptop encryption; no laptop PHI; Policy and Procedure

Physical Safeguards | Device and Media Controls | Disposal
  Description: Implement policies and procedures to address the final disposition of PHI and/or the hardware or electronic media on which it is stored.
  Implementation: Policy and Procedure; build PHI destruction into the database

Physical Safeguards | Device and Media Controls | Media Re-Use
  Description: Implement procedures for removal of PHI from electronic media before the media are made available for re-use.
  Implementation: Flash drive/CD destruction; Policy and Procedure

Physical Safeguards | Device and Media Controls | Accountability
  Description: Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
  Implementation: Develop record database, maintain database, and store on the network

Administrative Safeguards | Security Management Process | Risk Analysis
  Description: Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.
  Implementation: Perform Risk Analysis using Risk Analysis Tool

Page 28

HIPAA Security Rule - implementation

Safeguard | Standard | Action

Administrative Safeguards | Security Management Process | Risk Management
  Description: Implement sufficient measures to reduce these risks to an appropriate level.
  Implementation: Policies and Procedures

Administrative Safeguards | Security Management Process | Sanction Policy
  Description: Implement sanction policies for employees who fail to comply.
  Implementation: Policy and Procedure

Administrative Safeguards | Security Management Process | Information Systems Activity Review
  Description: Regularly review system activity, logs, audit trails, etc.
  Implementation: Business process to review logs

Administrative Safeguards | Assigned Security Responsibility | Officer
  Description: Designate HIPAA Security and Privacy Officers.
  Implementation: Assign this role to a company leader

Administrative Safeguards | Workforce Security | Employee Oversight
  Description: Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
  Implementation: Policy and Procedure; business process to support

Administrative Safeguards | Information Access Management | Multiple Organizations
  Description: Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
  Implementation: Put BAA in place for appropriate organizations

Page 29

HIPAA Security Rule - implementation

Safeguard | Standard | Action

Administrative Safeguards | Security Awareness and Training | Security Reminders
  Description: Periodically send updates and reminders about security and privacy policies to employees.
  Implementation: Annual employee training; develop ongoing HIPAA program for employees

Administrative Safeguards | Security Awareness and Training | Protection Against Malware
  Description: Have procedures for guarding against, detecting, and reporting malicious software.
  Implementation: Implementation of firewalls, anti-virus, and other security protections

Administrative Safeguards | Security Awareness and Training | Password Management
  Description: Ensure that there are procedures for creating, changing, and protecting passwords.
  Implementation: Create and implement password change policy

Administrative Safeguards | Security Awareness and Training | Login Monitoring
  Description: Institute monitoring of logins to systems and reporting of discrepancies.
  Implementation: Build logging and monitoring into technology

Administrative Safeguards | Security Incident Procedures | Response and Reporting
  Description: Identify, document, and respond to security incidents.
  Implementation: Policy and Procedure; security business process

Administrative Safeguards | Contingency Plan | Contingency Plan
  Description: Ensure that there are accessible backups of PHI and that there are procedures for restoration of any lost data.
  Implementation: Create frequent backups for the database

Administrative Safeguards | Contingency Plan | Contingency Plans Updates and Analysis
  Description: Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
  Implementation: Test DR/BC plans
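Two of the administrative rows, Information Systems Activity Review on Page 28 ("regularly review system activity, logs, audit trails") and Login Monitoring above ("monitoring of logins to systems and reporting of discrepancies"), describe a review process without saying what a reviewer should look for. The following Python script is an added example, not code from the workshop or the presenter, of a first-pass review over application audit logs. It flags the discrepancies the deck's own case studies point at: bursts of failed logins against one account, PHI read outside business hours, and one user reading many patients' records in a short span (the "illegally viewing PHI" pattern on Page 8). The log line format, the thresholds, the business-hours window and all user and patient names are assumptions constructed for the demo.

```python
# Added example (not the deck's or presenter's code): a small Information Systems
# Activity Review / Login Monitoring pass over constructed audit-log lines.
# Log format, thresholds and names are assumptions chosen for the demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) outcome=(?P<outcome>\S+)"
    r"(?: patient=(?P<patient>\S+))?$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed review thresholds (policy choices, not values HIPAA specifies).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 counts as in-hours
RECORD_VOLUME_THRESHOLD = 5
RECORD_VOLUME_WINDOW = timedelta(minutes=15)

# Constructed sample log: one ordinary clinician, a password-guessing pattern
# against a billing account, and an after-hours record-browsing pattern.
SAMPLE_LOG = """\
2016-06-08T09:12:44Z user=dr.smith event=login outcome=ok
2016-06-08T09:13:02Z user=dr.smith event=read outcome=ok patient=pt-001
2016-06-08T09:20:10Z user=j.doe event=login outcome=fail
2016-06-08T09:20:25Z user=j.doe event=login outcome=fail
2016-06-08T09:20:41Z user=j.doe event=login outcome=fail
2016-06-08T09:20:58Z user=j.doe event=login outcome=fail
2016-06-08T09:21:15Z user=j.doe event=login outcome=fail
2016-06-08T09:21:40Z user=j.doe event=login outcome=ok
2016-06-08T23:05:00Z user=m.lee event=login outcome=ok
2016-06-08T23:05:30Z user=m.lee event=read outcome=ok patient=pt-017
2016-06-08T23:05:45Z user=m.lee event=read outcome=ok patient=pt-018
2016-06-08T23:06:02Z user=m.lee event=read outcome=ok patient=pt-019
2016-06-08T23:06:20Z user=m.lee event=read outcome=ok patient=pt-020
2016-06-08T23:06:41Z user=m.lee event=read outcome=ok patient=pt-021
this line is malformed and must not crash the review
"""

def parse_log(text):
    """Return (events, rejected_count); malformed lines are counted, never fatal."""
    events, rejected = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            rejected += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FORMAT)
        events.append(e)
    return events, rejected

def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    stamps = sorted(stamps)
    best, start = 0, 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def max_distinct_in_window(pairs, window):
    """Largest number of distinct patients read inside any span of length `window`."""
    pairs = sorted(pairs)
    best = 0
    for i, (t0, _) in enumerate(pairs):
        best = max(best, len({p for t, p in pairs[i:] if t - t0 <= window}))
    return best

def review(events):
    """Apply the three review rules and return (rule, user, detail) findings."""
    findings = []
    failed, reads, after_hours = defaultdict(list), defaultdict(list), defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "fail":
            failed[e["user"]].append(e["ts"])
        if e["event"] == "read" and e["patient"]:
            reads[e["user"]].append((e["ts"], e["patient"]))
            if e["ts"].hour not in BUSINESS_HOURS:
                after_hours[e["user"]].add(e["patient"])
    for user, stamps in failed.items():
        n = max_in_window(stamps, FAILED_LOGIN_WINDOW)
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed-login-burst", user, f"{n} failures within {FAILED_LOGIN_WINDOW}"))
    for user, patients in after_hours.items():
        findings.append(("after-hours-phi-access", user, f"{len(patients)} record(s) read outside business hours"))
    for user, pairs in reads.items():
        n = max_distinct_in_window(pairs, RECORD_VOLUME_WINDOW)
        if n >= RECORD_VOLUME_THRESHOLD:
            findings.append(("high-volume-phi-access", user, f"{n} distinct patients within {RECORD_VOLUME_WINDOW}"))
    return findings

def review_text(text):
    """Parse and review raw log text; returns (findings, rejected_line_count)."""
    events, rejected = parse_log(text)
    return review(events), rejected

if __name__ == "__main__":
    findings, rejected = review_text(SAMPLE_LOG)
    for rule, user, detail in findings:
        print(f"{rule:24} {user:10} {detail}")
    print(f"{rejected} malformed line(s) skipped")
```

Run against the sample, the review reports the failed-login burst on `j.doe` and both the after-hours and high-volume findings on `m.lee`, while `dr.smith` produces nothing. Each finding names the user, which is what a Security Officer needs to start the Sanction Policy or Security Incident Procedures rows on the same pages; the count of malformed lines is reported rather than silently dropped so a broken log pipeline is itself visible in the review.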

Page 30

HIPAA Security Rule - implementation

Safeguard | Standard | Action

Administrative Safeguards | Contingency Plan | Emergency Mode
  Description: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of PHI while operating in emergency mode.
  Implementation: DR/BC Plan

Administrative Safeguards | Evaluations | Evaluations
  Description: Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
  Implementation: HIPAA seminars and education

Administrative Safeguards | Business Associate Agreements | Business Associate Agreements
  Description: Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.
  Implementation: BAA

Page 31

Summary - Achieving HIPAA Compliance

Key Activities

Become HIPAA compliant
• Develop HIPAA Policies and Procedures and implement
• Name Chief Compliance Officer
• Implement enterprise training for Policy and Procedures
• Mandatory annual HIPAA training for employees and onboarded new employees
• Put BAA agreements in place with both vendors and customers
• Develop security measures for laptops including encryption
• Implement ongoing HIPAA employee communication program
• Post Privacy Notice on website
• Build into technology
  - Database encryption – at rest and in transit
  - Role Based Access to systems
  - Authentication – two factor
  - Access audit records
  - Documented technology configurations
  - Data corroboration
• Develop Breach Notification Plan

Achieve HIPAA Compliance
• Conduct preliminary enterprise risk assessment and analysis using National Institute of Standards and Technology (NIST) Assessment Tool
• Remediate any issues flagged by the NIST Assessment Tool
• When ready, contract out for a HIPAA Compliance Audit.
• Remediate any issues flagged by the audit.
• Receive final Compliance Audit report showing documented HIPAA compliance

HIPAA Maturity
• Maintain and adhere to HIPAA Policies and Procedures
• Maintain ongoing employee HIPAA program
• Defend against PHI breaches.
• Conduct periodic Risk Assessments
• Prepare for and assist with any customer HIPAA audits
• Respond, if necessary, to any and all breaches.
• Achieve SOC 2 compliance

Page 32

When in doubt, go to the source

https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html

Page 33

Thanks

Jim [email protected]