HIPAA PRIVACY & CONFIDENTIALITY

HIPAA, the Health Insurance Portability and Accountability Act, was enacted by the 104th United States Congress and signed by President Bill Clinton in 1996. It is legislation that provides security provisions and data privacy requirements in order to keep patients' medical information safe.

"The privacy and security of patient health information is a top priority for patients and their families, health care providers and professionals, and the government. Federal laws require many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect your health information — whether it is stored on paper or electronically." (HealthIT.gov, 2018)

PRIVACY VS. CONFIDENTIALITY

Privacy refers to the right of an individual to keep his or her health information private. (CDC, 2012)
Confidentiality refers to the duty of anyone entrusted with health information to keep that information private. (CDC, 2012)

PRIVACY RULE

The Privacy Rule went into effect April 14, 2003. It:
• Defines how a patient's information may be used and disclosed.
• Gives patients privacy rights and more control over their own health information.
• Outlines ways to protect Protected Health Information (PHI).

SECURITY RULE

The Security (IT) regulations went into effect April 21, 2005. The Security Rule covers:
• Confidentiality of electronic PHI (ePHI).
• Storage of electronic PHI.
• Access to electronic PHI.
The Privacy Rule applies to PHI in any form; the Security Rule applies only to electronic PHI, and its stated goal is to ensure the confidentiality, integrity and availability of that ePHI.

PHI? WHAT IS IT?

Protected Health Information (PHI) is individually identifiable health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that:
• Relates to the past, present, or future physical or mental health or condition of an individual;
• Relates to the provision of health care to an individual; or
• Relates to the past, present, or future payment for the provision of health care to an individual.
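The identifier categories listed on the next slide are exactly what a data-loss-prevention or de-identification check has to recognize before a note, export or log line leaves a secure system. The Python below is an added example by the editor, not code from this deck or from any of the sources it cites: it scans a constructed clinical note for several of those categories (SSN, phone/fax, email, IP address, slash-formatted dates, URLs and a medical record number) and redacts them. The MRN format (two upper-case letters and seven digits) is an assumption made for the example; names, street addresses and free-text dates are deliberately not attempted, because they need dictionary or NLP-based detection rather than a regular expression.

```python
import re
from dataclasses import dataclass
from typing import List

# Regexes for a subset of the HIPAA identifier categories on the
# "PHI includes" slide. Names, addresses and free-text dates are out of
# scope: they need dictionary/NLP-based detection, not a regex.
# The MRN format (two upper-case letters + seven digits) is an assumption
# for this example, not a HIPAA or any institution's real format.
PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone_or_fax", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("url", re.compile(r"\bhttps?://[^\s<>]+")),
    ("mrn", re.compile(r"\b[A-Z]{2}\d{7}\b")),  # assumed local MRN format
]


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    start: int
    end: int


def find_identifiers(text: str) -> List[Finding]:
    """Return non-overlapping identifier hits in order of position.

    When two patterns match overlapping text (for example a phone number
    inside a URL), the earliest-starting, longest match wins so nothing
    is reported or redacted twice.
    """
    candidates = [
        Finding(cat, m.group(0), m.start(), m.end())
        for cat, rx in PATTERNS
        for m in rx.finditer(text)
    ]
    candidates.sort(key=lambda f: (f.start, -(f.end - f.start)))
    chosen: List[Finding] = []
    last_end = -1
    for f in candidates:
        if f.start >= last_end:
            chosen.append(f)
            last_end = f.end
    return chosen


def redact(text: str) -> str:
    """Replace every identifier hit with a [CATEGORY] placeholder."""
    out, pos = [], 0
    for f in find_identifiers(text):
        out.append(text[pos:f.start])
        out.append(f"[{f.category.upper()}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Patient MRN AB1234567, DOB 03/14/1961, seen 06/02/2020. "
    "Contact: (555) 867-5309, fax 555-867-5310, jdoe@example.com. "
    "SSN 123-45-6789 on file. Portal access from 192.168.4.22; "
    "results at https://portal.example.org/r/8x2k"
)

if __name__ == "__main__":
    for f in find_identifiers(SAMPLE_NOTE):
        print(f"{f.category:13} {f.value}")
    print(redact(SAMPLE_NOTE))
```

Run it as a script to see the findings and the redacted note. A check like this is only a first line of defense: it catches structured identifiers that leak into places they should not be (debug logs, support tickets, exported spreadsheets), but a clean result does not mean the text is de-identified, since the remaining identifier categories are not covered.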
PHI INCLUDES

Information in the health record, such as:
• Encounter/visit documentation
• Lab results
• Appointment dates/times
• Invoices
• Radiology films and reports
• History and physicals (H&Ps)

Patient identifiers:
• Names
• Medical record numbers
• Social Security numbers
• Account numbers
• License/certification numbers
• Vehicle identifiers, serial numbers, license plate numbers
• Internet protocol (IP) addresses
• Health plan numbers
• Full-face photographic images and any comparable images
• Web uniform resource locators (URLs)
• Dates directly related to an individual (e.g. date of birth)
• Telephone numbers
• Fax numbers
• Email addresses
• Biometric identifiers, including finger and voice prints
• Any other unique identifying number, characteristic or code

USE & DISCLOSURE

Use: when PHI is reviewed or used internally (audits, training, customer service, or quality improvement).
Disclosure: when PHI is released or provided to someone outside the facility (an attorney, the patient, faxing records to another provider).

WHY DO WE SAFEGUARD?

Patient confidentiality is one of the most important pillars of medicine. Protecting the private details of a patient is not just a matter of moral respect; it is essential to retaining the bond of trust between the doctor and the individual.

The Utah Department of Health confirmed that a server containing protected health information (PHI) of some 780,000 patients had been actively hacked into starting in March 2012. Officials reported that thieves had begun removing information from the server.
Addresses, dates of birth, Social Security numbers, diagnosis codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah Department of Technology Services shut down the server when the breach was discovered on April 2, 2012. The Utah breach stands as the 9th largest data breach ever reported to HHS. (Breaches, 2013)

WHY DO WE DO IT?

"There's a much greater threat to our personal data that few are thinking about at all. That threat is the theft and sale of our health records on the black market, a thriving business with 'dark web' online stores that don't look much different from an Amazon marketplace. In fact, there were nine times more medical than financial records breached in 2016 — 27 million — representing nearly 10% of the U.S. population." (Lord, 2017) (Daitch, 2020)

WHO IS RESPONSIBLE?

It's everybody's job.

Clinical:
• Physicians (ER doctors, surgeons, hospitalists)
• Nurses (CRNA, RN, LPN/LVN, CNS)
• Techs (radiology tech, ultrasound tech, surgical tech)
• Therapists (physical therapist, radiation therapist)
• Medical assistants
• Pharmacists
• Medical technologists, medical laboratory technologists
• Dietitians

Non-clinical:
• Case managers/social workers
• Accountants
• Human resources & recruiting
• Executives: CEO, CFO, CIO
• Information technology
• Food service
• Environmental services
• Administrative assistants

HOW DO WE SAFEGUARD?

1. Develop a comprehensive patient privacy and confidentiality policy.
   https://medicalcityhealthcare.com/about/notice-of-privacy-practices.dot
2. Ensure the confidentiality policy extends to partners.
   https://medicalcityhealthcare.com/about/notice-of-privacy-practices.dot
3. Make sure all confidential information is stored within secure systems.
   https://ap.idf.medcity.net/IdentityFederationPortal/Login/FormLogin/HCA?
4. Implement best practice IT security policies.
IT BEST PRACTICES

The practices below are summarized from Ekran System's list (12 Best cybersecurity, 2020):
• Consider biometric security
• Form a hierarchical cybersecurity policy
• Employ a risk-based approach to security
• Back up your data
• Manage IoT security
• Use multi-factor authentication
• Handle passwords securely
• Use the principle of least privilege
• Keep an eye on privileged users
• Monitor third-party access to your data
• Be wary of phishing
• Raise employee awareness

Consider biometric security
Biometrics enables fast authentication, access management, and employee monitoring. Voice recognition, fingerprint scans, palm biometrics, facial recognition, behavioral biometrics, and gait analysis are all options for verifying that users are who they claim to be. Note that biometric identifiers are themselves on the list of PHI identifiers above: stored templates must be protected as sensitive data, and unlike a password a compromised biometric cannot be reissued.

Behavioral biometrics analyzes the way users interact with input devices. If abnormal behavior is detected, the tool sends a warning to security officers so they can react immediately. Several types of behavioral biometrics can be employed by user and entity behavior analytics (UEBA) systems:
• Keystroke dynamics: considers typing speed and the tendency to make typical mistakes in certain words to create user behavior profiles.
• Mouse dynamics: tracks the time between clicks and the speed, rhythm, and style of cursor movement.
• Eye movement biometrics: uses eye and gaze tracking devices to record eye movement and detect unique patterns.

Form a hierarchical cybersecurity policy
A written policy serves as a formal guide to all cybersecurity measures used in your company. It keeps security specialists and employees on the same page and gives you a way to enforce the rules that protect your data.

Employ a risk-based approach to security
Pay attention to the risks your company faces and how they affect the bottom line. Your best tool here is a thorough risk assessment. For HIPAA covered entities a risk analysis is also required by the Security Rule, so this is a compliance obligation, not only good practice.

Back up your data
Ensure the security of your data by regularly backing it up, and periodically test that the backups can actually be restored.
(12 Best cybersecurity, 2020)

Manage IoT security
The Internet of Things market continues to grow, but however much we want new technologies, safety comes first. The most challenging thing about IoT devices is their access to sensitive information.
• Conduct penetration testing to understand the real risks and plan your security strategy accordingly.
• Encrypt data both at rest and in transit (end-to-end encryption).
• Ensure proper authentication so that only trusted connections reach endpoints.
• Don't use default hard-coded credentials: commonly used passwords are easy to find on the internet.
• Use a secure, up-to-date router and enable its firewall.
• Develop a scalable security framework to support all IoT deployments.

Use multi-factor authentication
Multi-factor authentication (MFA) is a must-have for any serious security strategy.

Handle passwords securely
The best way to ensure proper password security is to use specialized tools, such as password vaults and privileged access management (PAM) solutions.

Use the principle of least privilege
Granting new employees all privileges by default lets them access sensitive data even when they don't need it. That increases the risk of insider threats and lets an attacker reach sensitive data as soon as any employee account is compromised. A much better approach is the principle of least privilege: each account gets only the access its role requires. Least privilege is related to, but distinct from, the zero trust security model: zero trust says to grant access only to users and devices that have been authenticated and verified, while least privilege limits what a verified identity is then allowed to do. (12 Best cybersecurity, 2020)

Keep an eye on privileged users
Limit the number of privileged users by applying the principle of least privilege. Make sure privileged accounts are disabled or deleted immediately when the people using them are terminated.
Employ user activity monitoring solutions to record actions taken inside your network.

Monitor third-party access to your data
User activity monitoring should also be used in conjunction with one-time passwords for third-party accounts, to provide full logging of all user actions so you can detect malicious activity and conduct investigations when necessary.

Be wary of phishing
Your basic defense can be simple and consists of only two steps:
• Get a properly configured spam filter and ensure that the most obvious spam is always blocked.
• Educate your employees about popular phishing techniques and the best ways to deal with them.

Raise employee awareness
A sure way to deal with negligence and security mistakes by your employees is to educate them on why safety matters.

VIOLATIONS

Three types of violations: incidental, accidental, intentional.

INCIDENTAL VIOLATIONS
If reasonable steps are taken to safeguard a patient's information and a visitor happens to overhear or see PHI that you are using, you will not be liable for that disclosure. Incidental disclosures are going to happen, even in the best of circumstances.

ACCIDENTAL VIOLATIONS
Mistakes happen. If you mistakenly disclose PHI or provide confidential information to an unauthorized person, or breach the security of confidential data, you must:
• Acknowledge the mistake and notify your supervisor and the Privacy Officer immediately.
• Learn from the error and help revise procedures (when necessary) to prevent it from happening again.
• Assist in correcting the error only as requested by your leader or the Privacy Officer.
• Don't cover up or try to make it "right" by yourself.

INTENTIONAL VIOLATIONS
If you ignore the rules and carelessly or deliberately use or disclose protected health or confidential information, you can expect:
• Disciplinary action, up to and including termination
• Civil and/or criminal charges

REFERENCES

"10 Largest HIPAA Breaches of 2012." Healthcare IT News, 10 Jan. 2013, www.healthcareitnews.com/news/10-largest-hipaa-breaches-2012.
"12 Best Cybersecurity Practices in 2020." Ekran System, 20 Jan. 2020, www.ekransystem.com/en/blog/best-cyber-security-practices.
Daitch, Heidi. "Real Identity Theft Stories Case #9: Medical ID Theft." IdentityForce, 6 Feb. 2020, www.identityforce.com/blog/real-identity-theft-stories-part-9.
"HIPAA Basics." HealthIT.gov, 21 May 2018, www.healthit.gov/topic/privacy-security-and-hipaa/hipaa-basics.
Lord, Robert. "The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards." Forbes Technology Council, 15 Dec. 2017, www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#527464e91b59.
"Privacy & Confidentiality." Centers for Disease Control and Prevention, 14 Mar. 2012, www.cdc.gov/aging/emergency/legal/privacy.htm.