HIPAA
Privacy and Security
Update
Karen Pagliaro-Meyer
Soumitra Sengupta
Privacy Officer
Information Security Officer
kpagliaro@columbia.edu
sen@columbia.edu
(212) 305-7315
(212) 305-7035
June 2009
1
HIPAA Privacy and Security Update
1. In the News - Privacy and Security Problems
2. Recent theft of electronic devices at CUMC
3. New Regulations - Privacy and Security
4. What you need to know about Patient Privacy
5. What you need to know about Information Security
2
Consequences of Privacy or Security Failure
 Disruption of Patient Care
 Increased cost to the institution
 Legal liability and lawsuits
 Negative Publicity
 Negative Patient perception
 Identity theft (monetary loss, credit fraud)
 Disciplinary action
3
In the News: Providence Health System
 Lost 365,000 patient records when 10 backup tapes/disks were
stolen from an employee’s minivan in 2006
 Agreed to pay $100,000 in fines to the DOJ and implement a
detailed Corrective Action Plan to safeguard electronic patient
information
 Providence reports they have spent over $7 million to respond to the
breach including:
 Free credit monitoring for patients
 Hiring an independent forensic firm to investigate and make
recommendations to improve the security of electronically stored
patient information
 Negative media attention very damaging to their reputation
4
In the News: NewYork-Presbyterian
 A NYP employee (patient admissions representative) was charged
with stealing almost 50,000 patient files and selling some of them.
 The files stolen probably contained little or no medical information,
but did include patient names, phone numbers and social security
numbers--fertile ground for identity theft.
 McPherson told investigators that a Brooklyn man offered him
money in exchange for personal information on male patients born
between 1950 and 1970.
 McPherson then sold the man 1,000 files for $750.
In the News: NewYork-Presbyterian
 NYP sent letters and offered free 2 year credit monitoring to all
patients
50,000 * $15 = $750,000 +++
 NYP senior management were summoned by District Attorney’s
office for explanation and steps to improve
 An Information Security Enhancement Task Force led by the COO
was established, and a consultant was engaged to evaluate NYP
security posture
 NYP is currently implementing measures to improve information
security
Recent theft of electronic devices at CUMC
 A large fire in a NYP/CUMC building with immediate
evacuation of the entire building
 An outside firm was hired to assist with the clean-up and
repair of the building
 When staff returned it was discovered that laptops, USB drives
(thumb drives) and digital cameras had been stolen
 Lesson learned – All equipment must be password protected.
Portable equipment that includes patient information must also
be encrypted.
 Consider installing software like PC phone home that may
assist in locating stolen portable devices
7
New Regulations: HITECH Act (ARRA)
(Health Information Technology for Economic and Clinical Health)

New Federal Breach Notification Law – Effective
Sept 2009






Applies to all electronic “unsecured PHI”
Requires immediate notification to the Federal Government if
more than 500 individuals effected
Requires notification to a major media outlet
Will be listed on a public website
Requires individual notification to patients
Criminal penalties apply to individual or employee of a
covered entity
8
New Regulations: HITECH Act (ARRA)

Business Associates
 Standards apply directly to Business Associates
 Statutory obligation to comply with restrictions on use and
disclosure of PHI
 New HITECH Privacy provisions must be incorporated into BAA

Enforcement
 Increased penalties for HIPAA Violations (tiered civil monetary
penalties)
 Increased enforcement and oversight activities
 State Attorneys General will have enforcement authority and
may sue for damages and injunctive relief.
9
New York State SSN/PII Laws
Social Security Number Protection Law
 Effective December 2007
 Recognizes SSN to be a primary identifier for identity theft
 It is Illegal to communicate this information to the general public
 Access cards, tags, etc. may not have SSN
 SSN may not be transmitted over Internet without encryption
 SSN may not be used as a password
 SSN may not be printed on envelopes with see-through windows
 SSN may not be requested unless required for a business
purpose
 Fines and Penalties
10
New York State SSN/PII Laws
Information Security Breach and Notification Act
 Effective December 2005
 IF… Breach of Personally Identifiable Information occurs
o SSN
o Credit Card
o Driver’s License
 THEN… Must notify
o patients / customers / employees
o NY State Attorney General
o Consumer reporting agencies
11
New Regulations – Red Flag rule
Red Flag – Identity Theft Prevention Program
 Requires healthcare organizations to establish written
program to identify, detect and respond to and correct reports
of potential identity theft
 Educate all staff how to identify Red Flags and report them
 Appoint program administrator & Report to leadership
 FTC law includes fines and penalties $2,500 per violation
 Business Associate Agreements will have to be revised to
inform CUMC of any Red Flags involving CUMC data
12
4. What you need to know about Patient Privacy
 Notice of Privacy Practices
 Business Associates
 Authorization to Release Medical Information
 Privacy Breaches
 HIPAA and Research
 HIPAA Education and Training
13
14
15
Who is a Business Associate?
Examples include:
 billing
 accounting
 claims processing or administration
 accreditation
 call service management
 administrative
 quality assurance
 data aggregation
 data processing or analysis
 consulting
 transcription services
 financial services
 utilization review
 management
 design or manage an electronic records system
16
Authorization to Release Medical Information
Written Authorization required to release
medical information
Physician may share information with
referring physician without an
authorization “patient in common”
All legal requests for release of
information should be forwarded to the
HIPAA Compliance Office for review
CUMC or NYP Authorization form
17
18
Privacy Breach
 Privacy Breaches do not usually involve high profile
patients
 Most Privacy Breaches involve staff accessing medical
information of friends, family members and co-workers
 Implementation of CROWN (electronic medical record)
will improve the availability of treatment information, but
it will also make patient information more available
 It is important that staff are aware that ANY access of
medical information WITHOUT a business purpose will
result in disciplinary action
19
HIPAA and Research
 In 2008 combined the Privacy Board and IRB review
process
 Improved communication between researchers, the IRB
and the HIPAA research during the review process
 Conducted several educational sessions with
researchers and research staff to inform them of the
review process and respond to questions
 RASCAL research training program updated to include
the HIPAA review process and respond to FAQ’s
20
Professional and Support Staff Education
Privacy and Security Education
 New Hire Welcome Program Staff Education
 On-line HIPAA Education (Professional Staff)
 HIPAA for Researchers (RASCAL)
 Email reminders / alerts
 Department specific – as requested
 HIPAA Web Site
 HIPAA training for all staff will be increased
21
What you need to know in Information Security
Ponemon Study on Data Breaches (Nov 2007)
Malicious code
4%
Hacked system
5%
Undisclosed
2%
Electronic backup
7%
Malicious insider
9%
Lost
laptop/Device
48%
Paper records
9%
Third
Party/Outsourcer
16%
22
Security Controls
Laptop and File Encryption
WinZip (password protect + encrypt)
7-zip (free, password protect + encrypt)
Truecrypt (free, complete folder encryption)
FileVault (folder encryption on Macintosh)
Encrypted USB Drives
Kingston Data Traveler
Iron Key (Fully encrypted)
23
Types of Security Failure
 Sharing Passwords
– You are responsible for your password. If you shared your
password, you will be disciplined even if other person does no
inappropriate access
 Not signing off systems
– You are responsible and will be disciplined if another person uses
your ‘not-signed-off’ system and application
 Downloading and executing unknown software
– If the software is malicious, you will lose your passwords and data.
If the machine misbehaves, your machine will be disconnected from
the network
24
Digital Piracy statistics for Top Universities
2007
Rank
Organization Name
Total
1
MIT
2,593
16
University of Washington
1,888
5
Boston University
1,408
2
Columbia University
985
6
University Of Pennsylvania
961
14
Vanderbilt University
886
10
University of Massachusetts
803
4
Purdue University
784
26
Iowa State University
719
BitTorrent & eDonkey are used the most !
-- BAY TSP 2008 Report
25
Types of Security Failure
 Sending EPHI outside the institution without encryption
– Under HITECH you may be personally liable for losing EPHI data
 Losing PDA and Laptop in transit with unencrypted PHI or
PII
– Under HITECH and NY State SSN Laws, you may be personally
liable, and you will be disciplined for loss of PHI or PII
 Not questioning, reporting, or challenging suspicious or
improper behavior
– You put the institution and areas under your supervision at risk
26
Types of Security Failure
 Not being extremely careful with Social
Security Numbers
 First avoid SSN (and Driver’s License, Credit Card Numbers)
REFUSE to take files or reports with SSN if you do not need
them. Tell the sender to take SSN out before you will accept file
or report.
 Do not store SSN long-term
DESTROY the file/report as soon as you are done with it.
Delete the file from your computer, delete the email that brought
the file, etc. Or, using an editor program, cut out SSN from the
file.
27
Types of Security Failure
 Not being extremely careful with Social
Security Numbers (contd.)
 Do not keep the complete SSN
ERASE first 5 digits of SSN.
 Encrypt SSN, and Obfuscate SSN
If you must keep it, keep SSN in an encrypted file or folder.
Do not show the SSN in an application, or show only the last 4
digits if that meets the needs. AUTHENTICATE again if
complete SSN is shown, and LOG who saw the SSN. Ask why
they must see the SSN.
28
Methods to Protect against Failures
 Do not abuse clinical access privilege, report if you
observe an abuse (if necessary, anonymously)
 Do not be responsible for another person’s abuse by
neglecting to sign off, this negligence may easily lead to
your suspension and termination
 Do not copy, duplicate, or move EPHI without a proper
authorization
 Do not email EPHI without encryption to addresses
outside the institution
29
31
PATIENT PRIVACY
At some point in our lives we will all be a
patient
Treat all information as though it was your own
32