Demystifying HIPAA: Strategies for Joint Compliance with the HIPAA Privacy and Security Rules

Timothy H. Graham, Esq., Privacy and Freedom of Information Act Officer, Philadelphia VA Medical Center, Philadelphia, PA
Catherine Reynolds, RN, MSN, Information Security Officer, Philadelphia VA Medical Center, Philadelphia, PA
Lydia Duckworth, HIPAA Security Specialist, VHA HIPAA Project Management Office, Chief Business Office, Washington, D.C.

Program Agenda
- Security and Privacy Rules: Similarities and Differences
- Overview of the Philadelphia VA Medical Center
- Privacy Rule
- Security Rule
- Case Study
- Questions

Comparison of the Rules
Several similarities exist between the HIPAA Privacy and Security Rules:
- They are intended to be compatible.
- Both protect the confidentiality of electronic PHI ("ePHI").
- Both provide workforce access controls and protections.
- Both can be supported by a coordinated compliance infrastructure.
- Both require written and documented policies and procedures relating to privacy and security.
- Both require business associate agreements.

Comparison of the Rules
Likewise, several differences exist between the HIPAA Privacy and Security Rules:
- The Security Rule has no exception for incidental uses and disclosures (the Privacy Rule does).
- A broader audit trail is advisable under the Security Rule.
- Scope: the Security Rule applies only to electronic PHI, while the Privacy Rule applies to PHI in any form.
- Continued monitoring is specifically required in the language of the Security Rule.

Philadelphia VA Medical Center
- Provides health care for more than 400,000 veterans living in America's fifth largest metropolitan area and seven counties.
- Staffed by more than 1,500 employees who support 135 acute beds, a 240-bed nursing home care unit and four Community Based Outpatient Clinics.
- Site for over 200 ongoing research projects involving all clinical disciplines.
- Affiliated with the University of Pennsylvania Schools of Medicine, Nursing and Dental Medicine.

The HIPAA Privacy Rule

Introduction and Background
VA has a strong legacy of protecting the privacy and security of veterans' and employees' personal information. To oversee the multiple efforts within VA to protect privacy, the Enterprise Privacy Program was established. The VHA Privacy Office is responsible for implementing privacy regulations consistently across the Veterans Health Administration.

What is Privacy in the VA?
As a federal agency, VA is subject to various statutes that require the protection of private and confidential health information. In particular, there are six statutes with which VA must comply:
- Health Insurance Portability and Accountability Act of 1996 (45 CFR Parts 160 and 164)
- The Privacy Act of 1974 (5 U.S.C. 552a)
- The Freedom of Information Act (5 U.S.C. 552)
- Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with Human Immunodeficiency Virus, and Sickle Cell Anemia Medical Records (38 U.S.C. 7332)
- Confidentiality of Healthcare Quality Assurance Review Records (38 U.S.C. 5705)
- The VA Claims Confidentiality Statute (38 U.S.C. 5701)

Why Privacy Compliance Monitoring?
- To ensure that program goals for the confidential protection of health information are achieved.
- To determine whether policies, procedures and programs are being followed.
- To minimize the consequences of privacy failures through early detection and remediation.
- To provide the feedback necessary for privacy program improvement.
- To demonstrate to the workforce and the community at large the organization's commitment to health information privacy.

Acknowledge Common Problems
- Unclear and inconsistent policies and procedures.
- Inconsistencies in enforcement of policies and procedures.
- Ineffective or insufficient training and education.
- Employee morale and motivation.

The Processes for Monitoring
- Establish goals and objectives
- Define areas for review
- How? Metrics and methods
- Establish frequency
- Perform monitoring
- Act on results

Establishing Goals and Objectives
Identification of monitoring goals should take several factors into consideration:
- Privacy program objectives;
- Risk assessment results;
- Incident reporting;
- Feedback from staff;
- Administrative mandates.
Taking these factors into consideration identifies the desired outcomes of the monitoring process.

Defining the Areas for Review
Choosing which areas of the medical center to review can be the most difficult step. Initially, a facility-wide analysis is most helpful for determining which areas are troubled. The key in future monitoring is to focus on areas that are high risk, high volume and/or subject to environmental or system changes. Further, the incident reporting system will identify key areas for review.

Metrics and Methods for Monitoring
The key to identifying the methods for monitoring is to first identify the objectives and metrics of the audit. Once the objectives and metrics are delineated, creation of a formal audit tool is critical to documenting and analyzing the results. Critical to the overall compliance program is a written analysis compiled from the results of the formal audit.

Examples of Monitoring Methods
- Interviews (staff and patients)
- Violation tracking reports
- Chart audits
- Privacy rounds
- Program/service self-assessment
- Peer review
- Simulated case studies

Establish Frequency
Ongoing (monthly, quarterly and annual) monitoring is essential to ensuring that the organization is fulfilling the requirements mandated by law. Once audits are completed, corrective action plans (CAPs) should be designed and implemented across the department or medical center. Following implementation of the CAPs, further audits should take place to monitor compliance with the CAP.

Taking Action...
What's the next step after you analyze the audit findings?
- Documented analysis of the findings;
- Identification of best practices;
- Documented comparison between the findings and the program objectives;
- Identification of non-compliant areas;
- Identification of trends from one department to another;
- Identification of problem areas which pose other serious liability issues for the organization (areas where a root cause analysis committee may be helpful).

Corrective Actions
Examples of corrective actions may include:
- Revision of policies and procedures;
- Focused education and training; and/or
- Heightened supervision of staff and enforcement of policies and procedures for safeguarding protected health information.

The HIPAA Security Rule
- Builds on and coordinates with organizational requirements under the Privacy Rule.
- Addresses the confidentiality, integrity and availability of ePHI that the covered entity creates, receives, maintains, or transmits.

The C-I-A Triad
Information security rests on three properties: Confidentiality, Integrity and Availability.

Security Rule Definitions (45 CFR 164.304)
- Confidentiality: data or information is not made available or disclosed to unauthorized persons or processes.
- Integrity: data or information have not been altered or destroyed in an unauthorized manner.
- Availability: data or information is accessible and usable upon demand by an authorized person.
Background of VA Security Practices
- Federal policies
- National Institute of Standards and Technology (NIST) guidance
- VA information technology security directives

Federal Policies
- The Computer Security Act of 1987
- Office of Management and Budget Circular A-130
- The Federal Managers Financial Integrity Act of 1982 (FMFIA)
- Office of Management and Budget Circular A-123
- The Federal Information Security Management Act of 2002 (FISMA)

NIST Guidance
- SP 800-12: An Introduction to Computer Security: The NIST Handbook
- SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
- SP 800-26: Security Self-Assessment Guide for Information Technology Systems

VA Information Security Directives
- VA Directive and Handbook 6210: Automated Information Systems Security Policy
- VA Directive 6212: Security of External Connections
- VA Directive 6213: VA Public Key Infrastructure
- VA Directive 6214: Information Technology Security Certification and Accreditation Program

VA Cyber Security Practitioner
- Position title: Information Security Officer
- Responsibilities
- Education and training

The HIPAA Security Standards
- Administrative Safeguards: "Actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information."
- Physical Safeguards: "Security measures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."
- Technical Safeguards: "The technology and the policy and procedures for its use that protect ePHI and control access to it."

Administrative Safeguards
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency planning
- Business associate agreements, etc.
Physical Safeguards
- Facility access controls
- Workstation use
- Workstation security
- Device and media controls

Technical Safeguards
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security

Case Study of the PVAMC HIPAA Program
Compliance plan: three-phase risk assessment
- Departmental self-assessment and surveys (handout 1)
- Privacy and Security Steering Committee assessment (handout 2)
- Formal assessment by the Privacy Officer and Information Security Officer (handout 2)

Case Study of the PVAMC
Areas for review:
- Discussion of confidential information among staff in public areas (hallways, elevators, parking garage and cafeteria)
- Health information in trash or unsecured compartments
- Health information in open view on desks, in hallways or on medicine carts
- Health information left on fax machines and printers
- Sharing of passwords
- Computers and workstations not logged off, or not securely positioned where feasible
- Physical arrangement of the area
- Sign-in sheets
- Use of electronic mail for transmitting protected health information
- Staff awareness of, and responsibilities for, visitors (e.g., did staff challenge visitors for identification?)
- Dictation conducted in public areas or in areas where the provider can easily be overheard
- Business associate agreements with contracted business/service providers and accrediting organizations

Case Study of the PVAMC
Survey of key findings:
- Employees consistently rely on the fax machine as a means of transmitting protected health information.
- Lack of attention to ensuring that health records are appropriately locked and secured.
- Continued reliance on garbage cans as a means of destroying protected health information.
- Lack of attention to logging off of computers and workstations.
- Lack of written policies and procedures governing specific actions within departments (e.g., monitoring of visitors in Surgery).

Case Study of the PVAMC
Corrective actions:
- Required departments to implement policies and procedures for processes within the department that pose a risk to the overall Privacy and Security Program.
- Provide ongoing education to all employees through bulletins, seminars, staff meetings, annual privacy and information security training, and newsletters.
- Develop and implement policies governing the disposal of health information.
- Posted signage to remind employees and patients that health information should not be discussed in public areas.
- Purchased privacy screens for all computers where repositioning was impossible or impractical.

Questions???

Contact Information:
Timothy H. Graham, Esq., Privacy and FOIA Officer, Philadelphia VAMC, timothy.graham@med.va.gov, 215.823.6270
Catherine Reynolds, RN, MSN, Information Security Officer, Philadelphia VAMC, catherine.reynolds@med.va.gov, 215.823.5159
Lydia Duckworth, HIPAA Security Specialist, VHA HIPAA PMO, lydia.duckworth@hq.med.va.gov, 202.254.0353