HIPAA
HITECH Briefing
IRB Monthly Investigator
Meeting
Karen Pagliaro-Meyer
Privacy Officer
Columbia University Medical Center
kpagliaro@columbia.edu
http://www.cumc.columbia.edu/hipaa
June 2010
1
Health Insurance
Portability and Accountability
Act (HIPAA)
Insurance
Reform
Administrative
Simplification
[Portability]
Fraud and
Abuse
(Accountability)
[Accountability]
Transactions,
Code Sets, &
Identifiers
Compliance Date:
10/16/2002
and 10/16/03
Privacy
Security
Compliance Date:
4/14/2003
Compliance Date:
4/20/2005
HITECH
Health
Information
Technology for
Economic and
Clinical
Health
9/18/2009
HITECH (ARRA)
Health Information Technology for Economic & Clinical Health
1.
2.
3.
4.
5.
6.
REQUIREMENT
Breach Notification
Self-Payment Disclosures
Business Associates
Minimum Necessary
Accounting of Disclosures
Performance Measures for EHR
–
3
enhanced reimbursement rate
COMPLIANCE DATE
September 2009
February 2010
February 2010
August 2010
January 2011/2014
HITECH Act (ARRA)
Health Information Technology for Economic and Clinical Health

New Federal Breach Notification Law – Effective Sept 2009







Applies to all electronic “unsecured PHI”
Requires immediate notification to the Federal Government if
more than 500 individuals effected
Annual notification if less that 500 individuals effected
Requires notification to a major media outlet
Breach will be listed on a public website
Requires individual notification to patients
Criminal penalties - apply to individual or employee of
a covered entity
4
HITECH Act (ARRA)

Enforcement
 Increased penalties for HIPAA Violations (tiered civil monetary penalties)
 Required Audits and Investigations
 Increased enforcement and oversight activities
 State Attorneys General will have enforcement authority and may sue for
damages and injunctive relief.

Tiered Civil Penalties
 When the person did not know about the violation
$100 per violation (max $25,000) to $50,000 (max $1.5 mil)
 Where the violation was due to reasonable cause and not to willful neglect
$1,000 per violation (max $100,000) to $50,000 (max $1.5 mil)
 Where the violation was due to willful neglect
$10,000 per violation (max $250,000) and $50,000 (max $1.5 mil)
5
Laptops.
Of the 95 breaches on the Office for Civil Rights (OCR) website as of June 17, 32, or 34%, involved laptop computers. Another 11 incidents involved the loss or the
HITECH mandates that OCR to post the breaches on its website. In its first public posting in February, OCR listed 32 entities that reported the egregious breaches.
6
HITECH Act (ARRA)

Self Payment Disclosures


If patient pays for service – has the right to limit the disclosure
of that information
Business Associates
 Standards apply directly to Business Associates
 Statutory obligation to comply with restrictions on use and
disclosure of PHI
 New HITECH Privacy provisions must be incorporated into BAA
 Minimum Necessary Standards
 New Definition of Minimum Necessary, determined by the
disclosing party, encourage the use of limited data sets
7
HITECH ACT (ARRA)
 Accounting of Disclosures
 Right to request copy of record in any format and to know who viewed,
accessed, used or disclosed their medical information
 Electronic Health Record






Performance Measures for EHR enhanced reimbursement
Patient has a right to electronic copy of records
Electronic copy transmission
Delivery options
96 hours to make information available to the patient
Meet Meaningful Use Standards
8
Who is a Business Associate?
•Individuals who do business with CUMC and have access to
protected health information.
•Signed Business Associate Agreement (BAA) is needed to assure
that they will protect the information and inform CUMC if the
data is lost or stolen.
Examples of BAAs include:
 billing companies or claims processing
 voice mail or appointment reminder service management
 transcription services or coding companies
 accreditation
consultants
Software used for medical data
9
HITECH BREACH NOTIFICATION
Sept 2009 – June 2010
35
35
30
25
20
15
10
5
21
15
11
9
6
5
2
0
10
HITECH BREACH NOTIFICATION REPORTS
2%
Laptops
5%
6%
Paper
34%
9%
Desktop
Portable Device
10%
Other
Network
Email
14%
20%
Backup tapes
11
New York State SSN/PII Laws
Information Security Breach and Notification Act
 Effective December 2005
 IF… Breach of Personally Identifiable Information occurs
o SSN
o Credit Card
o Driver’s License
 THEN… Must notify
o patients / customers / employees
o NY State Attorney General
o Consumer reporting agencies
o RED FLAG REGULATIONS
o New enforcement date June 1, 2010
o Medical Identity Theft accounted for 7% of all ID
Theft – up from 3% - new threat
1
3
Types of confidential electronic information:
• ePHI = Electronic Protected Health Information
– Medical record number, account number or SSN
– Patient demographic data, e.g., address, date of birth, date of death,
sex, e-mail / web address
– Dates of service, e.g., date of admission, discharge
– Medical records, reports, test results, appointment dates
• PII = Personally Identified Information
– Individual’s name + SSN number or Driver’s License # or credit card #
• Electronic media = computers, laptops, disks, memory sticks, PDAs,
servers, networks, dial-modems, cell phones, email, web-sites, etc.
14
Types of Security Failures
 Failing to encrypt protected health information (PHI)
 Sending EPHI outside the institution without encryption
– Under HITECH you may be personally liable for losing EPHI data
 Losing Laptop or other portable device in transit with
unencrypted PHI or PII
– Under HITECH and NY State SSN Laws, you may be personally liable, and
you will be disciplined for loss of PHI or PII
 Failing to follow basic Security Requirements
– Sharing passwords, signing on to applications for another user, failing to
sign off a workstation
15
Types of Security Failure
 Social Security Numbers
 First avoid SSN (and Driver’s License, Credit Card Numbers)
REFUSE to take files or reports with SSN if not needed
 Do not store SSN long-term
DESTROY the file/report as soon as you are done with it. Delete the file from your
computer, delete the email that brought the file, etc. Or, using an editor program,
cut out SSN from the file.
 Do not keep the complete SSN
ERASE first 5 digits of SSN.
 Encrypt SSN, and Obfuscate SSN
If you must keep it, keep SSN in an encrypted file or folder.
 Do not show the SSN in an application, or show only the last 4 digits if that meets
the needs. AUTHENTICATE again if complete SSN is shown, and LOG who saw the
SSN. Ask why SSN needed.
16
Good Computing Practices: 10 Safeguards for Users
User Access Controls (Sign on, restricted access)
Passwords
Workstation Security
Portable Device Security – USB, Laptops
Data Management, e.g., back-up, archive, restore
Remote Access - VPN
7. Recycling Electronic Media & Computers
8. E-Mail – Columbia/NYP email account ONLY
9. Safe Internet Use
10. Reporting Security Incidents / Breach
1.
2.
3.
4.
5.
6.
Safeguard #1
Unique User Log-In / User Access Controls
Access Controls:
– Users are assigned a unique “User ID” for log-in
purposes
– Each individual user’s access to ePHI system(s) is
appropriate and authorized
– Access is “role-based”, e.g., access is limited to the
minimum information needed to do your job
– User access to information systems is logged and
audited for inappropriate access or use
– Unauthorized access to ePHI by former employees is
prevented by terminating access
18
Safeguard #2
Password Protection
To safeguard YOUR computing accounts, YOU need
to take steps to protect your password
• Don't share your password — protect it the same as you
would the key to your home. After all, it is a "key" to your
identity.
• Do not write down your user ID /password and leave
unsecured
• Don't use a word that can easily be found in a dictionary —
English or otherwise.
• Use at least eight characters (letters, numbers, symbols).
• Don't let your Web browser remember your passwords.
Public or shared computers allow others access to your
password.
19
Safeguard #3
Workstation Security
• “Workstations” include any electronic computing device, for example, a
laptop or desktop computer, or any other device that performs similar
functions, and electronic media stored in its immediate environment.
• Log-off before leaving a workstation unattended.
– This will prevent other individuals from accessing EPHI
under your User-ID and limit access by unauthorized users.
• Lock-up! – Offices, windows, workstations, sensitive papers and PDAs,
laptops, mobile devices / media.
– Lock your workstation (Cntrl+Alt+Del and Lock) – Windows
XP, Windows 2000
– Do not leave sensitive information on remote printers or
copier.
20
Safeguard #4
Security for USB drives & Storage Devices
• USB drives are new devices which
pack
a lot of data in tiny packages.
e.g., 256MB, 512MB, 1GB.
• Approved encrypted devices include:
Lexar or Kingston Data Traveler
• Safeguards:
– Don’t store ePHI on USB drives
– If you do store it, either deidentify it or use encryption
software
– Delete the ePHI when no longer
needed
21
2
3
Safeguard #6
Secure Remote Access
Standards for remote network access by laptops,
home computers and PDAs (same standard as
desktops at work):
Minimum network security standards are:
1.
2.
3.
4.
Software security patch up-to-date
Anti-virus software running and up-to-date on every device
Turn-off unnecessary services & programs
Physical security safeguards to prevent unauthorized access
Consider these also:
5.
6.
7.
8.
Host-based firewall software – running & configured
Placement to conceal screen content
No downloads from lesser known web sites
No peer-to-peer software, use only work related software
Apply these same standards to all portable devices & home PCs.
24
Safeguard # 7
Data Disposal: Clean devices before recycling
Destroy ePHI data which is no longer needed:
–“Clean” hard-drives, CDs, zip disks, or back-up tapes
before recycling or re-using electronic media.
–Have an IT professional overwrite or destroy your
digital media before discarding – via magnets or
special software tools; and/or
–Know where to take these items for appropriate safe
disposal
–Do not just donate an old workstation without
cleaning the disks
25
Safeguard #8
E-Mail Security
E-mail is like a “postcard”. E-mail may potentially be viewed in
transit by many individuals, since it may pass through several
switches enroute to its final destination or never arrive at all!
E-mails containing ePHI needs a higher level of security
1. Do not use personal e-mail accounts to communicate any
information related to CUMC.
2. Do not send or forward emails with ePHI from secure addresses
to non-institutional accounts, e.g., Hot Mail, Google, Yahoo, etc.
3. Use secure, encrypted email software, if available (e.g. WINZIP)
4. Security at the Subject Line: Avoid using individual names, medical
26
record numbers or account numbers in unencrypted e-mails
Safeguard #10
Report Information Security Incidents
• You are responsible to:
 Report and respond to security incidents and
security breaches.
 Know what to do in the event of a security
breach or incident related to ePHI and/or
Personal Information.
 Report security incidents & breaches to:
Help Desk 305-HELP (ext. 54357)
security@columbia.edu
27
Sanctions for Violators
Workforce members who violate policies regarding privacy /
security of confidential /protected health information or
ePHI are subject to corrective & disciplinary action.
Actions taken may include:
– Department/Grant responsible for fines, penalties,
notification costs etc.
– Counseling & additional training
– Suspension
– Termination of access to applications
– Violation of City, State and Federal laws may carry
additional consequences of prosecution under the law
– Knowing, malicious intent can = Penalties, fines, jail!
28
Information Security Reminders
Password protect
computer/data
Keep office
secured
ENCRYPT!
Use Encryption for Portable
Devices with PHI
Use institutional
E-mail
Run Anti-virus &
Anti-spam software,
Anti-spyware
HIPAA and Research
HIPAA Research Use & Disclosures
Authorization signed
by patient for
all clinical research
Waiver Criteria
applied before
records research
Exceptions Documented
• Preparatory to research
• Research on decedents
Limited
data-set
Form A
Form B
Form D & E
Form F
Form C
Recruitment Waiver
Deidentified
Form G
HIPAA Form A
Authorization signed by patient for all clinical research
• TWO signatures required
1.
2.
Consent to participate in research
Authorization to USE information collected
• If Consent is being obtain then HIPAA
Authorization must also be obtained
• Information Sheet – must include HIPAA
language
• Single signature - Combined consent and HIPAA
authorization
• International Research
32
HIPAA Form B
Waiver Criteria applied before records research
• Mostly retrospective medical record reviews
• All 5 questions must be answered and must
explain why subject consent/authorization is
not practical.
• Partial waiver of signed authorization is
required when information sheet will be used
• Can not waive authorization for records that
do not belong to CUMC/NYP
33
HIPAA Form D & E
Exceptions Documented
Prepatory to Research & Decedent Data Research
• Form D should be attached when investigator will
review multiple records, schedules, or other items to
identify potential candidates or if involved in
preliminary research to establish a thesis
• Form E - Research on decedents – Really only
needed when research will focus exclusively on
decedents.
34
HIPAA Form F
Limited Data-set
• SIGNED agreement when research will include
DOB, Date of admission, surgery, event, MRN
• Multi Center studies – whose Data Use
Agreement
• HIPAA form F is written to reflect that CUMC is
the data owner.
• Data sharing should not be initiated until
document is fully executed
• A lab not involved in research performing a paid
function is a Business Associate not a research
collaborator.
35
Form G
De-identified Data
• Assumes NONE of the 18 identifiers will be
COLLECTED during research
• Name, address, email, telephone, photo, ss#, DOB,
credit card number
• A code or link back to source data is not
permitted
• International research may qualify for deidentified data if the code/link to identifiers is
not brought back to CUMC / USA
36
FOR ADDITIONAL INFORMATION:
http://privacyruleandresearch.nih.gov
37