Demystifying HIPAA: Strategies for Joint Compliance with the
HIPAA Privacy and Security Rules
Timothy H. Graham, Esq.
Privacy and Freedom of Information Act Officer, Philadelphia VA Medical Center, Philadelphia, PA
Catherine Reynolds, RN, MSN
Information Security Officer, Philadelphia VA Medical Center, Philadelphia, PA
Lydia Duckworth
HIPAA Security Specialist, VHA HIPAA Project Management Office, Chief Business Office, Washington, D.C.
Program Agenda
Security and Privacy Rules: Similarities and Differences
Overview of the Philadelphia VA Medical Center
Privacy Rule
Security Rule
Case Study
Questions
Comparison of the Rules
Several similarities exist between the HIPAA Privacy and Security Rules:
Intended to be compatible
Both protect confidentiality of electronic PHI (“ePHI”)
Both provide workforce access controls and protections
Coordinated compliance infrastructure
Both require written and documented policies and procedures relating to privacy and security.
Both require business associate agreements
Comparison of the Rules
Likewise, several differences exist between the HIPAA Privacy and Security Rules:
No exceptions for incidental uses and disclosures
Broader audit trail is advisable under the Security Rule
Scope: Security applies only to electronic PHI, while Privacy applies to all PHI.
Continued monitoring is specifically required in the language of the Security Rule
Philadelphia VA Medical Center
Provides health care for more than 400,000 veterans living in America’s fifth largest metropolitan area and seven counties.
Staffed by more than 1,500 employees who support 135 acute beds, a 240-bed nursing home care unit and four Community Based Outpatient Clinics
Site for over 200 ongoing research projects involving all clinical disciplines
Affiliated with the University of Pennsylvania Schools of Medicine, Nursing and Dental Medicine
The HIPAA Privacy Rule
Introduction and Background
VA has a strong legacy in protecting the privacy and security of veterans’ and employees’ personal information.
In an effort to oversee multiple efforts in VA to protect privacy, the Enterprise Privacy Program was established.
The VHA Privacy Office is responsible for implementing privacy regulations consistently across the Veterans Health Administration.
What is Privacy in the VA?
As a federal agency, the VA is subjected to various regulatory statutes that promote the protection of private and confidential health information.
Namely, there are six statutes with which VA must comply:
Health Insurance Portability and Accountability Act of 1996 – 45 CFR 160 & 164
The Privacy Act of 1976 – 5 U.S.C. 552a
The Freedom of Information Act – 5 U.S.C. 552
Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with Human Immunodeficiency Virus, and Sickle Cell Anemia Medical Records – 38 U.S.C. 7332
Confidentiality of Healthcare Quality Assurance Review Records – 38 U.S.C. 5705
The VA Claims Confidentiality Statute – 38 U.S.C. 5701
Why Privacy Compliance Monitoring?
To ensure program goals for confidential protection of health information are achieved.
To determine if policies, procedures and programs are being followed.
To minimize consequences of privacy failures through early detection and remediation.
To provide feedback necessary for privacy program improvement.
To demonstrate to the workforce and the community at large the organization’s commitment to health information privacy.
Acknowledge Common Problems
Unclear and inconsistent policies and procedures.
Inconsistencies in enforcement of policies and procedures.
Ineffective or insufficient training and education.
Employee morale and motivation.
The Processes for Monitoring
How?
Establish goals and objectives
Define areas for review
Metrics and methods
Establish frequency
Perform monitoring
Act on results
Establishing Goals and Objectives
Identification of monitoring goals should take into consideration several factors:
Privacy program objectives;
Risk assessment results;
Incident reporting;
Feedback from staff;
Administrative mandates.
Taking these factors into consideration identifies the desired outcomes of the monitoring process.
Defining the Areas for Review
Choosing which areas of the medical center should be reviewed can be the most difficult process.
Initially, a facility-wide analysis is most helpful to determine which areas are troubled.
The key in future monitoring is to focus on those areas that are high risk, high volume and/or areas subject to environmental/system changes.
Further, reliance on the incident reporting system will identify key areas for review.
Metrics and Methods for Monitoring
The key to identifying the methods for monitoring is to first identify the objectives and metrics of the audit.
Once the objectives and metrics are delineated, creation of a formal audit tool is critical to documenting and analyzing the results.
Critical to the overall compliance program is the presence of written analysis, compiled as a result of the formal audit.
Examples of Monitoring Methods
Interviews (staff and patients)
Violation Tracking reports
Chart Audits
Privacy Rounds
Program/Service Self-Assessment
Peer Review
Simulated Case Studies
Establish Frequency
Ongoing monitoring (monthly, quarterly and annually) is essential to ensuring that the organization is fulfilling the requirements mandated by law.
Once audits are completed, corrective action plans (CAPs) should be designed and implemented across the department or medical center.
Following the implementation of the CAPs, further audits should take place to monitor compliance with the CAP.
Taking Action… What’s the next step after you analyze the audit findings?
Documented analysis of the findings;
Identification of best practices;
Documented comparison between the findings and the program objectives;
Identification of non-compliant areas;
Identification of trends from one department to another;
Identification of problem areas which pose other serious liability issues for the organization (areas where a root cause analysis committee may be helpful).
Corrective Actions
Examples of corrective actions may include:
Revision of policies and procedures;
Focused education and training; and/or
Heightened supervision of staff and enforcement of policies and procedures for safeguarding protected health information.
The HIPAA Security Rule
The HIPAA Security Rule
Builds on and coordinates with organizational requirements under the Privacy Rule.
Addresses the confidentiality, integrity and availability of ePHI the covered entity creates, receives, maintains, or transmits.
The C-I-A Triad
Information Security rests on three properties: Confidentiality, Integrity and Availability.
Security Rule Definitions
45 CFR 160.103 – Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.
45 CFR 162.103 – Integrity: Data or information have not been altered or destroyed in an unauthorized manner.
45 CFR 164.103 – Availability: Data or information is accessible and usable upon demand by an authorized person.
Background of VA Security Practices
Federal Policies
National Institute of Standards and Technology (NIST) Guidance
VA Information Technology Security Directive
Federal Policies
The Computer Act of 1987
Office of Management and Budget Circular A-130
The Federal Managers Financial Integrity Act of 1982 (FMFIA)
Office of Management and Budget Circular A-123
The Federal Information Security Management Act (2003)
NIST Guidance
SP 800-12: An Introduction to Computer Security: The NIST Handbook
SP 800-14: Generally Accepted Principles and Practices for Securing IT Systems
SP 800-26: Security Self-Assessment Guide for IT Systems
VA Information Security Directive
VA Directive & Handbook 6210: Automated Information Systems Security Policy
VA Directive 6212: Security of External Connections
VA Directive 6213: VA Public Key Infrastructure
VA Directive 6214: Information Technology Security Certification and Accreditation Program
VA Cyber Security Practitioner
Position Title: Information Security Officer
Responsibilities
Education and Training
The HIPAA Security Standards
Administrative Safeguards: “Actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
Physical Safeguards: “Security measures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Technical Safeguards: “The technology and the policy and procedures for its use that protect ePHI and control access to it.”
Administrative Safeguards
Security Management Processes
Assigned Responsibility
Workforce Security
Information Access Management
Security Awareness Training
Security Incident Procedures
Contingency Planning
Business Associate Agreements, etc.
Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls
Technical Safeguards
Access Control
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security
Case Study of the PVAMC
HIPAA Program Compliance Plan: Three Phase Risk Assessment:
Departmental Self-Assessment and Surveys (handout 1)
Privacy and Security Steering Committee Assessment (handout 2)
Formal Assessment by Privacy Officer and Information Security Officer (handout 2)
Case Study of the PVAMC
Areas for Review:
Discussion of confidential information among staff in public areas (hallways, elevators, parking garage and cafeteria)
Health information in trash or unsecured compartments
Health information in open view on desks, in hallways or medicine carts
Health information left on faxes and printers
Sharing passwords
Computers and workstations not logged off or securely positioned where feasible
Case Study of the PVAMC
Areas for Review (cont.):
Physical arrangement of the area
Sign-in sheets
Use of electronic mail for transmitting protected health information
Staff awareness of and responsibilities for visitors (i.e. did the staff challenge visitors for identification?)
Dictation conducted in public areas or in areas where the provider can be easily overheard
Business Associate Agreements with contracted business/service agreements and accrediting organizations
Case Study of the PVAMC
Survey of Key Findings:
Employees consistently rely on the fax machine as a means for transmitting protected health information.
Lack of attention to ensuring that health records are appropriately locked and secured.
Continued reliance on garbage cans as a means of destroying protected health information.
Lack of attention to logging off of computers and workstations.
Lack of written policies and procedures governing specific actions within the departments (i.e. Monitoring of Visitors in Surgery)
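Two of the findings above, shared passwords and workstations left logged on, are exactly the conditions the Security Rule’s audit controls are meant to surface, and the slides note that the Security Rule expects continued monitoring. The Python script below is an added example for this page, not material from the presentation or from the VA; it assumes a constructed workstation logon/logoff log format and invented user and workstation names, and it flags one account active on two workstations at the same time (a credential-sharing indicator) and sessions still open past an idle limit at review time.

```python
"""Audit-control review over constructed workstation session logs.

Flags two findings from the PVAMC case study: shared credentials (one
account active on two workstations at once) and workstations left logged
on (a session with no logoff within the idle limit at review time).
The log format, user ids and workstation names are constructed for this
example and are not a real VA or VistA log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <LOGON|LOGOFF> user=<id> ws=<workstation>"
SAMPLE_LOG = """\
2024-03-04T07:58:00 LOGON user=rn.alpha ws=WS-ICU-01
2024-03-04T08:05:00 LOGON user=rn.alpha ws=WS-ICU-07
2024-03-04T08:40:00 LOGOFF user=rn.alpha ws=WS-ICU-07
2024-03-04T08:10:00 LOGON user=md.beta ws=WS-ED-03
2024-03-04T08:25:00 LOGOFF user=md.beta ws=WS-ED-03
2024-03-04T09:00:00 LOGON user=clerk.gamma ws=WS-REG-02
2024-03-04T16:30:00 LOGOFF user=rn.alpha ws=WS-ICU-01
"""

IDLE_LIMIT = timedelta(minutes=15)   # assumed local policy value
# The review runs "as of" a fixed time so results are reproducible.
REVIEW_TIME = datetime(2024, 3, 4, 17, 0, 0)


def parse_log(text):
    """Parse lines into (time, event, user, ws) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, ws_kv = line.split()
        events.append((datetime.fromisoformat(ts), event,
                       user_kv.split("=", 1)[1], ws_kv.split("=", 1)[1]))
    return sorted(events)


def sessions(events):
    """Pair each LOGON with the next LOGOFF on the same workstation.

    Returns {user: [(ws, start, end), ...]}; end is None while still open.
    """
    by_user = defaultdict(list)
    open_ws = {}  # (user, ws) -> logon time
    for t, event, user, ws in events:
        if event == "LOGON":
            open_ws[(user, ws)] = t
        elif event == "LOGOFF" and (user, ws) in open_ws:
            by_user[user].append((ws, open_ws.pop((user, ws)), t))
    for (user, ws), start in open_ws.items():
        by_user[user].append((ws, start, None))
    return by_user


def concurrent_sessions(by_user, now=REVIEW_TIME):
    """Users with overlapping sessions on two different workstations."""
    findings = []
    for user, sess in by_user.items():
        for i, (ws_a, s_a, e_a) in enumerate(sess):
            for ws_b, s_b, e_b in sess[i + 1:]:
                if ws_a == ws_b:
                    continue
                end_a, end_b = e_a or now, e_b or now
                if s_a < end_b and s_b < end_a:   # intervals overlap
                    findings.append((user, ws_a, ws_b))
    return findings


def unattended_sessions(by_user, now=REVIEW_TIME):
    """Sessions with no LOGOFF that have been open longer than IDLE_LIMIT."""
    return [(user, ws, start) for user, sess in by_user.items()
            for ws, start, end in sess
            if end is None and now - start > IDLE_LIMIT]


def review(text, now=REVIEW_TIME):
    """Run both checks over a log and return the findings by category."""
    by_user = sessions(parse_log(text))
    return {"shared_credentials": concurrent_sessions(by_user, now),
            "left_logged_on": unattended_sessions(by_user, now)}


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed log the review reports rn.alpha active on WS-ICU-01 and WS-ICU-07 at the same time, and clerk.gamma’s WS-REG-02 session still open eight hours after logon. A concurrent-session hit is an indicator to follow up with the department (a nurse may legitimately float between units), not proof of password sharing on its own; the documented analysis the slides call for is where that determination belongs.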
Case Study of the PVAMC
Corrective Actions:
Required departments to implement policies and procedures regarding certain processes within the department which pose a risk to the overall Privacy and Security Program.
Provided ongoing education to all employees through bulletins, seminars, staff meetings, annual privacy and information security training and newsletters.
Developed and implemented policies governing the disposal of health information.
Posted signage to remind employees and patients that health information should not be discussed in public forums.
Purchased privacy screens for all computers where repositioning was impossible or impractical.
Questions???
Contact Information:
Timothy H. Graham, Esq., Privacy and FOIA Officer, Philadelphia [email protected]
Catherine Reynolds, RN MSN, Information Security Officer, Philadelphia [email protected], 215.823.5159
Lydia Duckworth, HIPAA Security Specialist, VHA HIPAA [email protected]