HIPAA HITECH Briefing – IRB Monthly Investigator Meeting – Karen Pagliaro-Meyer, Privacy Officer, Columbia University Medical Center, kpagliaro@columbia.edu, http://www.cumc.columbia.edu/hipaa, June 2010


Page 1: Title

HIPAA HITECH Briefing
IRB Monthly Investigator Meeting
Karen Pagliaro-Meyer, Privacy Officer
Columbia University Medical Center
kpagliaro@columbia.edu
http://www.cumc.columbia.edu/hipaa
June 2010

Page 2: Health Insurance Portability and Accountability Act (HIPAA)

Insurance Reform [Portability]

Administrative Simplification [Accountability]
– Transactions, Code Sets, & Identifiers – Compliance Date: 10/16/2002 and 10/16/03
– Privacy – Compliance Date: 4/14/2003
– Security – Compliance Date: 4/20/2005

Fraud and Abuse (Accountability)

HITECH – Health Information Technology for Economic and Clinical Health – 9/18/2009

Page 3: HITECH (ARRA) Health Information Technology for Economic & Clinical Health

REQUIREMENT – COMPLIANCE DATE
1. Breach Notification – September 2009
2. Self-Payment Disclosures – February 2010
3. Business Associates – February 2010
4. Minimum Necessary – August 2010
5. Accounting of Disclosures – January 2011/2014
6. Performance Measures for EHR – enhanced reimbursement rate

Page 4: HITECH Act (ARRA) Health Information Technology for Economic and Clinical Health

New Federal Breach Notification Law – Effective Sept 2009

• Applies to all electronic “unsecured PHI”
• Requires immediate notification to the Federal Government if more than 500 individuals are affected
• Annual notification if fewer than 500 individuals are affected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients
• Criminal penalties apply to an individual or employee of a covered entity

Page 5: HITECH Act (ARRA) – Enforcement

• Increased penalties for HIPAA violations (tiered civil monetary penalties)
• Required audits and investigations
• Increased enforcement and oversight activities
• State Attorneys General will have enforcement authority and may sue for damages and injunctive relief.

Tiered Civil Penalties
• When the person did not know about the violation: $100 per violation (max $25,000) to $50,000 (max $1.5 mil)
• Where the violation was due to reasonable cause and not to willful neglect: $1,000 per violation (max $100,000) to $50,000 (max $1.5 mil)
• Where the violation was due to willful neglect: $10,000 per violation (max $250,000) and $50,000 (max $1.5 mil)

Page 6: Laptops

Of the 95 breaches on the Office for Civil Rights (OCR) website as of June 17, 32, or 34%, involved laptop computers. Another 11 incidents involved the loss or theft of portable devices. HITECH mandates that OCR post the breaches on its website. In its first public posting in February, OCR listed 32 entities that reported the egregious breaches.

Page 7: HITECH Act (ARRA)

Self Payment Disclosures
• If the patient pays for a service, the patient has the right to limit the disclosure of that information

Business Associates
• Standards apply directly to Business Associates
• Statutory obligation to comply with restrictions on use and disclosure of PHI
• New HITECH Privacy provisions must be incorporated into the BAA

Minimum Necessary Standards
• New definition of Minimum Necessary, determined by the disclosing party, encourages the use of limited data sets

Page 8: HITECH Act (ARRA) – Accounting of Disclosures

• Right to request a copy of the record in any format and to know who viewed, accessed, used or disclosed their medical information

Electronic Health Record
• Performance Measures for EHR enhanced reimbursement
• Patient has a right to an electronic copy of records
• Electronic copy transmission – delivery options
• 96 hours to make information available to the patient
• Meet Meaningful Use Standards

Page 9: Who is a Business Associate?

• Individuals who do business with CUMC and have access to protected health information.
• A signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.

Examples of BAAs include:
– billing companies or claims processing
– voice mail or appointment reminder service management
– transcription services or coding companies
– accreditation
– consultants
– software used for medical data

Page 10: HITECH Breach Notification, Sept 2009 – June 2010 (bar chart of reported breaches by category)

Category          Reports
Laptops           35
Paper             21
Desktop           15
Portable Device   11
Other              9
Network            6
Email              5
Backup tapes       2

Page 11: HITECH Breach Notification Reports (pie chart, same categories by share)

Laptops 34%, Paper 20%, Desktop 14%, Portable Device 11%, Other 9%, Network 6%, Email 5%, Backup tapes 2%

Page 12: (no text content)

Page 13: New York State SSN/PII Laws

Information Security Breach and Notification Act – Effective December 2005

IF… a breach of Personally Identifiable Information occurs
o SSN
o Credit Card
o Driver’s License

THEN… must notify
o patients / customers / employees
o NY State Attorney General
o Consumer reporting agencies

RED FLAG REGULATIONS
o New enforcement date June 1, 2010
o Medical Identity Theft accounted for 7% of all ID Theft – up from 3% – a new threat

Page 14: Types of confidential electronic information

• ePHI = Electronic Protected Health Information
– Medical record number, account number or SSN
– Patient demographic data, e.g., address, date of birth, date of death, sex, e-mail / web address
– Dates of service, e.g., date of admission, discharge
– Medical records, reports, test results, appointment dates

• PII = Personally Identifiable Information
– Individual’s name + SSN or Driver’s License # or credit card #

• Electronic media = computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-up modems, cell phones, email, web-sites, etc.

Page 15: Types of Security Failures

• Failing to encrypt protected health information (PHI)
• Sending EPHI outside the institution without encryption
– Under HITECH you may be personally liable for losing EPHI data
• Losing a laptop or other portable device in transit with unencrypted PHI or PII
– Under HITECH and NY State SSN Laws, you may be personally liable, and you will be disciplined for loss of PHI or PII
• Failing to follow basic Security Requirements
– Sharing passwords, signing on to applications for another user, failing to sign off a workstation

Page 16: Types of Security Failure – Social Security Numbers

• First, avoid SSN (and Driver’s License, Credit Card Numbers)
– REFUSE to take files or reports with SSN if not needed
• Do not store SSN long-term
– DESTROY the file/report as soon as you are done with it. Delete the file from your computer, delete the email that brought the file, etc. Or, using an editor program, cut out the SSN from the file.
• Do not keep the complete SSN
– ERASE the first 5 digits of the SSN.
• Encrypt SSN, and Obfuscate SSN
– If you must keep it, keep the SSN in an encrypted file or folder.
– Do not show the SSN in an application, or show only the last 4 digits if that meets the needs. AUTHENTICATE again if the complete SSN is shown, and LOG who saw the SSN. Ask why the SSN is needed.
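The SSN rules on this slide (keep only the last four digits, obfuscate anything retained, scrub SSNs out of files, re-authenticate and log any full view) as a worked Python example. This is an added example, not code from the briefing or from CUMC; the HMAC key, the `authenticate` callback and the sample numbers are constructed placeholders, and the keyed-hash pseudonym is one way to implement the slide's "obfuscate", not a CUMC-specified method.

```python
"""SSN minimization helpers illustrating the slide's rules: keep only the last
four digits, replace the number with a keyed pseudonym instead of storing it,
scrub SSNs out of free text, and gate any full-SSN view behind a fresh
authentication step plus an access log.
Added example, not code from the briefing or from CUMC; the HMAC key and the
`authenticate` callback are constructed placeholders."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Accepts 123-45-6789 or 123456789 (shape only, no issuance-rule validation).
SSN_SHAPE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# Finds SSN-shaped tokens inside free text for scrubbing.
SSN_IN_TEXT = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def normalize_ssn(ssn: str) -> str:
    """Return the nine digits, rejecting anything that is not SSN-shaped."""
    if not SSN_SHAPE.match(ssn):
        raise ValueError("not a well-formed SSN")
    return ssn.replace("-", "")


def last_four(ssn: str) -> str:
    """'ERASE the first 5 digits': retain only the last four for display or matching."""
    return normalize_ssn(ssn)[-4:]


def masked(ssn: str) -> str:
    """Display form that shows only the last four digits."""
    return "***-**-" + last_four(ssn)


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: stable for record linkage under one key, not
    reversible without the key. The key must be kept apart from the data
    (assumption: a key-management service or an encrypted key file)."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def scrub_ssns(text: str) -> str:
    """'cut out SSN from the file': replace every full SSN in text with a masked form."""
    return SSN_IN_TEXT.sub(r"***-**-\3", text)


class FullSsnAccess:
    """Wraps the rare full-SSN view: a reason is required, the user must
    re-authenticate, and every attempt (granted or denied) is logged with
    who asked, why, and only the last four digits of what was asked for."""

    def __init__(self, authenticate):
        self._authenticate = authenticate  # constructed step-up auth callback
        self.log = []

    def reveal(self, user: str, ssn: str, reason: str) -> str:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "last4": last_four(ssn), "reason": reason, "granted": False}
        self.log.append(entry)  # log first, so denied attempts are recorded too
        if not reason.strip():
            raise PermissionError("a reason is required to view a full SSN")
        if not self._authenticate(user):
            raise PermissionError("re-authentication failed")
        entry["granted"] = True
        return normalize_ssn(ssn)


def reveal_or_none(access: FullSsnAccess, user: str, ssn: str, reason: str):
    """Convenience wrapper for callers that prefer None to an exception."""
    try:
        return access.reveal(user, ssn, reason)
    except PermissionError:
        return None


if __name__ == "__main__":
    # Constructed demo: only "alice" passes the step-up check.
    gate = FullSsnAccess(authenticate=lambda user: user == "alice")
    print(masked("123-45-6789"), scrub_ssns("file lists 123-45-6789 and 123456789"))
    print(reveal_or_none(gate, "alice", "123-45-6789", "billing dispute"))
    print(reveal_or_none(gate, "bob", "123-45-6789", "curious"))
    print(gate.log)
```

The log entry is appended before the checks so that refused requests leave a trace, and the pseudonym uses a keyed hash rather than a plain hash because an unkeyed SHA-256 of a nine-digit number can be reversed by enumerating all possible inputs.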

Page 17: Good Computing Practices: 10 Safeguards for Users

1. User Access Controls (Sign on, restricted access)
2. Passwords
3. Workstation Security
4. Portable Device Security – USB, Laptops
5. Data Management, e.g., back-up, archive, restore
6. Remote Access – VPN
7. Recycling Electronic Media & Computers
8. E-Mail – Columbia/NYP email account ONLY
9. Safe Internet Use
10. Reporting Security Incidents / Breach

Page 18: Safeguard #1 – Unique User Log-In / User Access Controls

Access Controls:
– Users are assigned a unique “User ID” for log-in purposes
– Each individual user’s access to ePHI system(s) is appropriate and authorized
– Access is “role-based”, e.g., access is limited to the minimum information needed to do your job
– User access to information systems is logged and audited for inappropriate access or use
– Unauthorized access to ePHI by former employees is prevented by terminating access
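The five controls on this slide (unique user id, authorized role, minimum-necessary fields, logged and audited access, termination of former employees) in one small Python model. This is an added example, not the briefing's or CUMC's code; the roles, field names, user ids and the sample record are constructed.

```python
"""Role-based, minimum-necessary access to ePHI with an audit trail, as a
worked illustration of Safeguard #1. Added example, not the briefing's or
CUMC's code; the roles, field names, user ids and records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Minimum necessary: each role sees only the fields its job needs (constructed).
ROLE_FIELDS = {
    "scheduler": {"mrn", "name", "appointment_date"},
    "billing": {"mrn", "account_number", "dates_of_service"},
    "clinician": {"mrn", "name", "dob", "diagnosis", "test_results"},
}


@dataclass
class AccessControl:
    roles: dict                                   # user id -> role name
    assignments: dict                             # user id -> set of MRNs in their workload
    terminated: set = field(default_factory=set)  # revoked user ids
    audit: list = field(default_factory=list)     # every access attempt and revocation

    def can_read(self, user: str) -> bool:
        """A unique user id must be current (not terminated) and carry a role."""
        return user not in self.terminated and user in self.roles

    def terminate(self, user: str) -> None:
        """Former workforce member: revoke immediately and record the revocation.
        Roles and assignments are kept so past audit entries remain interpretable."""
        self.terminated.add(user)
        self._log(user, None, "terminate", True)

    def read(self, user: str, record: dict) -> dict:
        """Return only the fields the user's role permits; every attempt is logged."""
        mrn = record["mrn"]
        if not self.can_read(user):
            self._log(user, mrn, "read", False)
            raise PermissionError(f"{user} is not authorized")
        allowed = ROLE_FIELDS[self.roles[user]]
        self._log(user, mrn, "read", True)
        return {k: v for k, v in record.items() if k in allowed}

    def _log(self, user, mrn, action, granted):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "mrn": mrn, "action": action, "granted": granted})

    def flag_inappropriate(self) -> list:
        """Audit step: granted reads of a chart the user is not assigned to are the
        signal reviewers look for when checking for inappropriate access."""
        return [e for e in self.audit
                if e["action"] == "read" and e["granted"]
                and e["mrn"] not in self.assignments.get(e["user"], set())]


if __name__ == "__main__":
    # Constructed sample chart and two users.
    chart = {"mrn": "M-001", "name": "J. Doe", "dob": "1/1/1970", "diagnosis": "asthma",
             "test_results": "normal", "account_number": "A-9",
             "appointment_date": "6/1/2010", "dates_of_service": ["5/2/2010"]}
    ac = AccessControl(roles={"amy": "scheduler", "bob": "clinician"},
                       assignments={"amy": {"M-001"}, "bob": set()})
    print(ac.read("amy", chart))          # scheduler view: mrn, name, appointment_date
    print(ac.read("bob", chart))          # clinician view, but M-001 is not bob's patient
    print(ac.flag_inappropriate())        # bob's read is flagged for review
    ac.terminate("amy")
    print(ac.can_read("amy"), ac.audit[-1])
```

The filter is applied on the way out of `read`, so a role never receives fields it has no business need for, and the audit entry is written even when the request is refused.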

Page 19: Safeguard #2 – Password Protection

To safeguard YOUR computing accounts, YOU need to take steps to protect your password
• Don't share your password — protect it the same as you would the key to your home. After all, it is a "key" to your identity.
• Do not write down your user ID / password and leave it unsecured
• Don't use a word that can easily be found in a dictionary — English or otherwise.
• Use at least eight characters (letters, numbers, symbols).
• Don't let your Web browser remember your passwords. Public or shared computers allow others access to your password.

Page 20: Safeguard #3 – Workstation Security

• “Workstations” include any electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
• Log-off before leaving a workstation unattended.
– This will prevent other individuals from accessing EPHI under your User-ID and limit access by unauthorized users.
• Lock-up!
– Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.
– Lock your workstation (Ctrl+Alt+Del and Lock) – Windows XP, Windows 2000
– Do not leave sensitive information on remote printers or copiers.

Page 21: Safeguard #4 – Security for USB drives & Storage Devices

• USB drives are new devices which pack a lot of data in tiny packages, e.g., 256MB, 512MB, 1GB.
• Approved encrypted devices include: Lexar or Kingston Data Traveler
• Safeguards:
– Don’t store ePHI on USB drives
– If you do store it, either de-identify it or use encryption software
– Delete the ePHI when no longer needed

Delete temporary ePHI files from local drives & portable media too!

Page 22: (no text content)

Page 23: (no text content)

Page 24: Safeguard #6 – Secure Remote Access

Standards for remote network access by laptops, home computers and PDAs (same standard as desktops at work):

Minimum network security standards are:
1. Software security patches up-to-date
2. Anti-virus software running and up-to-date on every device
3. Turn off unnecessary services & programs
4. Physical security safeguards to prevent unauthorized access

Consider these also:
5. Host-based firewall software – running & configured
6. Placement to conceal screen content
7. No downloads from lesser known web sites
8. No peer-to-peer software, use only work related software

Apply these same standards to all portable devices & home PCs.

Page 25: Safeguard #7 – Data Disposal: Clean devices before recycling

Destroy ePHI data which is no longer needed:
– “Clean” hard-drives, CDs, zip disks, or back-up tapes before recycling or re-using electronic media.
– Have an IT professional overwrite or destroy your digital media before discarding – via magnets or special software tools; and/or
– Know where to take these items for appropriate safe disposal
– Do not just donate an old workstation without cleaning the disks

Page 26: Safeguard #8 – E-Mail Security

E-mail is like a “postcard”. E-mail may potentially be viewed in transit by many individuals, since it may pass through several switches en route to its final destination, or never arrive at all!

E-mails containing ePHI need a higher level of security:
1. Do not use personal e-mail accounts to communicate any information related to CUMC.
2. Do not send or forward emails with ePHI from secure addresses to non-institutional accounts, e.g., Hotmail, Google, Yahoo, etc.
3. Use secure, encrypted email software, if available (e.g. WINZIP)
4. Security at the Subject Line: Avoid using individual names, medical record numbers or account numbers in unencrypted e-mails

Page 27: Safeguard #10 – Report Information Security Incidents

• You are responsible to:
– Report and respond to security incidents and security breaches.
– Know what to do in the event of a security breach or incident related to ePHI and/or Personal Information.

Report security incidents & breaches to:
Help Desk 305-HELP (ext. 54357)
[email protected]

Page 28: Sanctions for Violators

Workforce members who violate policies regarding privacy / security of confidential / protected health information or ePHI are subject to corrective & disciplinary action.

Actions taken may include:
– Department/Grant responsible for fines, penalties, notification costs etc.
– Counseling & additional training
– Suspension
– Termination of access to applications
– Violation of City, State and Federal laws may carry additional consequences of prosecution under the law
– Knowing, malicious intent can = penalties, fines, jail!

Page 29: (no text content)

Page 30: Information Security Reminders

• Password protect computer/data
• Run Anti-virus & Anti-spam software, Anti-spyware
• Keep office secured
• ENCRYPT!
• Use institutional E-mail
• Use Encryption for Portable Devices with PHI

Page 31: HIPAA and Research – HIPAA Research Use & Disclosures

Form A – Authorization signed by patient for all clinical research
Form B – Waiver criteria applied before records research
Form C – Recruitment waiver
Form D & E – Exceptions documented: preparatory to research; research on decedents
Form F – Limited data-set
Form G – De-identified

Page 32: HIPAA Form A – Authorization signed by patient for all clinical research

• TWO signatures required
1. Consent to participate in research
2. Authorization to USE information collected
• If Consent is being obtained then HIPAA Authorization must also be obtained
• Information Sheet – must include HIPAA language
• Single signature – Combined consent and HIPAA authorization
• International Research

Page 33: HIPAA Form B – Waiver Criteria applied before records research

• Mostly retrospective medical record reviews
• All 5 questions must be answered and must explain why subject consent/authorization is not practical.
• Partial waiver of signed authorization is required when an information sheet will be used
• Cannot waive authorization for records that do not belong to CUMC/NYP

Page 34: HIPAA Form D & E – Exceptions Documented: Preparatory to Research & Decedent Data Research

• Form D should be attached when the investigator will review multiple records, schedules, or other items to identify potential candidates or if involved in preliminary research to establish a thesis
• Form E – Research on decedents – really only needed when research will focus exclusively on decedents.

Page 35: HIPAA Form F – Limited Data-set

• SIGNED agreement when research will include DOB, date of admission, surgery, event, MRN
• Multi-center studies – whose Data Use Agreement
• HIPAA form F is written to reflect that CUMC is the data owner.
• Data sharing should not be initiated until the document is fully executed
• A lab not involved in research performing a paid function is a Business Associate, not a research collaborator.

Page 36: Form G – De-identified Data

• Assumes NONE of the 18 identifiers will be COLLECTED during research
• Name, address, email, telephone, photo, SS#, DOB, credit card number
• A code or link back to source data is not permitted
• International research may qualify for de-identified data if the code/link to identifiers is not brought back to CUMC / USA
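A pre-flight check for a Form G extract, as an added Python example that is not part of the briefing or of CUMC's process: it rejects rows that still carry any of the identifier fields listed on this slide or a code/link back to the source record, catches identifier-shaped values hiding in free-text columns, and produces a redacted copy. The column names, the link-field names and the sample rows are constructed; the date pattern conservatively flags any full date rather than only a DOB, which is my assumption, not the slide's.

```python
"""Form G pre-flight: check that a research extract carries none of the
identifiers the slide lists (name, address, email, telephone, photo, SSN,
DOB, credit card number) and no code or link back to the source record, and
produce a redacted copy. Added example, not the briefing's or CUMC's code;
column names, link-field names and sample rows are constructed, and the date
pattern flags any full date, not only DOB (an assumption)."""
import re

# Columns that are identifiers in their own right (constructed names).
IDENTIFIER_FIELDS = {"name", "address", "email", "telephone", "photo",
                     "ssn", "dob", "credit_card"}
# Columns that would let someone link back to the source chart (constructed names).
LINK_FIELDS = {"mrn", "source_id", "record_link", "subject_code"}
# Identifier-shaped values that hide inside free-text columns.
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def check_record(record: dict) -> list:
    """Return a list of findings for one row; an empty list means the row passes."""
    findings = []
    for column, value in record.items():
        key = column.lower()
        if key in IDENTIFIER_FIELDS:
            findings.append(f"identifier column present: {column}")
        elif key in LINK_FIELDS:
            findings.append(f"link back to source data: {column}")
        elif isinstance(value, str):
            for kind, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{kind}-like value in column {column}")
    return findings


def redact_record(record: dict) -> dict:
    """Drop identifier and link columns and blank identifier-shaped values in text."""
    clean = {}
    for column, value in record.items():
        key = column.lower()
        if key in IDENTIFIER_FIELDS or key in LINK_FIELDS:
            continue
        if isinstance(value, str):
            for pattern in VALUE_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)
        clean[column] = value
    return clean


def check_dataset(rows) -> dict:
    """Summarize a whole extract: de-identified only if every row is clean."""
    flagged = {i: f for i, f in ((i, check_record(r)) for i, r in enumerate(rows)) if f}
    return {"de_identified": not flagged,
            "rows_flagged": sorted(flagged),
            "findings": flagged}


if __name__ == "__main__":
    # Constructed sample rows: the second one would fail a Form G review.
    rows = [
        {"age_band": "40-49", "diagnosis": "hypertension", "visit_year": "2009"},
        {"name": "Jane Doe", "mrn": "00123", "age_band": "40-49",
         "note": "call 212-555-0100 re 3/4/2010 visit"},
    ]
    print(check_dataset(rows))
    print([redact_record(r) for r in rows])
```

Running the check before the extract leaves the institution is the point: a column drop alone would miss the phone number and date embedded in the free-text note, which is why the value patterns are applied to every string column as well.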