TRANSCRIPT
The “New” HIPAA: What It Means for Compliance Professionals
Desert Southwest Regional Annual Conference, November 18, 2011
Today’s Discussion
The New World of Privacy & Data
Recent Events
What government is doing to ensure we’re protecting data
What you should be doing to prepare for it
Amount of Data Held Electronically is Exploding
– Electronic health records (EHRs)
– Health information exchanges (HIEs)
– Clinical decision support (CDS)
– Computerized physician order entry (CPOE)
– All-Payer Claims Databases (APCDs)
– Accountable Care Organizations (ACOs)
– Etc.
ARRA/HITECH
It’s all about… bending the cost curve
[Chart: cost plotted against time, labelled “Increasing Quality” and “Decreasing Cost”]
90 percent of U.S. hospitals have implemented many of the IT systems underlying electronic health record systems
– 12 percent actually use an EHR system
– 2 percent currently would qualify for Meaningful Use
Adoption and use of EHRs ramping up
Market is active - providers consolidate, grow dissatisfied with current systems, and become more sophisticated users of such products.
Survey by Frost & Sullivan; October 14, 2011
EHR Market to Hit $6.5 Billion by 2012
“Privacy in 2011 is a matter of nostalgia, not practice…”
“You have zero privacy anyways. Get over it.”
– Scott McNealy, Sun Microsystems, 1999
Facebook introduces “frictionless sharing”
Verizon told customers it could share their location and search strings with advertisers
2 members of Congress have called for the FTC to investigate “supercookies”
Indications of an accelerating rush to compile, index and disseminate personal data in the digital age…
New World of Cyber Crime
– RSA (March 2011): Boston-based cryptography firm suffered a massive network intrusion that resulted in theft of information related to its SecurID tokens; 40M people use the tokens to access the internal computer networks of 25,000 corporations, government organizations and financial institutions
– Epsilon (April 2011): Hackers penetrated the internal networks of a Texas-based firm that handles email communications for > 2,500 clients. Companies affected: Ameriprise Financial, BestBuy, Capital One Bank, Citi, JPMorgan Chase, TiVo, U.S. Bank and dozens more.
– Lockheed Martin (May 2011): Networks penetrated by attackers who used "cloned" RSA tokens made with data taken in the original breach. Unconfirmed reports named defense contractors Northrop Grumman and L-3 Communications as other victims.
– Sony (since April 2011): Japanese entertainment and electronics giant has been fighting various groups of hackers. One group stole the personal information of 102 million registered users of the PlayStation Network (PSN) and other online gaming services.
Cyber Crime, cont.
Had Enough Yet?
– NASA's Goddard Space Flight Center
– InfraGard, an FBI affiliate
– The European Commission
– Blogging platform WordPress
– The Institute of Electrical and Electronics Engineers (IEEE)
– TripAdvisor
– Gawker Media
– Speed trap warning service Trapster
– And… the Pentagon's official credit union
“A lax attitude, coupled with cybercriminals who are technologically savvy enough to perform sophisticated network intrusions, has made 2011 a year dozens of major companies will remember — and hopefully never repeat.”
Section 13400 of ARRA/ HITECH
Breach = an “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of the protected health information”
– Effective September 23, 2009
– You must notify:
  – Each affected individual (always)
  – The federal government (always)
  – The media (sometimes)
Breach Safe Harbors
– Encryption: successful use depends upon the strength of the algorithm
  – Decryption key must also be secure
  – Federal Information Processing Standards (FIPS) 140-2
– Destruction (of paper records): standard is that the records can’t be reconstructed
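As an added illustration of the encryption safe harbor (example code written for this transcript, not anything from the presenter, HHS or a vendor), the Go program below seals a constructed patient record with AES-256-GCM before it would be written to a backup image, then checks the two properties the safe harbor rests on: the sealed image contains no recoverable plaintext, and only the holder of the key, which has to live somewhere other than the tape, can open it. Whether the crypto module is FIPS 140-2 validated is a property of the deployment, not something this code can check; the record contents, the key and the field layout are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleRecord is a constructed patient record; it describes no real person.
const SampleRecord = "name=Jane Doe;ssn=123-45-6789;dx=hypertension;acct=8812"

// SealRecord encrypts plaintext with AES-256-GCM (32-byte key) and returns
// nonce||ciphertext||tag, the bytes that would go onto the backup image.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under GCM breaks confidentiality.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord. It fails on a wrong key or on any change to
// the sealed bytes, because GCM authenticates the ciphertext as well as hiding it.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// LeaksPlaintext reports whether a sensitive value still appears verbatim in
// the image: the check to run before calling a tape "encrypted".
func LeaksPlaintext(image, sensitive []byte) bool {
	return bytes.Contains(image, sensitive)
}

func main() {
	key := make([]byte, 32) // in practice from a key manager, never stored on the tape
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := SealRecord(key, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible in sealed image:", LeaksPlaintext(sealed, []byte("123-45-6789")))
	if _, err := OpenRecord(bytes.Repeat([]byte{0}, 32), sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // simulate a corrupted or altered tape block
	if _, err := OpenRecord(key, sealed); err != nil {
		fmt.Println("tampered image rejected:", err)
	}
}
```

The point of keeping the key out of the image is exactly the slide's second bullet: a lost tape that carries its own decryption key is not "secured" in the sense the safe harbor requires, however strong the algorithm.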
Breaches under HITECH
HOW: Theft 50%; Unauthorized access/disclosure 20%; Loss 16%; Hacking/IT 7%
WHAT: Paper records 24%; Laptop 23%; Desktop computer 17%; Portable electronic device 16%; Network server 10%
WHERE: Everywhere; 26% involve BAs
Numbers Don’t Lie
1 in 4: Organizations that have reported a data breach
– Ali Pabrai/HIPAA Academy
34,000*: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals
330*: Organizations reporting breach affecting 500 or more individuals
*OCR; as of October 2011
2011 Set to Be Worst Year Ever for Security Breaches
"In the last 10 years, I don't think we've seen breaches that have affected consumers at this scale. It's been the worst year in a decade."
– Ondrej Krehel, information security officer for Scottsdale, Ariz.-based Identity Theft 911
"Due to the lax security posture of many large-scale global companies, it has now become almost trivial for a motivated group or individual to find a way in… We should be conscious of the fact that we cannot trust companies to protect our data properly and be cautious who we give our information to."
– Wisniewski
Nemours Healthcare System
Computer backup tapes lost – records had been locked in a cabinet believed to have been removed from a building during remodeling
Information lost included names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information and direct deposit bank account information on 1.6 million patients and their guarantors, vendors and employees
From 5 sites in DE, FL, NJ and PA
Notifying individuals and offering one year of free credit monitoring and identity theft protection
TRICARE Breach – Largest So Far Under HITECH
4.9 million TRICARE military health plan beneficiaries notified of breach of their PHI
Backup tapes stolen from business associate’s employee car (Science Applications International Corp.)
Information may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions
Individuals not offered credit monitoring services
New Offer for TRICARE Breach Victims!
“TRICARE has directed its business associate, Science Applications International Corp., to offer one year's worth of free credit monitoring and restoration services to the 4.9 million beneficiaries affected by a recent breach.”
Earlier, TRICARE had announced that it would not offer credit monitoring services, citing the minimal risk involved in the breach
GovInfo Security, 11/4/2011
New York City Health and Hospitals Corp.
Backup tapes belonging to New York City Health and Hospitals Corp. stolen from truck while being transported to off-site storage
1.7 million individuals may have been affected
Stolen data included names, addresses, Social Security numbers, and more, dating back 20 years
“Although the data were not encrypted, it exists in a proprietary program that scrambles the records and would make it difficult for individuals without specialized technical expertise and access to the right software and computer hardware to view the private information.”
Massachusetts General Hospital Settlement
$1 million settlement
Entered into Corrective Action Plan (CAP) with federal government
Case stems from paper records lost on a subway
Records Accessed by Unauthorized Employees
University Medical Center (UMC) in Tucson, AZ: 3 clinical support staff members and a contracted nurse fired for accessing confidential patient records without authorization
Representative Gabrielle Giffords was being treated at UMC at the time
Technology advances, but human nature stays unchanged…
Weakest Link?
Insiders are responsible for over 70% of data breaches
Most organizations are still extremely vulnerable to insider threats, even after implementing access controls, auditing and monitoring, and other safeguards
What Can You Do?
Encrypt everything that moves or can move
Train everybody on HIPAA and document it
Stress that even in the case of curiosity, HIPAA infractions are serious and punishable
Training: A Powerful Breach Preventer
The Department of Defense Proposed Rule: requirements for contractors' employees to receive training on
– Privacy protections
– Handling and safeguarding of personally identifiable information
– Restrictions on use of personally owned equipment to process, access or store personally identifiable information
– Prohibition against access by unauthorized users
– Breach notification procedures
http://docs.ismgcorp.com/files/external/2011-26546.pdf
The Cost of Breaching PHI
Average cost of data loss per individual = $204
– 2009 Ponemon Institute/PGP Corporation study
Don’t Forget about State Breach Notification Laws…
Most states have these now
States define it differently: Personal information + data element(s) = breach
Your Notification Process may have to comply with both laws!
Often:
– Much stricter reporting timeframes
– More requirements
– May not have a harm allowance!
Patients put off treatment due to NHS data breaches
NHS patients withhold information from their doctors due to fears over confidentiality and data breaches
Survey of 1,000 patients:
– > 50% either have withheld information or would withhold information from clinicians
– 40% have or would put off seeking treatment if a hospital had a poor reputation for security
– 37% of the respondents said they would travel 30 miles or more to avoid being treated at a hospital they didn't trust
Data Security
“97% of chief information officers are concerned about data security… So, who are these other three percent?”
– Ali Pabrai, a data security expert of HIPAA Academy and ecfirst, at the 5th national HIPAA Summit West
– Everyone, especially those in healthcare charged with protecting the privacy of patient information, needs to be concerned about data security!
IT’S NOT JUST ABOUT CONFIDENTIALITY
Don’t forget about the Availability and Integrity of Data...
The BlackBerry “Disruption”
Affected millions of customers in Europe and North America
People had to use payphones! Some had to use their personal Droids and iPhones
VA - one-third of the VA's BlackBerry devices were affected by the recent outage
“Good example of why the VA needs to enable staff members to use a wider variety of mobile devices. As we diversify our access methods, we will see less and less impact from outages along these lines.”
– Assistant Secretary Baker
Availability
St. John’s Regional Medical Center, Joplin, MO
WHERE ARE WE TODAY?
HITECH Mandated Regulations “Still in the Works”
Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights:
“Omnibus” rulemaking due out this year, to include:
– Modifications to the HIPAA privacy, security and enforcement rules
– The breach notification rule (currently have interim final version)
– Privacy provisions under the Genetic Information Nondiscrimination Act (GINA)
– Accounting for Disclosures proposed rule
– Additional rules in coordination with the Office of the National Coordinator (ONC) for Health Information Technology
– Additional “new ways to protect against new vulnerabilities”
Already Out
– HITECH Law (as part of ARRA)
– Breach Notification Interim Final Rule
– HITECH Enforcement Interim Final Rule
– Notice of Proposed Rule Making: HITECH
– Notice of Proposed Rule Making: Accounting of Disclosures (May 2011)
– Guidance: Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements
De-identified Data Safe Harbor being Reconsidered
Report due last February; researchers soon to offer recommendations on best practices for de-identifying data for research studies to protect patient privacy
Team includes University of Chicago & Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONC)
Safe harbor: 18 common identifiers must be stripped out of data for it to qualify as de-identified so it can be shared for research purposes
Meaningful Use Guidance
Under HITECH: default minimum necessary standard defined as limited data set, which strips protected health information of most identifiers
– virtually useless outside research setting
Can use HIPAA’s minimum necessary standard if the LDS won’t suffice
Proposed rules didn’t address minimum necessary standard except to request public comments on it
Once final rules are issued, HITECH Act section defining minimum necessary as the limited data set will sunset
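To make concrete the difference between the de-identification safe harbor (identifiers stripped so the data can be shared for research) and the limited data set (direct identifiers removed, dates and geography kept), here is an added Go example; it is illustrative code for this transcript, not anything from the presenter, ONC or HHS. It shows the stripping and generalization mechanics on a handful of representative fields rather than enumerating all 18 safe-harbor identifiers, the field names are the example's own convention, and the patient row is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Record is one patient row, field name -> value. Field names are this
// example's own convention; the sample values are constructed, not real.
type Record map[string]string

// Sample is the constructed row the functions below operate on.
var Sample = Record{
	"name":       "Jane Doe",
	"street":     "12 Elm St",
	"city":       "Tucson",
	"state":      "AZ",
	"zip":        "85701",
	"phone":      "520-555-0100",
	"email":      "jane@example.org",
	"ssn":        "123-45-6789",
	"mrn":        "MRN-000123",
	"dob":        "1960-04-17",
	"admit_date": "2011-10-02",
	"diagnosis":  "hypertension",
	"lab_a1c":    "6.9",
}

// directIdentifiers are removed outright by both a limited data set (LDS)
// and safe-harbor de-identification.
var directIdentifiers = []string{"name", "street", "phone", "email", "ssn", "mrn"}

// dateFields keep their full value in an LDS but are cut to the year under safe harbor.
var dateFields = []string{"dob", "admit_date"}

// subStateGeo is kept in an LDS and dropped under safe harbor here (safe harbor
// allows a 3-digit ZIP prefix in some cases; this example takes the conservative route).
var subStateGeo = []string{"city", "zip"}

// clone copies a record so the original row is never modified in place.
func clone(r Record) Record {
	out := make(Record, len(r))
	for k, v := range r {
		out[k] = v
	}
	return out
}

// LimitedDataSet strips direct identifiers but retains dates and geography,
// the minimum-necessary default the slide describes.
func LimitedDataSet(r Record) Record {
	out := clone(r)
	for _, k := range directIdentifiers {
		delete(out, k)
	}
	return out
}

// SafeHarbor goes further: dates are reduced to the year and geography below
// state level is removed, leaving a row that can be shared for research.
func SafeHarbor(r Record) Record {
	out := LimitedDataSet(r)
	for _, k := range dateFields {
		if v, ok := out[k]; ok && len(v) >= 4 {
			out[k] = v[:4] // "1960-04-17" -> "1960"
		}
	}
	for _, k := range subStateGeo {
		delete(out, k)
	}
	return out
}

// Fields returns the sorted field names of a record, for stable output.
func Fields(r Record) []string {
	keys := make([]string, 0, len(r))
	for k := range r {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	fmt.Println("original:    ", Fields(Sample))
	fmt.Println("limited set: ", Fields(LimitedDataSet(Sample)))
	fmt.Println("safe harbor: ", Fields(SafeHarbor(Sample)), "dob =", SafeHarbor(Sample)["dob"])
}
```

Running it shows why the slide calls the limited data set "virtually useless outside research": the clinical fields survive both transformations, but the LDS still carries exact dates and ZIP codes that a research team needs and that a billing office cannot rely on for identification.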
What You Should Be Worried About
1. Your data – where is it?
2. Any data that can move that isn’t encrypted
3. Vendors
– What are they doing with your data?
4. Buy-in from the top
– Are you telling the C-Suite & Board when major incidents happen? Do they care?
5. State laws that allow people to sue for HIPAA violations
What You Should Be Worried About, cont.
6. Your “Designated Record Set” and where it exists
7. HIEs/Connectivity
8. Your Workforce
– Intentional and unintentional acts
9. Minimum Necessary
10. Forgetting about the Patient in all of this.
Both Frequency & Severity of Enforcement Is Increasing…
Source: Davis Wright Tremaine LLP; 7.12.11
[Chart of enforcement resolutions, labelled with settlement amounts: $1M, $1M, $100K, $4.3M, $865K, $2.25M, $35K]
Resolution through CIVIL MONETARY PENALTIES
New Civil Monetary Penalties under HITECH in effect since 2/2010
Mandatory penalties for “willful neglect”
Level of Intent/Neglect          Each Violation       All Identical Violations per CY
Without knowledge                $100 – $25,000       $1,500,000
Based on reasonable cause        $1,000 – $50,000     $1,500,000
Willful neglect                  $10,000 – $50,000    $1,500,000
Willful neglect, not corrected   $50,000              $1,500,000
– David Holtzman, OCR, HCCA Compliance Institute, April 2010
What to Do While we Wait?
Ensure your Systems and Processes are in Place
Review your Policies; amend as necessary
Almost Everything Regarding Breaches should be set!
– Policies; incident response; who is involved; reporting to feds, etc.
Create a Plan to guide Your Privacy Compliance
Do a Security Risk Assessment!
Changes Necessary?
New Policies needed?
Existing ones need to be updated?
Watch for duplicates across sections/departments that say different things
If you think you have this problem, create a work group to address this.
Include Everyone
– Privacy
– Security/Information Technology
– Human Resources
– Facility Management
– Business Managers
– Legal
– CEO/Board Representative
– ??
Include all Regulations that Apply
– HIPAA
– FISMA
– NIST
– FIPS
– GLBA
– FERPA
– State law
– GINA
– PPACA/ACA
– ACOs
Remember…
Privacy and security compliance is a journey, not a destination
– Privacy regulations changing constantly
– Security “best practices” evolving exponentially with technology
It’s not possible to be 100% compliant!
On a Positive Note…
“The best thing about the future is that it only comes one day at a time.”
Abraham Lincoln
Erika [email protected]
303-866-2958
Thank you.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html