
HIPAA Privacy and Information Security Management Briefing


Presentation Transcript


  1. HIPAA Privacy and Information Security Management Briefing
  Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315
  Soumitra Sengupta, Information Security Officer, sen@columbia.edu, (212) 305-7035
  Tuesday, June 14, 2011

  2. Agenda
  • Privacy
    • Recent cases reported – Office for Civil Rights
    • HITECH Update
    • Potential Areas of Risk
  • Information Security
    • Breach Details
    • Risk Assessments
    • Common Security Controls

  3. HITECH = HIPAA Act II and this time we really mean it!

  4. HITECH Update
  • Breach Notification
    • As reported by the Office for Civil Rights
    • At CUMC
  • Business Associate Agreements
    • New proposed regulations
  • Accounting of Disclosures
    • New Regulations Issued Friday May 28, 2011

  5. HITECH Breach Notification at CUMC
  • One case reported involved over 500 records and required immediate disclosure to the Office for Civil Rights, patient notification and other corrective actions
  • Additional cases (< 500) requiring annual disclosure in 2010
    • Lost/stolen unencrypted laptop(s)
    • Unauthorized use or disclosure of medical information
    • Patient information available on the internet

  6. In Response to Breach Reports
  • New CUMC Policy on system registration and system risk assessment
  • New Breach risk assessment tool to determine if notification is required
  • New Confidentiality Agreement for staff
  • Increased education and staff communication regarding risk areas for breach
  • Use of new controls to prevent breaches

  7. Business Associates
  • OCR issued a Proposed Rule
    • NPRM Published July 14, 2010
  • HIPAA civil and criminal enforcement and penalties apply directly to BAs (and to subcontractors) in addition to contractual liability
    • Final Rule expected in 3rd quarter 2011

  8. Business Associates
  • NPRM modifies BA definition under HIPAA Privacy & Security Rules and clarifies when a BA relationship exists
  • New duties for Business Associate in NPRM
    • BAA must directly comply with all HIPAA Security Rule administrative, physical, & technical safeguards & documentation requirements

  9. HITECH & Business Associates
  • Additional parties added to definition of “BA”
    • E-prescribing gateways
    • Vendors that offer personal health records to patients on behalf of a covered entity
    • Organizations that provide data transmission services and that require routine access to PHI, including health information organizations
    • Regional and State Health Information Exchanges

  10. Accounting of Disclosures
  • Patient has the right to receive a report of workforce members that accessed, used or disclosed information from their “designated record set”, including medical and billing records, for up to a 3 year period
  • Includes Business Associates’ access of the designated record set!
  • Must include date, time, name of individual and, if available, the reason for access
  • Response must be provided to the patient within 30 days
  • 60 day comment period – August 2011
  • Effective Compliance Date 1/1/2013 or 1/1/2014

  11. Additional Proposed HITECH Regulations
  • Patient Right to Request restrictions on disclosures to Insurance Companies
    • CE must agree to a restriction on disclosure to an insurance company if the patient paid out of pocket in full
  • HITECH and Fundraising Disclosures
    • Clear and conspicuous opportunity to opt out
    • Recommended language changes for Notice of Privacy Practices and statement on fundraising communications

  12. Privacy / Medical Record Management
  • EHR = Availability of all medical info to all staff
  • Medical information sent is not consistent with the authorization signed by the patient
  • Medical information sent to the wrong person
  • Medical information mailed to the wrong address
  • Medical information given to the wrong person
  • Management of medical records of departing faculty

  13. Next Steps / Areas of Risk
  • Business Associates
  • Staff education
  • Medical Record Management
  • Security of Devices with medical information
  • Social Media Policy Development
  • Guidance for removing paper documents with protected health information from CUMC - taking work home or transporting to other locations

  14. Incidents and breaches
  • Departmental files on NOAA
  • Departmental computer in Albany
  • Use of Google calendar (Two clinical departments)
  • Lost Blackberry of an administrator

  15. Departmental files on NOAA
  • Pre-HIPAA activity
  • A physician, leaving CUMC in 2005, wanted to keep electronic copies of journal articles
  • A relative copied a folder to a NOAA public FTP site
  • The folder contained clinical reports
  • In 2011, a patient searching on self found the files and issued a complaint
  • HIPAA breach reported to the OCR

  16. Departmental Computer in Albany
  • Pre-HIPAA activity
  • In 2004-2005, a division moved location and purchased new Macintosh desktops
  • An old desktop was picked up curbside in Albany in 2011. The person who looked through its contents contacted CUMC
  • The desktop was that of the divisional administrator, and one particular file had grant investigator information, including SSNs
  • Significant CUMC faculty were listed
  • Reported to the State attorney general’s office

  17. Use of Google Calendar
  • Use of Google calendar to schedule patients
    • Care schedule as well as research schedule
    • Patient name or ID or Initials
    • Location or Clinic name or Physician name
  • Google agreement permits Google to read and analyze content and use it for whatever they deem appropriate
  • Google will not sign a Business Associate Agreement
  • All non-institutional storage (DropBox, Wikis, Blogs, Calendars, Emails) without encryption and/or a BAA has the same risks

  18. Lost Blackberry
  • Loss or theft of a Blackberry that did not have a password
  • A billing administrator had communicated PHI by email for billing verification
  • The Blackberry remained silent for a while, then came back online and was wiped
  • The lack of a password meant the Blackberry’s encryption was useless as a protection
  • Affected patients were identified by going through the emails on the server
  • Reported as a breach to the OCR
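Slides 5, 6 and 18 together describe the notification decision CUMC's breach risk assessment tool has to make: the 500-record line between immediate OCR reporting and the annual log, and the fact that encryption only counts as protection when the device password that guards the key is actually in force. The following is an added illustration of that decision logic, not CUMC's tool; the 500 threshold is taken from the federal rule (the slide says "over 500"), and the `Incident` fields and action strings are this example's own.

```python
from dataclasses import dataclass
from typing import List

# Threshold assumed from the federal rule (500 or more individuals); the
# slide phrases it as "over 500" versus "< 500".
OCR_IMMEDIATE_THRESHOLD = 500


@dataclass
class Incident:
    description: str
    individuals_affected: int
    encrypted: bool                 # stored PHI was encrypted
    access_control_enforced: bool   # device password/PIN actually in force
    phi_involved: bool = True


def triage(inc: Incident) -> List[str]:
    """Return the notification steps this incident requires (illustrative)."""
    if not inc.phi_involved:
        return ["document: no PHI involved, no breach"]
    # Encryption only protects data at rest when the key is not exposed:
    # an encrypted phone with no password hands the data to whoever picks
    # it up (slide 18), so it is treated as unprotected.
    if inc.encrypted and inc.access_control_enforced:
        return ["document: PHI secured by encryption, no notification"]
    steps = ["notify affected patients", "corrective actions"]
    if inc.individuals_affected >= OCR_IMMEDIATE_THRESHOLD:
        steps.insert(0, "report to OCR immediately")
    else:
        steps.append("log for annual OCR report")
    return steps


def needs_immediate_ocr_report(inc: Incident) -> bool:
    return "report to OCR immediately" in triage(inc)


# Constructed cases modelled on the incident types named in the briefing.
if __name__ == "__main__":
    cases = [
        Incident("lost unencrypted laptop", 1200, False, False),
        Incident("lost Blackberry, encrypted, no password", 120, True, False),
        Incident("lost encrypted laptop with password", 1200, True, True),
    ]
    for c in cases:
        print(c.description, "->", triage(c))
```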

  19. CUMC Risk Assessment Program Objective
  • To assess the information security fitness of CUMC’s systems and advance our collective compliance posture for HIPAA & HITECH
  • AKA Certification Program
  • Identified 265 systems that use Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)
  • 185 have been evaluated so far

  20. Execution
  • The Information Security group is executing the program in departmental groups
  • We have certifications in progress with 19 academic and administrative departments, schools, and centers
  • Results are discussed with the Chair or Head of the department by the COO of CUMC
  • Progress and results are reported to the Audit committee of the Columbia University Board

  21. What is Risk Assessment or Certification?
  • HITRUST Alliance, LLC provided us with a control list to use in the assessments
  • We also included questions from the previous 2003 HIPAA questionnaire
  • We perform vulnerability management scans:
    • Infrastructure
    • Web applications
  • We review basic architecture, physical security, etc.

  22. Sample Questions
  • Do you host PHI or PII?
  • Is your server in a locked room accessible via a badge reader?
  • Does one person control every aspect of your system?
  • Does your system publish any information to the Internet?
  • Does your system require authentication?
  • Do you have audit logs?

  23. The Process
  • Discovery: NYPH Interfaces, System Inventory, Clinical Data Warehouse, 2007 HIPAA Inventory
  • Assess: Interview Sponsors, Interview System Custodians, Vulnerability Scans
  • Report: Identify Risks, Develop Impact, Make Recommendations

  24. Report Outcomes
  • PASS
    • Your system is protected with adequate system controls
    • Security will return in one year’s time to perform a new assessment
  • REMEDIATION
    • Your system has risks to be corrected
    • Implement the recommendations within 90 days or sunset the system
    • Security will return in one year’s time to perform a new assessment after remediation

  25. Program Summary
  • The program is changing IT security operations in the departments at CUMC
  • Many defunct systems have been decommissioned
  • Risks are dealt with based on severity
  • CUMC IT has developed a security solutions catalog
  • Systems are being remediated
  • Senior leaders are engaged in the compliance process
  • Current inventory will be assessed by Nov. 1st, 2011
  • Departments are responsible for annual risk assessment
  • The program is being incorporated into standard business practice at CUMC

  26. CUMC Privacy and Security Initiatives
  • Management Controls
    • System Registration and Certification Policy
      • Established May 13, 2011
      • Notices sent to all Deans, Chairs and Department Administrators
      • Published in DA Manual
    • Training and Awareness Events
      • New employee orientation
      • Online training for faculty
      • New student orientation
      • HIPAA training in CUMC schools’ curriculum
      • Annual Privacy and Information Security Management Briefing
      • Information bulletins
  • Technical Controls
    • Data Loss Prevention - Scan CUMC websites for the presence of patient data and SSNs
    • Anti Virus - Monitoring PC system health for n systems with Symantec Central AV Server
    • Vulnerability Management - Scanning CUMC IT hosts for missing patches and configuration errors
    • Bluecoat Internet Proxy - Limit Internet use to safe sites
    • Bradford Network Access Control - Register and scan student devices
    • CUMC IT managed Smart Phones - Enforce strong password
    • Email forwarding and DLP on Email Control – coming this year

  27. http://www.cumc.columbia.edu/hipaa/

  28. Information Security & Privacy Management Briefing
