
HIPAA Privacy and Security Update

June 2009. Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315. Soumitra Sengupta, Information Security Officer, sen@columbia.edu, (212) 305-7035.





Presentation Transcript


  1. June 2009: HIPAA Privacy and Security Update
  Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315
  Soumitra Sengupta, Information Security Officer, sen@columbia.edu, (212) 305-7035

  2. HIPAA Privacy and Security Update (agenda)
  • In the News: Privacy and Security Problems
  • Recent theft of electronic devices at CUMC
  • New Regulations: Privacy and Security
  • What you need to know about Patient Privacy
  • What you need to know about Information Security

  3. Consequences of Privacy or Security Failure
  • Disruption of patient care
  • Increased cost to the institution
  • Legal liability and lawsuits
  • Negative publicity
  • Negative patient perception
  • Identity theft (monetary loss, credit fraud)
  • Disciplinary action

  4. In the News: Providence Health System
  • Lost 365,000 patient records when 10 backup tapes/disks were stolen from an employee's minivan in 2006
  • Agreed to pay $100,000 under a resolution agreement with HHS and to implement a detailed Corrective Action Plan to safeguard electronic patient information
  • Providence reports having spent over $7 million to respond to the breach, including:
    • Free credit monitoring for patients
    • Hiring an independent forensic firm to investigate and make recommendations to improve the security of electronically stored patient information
  • Negative media attention, very damaging to their reputation

  5. In the News: NewYork-Presbyterian
  • A NYP employee (a patient admissions representative) was charged with stealing almost 50,000 patient files and selling some of them.
  • The stolen files probably contained little or no medical information, but did include patient names, phone numbers and Social Security numbers: fertile ground for identity theft.
  • The employee, McPherson, told investigators that a Brooklyn man offered him money in exchange for personal information on male patients born between 1950 and 1970.
  • McPherson then sold the man 1,000 files for $750.

  6. In the News: NewYork-Presbyterian (continued)
  • NYP sent letters and offered free two-year credit monitoring to all affected patients
  • 50,000 patients × $15 = $750,000, before any other response costs
  • NYP senior management were summoned by the District Attorney's office to explain the breach and the steps being taken to improve
  • An Information Security Enhancement Task Force led by the COO was established, and a consultant was engaged to evaluate NYP's security posture
  • NYP is currently implementing measures to improve information security

  7. Recent theft of electronic devices at CUMC
  • A large fire in a NYP/CUMC building forced immediate evacuation of the entire building
  • An outside firm was hired to assist with the clean-up and repair of the building
  • When staff returned, it was discovered that laptops, USB drives (thumb drives) and digital cameras had been stolen
  • Lesson learned: all equipment must be password protected, and portable equipment that holds patient information must also be encrypted. A login password by itself does not protect the data on a stolen device, since the drive can simply be removed and read on another machine; only encryption of the stored data prevents that.
  • Consider installing software like PC PhoneHome that may assist in locating stolen portable devices. Such tools help with recovery, not confidentiality; encryption is still required.

  8. New Regulations: HITECH Act (ARRA)
  • Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009
  • New federal breach notification law, effective September 2009
  • Applies to all "unsecured PHI", meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons (for example by encryption meeting HHS guidance). Lost or stolen PHI that was properly encrypted is therefore not a reportable breach, which is why encryption of portable devices matters so much.
  • Requires immediate notification to the federal government (HHS) if 500 or more individuals are affected
  • Requires notification to major media outlets for breaches affecting 500 or more individuals
  • Such breaches will be listed on a public HHS website
  • Requires individual notification to each affected patient
  • Criminal penalties apply to individuals, including employees of a covered entity

  9. New Regulations: HITECH Act (ARRA), continued
  • Business Associates
    • HIPAA Security Rule standards apply directly to Business Associates
    • Statutory obligation to comply with restrictions on use and disclosure of PHI
    • New HITECH privacy provisions must be incorporated into Business Associate Agreements (BAAs)
  • Enforcement
    • Increased penalties for HIPAA violations (tiered civil monetary penalties)
    • Increased enforcement and oversight activities
    • State Attorneys General will have enforcement authority and may sue for damages and injunctive relief

  10. New York State SSN/PII Laws: Social Security Number Protection Law
  • Effective December 2007
  • Recognizes the SSN as a primary identifier for identity theft
  • It is illegal to intentionally communicate an individual's SSN to the general public
  • Access cards, tags, etc. may not carry the SSN
  • The SSN may not be transmitted over the Internet without encryption
  • The SSN may not be used as a password
  • The SSN may not be printed on mailings where it would be visible through an envelope window
  • The SSN may not be requested unless required for a business purpose
  • Fines and penalties apply

  11. New York State SSN/PII Laws: Information Security Breach and Notification Act
  • Effective December 2005
  • IF a breach of personally identifiable information occurs, covering:
    • SSN
    • Credit card number
    • Driver's license number
  • THEN you must notify:
    • affected patients / customers / employees
    • the NY State Attorney General
    • consumer reporting agencies

  12. New Regulations: Red Flag Rule
  • Red Flag Rule = Identity Theft Prevention Program
  • Requires healthcare organizations to establish a written program to identify, detect, respond to and correct reports of potential identity theft ("red flags")
  • Educate all staff on how to identify red flags and report them
  • Appoint a program administrator and report to leadership
  • The FTC rule includes fines and penalties of $2,500 per violation
  • Business Associate Agreements will have to be revised to require that CUMC be informed of any red flags involving CUMC data

  13. What you need to know about Patient Privacy
  • Notice of Privacy Practices
  • Business Associates
  • Authorization to Release Medical Information
  • Privacy Breaches
  • HIPAA and Research
  • HIPAA Education and Training

  14. Who is a Business Associate? Examples include:
  • billing
  • claims processing or administration
  • call service management
  • quality assurance
  • data processing or analysis
  • transcription services
  • utilization review
  • design or management of an electronic records system
  • accounting
  • accreditation
  • administrative services
  • data aggregation
  • consulting
  • financial services
  • management

  15. Authorization to Release Medical Information
  • Written authorization (the CUMC or NYP authorization form) is required to release medical information
  • A physician may share information with a referring physician without an authorization ("patient in common")
  • All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review

  16. Privacy Breach
  • Privacy breaches do not usually involve high-profile patients
  • Most privacy breaches involve staff accessing the medical information of friends, family members and co-workers
  • Implementation of CROWN (the electronic medical record) will improve the availability of treatment information, but it will also make patient information more widely accessible
  • It is important that staff are aware that ANY access of medical information WITHOUT a business purpose will result in disciplinary action

  17. HIPAA and Research
  • In 2008 the Privacy Board and IRB review processes were combined
  • Improved communication between researchers, the IRB and the HIPAA Office during the review process
  • Conducted several educational sessions with researchers and research staff to explain the review process and respond to questions
  • RASCAL research training program updated to include the HIPAA review process and respond to FAQs

  18. Privacy and Security Education (Professional and Support Staff)
  • New Hire Welcome Program staff education
  • On-line HIPAA education (professional staff)
  • HIPAA for Researchers (RASCAL)
  • Email reminders / alerts
  • Department-specific sessions, as requested
  • HIPAA web site
  • HIPAA training for all staff will be increased

  19. What you need to know about Information Security

  20. Security Controls: Laptop and File Encryption
  • WinZip (password protect + encrypt; choose its AES encryption option, since the legacy "Zip 2.0" password scheme is weak and easily broken)
  • 7-Zip (free; password protect + AES-256 encrypt; also enable encryption of file names, otherwise the archive listing is readable without the password)
  • TrueCrypt (free; encrypted volumes and full-disk encryption; note that TrueCrypt development ended in 2014)
  • FileVault (home folder encryption on Macintosh)
  • Encrypted USB drives: Kingston DataTraveler and IronKey (hardware-encrypted)
  • For any password-protected archive, the protection is only as strong as the passphrase; use a long one, and never send the passphrase in the same email as the file

  21. Types of Security Failure
  • Sharing passwords: you are responsible for your password. If you share it, you will be disciplined even if the other person makes no inappropriate access.
  • Not signing off systems: you are responsible, and will be disciplined, if another person uses your still-signed-on system or application.
  • Downloading and executing unknown software: if the software is malicious, you will lose your passwords and data; if the machine misbehaves, it will be disconnected from the network.

  22. Digital piracy statistics for top universities (chart not reproduced in this transcript): BitTorrent and eDonkey are the most used networks. Source: BayTSP 2008 report.

  23. Types of Security Failure (continued)
  • Sending EPHI outside the institution without encryption: under HITECH you may be personally liable for losing EPHI data
  • Losing a PDA or laptop in transit with unencrypted PHI or PII: under HITECH and the NY State SSN laws you may be personally liable, and you will be disciplined for loss of PHI or PII
  • Not questioning, reporting, or challenging suspicious or improper behavior: you put the institution and the areas under your supervision at risk

  24. Types of Security Failure: Not being extremely careful with Social Security Numbers
  • First, avoid the SSN (and driver's license and credit card numbers). REFUSE to take files or reports containing SSNs if you do not need them. Tell the sender to remove the SSN before you will accept the file or report.
  • Do not store SSNs long-term. DESTROY the file or report as soon as you are done with it: delete the file from your computer, delete the email that carried it, and so on. Alternatively, use an editor program to cut the SSN column out of the file before keeping it.

  25. Types of Security Failure: Not being extremely careful with Social Security Numbers (continued)
  • Do not keep the complete SSN. ERASE the first five digits and keep only the last four.
  • Encrypt and obfuscate the SSN. If you must keep it, keep it in an encrypted file or folder. Do not show the full SSN in an application; show only the last four digits if that meets the need. Require the user to AUTHENTICATE again before the complete SSN is displayed, LOG who saw it, and ask why they must see it.
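The SSN handling steps on the two slides above (refuse or strip full SSNs from incoming reports, keep only the last four digits, and gate any full-SSN view behind re-authentication with an audit record) can be put into a small script. The following is an added example written for this transcript, not code from CUMC or from the presentation. The report text is constructed sample data, the `SsnStore` class is a hypothetical stand-in for the encrypted file or folder the slide calls for (the encryption itself is not shown), and the `reauthenticate` hook is a placeholder for whatever password or second-factor check an application would really use.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Formatted US SSN (3-2-4 digits). The word boundaries keep the pattern from
# firing inside longer digit runs such as MRNs or phone numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def truncate_ssn(ssn: str) -> str:
    """Erase the first five digits and keep only the last four (slide 25)."""
    m = SSN_RE.fullmatch(ssn)
    if m is None:
        raise ValueError(f"not a formatted SSN: {ssn!r}")
    return f"XXX-XX-{m.group(3)}"


def count_full_ssns(text: str) -> int:
    """Pre-acceptance check (slide 24): how many complete SSNs a report carries."""
    return len(SSN_RE.findall(text))


def redact_report(text: str) -> str:
    """Replace every complete SSN in a report with its truncated form, so the
    copy you retain never contains a full number."""
    return SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)


@dataclass
class SsnStore:
    """Hypothetical store for SSNs that genuinely must be kept.

    Stands in for the encrypted file/folder on the slide. The normal read path
    returns only the last four digits; the full value is released only after a
    fresh authentication and a stated reason, and every attempt is logged.
    """
    _full: Dict[str, str] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def put(self, patient_id: str, ssn: str) -> None:
        if SSN_RE.fullmatch(ssn) is None:
            raise ValueError("refusing to store a malformed SSN")
        self._full[patient_id] = ssn

    def display(self, patient_id: str) -> str:
        """Default application view: last four digits only."""
        return truncate_ssn(self._full[patient_id])

    def reveal_full(self, patient_id: str, user: str, reason: str,
                    reauthenticate: Callable[[str], bool]) -> str:
        """Return the complete SSN only after re-authentication, and log who saw it."""
        if not reason.strip():
            raise ValueError("a business reason is required to view a full SSN")
        if not reauthenticate(user):
            self.audit_log.append(
                f"DENIED user={user} patient={patient_id} reason={reason!r}")
            raise PermissionError("re-authentication failed")
        self.audit_log.append(
            f"REVEALED user={user} patient={patient_id} reason={reason!r}")
        return self._full[patient_id]


# Constructed sample report; none of these are real people or numbers.
SAMPLE_REPORT = (
    "Patient: Doe, Jane   MRN: 00123456   SSN: 123-45-6789\n"
    "Patient: Roe, Rick   MRN: 00123457   SSN: 987-65-4321\n"
    "Callback: 212-305-7315\n"
)


def demo_reauth(user: str) -> bool:
    """Placeholder re-authentication hook: accepts exactly one user."""
    return user == "ksmith"


if __name__ == "__main__":
    print("full SSNs in incoming report:", count_full_ssns(SAMPLE_REPORT))
    print(redact_report(SAMPLE_REPORT))
    store = SsnStore()
    store.put("p1", "123-45-6789")
    print("application view:", store.display("p1"))
    print("full view:", store.reveal_full("p1", "ksmith", "eligibility check", demo_reauth))
    for entry in store.audit_log:
        print("audit:", entry)
```

Running the script reports two full SSNs in the sample, prints the report with both reduced to `XXX-XX-nnnn` (the phone number is untouched), and shows one REVEALED audit entry for the authenticated full view. A failed re-authentication raises `PermissionError` and still leaves a DENIED entry in the log, which is the part reviewers most often forget.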

  26. Methods to Protect against Failures
  • Do not abuse clinical access privilege; report an abuse if you observe one (anonymously if necessary)
  • Do not become responsible for another person's abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
  • Do not copy, duplicate, or move EPHI without proper authorization
  • Do not email EPHI without encryption to addresses outside the institution

  27. PATIENT PRIVACY
  At some point in our lives we will all be a patient. Treat all information as though it were your own.
