Health InsurancePortability & Accountability Act (HIPAA) 1996 Introduction Privacy Rule Security Rule
Acknowledgments Material is from: • HIPAA Compliance, Carlene Dalgleish • Legal Issues in Information Security, Joanna Lyn Grama Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Contributor: Misty Lowery Reviewers: Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Reasons for Legislation • Records of patients or insurance claims made publicly available by accident • Email reminder to take Prozac sent to 600 (not blind cc’d) • Woman fired from job after positive review but expensive illness • 35% of Fortune 500 companies admitted checking medical records before hiring or promoting • People avoid using insurance when they have AIDS, cancer, STD, substance abuse or mental illness
Medical Identity Theft: When a person’s name and other parts of his/her medical identity are stolen for the purpose of getting medical services and goods.
Medical Identity Theft: Problems: • Medical info is for wrong person • Inaccurate health records • Wrong diagnosis • Fatal treatments • Imposter claims health care • Medical Insurance Fraud • Inaccurate Credit History: Bills sent elsewhere
Medical Identity Thieves:Who can commit this crime? 2003: An employee at a cancer center stole the identity of a center patient. The identity thief was sentenced to 16 mos. In prison and ordered to pay restitution. 2006: A desk clerk at a Florida clinic stole the health info of over 1,000 patients. The clerk sold the data to another person. That person used the information to submit $2.8M in fraudulent Medicare claims to the U.S. government. Computer hackers Members of organized crime rings Health care providers (doctor’s, dentists, hospital employees)
Business Challenges Facing the Health Care Industry Organizations MUST maintain the security of computer systems that hold health data. Hospital computer systems contain notes from hospital employees and primary care physicians. Health Insurance Companies collect and compile patient data from different providers.
HIPAA • Introduced by Senators Edward Kennedy & Nancy Kassebaum • Portability: Workers can continue health care between different employers • Group insurance cannot reject, not renew, or charge higher premiums of certain individuals • Simplify administration by creating a health care transaction standard • Accountability: • Penalties for non-compliance • Tax provisions
HIPAA Titles • Title 1: Health Care Insurance Access, Portability, and Renewability • Title 2: Preventing Health Care Fraud & Abuse, Administrative Simplification, Medical Liability Reform • Title 3: Tax-related Health Provisions • Standardizes medical savings accounts • Title 4: Application and Enforcement of Group Health Insurance Requirements • Title 5: Revenue Offsets • Defines how employers can deduct company-owned life insurance premiums from income tax
Title 2 Has Three Rules Transactions, Code Sets, and Identifiers: Standards for electronic transmission • Electronic Data Interchange: Standardized records for health care transactions The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information The Security Rule: Security Standard for electronic patient health
Criminal Penalties Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …
Health Care OrganizationCovered Entities (CE) Health plan (e.g., HMO, PPO) Standard bills/records Standard bills/records Health care Clearinghouse Nonstandard bills/records Health Care Provider (e.g., doctor, hospital)
Health Care Organization Business Associates (BA) Covered Entities (CE) Works for Health plan Performs: Claims Processing Transcription Billing Data Analysis Independent organization Work involves health info Not bank or post office Health care Clearinghouse Health Care Provider
Protected Health Information (PHI) Health Information Relates to Physical or Mental health or past/present/ future payment Individually Identifiable Health Information Created or maintained by CE or BA Protected Health Information (PHI) Covered by HIPAA Identifiers Name SSN city or county zip code phone or fax medical record # fingerprint If YOU had Aids, how could such identifiers Identify you?
Treatment, Payment & Health Care Operations (TPO) Health Care Operations Administrative functions related to health care: financial or legal or quality improvement, training, certification, case mgmt, business planning Treatment Provision & coordination of health care among health care providers, including referral Payment Any activities involved in compensation for health care: billing, determining coverage or eligibility analyzing services $
HIPAA Standard Transactions Health plan (e.g., HMO, PPO) Health Plan Eligibility Inquiry Certification & Authorization of Referral Health Care Claim Health Care Claim Status Request Health Plan Premium Payment Enrollment or Disenrollment into Health Plan Health Care Claim Payment Certification & Authorization of Referral Health Care Provider (e.g., doctor, hospital) Plan Sponsor (Employer)
Breach Notification Laws The Oregonian, May 2006 In one of Oregon’s largest security breaches, Providence Health System disclosed that a burglar stole unencrypted medical records on 365,000 patients kept on disks and tapes left overnight in an employee’s van State Laws, called Breach Notification Laws require CEs to notify patients when their PHI has been breached If data is encrypted and laptop is lost, notification is not required This often applies to any industry that uses personal information, such as Social Security Numbers
HITECH: Health Information Technology for Economic and Clinical Health Act (2009) Breach Notification Rule Introduced notification requirements PHI shall be encrypted in a way that is approved by HHS. PHI shall be shredded or destroyed and disposed of properly. Specifies how to notify individuals and agencies if a breach of information occurs
The Genetic Information Nondiscrimination Act of 2008 • Protects against some types of genetic testing discrimination. • Insurance companies can’t make eligibility decision based on genetic testing results. • Insurance companies can’t base cost of premiums on genetic testing results. • Employers can’t hire, fire or make job decisions based on the use genetic testing. • Employers/Health Insurance Plans can not requiring genetic testing.
The HIPAA Privacy Rule + SHHhhh...
Privacy Rule:CEs Shall Develop Policies • CEs shall develop policies, procedures, and standards for how it will adhere to Privacy Rule. How will CE: • use and disclose PHI? • protect patient rights? • CEs shall regularly review policies and procedures • CEs shall update policies when new requirements emerge • CEs shall monitor that policies/procedures are consistently applied throughout the organization
Privacy Rule:No NonHealth Usage of PHI The National Law Journal, May 30, 1994 A banker who also served on his county’s health board cross-referenced customer accounts with patient Information. He called due the mortgages of anyone suffering from cancer. Health information is not to be used for nonhealth purposes, unless an individual gives explicit permission
Privacy Rule:Need-to-Know Access Washington Post, March 1, 1995 The 13-year-old daughter of a hospital employee took a list of patients’ names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them they were diagnosed with HIV. Employees should have access only to what is absolutely required as part of their jobs. • What individuals should have access to PHI? • What categories of PHI should individuals have access to? • What conditions are required for access? • How will Business Associates & Trading Partners be informed and controlled?
Privacy Rule:Protections against Marketing Boston Globe, August 1, 2000 A patient at Brigham and Women’s Hospital in Boston learned that employees had accessed her medical record more than 200 times. CE must obtain permission before sending any marketing materials, with limited exceptions
Required Shut or locked doors Keep voice down Clear desk policy Password protection Auto screen savers Privacy curtains Locked cabinets Paper shredders Not Required Soundproof rooms Redesign office space Private hospital rooms (semiprivate ok) OK for doctors to talk to nurses at nurse stations Privacy Rule:Establish Privacy Safeguards Safeguards should be REASONABLE
Privacy Rule:Employee Training & Accountability New York Times, Jan. 19, 2002 Eli Lilly and Co. inadvertently revealed over 600 patient e-mail addresses when it sent an all message to every individual registered to receive reminders about taking Prozac. • Each CE organization shall name one person who is accountable for Privacy Rule compliance • Each employee, volunteer, contractor shall be trained in privacy policies and procedures • Full and Part-time
Privacy Rule: Individual Privacy Rights Patients have the Right to: • See or obtain copies of medical information (except for psychotherapy notes) • Request correction to health record • Receive a Notice of Privacy Practices • Request restrictions as to who can see PHI • Request specific method of contact for sake of privacy • Know who has accessed PHI • File a complaint if their rights have been violated • Allow and withdraw authorizations for use and disclosure CE must: • Respond to requests within 30 days • May extend delay with notice for another 30 days • Keep records of how PHI is disclosed
Notice of Privacy Practices Privacy • NPP must be available when asked for • NPP must be displayed prominently in the office • Health Plan must provide upon enrollment • Health Provider must provide on first service delivery • Both must request written acknowledgment of receipt of NPP • After change, revised NPP must be issued to clients within 60 days Electronic • Must be displayed prominently on web page • Must be emailed to customers after a change in NPP
Required & Permitted Disclosures Required Disclosure: • Patient • or personal representative, e.g., parent, next of kin • Office of Civil Rights Enforcement: Investigates potential violations to Privacy Rule Permitted Disclosure: • Minimum-Necessary PHI may be disclosed without authorization for: judicial proceedings, coroner/funeral, organ donation, approved research, military-related situations, government-provided benefits, worker’s compensation, domestic violence or abuse, some law enforcement activities • ID must be verified by proof of identity/badge and documentation
More Disclosures Routine Disclosure • Disclosures that happen periodically should be addressed in policies, procedures, forms • E.g.: Referral to another provider, school immunization, report communicable disease, medical transcription, births, deaths & other vital statistics Non-routine Disclosure • CEs shall have reasonable criteria to review requests for non-routine PHI disclosures • E.g., Research disclosures Incidental Disclosure • CEs shall have reasonable safeguards • E.g. Patient overhears advice given to another patient Accidental Disclosure • Computer is stolen with PHI
Disclosures Requiring Authorization • Research project (special conditions may allow) • Person outside health care system • Employer • However, employer may require authorization for drug test before hiring • Other insurance companies • Health care provider not involved in patient’s health care • Insurance company not paying patient’s claims • Lawyer Patient should get copy of authorization
Sample Authorization Form Disclosure Authorization Form Description of Information:_____________________________________ Patient making authorized disclosure____________________________ Person receiving information:__________________________________ Purpose of the disclosure: Authorization Expiration Date:________________ Patient Signature__________________________ Date:____________ A form to revoke authorization must be completed to terminate authorization. Must be retained by CE for 6 years
Implementing ‘Minimum Necessary’ Minimum necessary: Just enough info to accomplish the main purpose • E.g., Send prescription for glasses to optician, not medical history • Data Classification • Sensitivity of information • Type of treatment required • Questions to Answer • What parts of record can each user type access? • How will we constrain access to implement view?
Business Associates (BA) Not Business Associates Must also be responsible with PHI $$$ Accreditation Janitorial Electrical Phone Vending Copy Conduit: Mail Financial Institution: Banks Accounting & Finance Consulting Legal Administration &Management Actuarial
Business Associate Contract (BAC) CEs must request BA to sign a BAC: • BA will not disclose PHI • BA is liable for damage due to disclosure or misuse • BA will use safeguards to prevent misuse • BA will report any security incident or violation of agreement • BA will destroy or protect PHI upon termination of contract • CE can terminate contract if violation occurs • CE will provide BA copies of policies, procedures and materials for safeguarding • Etc.
BA Violates BAC CE is not required to actively monitor BA If BA is violating contract CE must take reasonable steps to correct If CE takes no action then CE=willful neglect, subject to penalties If BA takes no action CE must terminate relationship OR Contact Health & Human Services
HITECH: Health Information Technology for Economic and Clinical Health Act (2009) • BA’s must follow the HIPAA Security Rule. • BA’s are held to the same standard as CE’s. • Health & Human Services (HHS) can: • require BA’s to comply with HIPAA. • enforce penalties on noncompliant BA’s.
Violation of HIPAA Privacy Rule: To see the above article, go to: http://www.wthr.com/global/Category.asp?c=83157 WTHR Investigation Leads to Record $2.25M HIPAA Settlement, Indianapolis, IN, 2006: Reported that CVS was “throwing sensitive personal information in the trash” (e.g.: unredacted pill bottles, prescription instruction sheets, pharmacy receipts with credit card information and health insurance account numbers. After this, other CVS pharmacies were investigated and it was found that they also were improperly disposing of PHI.
Security Rule Enforces Privacy Rule on Computers Privacy Rule Security Rule With or w/o computer With computer Protect PHI Protect EPHI Minimum Necessary Authentication & Access Control Accounting of Disclosures Unique Login Credentials Authentication Track modifications to EPHI: Who did what when?
Security Vocabulary Asset: Diamonds Threat: Theft Vulnerability: Open door or windows Threat agent: Burglar Owner: Those accountable or who value the asset Risk: Danger to assets
Security Rule Assures… Confidentiality Integrity Availability
Security Services • Authentication • Access Control • Data confidentiality • Data integrity • Data backup & recovery • Nonrepudiation = Cannot say it wasn’t you who sent or received data • Risk Management
Risk Management • Risk assessment • Policy & Procedures Maintenance • Security Program Enforcement • Audit logs, vulnerability assessments, audit for procedure adherence and control effectiveness • Patches are applied to software • Data is available, confidential, & integrity is protected
Security Rule Standards Comprehensive Technology Neutral Scalable Administrative Controls Security Rule Small or Large Physical Controls Security Rule Technical Controls Look to Best Practices for Technology Answers e.g. NIST
Three Areas of Safeguards Administrative: Administrative policies, procedures, and actions to implement and maintain security controls to protect EPHI, including risk mgmt, access control, contingency plans, incident response. Security Rule Physical: Protection of the physical access to terminals, laptops, servers, backup tapes, CDs, memory, including viewing, access, maintenance and disposal. Technical: Protection using technology tools to protect EPHI, including logs, encryption, authentication
Policies & Procedures Policies and Procedures MUST BE: • Retained for 6 years after date of creation or last effect • Available to workers responsible for them • Must be updated regularly accommodating changes in environment & operations
Security Rule Standard This is recommended… Address this in some way… Implement at least some alternatives…. If it doesn’t apply, document well why not… R=Required DO IT! A=Addressable We do this instead: …..
Security Mgmt Implications We will need an IT person to regularly check logs to be sure our system was not broken into Risk assessment must be ‘accurate and thorough’ – that will be a challenge! And all are Rs… The Sanction policy basically requires we all sign a confidentiality agreement and if someone breaks the rule, they could be fired. Security Mgmt Process