HIPAA Implementation at UNC School of Medicine Dennis A. Schmidt, MS, CISSP Director, Office of...

HIPAA Implementation at HIPAA Implementation at UNC School of MedicineUNC School of Medicine

Dennis A. Schmidt, MS, CISSP

Director, Office of Information Systems

HIPAA Security Officer

UNC School of Medicine

March 12, 2007

AgendaAgenda

• Overview of HIPAA• Overview of the Privacy Regulation• Protected Health Information• Parts of the Privacy Regulation• Patient Rights• Penalties• HIPAA Security Regulations• Implementation at UNC School of

Medicine

What is HIPAA?What is HIPAA?

• HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries.

HIPAA Parts HIPAA Parts

• HIPAA has several parts:» Electronic Transactions and Code Sets

Standards

» Privacy Requirements

» Security Requirements

» National Identifier Requirements (NPI)

• This presentation will focus on the Privacy and Security Requirements.

Who Is Subject to HIPAA?Who Is Subject to HIPAA?

• Health Care Providers» Any provider of health care or other health

services, or supplies, who transmits health information in electronic form in connection with a transaction for which standard requirements have been adopted.

• Health Plans» Any individual or group plan that provides or

pays the cost of health care.

• Health Care Clearinghouses » A public or private entity that transforms health

care transactions from one format to another.

04/18/23 5

Affiliated Covered EntitiesAffiliated Covered Entities

• Any organization that provides patient care and bills electronically is subject to HIPAA.

• Those organizations are classed as “Covered Entities”

• UNC Health Care is a Single Affiliated Covered Entity, consisting of:» UNC Hospitals

» UNC Physicians and Associates

» UNC School of Medicine

» Rex Hospital

04/18/23 6

HIPAA Cost Neutral (????)HIPAA Cost Neutral (????)

• Streamlining codes and transactions sets theoretically offsets the overhead costs incurred to support privacy and security.

• No real savings have yet been realized from codes and transaction sets.

• Many organizations do not benefit from codes and transactions savings.

04/18/23 7

HIPAA Privacy RuleHIPAA Privacy Rule

• Went into effect April 14, 2003• The main goal of the Privacy Regulation is to

protect the use and sharing of Protected Health Information (PHI).

What is PHI?What is PHI?

• Protected Health Information

PHI is any health information that can be used to identify a patient and which relates to the patient, healthcare services provided to the patient, or the payment for these services.

Examples of PHI IdentifiersExamples of PHI Identifiers• Employer• Relatives’

Names• Telephone

Numbers• Fax Numbers• E-Mail Address• Medical Record

Number

• Social Security Number

• Codes• Fingerprints• Occupation• Photographs• Certificate

Numbers

Privacy Regulation RequiresPrivacy Regulation Requires

• We cannot use or disclose PHI unless it is required or allowed by law, or when the patient has given permission.

Privacy Rule PrinciplesPrivacy Rule Principles

• The Privacy Regulation, or Privacy Rule, is made up of several parts.

These include the following:• Accountability:

» Anyone who misuses PHI will be subject to losing their job along with civil and/or criminal penalties.

Privacy Rule Principles cont…Privacy Rule Principles cont…

• Responsibility to the public:» Addresses the need to keep the public healthy

and safe, but at the same time protect the privacy of all patients.

• Boundaries:» PHI should be used for healthcare purposes

only.

Privacy Rule Principles cont…Privacy Rule Principles cont…

• Security:» PHI needs to be kept confidential and

accessed on a need to know basis.

• Patient Control:» The Patient has the right to ask us for a

listing showing when and to whom their PHI has been shared. (Accounting for Disclosures.)

Patient RightsPatient Rights

• The Privacy Rule calls for letting patients know their privacy rights.

These rights are as follows:• The patient has the right to obtain a copy of

our Notice of Privacy Practices.

• The patient has the right to access their PHI. It’s their information, not ours.

• The patient has the right to ask for corrections in their own PHI.

Patient Rights (cont’d)Patient Rights (cont’d)

• The patient has the right to control how PHI about them is shared.

• The patient has the right to “opt out” of being listed in hospital directories.

• The patient has the right to file a complaint if we do not follow our privacy policies.

PenaltiesPenalties

There are penalties for not following HIPAA requirements.

• You can lose your job.

• You and your facility can be forced to pay up to $250,000 and spend up to 10 years in jail.

HIPAA HIPAA Security RuleSecurity Rule

Final Security RuleFinal Security Rule

• Published in Federal Register on February 20, 2003

• Effective Date: April 21, 2005• Scope narrowed to Electronic PHI Only• All other PHI covered by Privacy Rule

Protected Health Protected Health Information (PHI)Information (PHI)

• Identifiable Health Information that is» Transmitted by electronic media» Maintained in electronic media» Transmitted or maintained in any other

form or medium

• Excludes health information in» Education records covered by Family

Educational Rights and Privacy Act» Employment records held by a covered

entity in its role as employer

DefinitionsDefinitions

• Standards• Required Implementation

» Covered entity must implement the implementation specifications

• Addressable Implementation» Entity must assess whether

implementation specification is reasonable and appropriate safeguard

» Implement if reasonable» If not reasonable

• Document why• Implement alternative measure if reasonable

and appropriate

Security Standards MatricesSecurity Standards Matrices

• Administrative Safeguards• Physical Safeguards• Technical Safeguards• Security Standards are required to be

implemented• Implementation Specification is either

» Required or

» Addressable

Administrative SafeguardsAdministrative Safeguards

• Security Management Process» Risk Analysis Required» Risk Management Required» Sanction Policy Required» Information System Activity Review Required

• Assigned Security Responsibility Required• Workforce Security

» Authorization and/or Supervision Addressable» Workforce Clearance Procedure Addressable» Termination Procedures Addressable


• Information Access Management» Isolating Healthcare Clearinghouse Function Required

» Access Authorization Addressable

» Access Establishment and Modification Addressable

• Security Awareness and Training Required» Security Reminders

Addressable

» Protection form Malicious Software Addressable

» Login Monitoring Addressable

» Password Management Addressable


• Security Incident Procedures Required• Contingency Plan

» Data Backup Plan Required

» Disaster Recovery Plan Required

» Emergency Mode Operation Plan Required

» Testing and Revision Procedure Addressable

» Applications and Data Criticality Analysis Addressable

• Evaluation (replaces Certification) Required• Business Associate Contracts (Written) Required

Physical SafeguardsPhysical Safeguards

• Facility Access Controls Required» Contingency Operations Addressable» Facility Security Plan Addressable» Access Control and Validation Procedures Addressable» Maintenance Records Addressable

• Workstation Use Required• Workstation Security Required• Device and Media Controls

» Disposal Required» Media Re-use Required» Accountability Addressable» Data Backup and Storage

Addressable

Technical SafeguardsTechnical Safeguards

• Access Control» Unique User ID Required» Emergency Access Procedure Required» Automatic Logoff Addressable» Encryption and Decryption Addressable

• Audit Controls Required• Integrity Required

» Mechanism to Authenticate Electronic PHI Addressable

• Person or Entity Authentication Required• Transmission Security

» Integrity Controls Addressable» Encryption Addressable

““Due Diligence”Due Diligence”

• HIPAA expects entities to use Due Diligence when protecting PHI.

• Definition of Due Diligence is constantly changing/evolving and subject to interpretation.

• Your definition of Due Diligence may be different from a plaintiff’s definition.

• Following industry standards probably fits in Due Diligence – but that’s just MY interpretation.

04/18/23 28

HIPAA Implementation at UNC HIPAA Implementation at UNC

04/18/23 29

Implementation StructureImplementation Structure

• UNC HCS HIPAA Oversight Committee

• UNC HCS HIPAA Policy Committee• HIPAA Implementation Teams

» UNC Hospitals» Rex Healthcare» UNC P&A» UNC School of Medicine

HIPAA CommitteesHIPAA Committees

• UNC HCS » HIPAA Oversight Committee » HIPAA Policy Committee» HIPAA Education Committee» HIPAA Privacy Subcommittee» HIPAA Security Subcommittee» HCS Physical Inspection Team» Security Incident Response Team (SIRT)

• SOM» HIPAA Planning and Oversight Counsel» HIPAA Security Team

• UNC » HIPAA Security Liaisons» HIPAA Planning Committee

04/18/23 31

HIPAA Implementation HIPAA Implementation ApproachApproach

• Health Care System Approach

» Standard Policies Across HCS • UNC Hospitals• UNC Physicians & Associates• Rex Hospital• School of Medicine

Implementation TasksImplementation Tasks

• Inventory of individually identifiable electronic health information, including information kept on personal computers and research databases

• Risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information

• Collect and review existing privacy and security policies

• Create new, compliant UNC HCS privacy and security policies

Implementation Tasks cont.Implementation Tasks cont.

• Review and revise admission, treatment, and consent forms

• Create additional HIPAA-required forms (including Notice of Privacy Practices, Business Associate Agreements, Chain of Trust Agreements)

• Educate staff about privacy and security policies, including sanctions for violations - incorporate into compliance program


• Designate privacy and security officers in each entity

• Review and revise vendor contracts to ensure that business associates protect privacy of identifiable health information

• Enter into Business Associate Agreements with business associates

• Evaluate audit trails and develop additional tracking techniques to ensure a record of all use/disclosure of patient information

• High Level Assessment & Gap Analysis» Inventory of Patient Information (PHI)

• Information Flow Assessment» Detailed Security Assessment and

Risk Analysis• Must be done by Every

Department/Division• Risk Doctor


• Education & Training – Entire Workforce» On-line Modules developed by UNC HCS» Initial Module – HIPAA 101 for all» Follow on Modules based on job function» Training to be conducted and tracked by

Departments/Divisions


• Security Related Requirements» Formal mechanism for processing records

• Creation, receipt, storage, transfer, disposal of PHI

» Personnel Security Clearance Process» Written procedures for access to PHI» Documented termination procedures to

include notification of IS organizations» Workstation controls» Disaster Recovery Plan


SOM HIPAA PoliciesSOM HIPAA Policies

• UNC HCS Information Security Policy• UNC HCS Privacy/Confidentiality of PHI• Electronic Media Disposal Policy• End User Account Policy• Orientation and Termination Checklists• Network Security Policy• Desktop Configuration Policy• Password Policy• Remote Access Policy• Handheld Computing Devices Policy• Audit Policy • Web Security Policy

04/18/23 39

Implementation Team Implementation Team ResponsibilitiesResponsibilities

• Education & Training• Coordinate assessments and

information gathering• Participate on HIPAA workgroups• Develop and implement unit-specific

policies• Assist in the development and

dissemination of new global policies and procedures

• Assess physical security (higher level policies anticipated)

• Ongoing…..

Specific Issues & Specific Issues & Concerns with HIPAA Concerns with HIPAA

ImplementationImplementation

04/18/23 41

DocumentationDocumentation

• To prepare for HIPAA, we did not make many changes to our architecture or procedures.

• We just had to document what we were already doing.

04/18/23 42

Cultural Change for our Cultural Change for our UsersUsers

04/18/23 43

People Do Not Like ChangePeople Do Not Like Change

• “When an opportunity comes to consign you all to the nether regions there will be a rush to make it so.” -Basic Sciences PHD in response to password change requirement

• “…if this was the private world, I would FIRE YOU…and if I saw you in the hall I would tell you to ‘flip off!’” - Physician in response to password change requirement

HIPAA Extends Well Beyond ITHIPAA Extends Well Beyond IT

• Protect information regardless of media• Provide physical safeguards• Personnel issues (training, sanctions)• Liability protections (contracts, insurance)• Revise business & clinical processes to

comply

Policy DevelopmentPolicy Development

• Wrote higher level Information Security Policy to cover all of HCS

• Formed numerous committees to help write lower level policies for School of Medicine

• Important to get user “buy-in” • Enforcement is still an issue

» Not enough resources to audit units

• Policies approved by the Dean ‘s Office

04/18/23 46

Media Disposal Policy

• First HIPAA related policy • Requires all media (hard drives, etc.) to be

sanitized properly with disk wiping software before leaving university control.

• Written by School of Medicine, adopted by UNC and UNC Hospitals.

• Developed in response to actual incident.

Password PolicyPassword Policy

• New requirements:» Strong passwords» Change every 90 days» No “group” accounts

• Most significant HIPAA change for our users

04/18/23 48

Risk AssessmentsRisk Assessments

• Very resource intensive• Difficult to get units to do their own• Used Raytheon “Risk Doctor” for first round• Purchased “HIPAA Watch” for second round

» Allowed us to push questions out electronically to departments

• On going risk assessments are constant resource drain.

04/18/23 49

Disaster Recovery PlansDisaster Recovery Plans

• Very difficult to do• Using Living Disaster Recovery Plan System

(LDRPS)

04/18/23 50

EncryptionEncryption

• Addressable item in HIPAA Security Rule• Currently using “other” means of protection• Exploring encryption solution for laptops and

desktops• Due Diligence has evolved to now include

encryption of data.

04/18/23 51

Changes in Network SecurityChanges in Network Security

• Additional Router filters for firewall like protection

• Tipping Point intrusion prevention» Early detection of malicious activity

» Blocking Peer to Peer traffic in SOM

» Blocking Skype traffic in SOM

• VPN• Firewalled Secure Zone • Expanded VLAN (802.1Q) technology• Switches and routers in private IP space

04/18/23 52

Physical SecurityPhysical Security

• All School of Medicine buildings are alarmed and card swipe access after hours

• Sensitive floors are card swipe access 24/7• ID Badge policy• Additional secure server rooms for

departmental servers

04/18/23 53

Patient E-mailPatient E-mail

• Tumbleweed Secure Server• Activated when user puts (secure) in subject

line.• Stores message on secure server• Sends “you’ve got mail” link to recipient • Recipient clicks on link to read secure

message• Weak security if users are not authenticated

when viewing message

04/18/23 54

Mobile Memory Devices

• Wide scale proliferation of Mobile Memory Devices (PDAs, Smartphones, Blackberries, etc.) is major problem in Health Care organizations

• Easily lost or misplaced.• Lack of centralized control• Task force formed by NCHICA (North

Carolina Healthcare Information and Communications Alliance, Inc.) to address the problem

HIPAA Resources

• www.hhs.gov/ocr/hipaa/• www.med.unc.edu/hipaa• www.nchica.org• Academic Medical Center Conference on

Privacy & Security» Friday Center, Chapel Hill

» June 10-13

Questions??Questions??

04/18/23 57

HIPAA Implementation at UNC School of Medicine Dennis A. Schmidt, MS, CISSP Director, Office of...

Documents

Transcript of HIPAA Implementation at UNC School of Medicine Dennis A. Schmidt, MS, CISSP Director, Office of...