1 / 57

HIPAA Implementation at UNC School of Medicine

HIPAA Implementation at UNC School of Medicine. Dennis A. Schmidt , MS, CISSP Director, Office of Information Systems HIPAA Security Officer UNC School of Medicine March 12, 2007. Agenda. Overview of HIPAA Overview of the Privacy Regulation Protected Health Information

betty_james
Download Presentation

HIPAA Implementation at UNC School of Medicine

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. HIPAA Implementation at UNC School of Medicine Dennis A. Schmidt, MS, CISSP Director, Office of Information Systems HIPAA Security Officer UNC School of Medicine March 12, 2007

  2. Agenda • Overview of HIPAA • Overview of the Privacy Regulation • Protected Health Information • Parts of the Privacy Regulation • Patient Rights • Penalties • HIPAA Security Regulations • Implementation at UNC School of Medicine

  3. What is HIPAA? • HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries.

  4. HIPAA Parts • HIPAA has several parts: • Electronic Transactions and Code Sets Standards • Privacy Requirements • Security Requirements • National Identifier Requirements (NPI) • This presentation will focus on the Privacy and Security Requirements.

  5. Who Is Subject to HIPAA? • Health Care Providers • Any provider of health care or other health services, or supplies, who transmits health information in electronic form in connection with a transaction for which standard requirements have been adopted. • Health Plans • Any individual or group plan that provides or pays the cost of health care. • Health Care Clearinghouses • A public or private entity that transforms health care transactions from one format to another.

  6. Affiliated Covered Entities • Any organization that provides patient care and bills electronically is subject to HIPAA. • Those organizations are classed as “Covered Entities” • UNC Health Care is a Single Affiliated Covered Entity, consisting of: • UNC Hospitals • UNC Physicians and Associates • UNC School of Medicine • Rex Hospital

  7. HIPAA Cost Neutral (????) • Streamlining codes and transactions sets theoretically offsets the overhead costs incurred to support privacy and security. • No real savings have yet been realized from codes and transaction sets. • Many organizations do not benefit from codes and transactions savings.

  8. HIPAA Privacy Rule • Went into effect April 14, 2003 • The main goal of the Privacy Regulation is to protect the use and sharing of Protected Health Information (PHI).

  9. What is PHI? • Protected Health Information PHI is any health information that can be used to identify a patient and which relates to the patient, healthcare services provided to the patient, or the payment for these services.

  10. Examples of PHI Identifiers • Employer • Relatives’ Names • Telephone Numbers • Fax Numbers • E-Mail Address • Medical Record Number • Social Security Number • Codes • Fingerprints • Occupation • Photographs • Certificate Numbers

  11. Privacy Regulation Requires • We cannot use or disclose PHI unless it is required or allowed by law, or when the patient has given permission.

  12. Privacy Rule Principles • The Privacy Regulation, or Privacy Rule, is made up of several parts. These include the following: • Accountability: • Anyone who misuses PHI will be subject to losing their job along with civil and/or criminal penalties.

  13. Privacy Rule Principles cont… • Responsibility to the public: • Addresses the need to keep the public healthy and safe, but at the same time protect the privacy of all patients. • Boundaries: • PHI should be used for healthcare purposes only.

  14. Privacy Rule Principles cont… • Security: • PHI needs to be kept confidential and accessed on a need to know basis. • Patient Control: • The Patient has the right to ask us for a listing showing when and to whom their PHI has been shared. (Accounting for Disclosures.)

  15. Patient Rights • The Privacy Rule calls for letting patients know their privacy rights. These rights are as follows: • The patient has the right to obtain a copy of our Notice of Privacy Practices. • The patient has the right to access their PHI. It’s their information, not ours. • The patient has the right to ask for corrections in their own PHI.

  16. Patient Rights (cont’d) • The patient has the right to control how PHI about them is shared. • The patient has the right to “opt out” of being listed in hospital directories. • The patient has the right to file a complaint if we do not follow our privacy policies.

  17. Penalties There are penalties for not following HIPAA requirements. • You can lose your job. • You and your facility can be forced to pay up to $250,000 and spend up to 10 years in jail.

  18. HIPAA Security Rule

  19. Final Security Rule • Published in Federal Register on February 20, 2003 • Effective Date: April 21, 2005 • Scope narrowed to Electronic PHI Only • All other PHI covered by Privacy Rule

  20. Protected Health Information (PHI) • Identifiable Health Information that is • Transmitted by electronic media • Maintained in electronic media • Transmitted or maintained in any other form or medium • Excludes health information in • Education records covered by Family Educational Rights and Privacy Act • Employment records held by a covered entity in its role as employer

  21. Definitions • Standards • RequiredImplementation • Covered entity must implement the implementation specifications • Addressable Implementation • Entity must assess whether implementation specification is reasonable and appropriate safeguard • Implement if reasonable • If not reasonable • Document why • Implement alternative measure if reasonable and appropriate

  22. Security Standards Matrices • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Security Standards are required to be implemented • Implementation Specification is either • Required or • Addressable

  23. Administrative Safeguards • Security Management Process • Risk Analysis Required • Risk Management Required • Sanction Policy Required • Information System Activity Review Required • Assigned Security Responsibility Required • Workforce Security • Authorization and/or Supervision Addressable • Workforce Clearance Procedure Addressable • Termination Procedures Addressable

  24. Administrative Safeguards • Information Access Management • Isolating Healthcare Clearinghouse Function Required • Access Authorization Addressable • Access Establishment and Modification Addressable • Security Awareness and Training Required • Security Reminders Addressable • Protection form Malicious Software Addressable • Login Monitoring Addressable • Password Management Addressable

  25. Administrative Safeguards • Security Incident Procedures Required • Contingency Plan • Data Backup Plan Required • Disaster Recovery Plan Required • Emergency Mode Operation Plan Required • Testing and Revision Procedure Addressable • Applications and Data Criticality Analysis Addressable • Evaluation (replaces Certification) Required • Business Associate Contracts (Written) Required

  26. Physical Safeguards • Facility Access Controls Required • Contingency Operations Addressable • Facility Security Plan Addressable • Access Control and Validation Procedures Addressable • Maintenance Records Addressable • Workstation Use Required • Workstation Security Required • Device and Media Controls • Disposal Required • Media Re-use Required • Accountability Addressable • Data Backup and Storage Addressable

  27. Technical Safeguards • Access Control • Unique User ID Required • Emergency Access Procedure Required • Automatic Logoff Addressable • Encryption and Decryption Addressable • Audit Controls Required • Integrity Required • Mechanism to Authenticate Electronic PHI Addressable • Person or Entity Authentication Required • Transmission Security • Integrity Controls Addressable • Encryption Addressable

  28. “Due Diligence” • HIPAA expects entities to use Due Diligence when protecting PHI. • Definition of Due Diligence is constantly changing/evolving and subject to interpretation. • Your definition of Due Diligence may be different from a plaintiff’s definition. • Following industry standards probably fits in Due Diligence – but that’s just MY interpretation.

  29. HIPAA Implementation at UNC

  30. Implementation Structure • UNC HCS HIPAA Oversight Committee • UNC HCS HIPAA Policy Committee • HIPAA Implementation Teams • UNC Hospitals • Rex Healthcare • UNC P&A • UNC School of Medicine

  31. HIPAA Committees • UNC HCS • HIPAA Oversight Committee • HIPAA Policy Committee • HIPAA Education Committee • HIPAA Privacy Subcommittee • HIPAA Security Subcommittee • HCS Physical Inspection Team • Security Incident Response Team (SIRT) • SOM • HIPAA Planning and Oversight Counsel • HIPAA Security Team • UNC • HIPAA Security Liaisons • HIPAA Planning Committee

  32. HIPAA Implementation Approach • Health Care System Approach • Standard Policies Across HCS • UNC Hospitals • UNC Physicians & Associates • Rex Hospital • School of Medicine

  33. Implementation Tasks • Inventory of individually identifiable electronic health information, including information kept on personal computers and research databases • Risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information • Collect and review existing privacy and security policies • Create new, compliant UNC HCS privacy and security policies

  34. Implementation Tasks cont. • Review and revise admission, treatment, and consent forms • Create additional HIPAA-required forms (including Notice of Privacy Practices, Business Associate Agreements, Chain of Trust Agreements) • Educate staff about privacy and security policies, including sanctions for violations - incorporate into compliance program

  35. Implementation Tasks cont. • Designate privacy and security officers in each entity • Review and revise vendor contracts to ensure that business associates protect privacy of identifiable health information • Enter into Business Associate Agreements with business associates • Evaluate audit trails and develop additional tracking techniques to ensure a record of all use/disclosure of patient information

  36. Implementation Tasks cont. • High Level Assessment & Gap Analysis • Inventory of Patient Information (PHI) • Information Flow Assessment • Detailed Security Assessment and Risk Analysis • Must be done by Every Department/Division • Risk Doctor

  37. Implementation Tasks cont. • Education & Training – Entire Workforce • On-line Modules developed by UNC HCS • Initial Module – HIPAA 101 for all • Follow on Modules based on job function • Training to be conducted and tracked by Departments/Divisions

  38. Implementation Tasks cont. • Security Related Requirements • Formal mechanism for processing records • Creation, receipt, storage, transfer, disposal of PHI • Personnel Security Clearance Process • Written procedures for access to PHI • Documented termination procedures to include notification of IS organizations • Workstation controls • Disaster Recovery Plan

  39. SOM HIPAA Policies • UNC HCS Information Security Policy • UNC HCS Privacy/Confidentiality of PHI • Electronic Media Disposal Policy • End User Account Policy • Orientation and Termination Checklists • Network Security Policy • Desktop Configuration Policy • Password Policy • Remote Access Policy • Handheld Computing Devices Policy • Audit Policy • Web Security Policy

  40. Implementation Team Responsibilities • Education & Training • Coordinate assessments and information gathering • Participate on HIPAA workgroups • Develop and implement unit-specific policies • Assist in the development and dissemination of new global policies and procedures • Assess physical security (higher level policies anticipated) • Ongoing…..

  41. Specific Issues & Concerns with HIPAA Implementation

  42. Documentation To prepare for HIPAA, we did not make many changes to our architecture or procedures. We just had to document what we were already doing. 3/10/2014 42

  43. Cultural Change for our Users

  44. People Do Not Like Change • “When an opportunity comes to consign you all to the nether regions there will be a rush to make it so.” -Basic Sciences PHD in response to password change requirement • “…if this was the private world, I would FIRE YOU…and if I saw you in the hall I would tell you to ‘flip off!’” - Physician in response to password change requirement

  45. HIPAA Extends Well Beyond IT • Protect information regardless of media • Provide physical safeguards • Personnel issues (training, sanctions) • Liability protections (contracts, insurance) • Revise business & clinical processes to comply

  46. Policy Development • Wrote higher level Information Security Policy to cover all of HCS • Formed numerous committees to help write lower level policies for School of Medicine • Important to get user “buy-in” • Enforcement is still an issue • Not enough resources to audit units • Policies approved by the Dean ‘s Office

  47. Media Disposal Policy • First HIPAA related policy • Requires all media (hard drives, etc.) to be sanitized properly with disk wiping software before leaving university control. • Written by School of Medicine, adopted by UNC and UNC Hospitals. • Developed in response to actual incident.

  48. Password Policy • New requirements: • Strong passwords • Change every 90 days • No “group” accounts • Most significant HIPAA change for our users

  49. Risk Assessments • Very resource intensive • Difficult to get units to do their own • Used Raytheon “Risk Doctor” for first round • Purchased “HIPAA Watch” for second round • Allowed us to push questions out electronically to departments • On going risk assessments are constant resource drain.

  50. Disaster Recovery Plans • Very difficult to do • Using Living Disaster Recovery Plan System (LDRPS)

More Related