HIPAA Implementation at UNC School of Medicine Dennis A. Schmidt, MS, CISSP Director, Office of Information Systems HIPAA Security Officer UNC School of Medicine March 12, 2007
Agenda • Overview of HIPAA • Overview of the Privacy Regulation • Protected Health Information • Parts of the Privacy Regulation • Patient Rights • Penalties • HIPAA Security Regulations • Implementation at UNC School of Medicine
What is HIPAA? • HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries.
HIPAA Parts • HIPAA has several parts: • Electronic Transactions and Code Sets Standards • Privacy Requirements • Security Requirements • National Identifier Requirements (NPI) • This presentation will focus on the Privacy and Security Requirements.
Who Is Subject to HIPAA? • Health Care Providers • Any provider of health care or other health services, or supplies, who transmits health information in electronic form in connection with a transaction for which standard requirements have been adopted. • Health Plans • Any individual or group plan that provides or pays the cost of health care. • Health Care Clearinghouses • A public or private entity that transforms health care transactions from one format to another.
Affiliated Covered Entities • Any organization that provides patient care and bills electronically is subject to HIPAA. • Those organizations are classed as “Covered Entities” • UNC Health Care is a Single Affiliated Covered Entity, consisting of: • UNC Hospitals • UNC Physicians and Associates • UNC School of Medicine • Rex Hospital
HIPAA Cost Neutral (????) • Streamlining codes and transactions sets theoretically offsets the overhead costs incurred to support privacy and security. • No real savings have yet been realized from codes and transaction sets. • Many organizations do not benefit from codes and transactions savings.
HIPAA Privacy Rule • Went into effect April 14, 2003 • The main goal of the Privacy Regulation is to protect the use and sharing of Protected Health Information (PHI).
What is PHI? • Protected Health Information (PHI) is any health information that can be used to identify a patient and which relates to the patient, the healthcare services provided to the patient, or the payment for those services.
Examples of PHI Identifiers • Employer • Relatives’ Names • Telephone Numbers • Fax Numbers • E-Mail Address • Medical Record Number • Social Security Number • Codes • Fingerprints • Occupation • Photographs • Certificate Numbers
Privacy Regulation Requires • We cannot use or disclose PHI unless it is required or allowed by law, or when the patient has given permission.
Privacy Rule Principles • The Privacy Regulation, or Privacy Rule, is made up of several parts. These include the following: • Accountability: • Anyone who misuses PHI will be subject to losing their job along with civil and/or criminal penalties.
Privacy Rule Principles cont… • Responsibility to the public: • Addresses the need to keep the public healthy and safe, but at the same time protect the privacy of all patients. • Boundaries: • PHI should be used for healthcare purposes only.
Privacy Rule Principles cont… • Security: • PHI needs to be kept confidential and accessed on a need to know basis. • Patient Control: • The Patient has the right to ask us for a listing showing when and to whom their PHI has been shared. (Accounting for Disclosures.)
Patient Rights • The Privacy Rule calls for letting patients know their privacy rights. These rights are as follows: • The patient has the right to obtain a copy of our Notice of Privacy Practices. • The patient has the right to access their PHI. It’s their information, not ours. • The patient has the right to ask for corrections in their own PHI.
Patient Rights (cont’d) • The patient has the right to control how PHI about them is shared. • The patient has the right to “opt out” of being listed in hospital directories. • The patient has the right to file a complaint if we do not follow our privacy policies.
Penalties • There are penalties for not following HIPAA requirements. • You can lose your job. • Criminal penalties for knowingly misusing PHI run up to a $250,000 fine and 10 years in prison at the most serious tier (misuse with intent to sell PHI, or to use it for commercial advantage, personal gain or malicious harm); civil monetary penalties apply to the facility as well.
Final Security Rule • Published in Federal Register on February 20, 2003 • Took effect April 21, 2003; compliance date for most covered entities: April 21, 2005 • Scope narrowed to Electronic PHI (ePHI) only • All other PHI covered by Privacy Rule
Protected Health Information (PHI) • Identifiable Health Information that is • Transmitted by electronic media • Maintained in electronic media • Transmitted or maintained in any other form or medium • Excludes health information in • Education records covered by Family Educational Rights and Privacy Act • Employment records held by a covered entity in its role as employer
Definitions • Standards: the security standards themselves, each of which a covered entity must meet • Required Implementation Specification: the covered entity must implement it as written • Addressable Implementation Specification: the entity must assess whether the specification is a reasonable and appropriate safeguard in its environment • Implement it if reasonable • If not reasonable: document why, and implement an equivalent alternative measure if that is reasonable and appropriate • “Addressable” does not mean optional; the assessment and its documentation are required in every case
Security Standards Matrices • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Security Standards are required to be implemented • Implementation Specification is either • Required or • Addressable
Administrative Safeguards • Security Management Process • Risk Analysis Required • Risk Management Required • Sanction Policy Required • Information System Activity Review Required • Assigned Security Responsibility Required • Workforce Security • Authorization and/or Supervision Addressable • Workforce Clearance Procedure Addressable • Termination Procedures Addressable
Administrative Safeguards • Information Access Management • Isolating Healthcare Clearinghouse Function Required • Access Authorization Addressable • Access Establishment and Modification Addressable • Security Awareness and Training Required • Security Reminders Addressable • Protection from Malicious Software Addressable • Log-in Monitoring Addressable • Password Management Addressable
Administrative Safeguards • Security Incident Procedures Required • Contingency Plan • Data Backup Plan Required • Disaster Recovery Plan Required • Emergency Mode Operation Plan Required • Testing and Revision Procedure Addressable • Applications and Data Criticality Analysis Addressable • Evaluation (replaces Certification) Required • Business Associate Contracts (Written) Required
Physical Safeguards • Facility Access Controls Required • Contingency Operations Addressable • Facility Security Plan Addressable • Access Control and Validation Procedures Addressable • Maintenance Records Addressable • Workstation Use Required • Workstation Security Required • Device and Media Controls • Disposal Required • Media Re-use Required • Accountability Addressable • Data Backup and Storage Addressable
Technical Safeguards • Access Control • Unique User ID Required • Emergency Access Procedure Required • Automatic Logoff Addressable • Encryption and Decryption Addressable • Audit Controls Required • Integrity Required • Mechanism to Authenticate Electronic PHI Addressable • Person or Entity Authentication Required • Transmission Security • Integrity Controls Addressable • Encryption Addressable
“Due Diligence” • HIPAA expects entities to use Due Diligence when protecting PHI. • Definition of Due Diligence is constantly changing/evolving and subject to interpretation. • Your definition of Due Diligence may be different from a plaintiff’s definition. • Following industry standards probably fits in Due Diligence – but that’s just MY interpretation.
Implementation Structure • UNC HCS HIPAA Oversight Committee • UNC HCS HIPAA Policy Committee • HIPAA Implementation Teams • UNC Hospitals • Rex Healthcare • UNC P&A • UNC School of Medicine
HIPAA Committees • UNC HCS • HIPAA Oversight Committee • HIPAA Policy Committee • HIPAA Education Committee • HIPAA Privacy Subcommittee • HIPAA Security Subcommittee • HCS Physical Inspection Team • Security Incident Response Team (SIRT) • SOM • HIPAA Planning and Oversight Counsel • HIPAA Security Team • UNC • HIPAA Security Liaisons • HIPAA Planning Committee
HIPAA Implementation Approach • Health Care System Approach • Standard Policies Across HCS • UNC Hospitals • UNC Physicians & Associates • Rex Hospital • School of Medicine
Implementation Tasks • Inventory of individually identifiable electronic health information, including information kept on personal computers and research databases • Risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information • Collect and review existing privacy and security policies • Create new, compliant UNC HCS privacy and security policies
Implementation Tasks cont. • Review and revise admission, treatment, and consent forms • Create additional HIPAA-required forms (including Notice of Privacy Practices, Business Associate Agreements, Chain of Trust Agreements) • Educate staff about privacy and security policies, including sanctions for violations - incorporate into compliance program
Implementation Tasks cont. • Designate privacy and security officers in each entity • Review and revise vendor contracts to ensure that business associates protect privacy of identifiable health information • Enter into Business Associate Agreements with business associates • Evaluate audit trails and develop additional tracking techniques to ensure a record of all use/disclosure of patient information
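The last task above, a record of every use and disclosure of patient information, is what backs the Accounting for Disclosures right listed under Patient Control, and it is also the evidence the required Audit Controls and periodic Evaluation will be checked against. The following Python sketch is an added example for this page, not UNC's code: it keeps an append-only disclosure log in which each entry is hashed together with the previous entry's hash, so that an entry edited or deleted after the fact is detectable, and it answers a per-patient accounting request. Field names, user names and patient identifiers are constructed for illustration; the six-year window and the exclusion of treatment, payment and operations (TPO) disclosures are taken from the Privacy Rule's accounting provision, 45 CFR 164.528.

```python
"""Append-only PHI disclosure log with a hash chain, plus the per-patient
accounting-of-disclosures query. Added example for this page, not UNC's code;
record fields, user names and patient identifiers are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
AS_OF = datetime(2007, 6, 1, tzinfo=timezone.utc)   # assumed date of the request


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class DisclosureLog:
    """One entry per use or disclosure of PHI: who, whose record, to whom, why.
    Each entry commits to the previous one, so editing or deleting an entry
    later breaks the chain and shows up at the next Evaluation."""

    def __init__(self):
        self.entries = []

    def record(self, user, patient_id, recipient, purpose, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": when.isoformat(),
            "user": user,
            "patient_id": patient_id,
            "recipient": recipient,
            "purpose": purpose,
            "prev": prev,
        }
        entry = dict(body, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the whole chain; False if any entry was altered or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accounting(self, patient_id, as_of=AS_OF, years=6):
        """Disclosures of one patient's PHI within the look-back window.
        TPO disclosures are excluded, as 45 CFR 164.528 allows."""
        cutoff = as_of.replace(year=as_of.year - years)
        return [
            (e["ts"], e["user"], e["recipient"], e["purpose"])
            for e in self.entries
            if e["patient_id"] == patient_id
            and e["purpose"] != "TPO"
            and datetime.fromisoformat(e["ts"]) >= cutoff
        ]


def demo():
    """Constructed sample activity for one morning."""
    log = DisclosureLog()
    t = datetime(2007, 3, 12, 9, 0, tzinfo=timezone.utc)
    log.record("rn_smith", "MRN-1001", "UNC Hospitals", "TPO", t)
    log.record("hims_clerk", "MRN-1001", "State Health Dept", "public health reporting", t)
    log.record("rn_smith", "MRN-2002", "UNC Hospitals", "TPO", t)
    log.record("billing", "MRN-1001", "Insurer", "TPO", t)
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify())
    print("accounting for MRN-1001:", log.accounting("MRN-1001"))
```

The chain only proves that the log you hold is the log that was written; it does not stop a privileged user from truncating the file and re-growing it from scratch, so the head hash should be copied somewhere the log writer cannot reach (a separate system, or the Evaluation team's records) at regular intervals.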
Implementation Tasks cont. • High Level Assessment & Gap Analysis • Inventory of Patient Information (PHI) • Information Flow Assessment • Detailed Security Assessment and Risk Analysis • Must be done by Every Department/Division • Tool used: Raytheon Risk Doctor
Implementation Tasks cont. • Education & Training – Entire Workforce • On-line Modules developed by UNC HCS • Initial Module – HIPAA 101 for all • Follow on Modules based on job function • Training to be conducted and tracked by Departments/Divisions
Implementation Tasks cont. • Security Related Requirements • Formal mechanism for processing records • Creation, receipt, storage, transfer, disposal of PHI • Personnel Security Clearance Process • Written procedures for access to PHI • Documented termination procedures to include notification of IS organizations • Workstation controls • Disaster Recovery Plan
SOM HIPAA Policies • UNC HCS Information Security Policy • UNC HCS Privacy/Confidentiality of PHI • Electronic Media Disposal Policy • End User Account Policy • Orientation and Termination Checklists • Network Security Policy • Desktop Configuration Policy • Password Policy • Remote Access Policy • Handheld Computing Devices Policy • Audit Policy • Web Security Policy
Implementation Team Responsibilities • Education & Training • Coordinate assessments and information gathering • Participate on HIPAA workgroups • Develop and implement unit-specific policies • Assist in the development and dissemination of new global policies and procedures • Assess physical security (higher level policies anticipated) • Ongoing…..
Documentation • To prepare for HIPAA, we did not make many changes to our architecture or procedures. We just had to document what we were already doing.
People Do Not Like Change • “When an opportunity comes to consign you all to the nether regions there will be a rush to make it so.” - Basic Sciences PhD in response to password change requirement • “…if this was the private world, I would FIRE YOU…and if I saw you in the hall I would tell you to ‘flip off!’” - Physician in response to password change requirement
HIPAA Extends Well Beyond IT • Protect information regardless of media • Provide physical safeguards • Personnel issues (training, sanctions) • Liability protections (contracts, insurance) • Revise business & clinical processes to comply
Policy Development • Wrote higher level Information Security Policy to cover all of HCS • Formed numerous committees to help write lower level policies for School of Medicine • Important to get user “buy-in” • Enforcement is still an issue • Not enough resources to audit units • Policies approved by the Dean's Office
Media Disposal Policy • First HIPAA related policy • Requires all media (hard drives, etc.) to be sanitized properly with disk wiping software before leaving university control. • Written by School of Medicine, adopted by UNC and UNC Hospitals. • Developed in response to actual incident.
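The policy's requirement is "sanitized properly", which in practice means overwrite, then read back and confirm, because a wipe that was interrupted or skipped a range looks identical to a finished one until someone checks. The following Python block is an added example for this page, not UNC's tooling: it wipes a file-backed disk image with a random pass followed by a zero pass and then verifies every byte. The pass count and image size are assumptions. Two caveats for real use: point it at the block device itself (/dev/sdX style), since overwriting a file inside a filesystem does not reach sectors the journal or a wear-levelled flash device may still hold, and keep the verification result as the disposal record the policy implies.

```python
"""Overwrite-and-verify sanitization of a file-backed disk image.
Added example for this page, not UNC's tooling; pass count and image size are
assumptions, and on a real drive you open the block device, not a file."""
import os
import tempfile

CHUNK = 64 * 1024


def wipe(path: str, passes: int = 2) -> None:
    """Overwrite the whole image: random data on all but the last pass,
    zeros on the last pass so the result can be verified cheaply."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if p < passes - 1 else bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # make sure this pass reached the medium


def verify_zeroed(path: str) -> bool:
    """Read the image back; any non-zero byte means the wipe is incomplete."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def sanitize_image(size: int = 256 * 1024):
    """Simulate a drive holding leftover data, wipe it, and report
    (verified_before_wipe, verified_after_wipe)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(size))     # constructed stand-in for old PHI
        before = verify_zeroed(path)
        wipe(path)
        after = verify_zeroed(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(sanitize_image())   # (False, True)
```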
Password Policy • New requirements: • Strong passwords • Change every 90 days • No “group” accounts • Most significant HIPAA change for our users
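A policy like this is only as good as the audit behind it, and the three rules map onto things you can check mechanically: a strength test at password-set time, the maximum-age field plus the last-change date for every account, and some way of spotting accounts that several people share. The following Python block is an added example for this page, not UNC's code; the shadow-style sample records, the strength rule (eight characters, three of four character classes, not on a denylist) and the name patterns used to flag group accounts are all assumptions.

```python
"""Audit of local accounts against the password policy on this page: strong
passwords, change every 90 days, no group/shared accounts.
Added example for this page, not UNC's code; the sample records, the strength
rule and the shared-account name patterns are assumptions."""
import re
from datetime import date, timedelta

MAX_AGE_DAYS = 90                # "change every 90 days"
EPOCH = date(1970, 1, 1)         # /etc/shadow counts days from here
AS_OF = date(2007, 3, 12)        # audit date used by run_audit()

# Constructed sample in /etc/shadow layout:
# name:hash:lastchg(days since epoch):min:max:warn:inactive:expire:reserved
# Hash fields are placeholders; the audit only needs to know one is set.
SAMPLE_SHADOW = """\
dschmidt:$6$salt$hash:13400:0:90:7:::
labshared:$6$salt$hash:12900:0:99999:7:::
rn_jones:$6$salt$hash:13530:0:90:7:::
svc_backup:!:0:0:99999:7:::
"""

# Assumed naming hints for accounts that several people log in as.
SHARED_HINTS = ("shared", "group", "lab", "clinic", "dept")
# Character-class rules alone accept strings like "Passw0rd"; keep a denylist too.
COMMON = {"password", "passw0rd", "welcome1", "letmein1", "qwerty123"}


def strong_enough(pw: str) -> bool:
    """Assumed rule: at least 8 characters, three of four character classes,
    and not a well-known password."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= 8 and hits >= 3 and pw.lower() not in COMMON


def audit_shadow(text: str, today: date):
    """Return (account, problem) pairs for every policy violation found."""
    findings = []
    for line in text.splitlines():
        name, pw_hash, lastchg, _min, maxdays, *_ = line.split(":")
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue  # locked or password-less: cannot be used to log in
        if maxdays and int(maxdays) > MAX_AGE_DAYS:
            findings.append((name, f"max age {maxdays} exceeds {MAX_AGE_DAYS} days"))
        if lastchg:
            age = (today - (EPOCH + timedelta(days=int(lastchg)))).days
            if age > MAX_AGE_DAYS:
                findings.append((name, f"password is {age} days old"))
        if any(h in name for h in SHARED_HINTS):
            findings.append((name, "name suggests a group account"))
    return findings


def run_audit():
    return audit_shadow(SAMPLE_SHADOW, AS_OF)


if __name__ == "__main__":
    for account, problem in run_audit():
        print(f"{account}: {problem}")
```

Name matching is a weak heuristic for shared accounts; a better signal is the log-in monitoring the Administrative Safeguards already call for, flagging one account that authenticates from several workstations at the same time.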
Risk Assessments • Very resource intensive • Difficult to get units to do their own • Used Raytheon “Risk Doctor” for first round • Purchased “HIPAA Watch” for second round • Allowed us to push questions out electronically to departments • Ongoing risk assessments are a constant resource drain.
Disaster Recovery Plans • Very difficult to do • Using Living Disaster Recovery Plan System (LDRPS)