HITECH Management Briefing
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, (212) 305-7315
Soumitra Sengupta, Information Security Officer, sen@columbia.edu, (212) 305-7035
June 23, 2010

AGENDA
• HITECH update
• Privacy & Information Security Training
• Privacy Issue Log Summary
• Encryption
• Risk Assessment
• Data Leakage Prevention
Health Insurance Portability and Accountability Act (HIPAA)
• Insurance Reform (Portability)
• Fraud and Abuse (Accountability)
• Administrative Simplification (Accountability)
  • Transactions, Code Sets, & Identifiers: Compliance Date 10/16/2002 and 10/16/03
  • Privacy: Compliance Date 4/14/2003
  • Security: Compliance Date 4/20/2005
• HITECH: Health Information Technology for Economic and Clinical Health, 9/18/2009

HITECH Act (ARRA)
Requirement: Compliance Date
• Breach Notification: September 2009
• Self-Payment Disclosures: February 2010
• Business Associates: February 2010
• Minimum Necessary: August 2010
• Marketing
• Fundraising
• Accounting of Disclosures: January 2011/2014
• Performance Measures for EHR: enhanced reimbursement rate
HITECH Act (ARRA)
• New Federal Breach Notification Law – Effective Sept 2009
• Applies to all electronic “unsecured PHI”
• Requires immediate notification to the Federal Government if more than 500 individuals are affected
• Annual notification if fewer than 500 individuals are affected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients
• Criminal penalties apply to an individual or employee of a covered entity

HITECH Act (ARRA)
• Self-Payment Disclosures
  • If a patient pays for a service, they have the right to limit the disclosure of that information to their health insurance
• Business Associates
  • Standards apply directly to Business Associates
  • Statutory obligation to comply with restrictions on use and disclosure of PHI
  • New HITECH provisions must be incorporated into the BAA
• Minimum Necessary Standards
  • New definition of Minimum Necessary, determined by the disclosing party; encourages the use of limited data sets

HITECH Act (ARRA)
• Accounting of Disclosures
  • Right to request a copy of the record in any format and to know who viewed, accessed, used or disclosed their medical information
• Electronic Health Record
  • Performance Measures for EHR enhanced reimbursement
  • Patient has a right to an electronic copy of records
  • Electronic copy transmission
  • Delivery options
  • 96 hours, or 48 hours w/o ancillary: information available to the patient
  • Meet Meaningful Use Standards

Who is a Business Associate?
• Individuals or organizations who do business with CUMC and have access to protected health information.
• A signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.
Examples of Business Associates include:
• billing companies or claims processing
• voice mail or appointment reminder service management
• transcription services or coding companies
• accreditation
• consultants
• software used for medical data
Summary of Breaches Reported to the Office for Civil Rights, Sept. 2009 – June 2010
Breaches of over 500 records: 100
• 72% of breaches are computer related
• 64% of breaches are the result of a theft
Type of Facility
• 39% from a hospital / medical center
• 29% from a private practice / corporation
• 20% from a health plan / insurance company

Privacy & Information Security Training
• HITECH changed the definition and reporting requirements of Protected Health Information
• Technology has increased the potential exposure to data theft / loss (portable data)
• All staff benefit from refresher HIPAA training
• Tracking of workforce members to verify that they complete HIPAA training has improved

Privacy & Information Security Training: Management Follow-up
• Schedule refresher HIPAA training for staff
• Verify that all new workforce members (employees, faculty, students, volunteers) receive HIPAA training
• Review policies and procedures related to information security and privacy
• Distribute “HIPAA reminders” to staff

Privacy Issue Summary 2010
• Privacy Breach Allegation: 15
• Access to Medical Record: 9
• Theft of Electronic Device: 8
• Registration Issue: 5
• Medical Record Sent to Wrong Patient: 3
• Paper Data Loss: 1
• Development: 1
• Marketing: 1

Cost of Data Breach
• Ponemon annual study on breach costs
• Loss of 10,000 records means $2,000,000
• The cost includes Detection, Notification, Post-response & Lost business
• Question: Who will pay this cost?
What does OCR’s Privacy Breach reporting tell us?
• 46% of reported breaches are for lost/stolen laptops, PDAs, and backup tapes
• HITECH permits non-notification if the information is “encrypted.”
• So, encrypt already, or stop carrying sensitive data
• Our encryption help page is: https://secure.cumc.columbia.edu/cumcit/secure/security/encryption.html
[Chart: risk of incurring a breach cost vs. encryption]

What’s new from OCR?
• Office for Civil Rights Guidance, May 7, 2010
• HIPAA Security Standards: Guidance on Risk Analysis
• Based on NIST recommendation: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems

OCR Risk Analysis Guidance Steps
• Scope of the Analysis
• Collect all Assets
• Identify and document Potential Threats and Vulnerabilities
• Assess current Security Measures (Controls)
• Determine the Likelihood and Impact of Threat Occurrence to determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates to the Risk Assessment

Scope of the Analysis at CUMC
• G.R.O.W.I.N.G…
• Protected Health Information
• Personally Identifiable Information (SSN, Driver’s License, Credit cards)
• Payment Card Industry Data Security Standard
• FDA Approved Research: 21 CFR Part 11
• FERPA (Student information)
• Etc.
• Has to fit in a common framework
Threats and Vulnerabilities + Likelihoods + Impact
• Original analysis of HIPAA issues at CUMC used a classification method:
  • Threat Source: Internal/External
  • Type: Opportunistic/Accidental/Deliberate/Environmental
  • Likelihood: Very likely/Likely/Unlikely/Very unlikely
  • Costs/Severity: Operational Impact/Monetary Impact/Regulatory Impact/Reputation Impact
• New threats
  • Social networks
  • Wireless devices

Threats and Vulnerabilities + Likelihoods + Impact
• Examples:
  • Internal user, accidentally, infects a workstation with a virus through a personal USB drive
  • External user, deliberately, uses a server to distribute music or DVDs or to send SPAM
  • Internal user, deliberately, looks up clinical data of a celebrity

Security Controls
• Examples of controls that address threats
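The classification method and the likelihood-times-impact rating from the risk analysis slides, worked through on the three example threats above as an added illustration (this is not CUMC's register or the OCR guidance's own scoring; the ordinal scales, the one-step-per-control reduction, the band thresholds and every rating assigned to the examples are assumptions made for this example):

```python
"""Risk register built on the slide's classification method and a likelihood x impact
rating in the style of NIST SP 800-30. Scales, thresholds and ratings are assumptions."""
from dataclasses import dataclass, field

SOURCES = {"Internal", "External"}
TYPES = {"Opportunistic", "Accidental", "Deliberate", "Environmental"}
LIKELIHOOD = ["Very unlikely", "Unlikely", "Likely", "Very likely"]  # ordinal score = index + 1
IMPACT_TYPES = {"Operational", "Monetary", "Regulatory", "Reputation"}
IMPACT = {"Low": 1, "Moderate": 2, "High": 3}  # assumed three-step severity scale

@dataclass
class Threat:
    description: str
    source: str          # Internal / External
    kind: str            # Opportunistic / Accidental / Deliberate / Environmental
    likelihood: str      # inherent likelihood, before controls
    impact: dict         # impact category -> "Low" / "Moderate" / "High"
    controls: list = field(default_factory=list)  # security measures already in place

    def __post_init__(self):
        # Reject values outside the slide's taxonomy so entries stay comparable.
        assert self.source in SOURCES and self.kind in TYPES and self.likelihood in LIKELIHOOD
        assert set(self.impact) <= IMPACT_TYPES and set(self.impact.values()) <= set(IMPACT)

    def residual_likelihood(self) -> str:
        # Assumption: each effective control lowers likelihood by one step, floor at the lowest.
        return LIKELIHOOD[max(0, LIKELIHOOD.index(self.likelihood) - len(self.controls))]

    def score(self) -> int:
        # Rate on the worst impact axis, as a department would for a single risk number.
        worst = max(IMPACT[v] for v in self.impact.values())
        return (LIKELIHOOD.index(self.residual_likelihood()) + 1) * worst

def risk_level(score: int) -> str:
    """Three-band rating; the band thresholds are assumed for this example."""
    return "High" if score >= 9 else "Medium" if score >= 4 else "Low"

def rank(threats: list) -> list:  # highest residual risk first: the order to address findings
    return sorted(threats, key=lambda t: t.score(), reverse=True)

# The slide's three example threats, with constructed likelihoods, impacts and controls.
REGISTER = [
    Threat("Internal user accidentally infects a workstation via a personal USB drive",
           "Internal", "Accidental", "Very likely",
           {"Operational": "Moderate", "Monetary": "Low"}, ["Endpoint antivirus"]),
    Threat("External user deliberately uses a server to distribute media or send spam",
           "External", "Deliberate", "Unlikely", {"Operational": "Moderate", "Reputation": "Moderate"}),
    Threat("Internal user deliberately looks up clinical data of a celebrity",
           "Internal", "Deliberate", "Likely", {"Regulatory": "High", "Reputation": "High"}),
]
```

With these assumed ratings the celebrity lookup ranks first (residual score 9, High), the USB infection second (6, Medium, after the antivirus control) and the hijacked server third (4, Medium).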
Asset Inventory Program at CUMC
• Work starts July 2010
• Ask departments to identify a Primary Person responsible for all Privacy and Security matters: communications, incidents, and resolutions
• Ask the Primary Person to identify servers and workstations with PII, PHI, or FDA research data
  • Description, responsibility, IP address, etc.

Asset Inventory
• CUMC IT will establish an asset inventory database of PHI, PII, and FDA systems
• The IT Security group will conduct vulnerability scans using automated tools, and return results and recommendations to the Primary Person
• Departments will address deficiencies with their IT custodians and take corrective actions, with a follow-up re-scan
• Departments will be provided with a comprehensive list of assets from the inventory

Asset Inventory
• Non-compliant systems will, after a specified time period, be disconnected from the network
• Non-compliant systems will, after a specified time period, be reported to the CUMC HIPAA/InfoSec Committee, department management, and CUMC senior management
• The inventory will be updated by self-reporting and by annual recertification
New control: Data Leakage Prevention
• DLP technology is a set of tools that look at
  • Our networks
  • Our incoming and outgoing emails
  • Our workstations and servers
• and
  • Alert on leakage of PHI, PII and other sensitive data (Data at rest)
  • Report on where such data reside (Data in motion)
  • Control how such data are used (Data in use)

Data Leakage Prevention
• A pilot study showed
  • Sensitive PHI data are sent to billers and vendors without encryption
  • Sensitive data are accidentally left on workstations
  • Old, forgotten, sensitive data stay forever on servers
  • Users are using social networks and systems such as wikis and Google Docs to store sensitive institutional data without proper authorization

Data Leakage Prevention
• A 2010 project to start alerting on what is found on the networks
• Reports to the department Primary Person
• Reports to CUMC senior management
• Development of a process to address the findings comprehensively
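The outgoing-email part of the DLP control above, as an added example that is not the pilot's tooling or any vendor's product: it looks for Social Security numbers and Luhn-valid card numbers in a message body and decides whether to block, log or alert depending on whether the recipient is outside the institution and whether the message is encrypted. The internal domain set, the sample messages, the card-number pattern and the block/log/alert policy are all constructed assumptions.

```python
"""Minimal content inspector of the kind a DLP tool runs over outgoing e-mail: flags SSNs
and Luhn-valid card numbers and decides what to do based on destination and encryption.
Domains, messages and the action policy are constructed for this example."""
import re

INTERNAL_DOMAINS = {"cumc.columbia.edu"}  # assumed set of institutional mail domains
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate card numbers, verified by Luhn

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; removes most false positives from phone numbers and order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_identifiers(text: str) -> dict:
    """Count the sensitive identifier types present in a message body."""
    found = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = len(ssns)
    cards = [c for c in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", c))]
    if cards:
        found["card"] = len(cards)
    return found

def inspect_message(message: dict) -> dict:
    """Classify one outbound message as block / log / alert / clean."""
    ids = find_identifiers(message["body"])
    if not ids:
        return {"action": "clean", "ids": ids}
    external = any(r.split("@")[-1].lower() not in INTERNAL_DOMAINS for r in message["to"])
    if external and not message.get("encrypted", False):
        return {"action": "block", "ids": ids}   # unencrypted PHI/PII leaving the institution
    if external:
        return {"action": "log", "ids": ids}     # encrypted: permitted, but kept for reporting
    return {"action": "alert", "ids": ids}       # internal: review against minimum necessary

# Constructed samples resembling the pilot findings (a biller sent PHI without encryption).
SAMPLES = [
    {"to": ["claims@example-biller.com"], "encrypted": False,
     "body": "Patient John Doe, SSN 123-45-6789, copay card 4111 1111 1111 1111."},
    {"to": ["claims@example-biller.com"], "encrypted": True,
     "body": "Claim form attached for SSN 123-45-6789."},
    {"to": ["colleague@cumc.columbia.edu"], "encrypted": False,
     "body": "Reminder: staff meeting Thursday, call (212) 305-7315 with questions."},
]
```

The phone number in the third sample is deliberately there to show that the SSN pattern and the Luhn check keep ordinary digit strings from raising alerts.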