
HIPAA, Privacy, & Cybersecurity

HIPAA, Privacy, & Cybersecurity. Brenda Cuccherini, Ph.D., MPH VA Office of Research & Development January 2007. A New Mind Set. “Old habit of mind is one of the toughest things to get away from in the world. It transmits itself like physical form and features…” Mark Twain

Presentation Transcript


  1. HIPAA, Privacy, & Cybersecurity Brenda Cuccherini, Ph.D., MPH VA Office of Research & Development January 2007

  2. A New Mind Set “Old habit of mind is one of the toughest things to get away from in the world. It transmits itself like physical form and features…” Mark Twain, A Connecticut Yankee in King Arthur’s Court

  3. VHA & Privacy • VHA privacy program is “complex” • VHA must comply with 6 statutes that govern collection, maintenance & release of information

  4. Privacy Related Statutes • HIPAA • Privacy Act of 1974 • FOIA • VA Claims Confidentiality • Confidentiality of Drug Abuse, Alcoholism & Alcohol Abuse, HIV, and Sickle Cell Anemia Medical Records • Confidentiality of Healthcare Quality Assurance Review Records

  5. HIPAA Title II: The Privacy Rule (45 CFR 160 and 164)

  6. HIPAA Topics To Be Covered • HIPAA & the Common Rule • HIPAA Identifiers • Limited Data Sets • Business Associate Agreements • De-identification • Waiver of Authorization • VA & HHS Differences

  7. HIPAA & the Privacy Rule • Title I: Health Care Access, Portability, & Renewability • Title II: Preventing Healthcare Fraud & Abuse; Administrative Simplification (• Privacy Rule, • Transactions, • Security & • Enforcement); Medical Liability & Reform

  8. HIPAA & The Common Rule • Represents 2 different but not contradictory regulations • Many terms similar but not alike • IRB must make 2 separate determinations when reviewing & approving applicable research

  9. HIPAA “Identifiers”: Remove to De-identify for HIPAA (1) Names (2) All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people (3) All elements of dates except year and all ages over 89 (4) Telephone numbers (5) Fax numbers (6) E-mail addresses (7) Social security numbers (8) Medical record numbers

  10. HIPAA “Identifiers” (Cont.) (9) Health plan beneficiary numbers (10) Account numbers (11) Certificate or license numbers (12) Vehicle identifiers and license plate numbers (13) Device identifiers and serial numbers (14) URLs (15) IP addresses (16) Biometric identifiers (17) Full-face photographs and any comparable images

  11. HIPAA Identifiers (Cont.) (18) Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification • Scrambled SSNs • Initials • Last four digits of SSN • Employee numbers • Etc. (“19”) A caveat: HIPAA also states that the entity must not have actual knowledge that the [remaining] information could be used alone or in combination with other information to identify an individual who is the subject of the information • If you can strip all 18 identifiers, it still may not be de-identified

  12. Applicability of Identifiers • HIPAA identifiers apply to: • The individual • The individual’s relatives • The individual’s employers • The individual’s household members

  13. What’s De-identified? • If someone tells you data is de-identified, ask them how they define it! • Definition of “de-identified”: • All HIPAA identifiers must be removed, plus “The entity must have no knowledge…” [the caveat from the last slide] and • It meets the Common Rule definition of de-identified

  14. Limited Data Sets • Does not require a HIPAA authorization or waiver of authorization • Only allowed for research, public health, or health care operations • Requires a DUA • May contain identifiable information such as scrambled SSNs, & are still PHI • May still be human subjects research

  15. Limited Data Set (Cont.) • Excludes certain direct identifiers • Excluded identifiers apply to: • The individual, • The individual’s relatives • The individual’s employers • The individual’s household members • May contain: • City, state, ZIP code, • Elements of a date & other numbers, • Characteristics or codes not listed as direct identifiers

  16. Limited Data Sets: Direct Identifiers (1) Names (2) Postal address other than town, city, state, and ZIP code (3) Telephone numbers (4) Fax numbers (5) SSNs (6) Medical Record number (7) Health plan beneficiary numbers (8) Account numbers

  17. Limited Data Set: Direct Identifiers (Cont.) (9) Certificate/license numbers (10) Vehicle identifiers and serial numbers including license plate numbers (11) Device identifiers & serial numbers (12) Web universal resource locators (URLs) (13) Internet protocol (IP) address (14) Biometric identifiers, including fingerprints & voice prints (15) Full-face photographic images and any comparable images
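The Safe Harbor removals on slides 9 to 11 and the Limited Data Set exclusions on slides 15 to 17, applied to a single record. This is an added example, not material from the presentation or from VHA; the field names, the sample record, the review date and the ZIP3 population table are constructed for illustration.

```python
from datetime import date
# Constructed sample lookup (not census data): population of the geographic
# unit formed by all ZIP codes sharing the same first three digits.
ZIP3_POPULATION = {"021": 700_000, "036": 12_000}
REVIEW_DATE = date(2007, 1, 15)  # constructed "as of" date for age calculation

# Direct identifiers a Limited Data Set must exclude (slides 16-17);
# the field names are assumptions made for this example.
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "email": "jdoe@example.com", "city": "Boston", "state": "MA",
    "zip": "02115", "birth_date": date(1930, 5, 20),
    "admit_date": date(2006, 11, 3), "diagnosis": "hypertension",
}

def safe_harbor_zip(zip_code):
    """Keep the first 3 digits only if that unit has over 20,000 people."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else None

def safe_harbor_age(birth_date, as_of):
    """Whole years of age, collapsed to '90+' for ages over 89."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return "90+" if years > 89 else years

def limited_data_set(record):
    """Drop direct identifiers only; city, state, ZIP and full dates stay (still PHI)."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}

def de_identify(record, as_of=REVIEW_DATE):
    """Safe Harbor: the LDS removals plus geography below state, date
    elements other than year, and ages over 89 (slide 9)."""
    out = limited_data_set(record)
    out.pop("city", None)
    out["zip3"] = safe_harbor_zip(out.pop("zip", ""))
    dob = out.pop("birth_date")
    out["age"] = safe_harbor_age(dob, as_of)
    if out["age"] != "90+":  # a birth year would reveal an age over 89
        out["birth_year"] = dob.year
    out["admit_year"] = out.pop("admit_date").year
    return out
```

A record that passes `de_identify` still does not satisfy the "no actual knowledge" caveat on slide 11; that judgement has to be made by a person who knows what other data the recipient holds.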

  18. Business Associate Agreements • Business Associate: An individual or entity who, on behalf of VHA, • Performs or assists in performing functions or activities involving the use or disclosure of PHI, and • Whose activities are related to treatment, payment, or health care operations

  19. Business Associate Agreements • BAAs not required for research or research sponsors • Research is not a function or activity regulated by HIPAA (treatment, payment, or health care operations)

  20. Waiver of Authorization • IRB or Privacy Board (PB) may approve: • Full waiver of authorization • Partial waiver of authorization • Alteration of the disclosure • IRB or Privacy Board: • Must make specific determination prior to approving waiver • Must document specific findings

  21. Required Determinations: 3 Criteria 1. The use or disclosure of PHI involves no more than a minimal risk to the individual based on at least the presence of the following elements: • An adequate plan to protect the identifiers from improper use & disclosure • An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining them or the retention is required by law; and • Adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart

  22. Required Determinations: 3 Criteria (Cont.) 2. The research could not practicably be conducted without the waiver 3. The research could not practicably be conducted without access to and use of the protected health information

  23. Required Documentation • Name of IRB or PB & date approved • Statement: IRB or PB determined the alteration or waiver of authorization, in whole or in part, satisfies the 3 criteria in the Rule AND include the criteria • A brief description of the PHI for which use or access has been determined to be necessary • A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, and • Signature of the chair or other member, as designated by the chair, of the IRB or PB, as applicable.

  24. Investigator’s Responsibility • Include all necessary information in the submission to the IRB or PB • Request use of the minimal necessary information to conduct the research • Use of data consistent with the protocol • No re-use or sharing of data without approvals

  25. Differences: VHA vs. HHS • Preparatory To Research • Authorization Elements • Accounting for Disclosures • Data Use Agreements

  26. Preparatory to Research • VHA Handbook 1605.1 states that contacting research subjects or conducting pilot studies are not “Preparatory to Research” activities • HHS states that the “Preparatory to Research” provisions allow an investigator to use PHI to contact prospective research subjects

  27. HIPAA Authorization • VHA requirements differ from HHS’s • A description of the information to be used or disclosed AND specifically identify HIV, Sickle cell anemia, drug and/or alcohol abuse treatment information

  28. Accounting for disclosure • Not so much a “difference” but a clarification • VHA research is conducted inside a single covered entity; MOST research does not involve “disclosure,” only “use” of PHI

  29. Data Use Agreements • VHA and HHS require a DUA for use of limited data sets only • ORD policy will additionally require a DUA (Data Transfer Agreement) any time you transfer data within VHA for research purposes

  30. Privacy Act of 1974

  31. An American has no sense of privacy. He does not know what it means. There is no such thing in the country. George Bernard Shaw

  32. Privacy Act of 1974 • Purpose: To balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy • Background: Watergate era and Congress concerned with: • Curbing illegal surveillance & investigations • Potential abuses presented by government’s increasing use of computers to store & retrieve personal data

  33. Privacy Act Objectives • Restrict disclosure of personally identifiable records by agencies • Grant individuals • Increased rights of access to agency records • The right to seek amendment of agency records • Establish code of fair information practices for agencies

  34. A Privacy Act Requirement • Agencies that maintain a system of records “shall promulgate rules, in accordance with notice and comment rulemaking” • Systems of Records (SOR): “A group of records under agency control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

  35. System of Records Content • Category of individuals covered by the system • Categories of records in the system • Purpose of the records • Routine uses of records • Storage (storage medium) • Retrievability (name, numbers or identifier)

  36. SORs and Research • 34VA12 -- Veteran, Patient, Employee, and Volunteer Research and Development Project Records • 121VA19 -- National Patient Databases - VA

  37. SOR’s Impact on Research • All release/disclosure of information must be consistent with the SOR and routine uses • Investigators cannot release information to non-VA investigators or institutions unless: • Written permission/authorization from the individual, or • Permission of the USH • Release of information is through the Privacy Office

  38. Privacy Issues Resources • VHA Privacy Officer: Stephania Putt • Local privacy officer • VHA privacy program: • http://vaww.vhaco.va.gov/privacy/ • Links to all Federal statutes, regulations, & policies including security policies • Privacy Fact Sheets

  39. Cybersecurity

  40. To err is human – and to blame it on a computer is even more so. Robert Orben, Magician and Comedy Writer

  41. A Changing Climate • Security must be addressed in: • Protocol, appendices, or other document • Facility SOPs • New policies (VA & VHA) and requirements • Sensitive data must be controlled at all times

  42. It is VA policy that: • VA information may not reside on non-VA systems or devices unless specifically authorized by VA guidance/policy • Federal Information Security Management Act of 2002 (FISMA): Federal security requirements apply when contractors or “other organizations on behalf of an agency” possess or use Federal information • You must obtain authorization to remove confidential & Privacy Act protected information • Approved protocol • Consult with supervisors/obtain permission • “Consult with supervisor and ISO to ensure that the data is properly encrypted and password protected in accordance with VA policy” Secretary’s memo, June 6, 2006

  43. VA Policy on Protection of Data • Data & system backups or copies: • Same confidentiality classification as originals • Laptops & portable media must NOT contain the only copy of the data • VAPI stored on computers or other storage media outside VA facilities must be encrypted per VA approved protection mechanisms • Password or other authentication information: • Do not store on remote systems unless encrypted • Data cannot be transmitted by remote access without VA-approved protection mechanisms

  44. VA policy on Government Laptops or Other Equipment • Updated property pass • Updated virus protection • “House & protect” it from: • Environmental threats & hazards • Unauthorized access, use, or removal • Laptops, external hard drives, or other storage devices must be under lock & key when not in your immediate vicinity if it: • Contains sensitive/protected information (VAPI) or • Software to access VA private networks

  45. What You Must Do • Prior to receiving laptop or “sensitive” data: • Know the policies on protecting or responding to lost/stolen laptops or data. • Always be on guard: • Use common sense about where you leave it, who can access it • Once laptop or data is discovered to be missing: • Report it to the police • Obtain a copy of the police report (name of officer, case number, etc.) • Try to “inventory” what is on the laptop or the missing data. • Make required notifications

  46. Reporting of Security Incidents • OMB requires reporting of an incident within 1 hour of discovery to US-CERT • US-CERT: US Computer Emergency Readiness Team is the operational arm of National Cyber Security Division (NCSD), Department of Homeland Security (DHS). • Suspected and confirmed breaches must be reported

  47. How to Report Security Incidents • Immediately report to: • Supervisor • ISO • Privacy Officer • Others (Your facility may require reporting to other facility administrators) • ISO will report it to the VA-Security Operations Center (VA-SOC) • Privacy Officer will enter it into the Privacy Violations Tracking System (PVTS) • VA-SOC will notify US-CERT & key VHA/VA officials

  48. Investigator’s Responsibilities • Protocols contain sufficient information on security issues: • Who uses information; • How it will be stored and secured; • Who has copies where; • Will it remain within VA – if not, will all data be returned to VA – if not, why; • Disposition of the data after the protocol is completed • Allowing access only to authorized individuals

  49. Investigator’s Responsibilities (Cont.) • Safeguarding laptops, portable drives, flash drives, and other media • Ensuring all contracts, DUAs, and BAAs contain required language • Encrypting/password protecting all sensitive data

  50. Policy Documents • VA Directive 6504 – Waiver of requirements • Granted only by the VA Chief Information Officer in CO • Waiver request only from an Administration Head, Assistant Secretary, or other key official • Majority of IT & security documents being redrafted on a very fast track
