
Number of slides: 60

Information Security and Privacy: HIPAA’s Potential Impact
Gordon J. Apple, Attorney at Law, Law Office of Gordon J. Apple, St. Paul, MN
Lee Olson, Information Security Officer, Mayo Foundation, Rochester, MN

Program Objectives
- Overview of data security/privacy issues
- Review of HIPAA security standards
- Review of HIPAA privacy standards
- Facing HIPAA challenges

Existing Data Protection Requirements
- State law
- Federal law
- JCAHO
- Conditions of Participation
- Professional codes

New HIPAA Requirements
- Standards for electronic transactions and code sets
- National standard health care provider identifier
- National standard employer identifier
- Security and electronic signature standards

New HIPAA Requirements cont’d
- Standards for privacy of individually identifiable health information
- National standard for health claims attachment
- National standard identifiers for health plans

I. Overview of Data Security and Privacy Issues

Privacy
- “The right to privacy is an integral part of our humanity; one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close.”
- Minnesota Supreme Court, 582 N.W.2d 231 (1998)

The Power of Anecdotes

Data Mining
- Develop clinical pathways to improve patient care
- Develop drug formularies
- Develop marketing opportunities?

CVS Case
- Pharmacy records
- Alleged misuse
- PR firestorm
- Class action litigation

“It is only slightly facetious to say that digital information lasts forever - or five years, whichever comes first.”
Jeff Rothenberg, Scientific American, Jan. 1995

Geek Speak
- Firewall
- Hacker
- Bandwidth
- Router
- Port
- Probes
- TTP

Geek Speak II
- CA
- PKI
- PKE
- LAN
- ISP

Wetware

II. General Review of HIPAA Security Standards

Security
- “The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.”
- Three aspects to consider
  – confidentiality
  – integrity
  – availability

Security Standards: Applicability
- Applies to any health plan, provider or clearinghouse that electronically maintains or transmits any individually identifiable health information, internally or externally

Security is risk management

Risk Management Process
- Quantify assets, risks and threats
  – a mix of the objective and subjective
  – need not be complicated
- Determine cost-effective security controls
  – protect what’s worth protecting & don’t worry about the rest
- The government is big on this
  – mainly because the government is big
  – approach statistical mean

Risks
- Passive, always in the background
  – fires, floods, power outages, equipment failure
  – predictable on a large scale & statistical in nature

Threats
- Active, evolving, never static
- Goal: defeat security
  – people oriented
  – hackers, viruses, insiders, disgruntled persons
  – must be actively managed by security professionals

1. Administrative Procedures
- Guard data confidentiality, integrity and availability
- Policies and procedures
  – written
  – communicated
  – enforced

Administrative Requirements
- Certification
- Chain of trust partner agreements
- Organizational policies, practices and procedures
- Access controls
- Internal audit
- Personnel security
- Configuration management
- Incident response
- Termination procedures
- Training

2. Physical Safeguards
- Appointment of security czar
- Physical access control
- Workstation usage
- Media & output controls
- Locks, keys, tokens…
- Termination procedures
- Backup

3. Technical Security Services
- System Level Features
- System access
  – user identification and authentication
- Entity authentication
- Data authentication
- Authorization control
  – discretionary access to data
  – least privilege principle
- Audit controls

4. Technical Security Mechanisms
- Communications & network controls
  – firewall management
  – access controls
  – alarms
  – audit trail
  – encryption
  – event reporting
  – integrity controls

5. Electronic Signature
- Must implement three characteristic features:
  – message integrity
  – non-repudiation
  – user authentication
- Digital signature provides these
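The slide asserts that a digital signature supplies all three features. The following added example (written for this page, not from the presentation or its authors) shows that claim concretely with Go's standard-library Ed25519: a signature over a constructed sample note verifies for the genuine signer, fails once a byte of the note changes (message integrity), and fails when another key signs the same text (user authentication; since only the holder of the private key can produce a valid signature, the signer cannot later deny it).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord pairs a message with the signature its author produced.
type SignedRecord struct {
	Message   []byte
	Signature []byte
}

// Sign produces a signature over msg. Only the holder of priv can do this,
// which is the basis of non-repudiation.
func Sign(priv ed25519.PrivateKey, msg []byte) SignedRecord {
	return SignedRecord{Message: msg, Signature: ed25519.Sign(priv, msg)}
}

// Verify checks the record against the public key the recipient trusts for
// the claimed signer. It fails if the message was altered after signing
// (integrity) or if the signature came from a different key (authentication).
func Verify(trusted ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(trusted, r.Message, r.Signature)
}

// Demo exercises the three properties on a constructed sample note and
// returns the outcomes: genuine should verify, the other two should not.
func Demo() (genuine, tampered, wrongSigner bool, err error) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, privB, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample record attributed to the holder of key A.
	rec := Sign(privA, []byte("Patient 0001: consultation note, author A"))
	genuine = Verify(pubA, rec)

	// Integrity: changing the patient number invalidates the signature.
	alt := SignedRecord{Message: []byte("Patient 0002: consultation note, author A"), Signature: rec.Signature}
	tampered = Verify(pubA, alt)

	// Authentication: key B cannot produce a signature that verifies as A.
	wrongSigner = Verify(pubA, Sign(privB, rec.Message))
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v err=%v\n", g, t, w, err)
}
```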

Getting Started: Gathering Current State Information
- Translate requirements
  – 38 pages of single-spaced legalese; don’t try this at home
- HIPAA EarlyView™ tool
  – developed by NC Information & Communication Alliance
  – cost effective, uncomplicated, user friendly
  – license saves lots of work
  – generates reports useful for gap analysis
  – http://www.nchica.org/activities/EarlyView/More_info.htm

Organizational Assessment
- Conduct survey in bite-sized chunks
- Different systems & applications have different security attributes
  – Clinical systems
  – Clinical operations support
  – Finance & electronic commerce
  – Laboratory services
  – Business & HR systems, etc.

Logistical Considerations
- Consider geography, complexities & capabilities
- Who will collect & analyze the data?
  – Information Security Officer’s role
  – Stewards & Administrators’ roles

Pitfalls to Avoid
- Overanalyzing the requirements & process
  – Leads to corporate constipation
  – Academics need to put on their operational hats
- Garbage in, garbage out
  – Must understand the goal & process
  – Effective communication & buy-in essential
- Don’t sweat the details… for now
  – Use a top down approach, not Band Aids

Develop Implementation Plan
- Strategy must address both administrative & technical levels
  – coordinate with e-commerce
  – awareness & education
  – initiate process changes
  – modify systems & applications
  – replace systems & applications
- Final rule may necessitate minor course changes

Sources
- Minnesota Health Data Institute: http://zen.mhdi.org/
- North Carolina Healthcare Information and Communication Alliance: http://www.nchica.org/
- Massachusetts Health Data Consortium: http://www.mahealthdata.org
- Workgroup for Electronic Data Interchange: http://www.wedi.org
- HIPAAlert news briefs published by Phoenix Health Systems, Inc.: http://hipaalert.com

III. General Review of HIPAA Privacy Standards

Covered Entities
- Health plans
- Health care providers who transmit PHI in electronic form in connection with standard transactions
- Health care clearinghouses
- Short list indirectly expanded through business partner requirements

HIPAA Data
- Health information
- Individually identifiable health information
- Protected health information (PHI)

Protected Health Information
- Individually Identifiable Health Information that is or has been electronically transmitted or electronically maintained by a covered entity, and includes such information in any other form (printout of electronic data)
- 45 CFR 164.504

Uses and Disclosures of Protected Health Information
- To carry out treatment, payment or health care operations
- With patient consent
- No consent, but for public health, health oversight, judicial/administrative proceedings, coroners/MEs, law enforcement, …
- 45 CFR 164.510

Uses and Disclosures Requiring Patient Consent
- Requests by patient
- Request by CEs re: marketing, fundraising, employers for employment determinations, non-health related divisions of the CE…
- 45 CFR 164.508

Fair Information Practices
- Series of individual rights
- General rule on disclosure
  – “Minimum necessary”

Minimum Necessary
- To meet the purpose of the use or disclosure
- To limit access only to those people who need access to the information to accomplish the use or disclosure.
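The "minimum necessary" rule above and the authorization control, least privilege and audit controls listed under Technical Security Services come together in one mechanism: a release routine that hands out only the fields a role needs for a stated purpose and writes an audit entry whether the request is granted or denied. The Go code below is an added illustration for this page, not anything from the presentation or Mayo; the roles, purposes, field names and sample record are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Record is a constructed sample PHI record keyed by field name (assumed names).
type Record map[string]string

// ErrNotAuthorized is returned when the role has no permitted fields for the purpose.
var ErrNotAuthorized = errors.New("role not authorized for this purpose")

// AuditEntry is the audit-control record: who asked, in what role, for what
// purpose, which record, and which fields were released (or that it was denied).
type AuditEntry struct {
	User, Role, Purpose, RecordID string
	Released                     []string
	Denied                       bool
}

// minimumNecessary is an assumed sample policy: for each role and purpose,
// the smallest set of fields needed to accomplish that purpose.
var minimumNecessary = map[string]map[string][]string{
	"billing":   {"payment": {"patient_id", "insurance_id", "procedure_code"}},
	"physician": {"treatment": {"patient_id", "name", "diagnosis", "medications"}},
	"marketing": {}, // no purpose is permitted without patient consent
}

// SampleRecord builds a constructed record used by main and the tests.
func SampleRecord() Record {
	return Record{"patient_id": "0001", "name": "A. Patient", "insurance_id": "INS-42",
		"procedure_code": "99213", "diagnosis": "J06.9", "medications": "none"}
}

// Access releases only the permitted subset of rec and appends an audit entry.
// Unknown roles or purposes fall through to the deny path (least privilege).
func Access(user, role, purpose, id string, rec Record, audit *[]AuditEntry) (Record, error) {
	fields := minimumNecessary[role][purpose] // nil for unknown role or purpose
	if len(fields) == 0 {
		*audit = append(*audit, AuditEntry{User: user, Role: role, Purpose: purpose, RecordID: id, Denied: true})
		return nil, ErrNotAuthorized
	}
	out, released := Record{}, []string{}
	for _, f := range fields {
		if v, present := rec[f]; present {
			out[f], released = v, append(released, f)
		}
	}
	sort.Strings(released)
	*audit = append(*audit, AuditEntry{User: user, Role: role, Purpose: purpose, RecordID: id, Released: released})
	return out, nil
}

func main() {
	var audit []AuditEntry
	out, err := Access("clerk1", "billing", "payment", "0001", SampleRecord(), &audit)
	fmt.Println(out, err)
	_, err = Access("mkt1", "marketing", "payment", "0001", SampleRecord(), &audit)
	fmt.Println(err, audit)
}
```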

Notice of Information Practices
- An individual has a right to adequate notice of the policies and procedures of a covered entity that is a health plan or a health care provider with respect to protected health information
- 45 CFR 164.512

Access of Individuals to Protected Health Information
- Right of access includes access to PHI with
  – Health plan
  – Health care provider
  – Business partner if records not a duplicate
- Access as long as records maintained
- 45 CFR 164.514

Accounting for Disclosures of Protected Health Information
- Right to full accounting of disclosures from CEs, except for treatment, payment and health care operations and for certain disclosures to health oversight or law enforcement agencies.
- Right of accounting also applies to business partners
- 45 CFR 164.515

Right to Request Amendment or Correction
- Requests will have to be either accepted or rejected within 60 days
- Rejections will require an explanation in plain language
- Patients can still file a statement of disagreement, for the record
- 45 CFR 164.516

Administrative Requirements
- Privacy officer
- Training
  – Everyone likely to obtain access to PHI
- Safeguards
  – Administrative, technical and physical safeguards to protect privacy
- Complaint process
- 45 CFR 164.518

Documentation, Compliance and Enforcement
- Documentation
  – Uses and disclosures
  – Individual rights
  – Administrative requirements
  – 6 years
- Keep records of compliance activities, permit DHHS access and be nice!
- 45 CFR 164.520-522

Penalties & Claims
- Civil penalties
- Criminal penalties
- No private cause of action
- Third party beneficiary contract claims

Business Partners?

Business Partners
- Insurance companies
- Law firms
- Accountants
- IT contractors
- Compliance consultants
- Insurance brokers

Business Partners
- How well do you know them?
- How well do you want to know them?
- How well should you know them?
- Business partners: winners and losers

Satisfactory Assurance: BP will…
- Ensure that subcontractors are bound to HIPAA requirements
- Make PHI available upon appropriate request
- Have an open door for DHHS
- Abide by contract termination req’s
- Be able to amend/correct PHI upon CE notice

CE Responsibility for BP Violations
- Reasonable steps to ensure compliance
  – K due diligence
- Tainted by BP breach if CE “knew or should have known” of BP breach and… DID NOTHING… AKA “Ostrich Syndrome”

Business Partners
- Basic contract provisions
  – Follow HIPAA use and disclosure limits
  – Require technical and administrative safeguards for security and privacy
  – Reps, warranties, indemnification and deep pockets or certificate of insurance
  – Third party beneficiary language
  – Termination: give it back or destroy

De-identified PHI
- Issue of ownership
  – Sale
  – Licensing
- Requires data be stripped of listed elements
- Protections against re-identification

IV. Facing HIPAA Challenges

Group Discussion of HIPAA Challenges
- What are facilities doing now?
- Will it be possible to develop uniformity across complex systems?
- Should HIPAA standards be adopted for DTM records?

The Corporate Compliance Model
- Who leads?
  – Compliance Officer
  – Security Officer
  – Privacy Officer
- Gap analysis
  – Security standards
  – Privacy standards

The Corporate Compliance Model cont’d
- Defining areas of exposure
  – The Mayo model
  – Internal
  – External
- Plan development, implementation and training
  – Integration with compliance program?