1 HIPAA Privacy and Security Management Update January 28, 2008 Karen Pagliaro-Meyer Privacy Officer...

Post on 21-Dec-2015


1

HIPAA Privacy and Security

Management Update

January 28, 2008

Karen Pagliaro-Meyer, Privacy Officer

kpagliaro@columbia.edu

(212) 305-7315

Soumitra Sengupta, Information Security Officer

sen@columbia.edu

(212) 305-7035

2

HIPAA: PRIVACY vs. SECURITY

What’s the Difference?

PRIVACY

Refers to WHAT is protected — Health information about an individual and the determination of WHO is permitted to use, disclose, or access the information

SECURITY

Refers to HOW private information is safeguarded — Ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss

3

HIPAA Privacy and Security Update

Security Update

1. Policy & Procedure Update

2. HIPAA & SSN Asset Identification

3. Other Security Information

Privacy Update

1. Policy & Procedure Update

2. HIPAA Staff Education

3. Business Associate Agreements

4

Why do we care about HIPAA?

Privacy Breaches: George Clooney

Information Security: V.A. Hospital lost hard drive with patient medical and physician information

Identity Theft: Social Security Notification Act

5

1. Privacy Policy and Procedure Update

• Notice of Privacy Practices

– Notice – English and Spanish

– Acknowledgement form

– Posters

• Release of patient information

• Privacy and Security Audit tools

• Reporting Privacy Breach Allegation


11

2. Staff Education

Current Privacy and Security Education

– New Hire Staff Education

– On-line HIPAA Education (Professional Staff)

– HIPAA for Researchers (RASCAL)

Additional Education Planned

– Quarterly HIPAA Training for managers (refresher and new hire)

– Quarterly HIPAA Training for staff (refresher)

– Quarterly Email reminders / alerts

– Department specific – as requested

– Web Site

12

3. Business Associate

Definition: A person or organization:

• who is not a member of your staff;

• and not another healthcare provider;

• receives, uses, or discloses protected health information (patient information);

• in connection with providing any of the following services to or for your practice:

13

3. Who is a Business Associate?

Examples include:

• billing

• claims processing or administration

• call service management

• quality assurance

• data processing or analysis

• transcription services

• utilization review

• design or manage an electronic records system

• accounting

• accreditation

• administrative

• data aggregation

• consulting

• financial services

• management

14

HIPAA Information Security Recap

Confidentiality

• Prevent unauthorized access or release of EPHI

• Prevent abuse of access (identity theft, gossip)

Integrity

• Prevent unauthorized changes to EPHI

Availability

• Prevent service disruption due to malicious or accidental actions, or natural disasters.

15

Regulation specification

Administrative Safeguards

• Policies and Procedures

• Responsibility

• Awareness and Training

• Incident Processing, Sanctions

Physical Safeguards

• Workstation Use and Security

• Facility Access Control

• Device and Media Control

Technical Safeguards

• Access Control

• Audit Control

• Encryption and Integrity control

16

Policies and Procedures

• Information Security Mgmt Process

• Information Access Mgmt & Control

• General Info Security

• Info Sec: Audit and Evaluation

• Workstation Use and Security

• Workforce Security Clearance, Term and Auth

• Info Sec: Backup, Device & Media Control

• Info Sec: Facility Access Control & Security

• Info Sec: Disaster Contingency & Recovery Plan

• Info Sec: Security Incident Procedure

Information Security Best Practices

17

Responsibility action items

Information Asset Owner responsibility

– Risk Assessment and management

– Implementation of Security Controls

• Access, Authorization, Termination

– Audit and evaluation

– Disaster Contingency and Recovery Plan

– Additional information in Policy documents

18

Responsibility action items

Manager responsibility

– Workforce Clearance, Termination and Authorization

– Facilities access to sensitive information assets

– Education, security reminders, sanctions

End User responsibility

– “Acceptable Use”

– Safe practices

– Sensitivity towards patient privacy

19

Consequences of Security Failure

• Disruption of Patient Care

• Increased cost to the institution

• Legal liability and lawsuits

• Negative Publicity

• Identity theft (monetary loss, credit fraud)

• Disciplinary action

20

Types of Security Failure

Intentional Attacks

– Malicious Software (Bots, Spyware)

– Theft of copyrighted material (Torrent, Limewire, Emule, etc.)

– Stolen Passwords (Keyloggers, Trojans)

– Impostors e-mailing to infect and steal info (Phishing)

– Abuse of privilege (Employee/VIP clinical data)

…and an important development…

21

Privacy & Security Concerns

Risk to Clinical Information

• Loss of Laptops, USB/flash drives, CD/DVD, Blackberry/Palm, etc.

• Failure to safeguard equipment

– Physically locked / secured?

– Password protected?

– Encrypted?

E.g. Kingston DataTraveler Secure Privacy Edition USB Flash drive

22

Types of Security Failure

Employee Carelessness

– Sharing Passwords

– Not signing off systems

– Downloading and executing unknown software

– Sending EPHI outside the institution without encryption

– Losing PDA and Laptop in transit

– Pursuing risky behavior – Improper web surfing, and instant messaging

– Not questioning, reporting, or challenging suspicious or improper behavior

24

Methods to Protect against Failures

• Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)

• Do not be responsible for another person’s abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination

• Do not copy, duplicate, or move EPHI without a proper authorization

• Do not email EPHI without encryption to addresses outside the institution

25

Methods to Protect against Failures

Strictly follow principles of ‘Minimum necessary’ and ‘Need-to-know’ for all accesses – the 3 fundamental missions of the institution are Care, Education and Research.

Challenge improper behavior, question suspicious behavior, report violations and security problems to proper authorities – email to hipaa@columbia.edu or security@cumc.columbia.edu or call Privacy Office (1-212-305-7315) or call CUMC IT Helpdesk (1-212-305-HELP)

Communicate with colleagues and staff about secure and ethical behavior

26

HIPAA & SSN Asset Identification Project

• Identify electronic storage of patient information and of any SSN (patient, provider, employee)

• Storage includes

– Applications, Databases, Files.

– Application/Database/File servers, Workstations/PC/Laptops, USB/Flash devices, CD/DVDs, Home computers

• Started on 12/7 by Bob Sideli, CIO, CUMC (cc to Chairs). So far:

– 43% of departments / centers have responded

– 83 assets with Social Security Numbers

– 70 assets with Protected Health Information

27

Information Systems Security

Application/database/file store Information: List all Applications/databases/file stores for which the Department is responsible. Repeat this information for each application/database/file store, one in each worksheet. Protected Health Information (PHI) is any patient related information including name, DOB, SSN, address, diagnosis, treatment, etc.

When in doubt - report

Enter Application (Database/File Store) Name:

Brief description of application (Database/File Store) and its use:

Name of Individual responsible for Application/Database/File Store:

Title:                UNI:

Phone:                Email:

Works in…
    Columbia Dept (Specify name below)    CUbhis
    Third party vendor (Specify name below)

Does it contain Social Security Number?            YES    NO    Don’t Know

Does it contain Protected Health Information?      YES    NO    Don’t Know
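As an added example (not part of the slide deck), a small Python scanner that supports the asset identification worksheet above: it flags text exports that contain SSN-like values, filters out numbers the SSA never issues to limit false positives, and records only a masked form so the inventory itself holds no full SSN. The store names, owner and sample contents are constructed.

```python
"""Added example: SSN discovery to support the asset identification worksheet.

Scans text exports (e.g. a database dump saved as CSV) for values that look
like U.S. Social Security Numbers and produces one inventory row per store in
the shape of the worksheet above. Store names, the owner and the sample text
are constructed for this example, not taken from any real system.
"""
import re
from typing import Dict, List, Optional

# Candidate formats: 123-45-6789, 123 45 6789 or 123456789, as whole tokens.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666 or 900-999, group 00,
    serial 0000); this drops most phone numbers and other 9-digit IDs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> List[str]:
    """Return plausible SSNs found in text, masked to the last four digits so
    the inventory record never holds a full number."""
    return ["***-**-" + m.group(3) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def inventory_record(name: str, owner: str, text: Optional[str]) -> Dict:
    """One worksheet row. text=None means the store could not be read as text
    (binary or encrypted), which maps to the worksheet's 'Don't Know'."""
    if text is None:
        return {"application": name, "responsible": owner,
                "contains_ssn": "Don't Know", "ssn_count": 0}
    hits = find_ssns(text)
    return {"application": name, "responsible": owner,
            "contains_ssn": "YES" if hits else "NO", "ssn_count": len(hits)}

# Constructed sample exports: one with two SSNs among phone numbers, one clean.
SAMPLE_STORES = {
    "Billing export (constructed)": "Pt 123-45-6789 tel (212) 305-7315\nPt 456 78 9012",
    "Scheduling export (constructed)": "Clinic 2123057035, ext 4321, MRN 000123456",
}

def build_inventory(owner: str = "J. Doe (constructed)") -> List[Dict]:
    """Produce one worksheet row per constructed sample store."""
    return [inventory_record(n, owner, t) for n, t in SAMPLE_STORES.items()]
```

A store that answers "Don't Know" still needs the worksheet completed by its owner; the scanner only narrows where a manual review is needed.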

28

New York State SSN Laws

• Information Security Breach and Notification Act – December 2005

– If… Breach of Personally Identifiable Information

• SSN

• Credit Card

• Driver’s License

– Then… Notify consumers, NY State, consumer reporting agencies

– Loss of 100s of thousands for notification and credit report help

– Penalties

29

New York State SSN Laws

• Social Security Number Protection Law – December 2007

– Recognizes SSN to be primary identifier for identity theft

– Illegal to communicate to general public

– Access cards, tags, etc. may not have SSN

– SSN may not be transmitted over Internet without encryption

– SSN may not be used as password

– SSN may not be printed on envelopes with see-through windows

– Penalties

• Identification of SSN assets is the first step towards reducing the risk of violating laws.
