HIPAA Privacy and Security Management Update, January 28, 2008
Karen Pagliaro-Meyer, Privacy Officer, (212) 305-7315; Soumitra Sengupta, Information Security Officer, (212) 305-7035

Page 1

HIPAA Privacy and Security Management Update

January 28, 2008

Karen Pagliaro-Meyer, Privacy Officer
kpagliaro@columbia.edu
(212) 305-7315

Soumitra Sengupta, Information Security Officer
[email protected]
(212) 305-7035

Page 2

HIPAA: PRIVACY vs. SECURITY

What’s the Difference?

PRIVACY refers to WHAT is protected — health information about an individual and the determination of WHO is permitted to use, disclose, or access the information.

SECURITY refers to HOW private information is safeguarded — ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.

Page 3

HIPAA Privacy and Security Update

Security Update
1. Policy & Procedure Update
2. HIPAA & SSN Asset Identification
3. Other Security Information

Privacy Update
1. Policy & Procedure Update
2. HIPAA Staff Education
3. Business Associate Agreements

Page 4

Why do we care about HIPAA?

• Privacy Breaches – George Clooney
• Information Security – V.A. Hospital lost hard drive with patient medical and physician information
• Identity Theft – Social Security Notification Act

Page 5

1. Privacy Policy and Procedure Update

• Notice of Privacy Practices
  – Notice – English and Spanish
  – Acknowledgement form
  – Posters
• Release of patient information
• Privacy and Security Audit tools
• Reporting Privacy Breach Allegation


Page 11

2. Staff Education

Current Privacy and Security Education
– New Hire Staff Education
– On-line HIPAA Education (Professional Staff)
– HIPAA for Researchers (RASCAL)

Additional Education Planned
– Quarterly HIPAA Training for managers (refresher and new hire)
– Quarterly HIPAA Training for staff (refresher)
– Quarterly Email reminders / alerts
– Department specific – as requested
– Web Site

Page 12

3. Business Associate

Definition: A person or organization:
• who is not a member of your staff;
• and not another healthcare provider;
• receives, uses, or discloses protected health information (patient information);
• in connection with providing any of the following services to or for your practice:

Page 13

3. Who is a Business Associate?

Examples include:

• billing

• claims processing or administration

• call service management

• quality assurance

• data processing or analysis

• transcription services

• utilization review

• design or manage an electronic records system

• accounting

• accreditation

• administrative

• data aggregation

• consulting

• financial services

• management

Page 14

HIPAA Information Security Recap

Confidentiality
• Prevent unauthorized access or release of EPHI
• Prevent abuse of access (identity theft, gossip)

Integrity
• Prevent unauthorized changes to EPHI

Availability
• Prevent service disruption due to malicious or accidental actions, or natural disasters.

Page 15

Regulation specification

Administrative Safeguards
• Policies and Procedures
• Responsibility
• Awareness and Training
• Incident Processing, Sanctions

Physical Safeguards
• Workstation Use and Security
• Facility Access Control
• Device and Media Control

Technical Safeguards
• Access Control
• Audit Control
• Encryption and Integrity control

Page 16

Policies and Procedures (Information Security Best Practices)

• Information Security Management Process
• Information Access Management & Control
• General Information Security
• Info Sec: Audit and Evaluation
• Workstation Use and Security
• Workforce Security Clearance, Termination and Authorization
• Info Sec: Backup, Device & Media Control
• Info Sec: Facility Access Control & Security
• Info Sec: Disaster Contingency & Recovery Plan
• Info Sec: Security Incident Procedure

Page 17

Responsibility action items

Information Asset Owner responsibility
– Risk Assessment and management
– Implementation of Security Controls
  • Access, Authorization, Termination
– Audit and evaluation
– Disaster Contingency and Recovery Plan
– Additional information in Policy documents

Page 18

Responsibility action items

Manager responsibility
– Workforce Clearance, Termination and Authorization
– Facilities access to sensitive information assets
– Education, security reminders, sanctions

End User responsibility
– “Acceptable Use”
– Safe practices
– Sensitivity towards patient privacy

Page 19

Consequences of Security Failure

• Disruption of Patient Care
• Increased cost to the institution
• Legal liability and lawsuits
• Negative Publicity
• Identity theft (monetary loss, credit fraud)
• Disciplinary action

Page 20

Types of Security Failure

Intentional Attacks
– Malicious Software (Bots, Spyware)
– Theft of copyrighted material (Torrent, Limewire, Emule, etc.)
– Stolen Passwords (Keyloggers, Trojans)
– Impostors e-mailing to infect and steal info (Phishing)
– Abuse of privilege (Employee/VIP clinical data)

…and an important development…

Page 21

Privacy & Security Concerns

Risk to Clinical Information
• Loss of Laptops, USB/flash drives, CD/DVD, Blackberry/Palm, etc.
• Failure to safeguard equipment
  – Physically locked / secured?
  – Password protected?
  – Encrypted?

E.g. Kingston DataTraveler Secure Privacy Edition USB Flash drive

Page 22

Types of Security Failure

Employee Carelessness
– Sharing Passwords
– Not signing off systems
– Downloading and executing unknown software
– Sending EPHI outside the institution without encryption
– Losing PDA and Laptop in transit
– Pursuing risky behavior – improper web surfing, and instant messaging
– Not questioning, reporting, or challenging suspicious or improper behavior

Page 23

Methods to Protect against Failures

• Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)
• Do not be responsible for another person’s abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
• Do not copy, duplicate, or move EPHI without a proper authorization
• Do not email EPHI without encryption to addresses outside the institution

Page 24

Methods to Protect against Failures

• Strictly follow principles of ‘Minimum necessary’ and ‘Need-to-know’ for all accesses – the 3 fundamental missions of the institution are Care, Education and Research.
• Challenge improper behavior, question suspicious behavior, report violations and security problems to proper authorities – email to [email protected] or [email protected] or call Privacy Office (1-212-305-7315) or call CUMC IT Helpdesk (1-212-305-HELP)
• Communicate with colleagues and staff about secure and ethical behavior

Page 25

HIPAA & SSN Asset Identification Project

• Identify electronic storage of patient information and of any SSN (patient, provider, employee)
• Storage includes
  – Applications, Databases, Files
  – Application/Database/File servers, Workstations/PC/Laptops, USB/Flash devices, CD/DVDs, Home computers
• Started on 12/7 by Bob Sideli, CIO, CUMC (cc to Chairs). So far:
  – 43% of departments / centers have responded
  – 83 assets with Social Security Numbers
  – 70 assets with Protected Health Information

Page 26

Information Systems Security (asset identification worksheet)

Application/database/file store information: List all applications/databases/file stores for which the Department is responsible. Repeat this information for each application/database/file store, one in each worksheet. Protected Health Information (PHI) is any patient-related information including name, DOB, SSN, address, diagnosis, treatment, etc. When in doubt - report.

Worksheet fields:
• Name of individual responsible for application (database/file store):
• Title:   UNI:
• Phone:   Email:
• Works in…  Columbia Dept (specify name below) / CUbhis / Third party vendor (specify name below)
• Enter application (database/file store) name:
• Brief description of application (database/file store) and its use:
• Does it contain Social Security Number?  YES / NO / Don’t Know
• Does it contain Protected Health Information?  YES / NO / Don’t Know

Page 27

New York State SSN Laws

• Information Security Breach and Notification Act – December 2005
  – If… breach of Personally Identifiable Information
    • SSN
    • Credit Card
    • Driver’s License
  – Then… notify consumers, NY State, consumer reporting agencies
  – Loss of 100s of thousands for notification and credit report help
  – Penalties

Page 28

New York State SSN Laws

• Social Security Number Protection Law – December 2007
  – Recognizes SSN to be primary identifier for identity theft
  – Illegal to communicate to general public
  – Access cards, tags, etc. may not have SSN
  – SSN may not be transmitted over Internet without encryption
  – SSN may not be used as password
  – SSN may not be printed on envelopes with see-through windows
  – Penalties
• Identification of SSN assets is the first step towards reducing the risk of violating laws.
