Stephen D. Rose, J.D., M.B.A. K&L Gates 925 Fourth Avenue, Suite 2900 Seattle, Washington 98104

HIPAA: Introduction to the Security Rules Lorman Education Service August 22, 2007 Tacoma, Washington Stephen D. Rose, J.D., M.B.A. K&L Gates 925 Fourth Avenue, Suite 2900 Seattle, Washington 98104 (206) 370-8126 [email protected]


Page 1:

HIPAA: Introduction to the Security Rules
Lorman Education Service
August 22, 2007
Tacoma, Washington

Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126
[email protected]

Page 2:

HIPAA: Introduction to the Security Rules

Presentation By:

Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126
[email protected]

Page 3:

Page 4:

The Health Insurance Portability and Accountability Act of 1996

(Public Law 104-191)
Signed August 21, 1996

Title II, Subtitle F—Administrative Simplification

“HIPAA”

Page 5:

Perspectives

Pythagorean Theorem: 24 words
Archimedes’ Principle: 67 words
The Ten Commandments: 179 words
Lincoln’s Gettysburg Address: 286 words
U.S. Declaration of Independence: 1,300 words
HIPAA Privacy: 401,034 words

. . . the square of the hypotenuse is equal to the sum of the squares of the other two sides: a² + b² = c²

Page 6:

HIPAA Administrative Simplification Law

HIPAA: Health Insurance Portability and Accountability Act of 1996

Title I: Insurance Portability
Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification
    Administrative Simplification covers: Transactions, Code Sets, Identifiers, Security, Privacy, EDI
Title III: Tax Related Health Provision
Title IV: Group Health Plan Requirements
Title V: Revenue Off-sets

Page 7:

Effective Dates of HIPAA Rules

Privacy Rules: April 14, 2003
Security Rules: April 21, 2005

Page 8:

Purpose of HIPAA Provisions

Improve efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.

Page 9:

Two Key Privacy Rule Goals

Provide strong Federal protections for privacy rights for health care information

Preserve (i.e., don’t interfere with) quality health care delivery

Page 10:

Privacy Rules vs. Security Standards

Privacy Rules focus on the rights and expectations of patients with respect to how their private medical information is handled by providers and organizations.

Security Standards provide guidance to organizations and providers on how to protect the integrity and confidentiality of medical information.

Page 11:

The Importance of Privacy and Security

In 2001 a NV woman purchased a used computer only to find its previous owner, a drugstore, left on it the pharmacy records of thousands of patients.

In 2000 a FL man purchased a laptop only to discover mental health records from a local institution on it – he contacted the news who interviewed patients about the matter.

Page 12:

The Importance of Privacy and Security

In 2000 a hacker downloaded medical records, health information, and social security numbers on more than 5,000 patients at the University of Washington Medical Center. The hacker was motivated by a desire to expose the vulnerability of electronic medical records. (R. O’Harrow, "Hacker Accesses Patient Records," The Washington Post, 9 December 2000, p. E1)

The hacker claimed all the records were taken via the Internet and that the Institution lacked firewalls. The cracker was able to capture user ID and passwords by capturing key strokes.

Page 13:

The Importance of Privacy and Security

In 2000 a teenage girl, while visiting her mother at work, retrieved the names and phone numbers of patients who had visited the ER from a hospital computer. As a prank, she called them and told them they were pregnant or had AIDS. One victim attempted suicide.

Page 14:

The Importance of Privacy and Security

CD with Medical Data of 75,000 is Found

A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday.

A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January.

No way to track whether copies of the CD were made.

Page 15:

The Importance of Privacy and Security

In 1994, administrators of a new computerized medical record system for an HMO in Oregon were shocked to find that 141 employees had peeked at the record of a celebrity who came in to be treated for a sprained wrist.

Page 16:

The Importance of Privacy and Security

Most Data Breaches Traced to Company Errors

Research from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders.

Looked at 550 data breaches that received media coverage between 1980 and 2006.

Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors.

Less than one-third of the breaches were the work of outside attackers.

Page 17:

Washington State Data Breach Notification Law
RCW 19.255.010

Businesses and individuals that own or license computerized data that includes “personal information” must notify state residents whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.

Notice of the data breach must be sent in “the most expedient time possible and without unreasonable delay.”

Page 18:

Other Federal Laws

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030

Penalizes intentionally accessing a computer without authorization (or exceeding authorization) and thereby causing damage.

Also contains a private right of action under 18 U.S.C. § 1030(g) designed to supplement the criminal sanctions under 18 U.S.C. § 1030(c).

Page 19:

Regulation Themes: Scalability/Flexibility

Covered entities can take into account:
  Size
  Complexity
  Capabilities
  Technical Infrastructure
  Cost of procedures to comply
  Potential security risks

Page 20:

Compliance

162.530: a Covered Entity must develop and implement policies and procedures relating to PHI designed to comply with the [HIPAA] regulations.

Compliance is mandatory.

Page 21:

Duty to Safeguard PHI

HIPAA requires a Covered Entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI.

Page 22:

Assigning Responsibility

Privacy Officer 45 CFR 164.530(a)(1)(i)

Designated person to receive complaints 45 CFR 164.530(a)(1)(ii)

Page 23:

The Security Rules

Published: February 20, 2003

Effective Date: April 21, 2003

Compliance Date: April 21, 2005 for all covered entities except small health plans.

Page 24:

CIA

  Confidentiality
  Integrity
  Availability

Page 25:

General Requirements (164.306(a))

Confidentiality (only the right people see it)

Integrity (the information is what it is supposed to be – it hasn’t been changed)

Availability (the right people can see it when needed)

Page 26:

Additional Requirements of the Security Rule

Protect against any reasonably anticipated threats or hazards to the security and integrity of ePHI.

Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required.

Page 27:

Additional Requirements of the Security Rule

Ensure compliance by the workforce.

Investigate, mitigate, and document the resolution of any inadvertent release.

Page 28:

“Required” versus “Addressable”

The HIPAA Security Rule requires standard implementation through written policies and procedures.

These standards have “required” and “addressable” implementation specifications.

Page 29:

“Required”

Required implementation specifications are mandatory.

Page 30:

“Addressable”

WARNING: “addressable” does NOT mean “optional.”

If a given addressable implementation specification is determined to be reasonable and appropriate, the entity must adopt it.

Page 31:

“Addressable”

If a given “addressable” implementation specification is determined to be inappropriate or unreasonable, the entity may implement an alternative measure that accomplishes the same end.

This determination and its rationale must be documented.

Page 32:

HIPAA Security Standards

Administrative Safeguards (55%) 12 Required, 11 Addressable

Physical Safeguards (24%) 4 Required, 6 Addressable

Technical Safeguards (21%) 4 Required, 5 Addressable

Page 33:

Administrative Safeguards

This section is concerned with the policies, procedures, and processes relating to the “workforce” and not the physical and technical security which is the subject of later sections.

Page 34:

Administrative Safeguards

Security Management Process
  Risk Analysis (R)
  Risk Management (R)
  Sanction Policy (R)
  Information System Activity Review (R)

Page 35:

Risk Assessment / Risk Analysis

Assess your own security risks.

Determine your risk tolerance or risk aversion.

Devise, implement, and maintain appropriate security to address your business requirements.

Document your decisions.

Page 36:

Risk Analysis

Two types:

Qualitative (easiest and most common): rating risks on a scale such as the Low/Medium/High matrix on the next slide.

Quantitative (most difficult to determine): placing a dollar value on the risk based upon some formulas or calculations.

Page 37:

Risk Calculations

The higher the number, the greater your risks.

                    Probability of Occurrence
                        L     M     H
Impact      H           7     8     9
            M           4     5     6
            L           1     2     3
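As an added example (not part of the presentation), here is the qualitative Impact × Probability matrix from this slide and the quantitative "dollar value" approach from the previous slide applied to a small risk register, with the risk-tolerance step from the Risk Assessment slide folded in. The register entries, the tolerance threshold of 5, and the annualized loss expectancy formula (ALE = SLE × ARO) are assumptions added here; the slides only say a dollar value is derived "based upon some formulas".

```python
"""Qualitative and quantitative risk scoring for a HIPAA risk analysis.

Added example, not from the slides. The 3x3 Impact x Probability matrix
(scores 1-9) reproduces the "Risk Calculations" slide; the risk-tolerance
threshold, the sample register and the ALE = SLE x ARO formula are assumed.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("L", "M", "H")  # Low, Medium, High, as on the slide's two axes


def qualitative_score(impact: str, probability: str) -> int:
    """Look up the slide's matrix: rows are Impact (L -> 1..3, M -> 4..6,
    H -> 7..9), columns are Probability of Occurrence (L, M, H).
    A higher number means a greater risk."""
    if impact not in LEVELS or probability not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return 3 * LEVELS.index(impact) + LEVELS.index(probability) + 1


def annualized_loss_expectancy(single_loss_usd: float, annual_rate: float) -> float:
    """Quantitative risk: ALE = SLE x ARO (conventional formula, assumed here)."""
    if single_loss_usd < 0 or annual_rate < 0:
        raise ValueError("loss and rate must be non-negative")
    return single_loss_usd * annual_rate


@dataclass
class Risk:
    name: str
    impact: str
    probability: str
    single_loss_usd: Optional[float] = None  # None when only a qualitative rating exists
    annual_rate: Optional[float] = None      # expected occurrences per year

    @property
    def score(self) -> int:
        return qualitative_score(self.impact, self.probability)

    @property
    def ale(self) -> Optional[float]:
        if self.single_loss_usd is None or self.annual_rate is None:
            return None
        return annualized_loss_expectancy(self.single_loss_usd, self.annual_rate)


def assess(register: list, tolerance: int) -> list:
    """Rank risks by qualitative score (ties broken by ALE where known) and flag
    every risk above the organization's tolerance as needing a documented
    treatment decision ("document your decisions" on the slides)."""
    ranked = sorted(register, key=lambda r: (r.score, r.ale or 0.0), reverse=True)
    return [
        {
            "name": r.name,
            "score": r.score,
            "ale_usd": r.ale,
            "needs_treatment": r.score > tolerance,
        }
        for r in ranked
    ]


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    Risk("Unencrypted laptop with ePHI lost", impact="H", probability="M",
         single_loss_usd=250_000.0, annual_rate=0.2),
    Risk("Workstation left logged in in shared area", impact="M", probability="H"),
    Risk("Backup tapes stored on site only", impact="H", probability="L",
         single_loss_usd=400_000.0, annual_rate=0.05),
    Risk("Spam reaching clinician inboxes", impact="L", probability="H"),
]
RISK_TOLERANCE = 5  # assumed: scores of 6 and above require a treatment plan

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, RISK_TOLERANCE):
        print(row)
```

The ranking puts the lost-laptop risk (score 8) first even though the on-site-only backups carry a higher single-loss figure, which is the point of doing both analyses: the qualitative matrix drives prioritisation, and the dollar figure helps justify the cost of the chosen safeguard when the decision is documented.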

Page 38:

Administrative Safeguards

Assign a Security Officer who is responsible for HIPAA Security Rule compliance.

Can be same person as the HIPAA Privacy Officer or a different person.

Page 39:

Administrative Safeguards

Workforce Security
  Authorization and/or Supervision (A)
  Workforce clearance procedures (A)
  Termination Procedures (A)

Page 40:

Administrative Safeguards

Information Access Management
  Healthcare Clearinghouse Function (R)
  Access authorization (A)
  Access Establishment and Modification (A)

Page 41:

Administrative Safeguards

Security Awareness and Training
  Security Reminders (A)
  Protection from malicious software (A)
  Log-In Monitoring (A)
  Password Management (A)

Page 42:

Administrative Safeguards

Security Incident Procedures
  Response and reporting (R)

Page 43:

Administrative Safeguards

Contingency Planning
  Data Backup Plan (R)
  Disaster Recovery Plan (R)
  Emergency Mode Operation Plan (R)
  Testing and Revision Procedure (A)
  Applications and Data Criticality Analysis (A)

Page 44:

Administrative Safeguards

Evaluation (R)
  Periodic review
  Non-technical review
  Technical review

Page 45:

Administrative Safeguards

Business Associate Agreements and Other Arrangements

Page 46:

Physical Safeguards

The Physical Safeguards (§ 164.310) relate to the physical actions the practice must undertake to implement the Security Rule. Small practices will want to focus on limiting physical access to electronic information within the office by unauthorized personnel by simple means such as physical barriers, locks, and supervision.

Page 47:

Physical Safeguards

Facility Access Controls
  Contingency Operations (A)
  Facility Security Plan (A)
  Access Control and Validation Procedures (A)
  Maintenance Records (A)

Page 48:

Physical Safeguards

Workstation Use
Workstation Security

Page 49:

Physical Safeguards

Device and Media Controls
  Disposal (R)
  Media Re-use (R)
  Accountability (A)
  Data Backup and Storage (A)

Page 50:

Technical Safeguards

This section of the Security Rule (§ 164.312) addresses technical items that need to be implemented to meet the requirements of the Security Rule.

Page 51:

Technical Safeguards

Access Control
  Unique User Identification (R)
  Emergency Access Procedure (R)
  Automatic Logoff (A)
  Encryption and Decryption (A)

Page 52:

Technical Safeguards

Audit Controls (R)

Page 53:

Technical Safeguards

Integrity
  Mechanism to Authenticate ePHI

Page 54:

Technical Safeguards

Person or Entity Authentication (R)

Page 55:

Technical Safeguards

Transmission Security
  Integrity Controls (A)
  Encryption (A)

Page 56:

Policies and Procedures and Documentation Requirements

Documentation—A covered entity must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule.

Page 57:

Documentation

Make the documentation available to those persons responsible for implementing the procedures to which the documentation pertains. This is a required implementation specification.

Retain the documentation required for 6 years from the date of its creation or the date it was last in effect, whichever is later in time. This is a required implementation specification.

Page 58:

Disclaimer

These materials are provided for educational purposes only, and are not legal advice or intended to be substituted for legal advice. Parties affected by the issues discussed in these materials should consult with their legal counsel, as the specific facts of any given case will greatly influence the legal advice given.

It is important to note that these materials address an area of the law that is volatile and expected to have significant changes in the very near future, which may completely alter the applicability of these materials to any situation.

Page 59:

Questions

Page 60:

Contact

Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126
[email protected]