1
HIPAA Security Rule Awareness For IRB Members
  • James McNamee, PhD
  • Assoc. Dean of Information Services and CIO
  • University of Maryland School of Medicine

2
Overview
  • The Health Insurance Portability and
    Accountability Act of 1996 (HIPAA) provides privacy
    and confidentiality for protected health
    information (PHI)
  • PHI is information about an individual's health,
    healthcare services, or payment for healthcare
    services that identifies the individual
  • Removing all personal identifiers (name, address,
    Social Security number, medical record number, etc.)
    turns PHI into de-identified data, which HIPAA
    no longer restricts

3
Overview
  • The Security Rule is the next phase of HIPAA
  • Compliance date: April 20, 2005
  • It requires specific protections for healthcare
    information in electronic form (e-PHI) that is
  • Stored (e.g., on servers, in computers)
  • Saved (e.g., in PDAs, on CDs)
  • Sent electronically (e.g., email, FTP)
  • Does not cover de-identified data
  • Requirements are the same for treatment, payment
    and operations (TPO) as for research

5
CIA Principles for e-PHI Care
  • Confidentiality - e-PHI is not used by or
    disclosed to unauthorized persons
  • Integrity - e-PHI is complete, accurate and has
    not been altered or destroyed in an unauthorized way
  • Availability - e-PHI is accessible and usable when
    needed

6
Confidentiality
  • Case Study
  • A hospital resident who volunteered for a
    research study claims her research records, which
    contain portions of her medical history, were
    accessed inappropriately by a post-doctoral
    fellow working on a different project. The
    post-doc claims it was unavoidable: the lab
    stores records from all its studies in the same
    database, with no per-study access control.

7
Integrity
  • Case Study
  • A lab technician moved data about three
    volunteers in the treatment group into the
    control group by mistake. That mix-up lowered
    statistical significance and led to weaker
    scientific conclusions.

8
Availability
  • Case Study
  • An infected office computer sent torrents of data
    through the network. Spurious traffic overwhelmed
    the network preventing others from accessing
    their data for two days.

9
Security Awareness
  • HIPAA sets standards that
  • Manage risk to e-PHI
  • Maintain physical and technical controls
  • Look for and report computer security breaches

10
Risk Management
  • Determine where e-PHI is stored and how it is
    used
  • Assess threats to and vulnerabilities of data
    systems
  • Take steps to mitigate CIA risks

11
Physical Access Controls
  • Restrict access to places containing e-PHI
  • Position workstation screens to avoid
    unauthorized viewing
  • Employ locking screen savers and automatic logoff
    after inactivity
  • Avoid storing e-PHI on workstations

12
Technical Access Controls
  • Set access permissions on a role- or rule-based
    basis (least privilege: only the studies and
    records a user needs)
  • Requests for e-PHI access must be authorized
  • Revoke access immediately upon termination
  • Provide authentication through unique user IDs
    and passwords
  • Require strong, hard-to-guess passwords

13
Password Management
  • DO NOT leave passwords in easily accessible
    places
  • DO NOT share passwords
  • Pick passwords that
  • Are at least 8 characters long
  • Have a mix of upper- and lower-case letters
    (e.g., GtwP)
  • Include numbers and punctuation marks
    (e.g., G4w?p7)
  • Don't contain words found in dictionaries
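The rules on this slide are easy to encode as a checker; the one below is an added example, not part of the original presentation. The DICTIONARY set and the leet-speak substitution table are constructed stand-ins for a real wordlist or breached-password list. Note that the slide's own sample "G4w?p7" fails its own length rule, and that current NIST guidance (SP 800-63B) favours length and breached-password screening over composition rules like these.

```python
"""Password policy check for the rules on this slide.

Added example, not from the original presentation. The DICTIONARY set
and the leet-speak substitution table are constructed stand-ins; a
real deployment would load a full wordlist or a breached-password list.
"""
import string

# Constructed: tiny wordlist standing in for /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "maryland", "research", "hipaa"}

# Undo the common digit/symbol-for-letter substitutions before the
# dictionary check so "P@ssw0rd!" is still recognised as "password".
LEET = str.maketrans("0134@$", "oleaas")


def check_password(pw, min_len=8, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a punctuation mark")
    # Normalise: lower-case, reverse leet substitutions, keep letters only.
    letters = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in letters)
    if hits:
        problems.append(f"contains dictionary word(s): {', '.join(hits)}")
    return problems


if __name__ == "__main__":
    for candidate in ("GtwP", "G4w?p7", "P@ssw0rd!", "Mz7!kq2Vp"):
        result = check_password(candidate)
        print(f"{candidate!r:14} -> {'OK' if not result else '; '.join(result)}")
```

Running it shows "GtwP" failing three rules, "G4w?p7" failing only the length rule, "P@ssw0rd!" caught by the dictionary check despite its substitutions, and "Mz7!kq2Vp" passing.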

14
System Activity Review
  • Systems storing e-PHI must log
  • Who, when and what
  • Review activity logs regularly to look for
    break-ins or inappropriate activities
  • Report and investigate suspicious findings
  • Sanction violations of security policies
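What a "who, when and what" review actually looks for is best shown on a log. The script below is an added example, not from the original presentation; its log format, study roster (AUTHORIZED) and termination list (TERMINATED) are constructed. It ties together the role-based permissions and immediate revocation from the Technical Access Controls slide with this slide's log review: it flags the cross-study access from the Confidentiality case study, access by an account that should have been revoked, and a bulk export outside working hours.

```python
"""Who/when/what review of an e-PHI access log.

Added example, not from the original presentation. The log format,
the study roster (AUTHORIZED) and the termination list (TERMINATED)
are all constructed for illustration.
"""
import re
from datetime import datetime

# Constructed role-based roster: which studies each account may see.
AUTHORIZED = {
    "jsmith":   {"STUDY-A"},
    "postdoc1": {"STUDY-B"},
    "tech2":    {"STUDY-A", "STUDY-B"},
}

# Constructed: accounts whose access should have been revoked on this date.
TERMINATED = {"tech2": datetime(2005, 3, 1)}

# Constructed audit log: one "when who what study record" line per event.
SAMPLE_LOG = """\
2005-03-02T09:12:03 jsmith READ STUDY-A rec=1041
2005-03-02T09:15:44 postdoc1 READ STUDY-A rec=1041
2005-03-02T23:40:10 jsmith EXPORT STUDY-A rec=*
2005-03-03T08:02:51 tech2 READ STUDY-B rec=2007
2005-03-03T08:05:00 postdoc1 UPDATE STUDY-B rec=2010
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) rec=(\S+)$")


def parse_event(line):
    """Split one log line into its who/when/what fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, user, action, study, rec = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "study": study, "rec": rec}


def review_log(log_text, authorized=AUTHORIZED, terminated=TERMINATED,
               work_hours=(7, 19)):
    """Return (timestamp, user, reason, study) for every suspicious event."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_event(raw)
        # Cross-study access: the post-doc reading another study's records
        # in a shared database is exactly this case.
        if e["study"] not in authorized.get(e["user"], set()):
            findings.append((e["ts"], e["user"], "unauthorized-study", e["study"]))
        # Activity after termination: the account should have been revoked.
        end = terminated.get(e["user"])
        if end is not None and e["ts"] >= end:
            findings.append((e["ts"], e["user"], "after-termination", e["study"]))
        # Bulk export outside working hours is worth a second look.
        if e["action"] == "EXPORT" and not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            findings.append((e["ts"], e["user"], "off-hours-export", e["study"]))
    return findings


if __name__ == "__main__":
    for ts, user, reason, study in review_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<9} {reason:<19} {study}")
```

On the sample log this reports postdoc1 reading a STUDY-A record, jsmith's late-night export, and tech2 still active two days after termination. The point of the roster is that a shared database with no per-study authorization table gives the reviewer nothing to compare the log against, which is why the un-auditable systems on a later slide are unsuitable for e-PHI.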

15
Points of Particular Concern
  • Electronic Communication
  • Information Portability
  • Incident Reporting
  • Un-auditable systems

16
Electronic Communication
  • Most email systems cannot encrypt, guarantee the
    integrity of, or prove authorship of a message.
  • Use great care when sending/receiving sensitive
    information via email
  • Dont email e-PHI
  • SoM and UPI plan to meet secure messaging and
    file sharing needs.

17
Information Portability
  • Technologies let investigators work with data
    on-the-go
  • Mobile devices
  • Remote network access
  • Removable media

18
Mobile Devices
  • Laptop computers and PDAs can hold lots of data
  • Easily stolen, forgotten or lost
  • Departments must define when benefits of mobility
    outweigh risks
  • Register mobile devices containing e-PHI with
    departments
  • Employ strong passwords and encrypt wireless
    connections

19
Remote Access
  • Remote access carries e-PHI out of our network
  • Use same measures at home and work
  • Protect computers with anti-virus software, software
    updates, separate login accounts, strong
    passwords, etc.
  • Don't let family members access e-PHI
  • Encrypt wireless connections

20
Removable Media
  • CDs and USB drives hold vast amounts of data
  • Keep removable media secure at all times
  • Permanently erase or destroy media holding e-PHI
    when data are no longer needed

21
Incident Reporting
  • Staff involvement is key to identifying security
    issues
  • Instruct them to report suspicious behaviors to
    department security liaisons
  • Liaisons will inform SoM/UPI/UMMS Security
    Officers

22
Un-Auditable Systems
  • Common workstation or office applications can't
    track who accessed what, or when
  • MS Excel
  • MS Access
  • Text files
  • They should NOT be used to store e-PHI

23
Administrative Measures
  • HIPAA Security Officers oversee the security of
    information systems
  • For UPI: Chuck Henck, CIO
  • For SoM: Dr. James McNamee, Assoc. Dean and CIO
  • Their HIPAA responsibilities are to
  • Create and administer information system security
    policies
  • Evaluate operation of networks and systems
  • Coordinate contingency planning and other
    security requirements

24
Administrative Measures
  • Departments that use e-PHI will designate a
    Security Liaison with responsibility to
  • Coordinate the department's risk analysis and
    risk management plan with the Security Officer
  • Coordinate implementation of security policies
    and procedures
  • Coordinate the training on HIPAA security
    policies
  • Monitor compliance with those policies
  • Report and respond to department security
    incidents.

25
Summary
  • HIPAA Security rule complements the Privacy rule
  • Specifically protects e-PHI
  • Security measures are Best Practices long used in
    many other industries
  • Research e-PHI receives the same protections as
    clinical e-PHI

26
Additional Resources
  • HHS
  • aspe.hhs.gov/admnsimp
  • Centers for Medicare & Medicaid Services
  • www.cms.hhs.gov/hipaa
  • Phoenix Health Systems
  • www.hipaadvisory.com/action/models.htm

27
Questions?