HIPAA Privacy - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
HIPAA Privacy & Security Update: HITECH Breach
Notification Regulations
Practice Management Forum
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro_at_columbia.edu, (212) 305-7315
Soumitra Sengupta, Information Security Officer, sen_at_columbia.edu, (212) 305-7035
  • November 12, 2009

2
This presentation focuses on two types of
confidential electronic information:
  • ePHI: Electronic Protected Health Information
      • Medical record number, account number or SSN
      • Patient demographic data, e.g., address, date of
        birth, date of death, sex, e-mail / web address
      • Dates of service, e.g., date of admission,
        date of discharge
      • Medical records, reports, test results,
        appointment dates
  • PII: Personally Identifiable Information
      • An individual's name together with an SSN, driver's
        license number or credit card number
  • Electronic media includes computers, laptops,
    disks, memory sticks, PDAs, servers, networks,
    dial-up modems, cell phones, e-mail, web sites, etc.

3
HITECH (ARRA): Health Information Technology
for Economic and Clinical Health

  Requirement                     Compliance date
  Breach Notification             September 2009
  Self-Payment Disclosures        February 2010
  Business Associates             February 2010
  Minimum Necessary               August 2010
  Accounting of Disclosures       January 2011 / 2014
  Performance Measures for EHR    enhanced reimbursement rate

4
HITECH Act (ARRA): Health Information Technology
for Economic and Clinical Health
  • New federal breach notification law, effective
    September 2009
  • Applies to all electronic unsecured PHI
  • Requires immediate notification to the federal
    government if more than 500 individuals are affected
  • Annual notification if fewer than 500 individuals
    are affected
  • Requires notification to a major media outlet
  • Breach will be listed on a public website
  • Requires individual notification to patients
  • Criminal penalties apply to an individual or
    employee of a covered entity

5
HITECH Act (ARRA)
  • Enforcement
      • Increased penalties for HIPAA violations
      • Tiered civil monetary penalties from $10,000 to
        $1.5 million
      • Expected increase in enforcement and oversight
        activities
      • State Attorneys General will have enforcement
        authority and may sue for damages and injunctive
        relief
  • Business Associates
      • Standards apply directly to Business Associates
      • Statutory obligation to comply with restrictions
        on use and disclosure of PHI
      • New HITECH privacy provisions must be
        incorporated into the BAA

6
New York State SSN/PII Laws
  • Social Security Number Protection Law
      • Effective December 2007
      • Recognizes the SSN as a primary identifier used in
        identity theft
      • It is illegal to communicate this information to
        the general public
      • Access cards, tags, etc. may not carry the SSN
      • SSN may not be transmitted over the Internet without
        encryption
      • SSN may not be used as a password
      • SSN may not be printed on envelopes with
        see-through windows
      • SSN may not be requested unless required for a
        business purpose
      • Fines and penalties for unauthorized use or
        disclosure

7
New York State SSN/PII Laws
  • Information Security Breach and Notification Act
      • Effective December 2005
      • IF a breach of Personally Identifiable Information
        occurs, involving:
          • SSN
          • Credit card
          • Driver's license
      • THEN you must notify:
          • patients / customers / employees
          • NY State Attorney General
          • Consumer reporting agencies

8
New Regulations: Red Flag Rule
  • Red Flag Identity Theft Prevention Program
      • Requires healthcare organizations to establish a
        written program to identify, detect and respond
        to, and correct, reports of potential identity
        theft
      • Educate all staff on how to identify Red Flags and
        report them
      • Appoint a program administrator; report to
        leadership
      • FTC law includes fines and penalties of $2,500 per
        violation
      • Business Associate Agreements will have to be
        revised to inform CUMC of any Red Flags involving
        CUMC data
      • Enforcement delayed until February 2010

9
What you need to know in Information Security

10
Types of Information Security Failures
  • Lost/stolen laptop with unencrypted ePHI or PII
      • Under HITECH and the NY State SSN laws, you may be
        personally liable, and you will be disciplined
        for loss of unencrypted PHI or PII
  • Sending ePHI outside the institution without
    encryption
      • Under HITECH you may be personally liable for
        losing ePHI data
  • Sharing passwords
      • You are responsible for your password. If you
        shared your password, you will be disciplined
        even if the other person performs no inappropriate access
  • Not signing off systems
      • You are responsible and will be disciplined if
        another person uses your not-signed-off system
        and application

11
Security Controls
  • Laptop and file encryption
      • WinZip (password protect and encrypt)
      • 7-Zip (free; password protect and encrypt)
      • TrueCrypt (free; complete folder encryption)
      • FileVault (folder encryption on Macintosh)
  • Encrypted USB drives
      • IronKey (fully encrypted)
      • Kingston DataTraveler

12
Columbia University Medical Center
  • Two of the laptops reported stolen at CUMC last
    year:
      • Laptop located in a physician office
          • Laptop was not encrypted and not password
            protected
          • Included 300 patient names, medical record
            numbers and test results
      • Laptop located in a patient testing area
          • Laptop was password protected but not encrypted
          • Included approximately 150 patient names, dates of
            birth, medical record numbers and test results
  • Prior to HITECH, these patients were not required
    to be notified because the data on the laptops
    did not include social security numbers; however,
    the new breach notification act would require
    notification of each patient and remediation
    (free credit monitoring)

13
NewYork-Presbyterian Hospital
  • An NYP employee (patient admissions
    representative) was charged with stealing almost
    50,000 patient files and selling some of them.
  • The files stolen probably contained little or no
    medical information, but did include patient
    names, phone numbers and social security
    numbers: fertile ground for identity theft.
  • The employee reported that he sold the demographic
    information of 1,000 patients and was paid $750.
  • NewYork-Presbyterian Hospital has reported that
    the cost of the breach was over $1.5 million,
    including the cost of mailing to all 50,000
    patients and offering free credit monitoring, in
    addition to the cost associated with the negative
    publicity.

14
Security Reminders
  • Password required
  • Use encryption for portable devices with PHI
  • Password protect your computer
  • Run anti-virus, anti-spam and anti-spyware software
  • Dispose of information correctly
  • Keep office secured

15
HITECH Action Plan
  • REMINDER: Workforce members are required to
    report the loss or theft of any Protected Health
    Information
  • Staff education
      • Include in New Hire / Welcome Program
      • E-mail reminders / alerts for staff
      • Department-specific sessions as requested
  • Review existing policies and procedures
  • Implement Confidentiality Agreement

HIPAA SECURITY