Health Information Privacy and Security

John Rasmussen MBA

Learning Objectives

After reviewing the presentation, viewers should be able to:

Explain the importance of confidentiality, integrity, and availability

Describe the regulatory environment and how it drives information privacy and security programs within the health care industry

Recognize the importance of data security and privacy as related to public perception, particularly regarding data breach and loss

Identify different types of threat actors and their motivations

Identify different types of controls used and how they are used to protect information

Describe emerging risks and how they impact the health care sector

Three Pillars of Data Security

Confidentiality refers to the prevention of data loss (unauthorized disclosure), and is the category most easily identified with HIPAA privacy and security within healthcare environments. Usernames, passwords, and encryption are common measures implemented to ensure confidentiality.

Availability refers to system and network accessibility, and often focuses on power loss or network connectivity outages. Loss of availability may be caused by natural or accidental disasters such as tornadoes, earthquakes, hurricanes or fire, but also by man-made scenarios, such as a Denial of Service (DoS) attack or a malicious infection that compromises a network and prevents system use. To counteract such issues, backup generators, continuity of operations planning and perimeter (edge) network security equipment are used to maintain availability.

Integrity describes the trustworthiness and permanence of data: an assurance that the lab results or personal medical history of a patient are not modifiable by unauthorized entities or corrupted by a poorly designed process. Database best practices, data loss prevention solutions, and data backup and archival tools are implemented to prevent data manipulation, corruption, or loss, thereby maintaining the integrity of patient data.

Defense in Depth for Healthcare

Data must be classified to determine its risk

Healthcare organizations must develop a set of controls to protect the confidentiality, integrity and availability of data

One layer of defense is not likely to be adequate

Healthcare organizations will need technical, administrative and physical safeguards

Administrative Safeguards

Security management processes to reduce risks and vulnerabilities

Security personnel responsible for developing and implementing security policies

Information access management: the minimum access needed to perform duties

Workforce training and management

Background checks, drug screens, etc. for new employees

Evaluation of security policies and procedures

Physical Safeguards

Limit physical access to facilities

Workstation and device security policies and procedures covering transfer, removal, disposal, and re-use of electronic media

Badge with photo

Technical Safeguards

Access control that restricts access to authorized personnel

Audit controls for hardware, software, and transactions

Integrity controls to ensure data is not altered or destroyed

Transmission security to protect against unauthorized access to data transmitted on networks and via email

Unique usernames and passwords, encryption software, anti-virus software, secure email, firewalls, etc.
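Two of the technical safeguards listed above, access control limited to authorized personnel and audit controls on transactions, can be combined in one small policy engine. The Python below is an added illustration, not code from the presentation or from any HIPAA product; the role names, the role-to-field permission map, the user IDs and the sample requests are all constructed. Every decision, allowed or denied, is written to the audit log, which is what lets a privacy official later answer "who looked at this patient's record and why".

```python
"""Minimum-necessary access control with an audit trail for ePHI.

Added example, not from the presentation. Roles, users and the PHI
field names below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> permitted PHI fields map (minimum necessary):
# a billing clerk needs account data, not the clinical note.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical_notes", "lab_results", "medications"},
    "nurse": {"demographics", "medications", "lab_results"},
    "billing": {"demographics", "account"},
    "researcher": set(),  # no direct PHI access; must work from de-identified data
}


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    fields_requested: tuple
    allowed: bool
    reason: str


@dataclass
class AccessGate:
    users: dict                      # unique user id -> role (unique usernames)
    audit_log: list = field(default_factory=list)

    def request(self, user_id, patient_id, fields):
        """Decide one access request and record it regardless of the outcome."""
        fields = tuple(sorted(fields))
        role = self.users.get(user_id)
        if role is None:
            allowed, reason = False, "unknown user"
        else:
            denied = set(fields) - ROLE_PERMISSIONS.get(role, set())
            if denied:
                allowed = False
                reason = "beyond minimum necessary: " + ", ".join(sorted(denied))
            else:
                allowed, reason = True, "within role permissions"
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user_id, role or "none",
            patient_id, fields, allowed, reason))
        return allowed

    def denied_events(self, user_id=None):
        """Audit query: denied accesses, optionally filtered to one user."""
        return [e for e in self.audit_log
                if not e.allowed and (user_id is None or e.user_id == user_id)]


def run_sample():
    """Run constructed requests through the gate; returns (gate, decisions)."""
    gate = AccessGate(users={"dr.lee": "physician",
                             "clerk07": "billing",
                             "ext-99": "researcher"})
    decisions = [
        gate.request("dr.lee", "P-1001", ["clinical_notes", "lab_results"]),  # allowed
        gate.request("clerk07", "P-1001", ["account"]),                        # allowed
        gate.request("clerk07", "P-1001", ["clinical_notes"]),                 # denied
        gate.request("ext-99", "P-1001", ["demographics"]),                    # denied
        gate.request("nobody", "P-1001", ["demographics"]),                    # denied
    ]
    return gate, decisions


if __name__ == "__main__":
    gate, decisions = run_sample()
    print(decisions)
    for event in gate.denied_events():
        print(event.user_id, event.patient_id, event.reason)
```

The denied events are the interesting ones for monitoring: a clerk repeatedly requesting clinical notes, or requests from an unknown user ID, are the patterns an audit review would flag.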

Healthcare Regulatory Environment

Health Insurance Portability & Accountability Act (HIPAA – 1996)

Laid the groundwork for privacy and security measures in healthcare. Its initial intent was to cover patients who switched physicians or insurers (portability).

The next important act was the American Recovery and Reinvestment Act (ARRA – 2009) and the HITECH Act, which imposed new requirements for breach notification and stiffer penalties.

Covered Entities or Those Who Must Follow HIPAA Privacy Rule

Health Plans: Health insurers, HMOs, Company health plans, Government programs such as Medicare and Medicaid

Health Care Providers who conduct business electronically: Most doctors, Clinics, Hospitals, Psychologists, Chiropractors, Nursing homes, Pharmacies, Dentists

Health care clearinghouses

Covered Entities: Patient Rights

Request and receive a copy of their health records

Request an amendment to their health record

Receive a notice that discusses how health information may be used and shared, the Notice of Privacy Practices

Request a restriction on the use and disclosure of their health information

Receive a copy of their “accounting of disclosures”

Restrict disclosure of the health information to an insurer if the encounter is paid for out of pocket

File a complaint with a provider, health insurer, and/or the U.S. Government if patient rights are being denied or health information is not being protected.

Organizations That Do Not Need To Follow HIPAA Privacy Rule

Life insurers

Employers

Workers compensation carriers

Many schools and school districts

Many state agencies like child protective service agencies

Many law enforcement agencies

Many municipal offices

Protected Health Information (PHI)

Individually identifiable health information:

Information created by a covered entity

And “relates to the past, present, or future physical or mental health or condition of an individual”

Or identifies the individual or there is a reasonable basis to believe that the individual can be identified from the information.

HIPAA

Protections apply to all protected health information (PHI), whether in hard-copy records, electronic protected health information (ePHI) stored on computing systems, or even verbal discussions between medical professionals

Covered entities must put safeguards in place to ensure data is not compromised and that it is used only for its intended purpose

The HIPAA rules are not designed to, and should not, impede the treatment of patients

Privacy Rule Mandates Removal of 18 Identifiers

Names

All geographic subdivisions smaller than a state

All elements of dates (except year)

Telephone numbers

Facsimile numbers

Electronic mail addresses

Social security numbers

Medical record numbers

Health plan beneficiary numbers

Account numbers

Certificate/license numbers

Vehicle identifiers and serial numbers, including license plate numbers

Device identifiers and serial numbers

Web universal resource locators (URLs)

Internet protocol (IP) address numbers

Biometric identifiers, including fingerprints and voiceprints

Full-face photographic images and any comparable images

Any other unique identifying number, characteristic, or code
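Removing the 18 identifiers above is the Safe Harbor method of de-identification. The Python below is an added example, not code from the presentation: it applies the list to a constructed patient record, dropping structured identifier fields by name, reducing date fields to the year (the one date element the list permits), and scrubbing free text of the identifiers a pattern can catch (phone, email, SSN, URL, IP address, full dates). The field names, the sample record and the regular expressions are assumptions; the patterns cover common formats only, so free-text notes still need a human review step before release.

```python
"""Safe Harbor de-identification of a patient record.

Added example, not from the presentation. Field names, the sample
record and the regexes are assumptions; the record is fictitious.
"""
import re
from datetime import date

# Structured fields that map directly onto identifier categories in the list.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",            # names; geography smaller than a state
    "phone", "fax", "email", "ssn",
    "mrn", "plan_beneficiary_id", "account_no",
    "license_no", "vehicle_plate", "device_serial",
    "url", "ip", "fingerprint_hash", "photo",
}
# Date fields: all elements except the year must go.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Free-text patterns; order matters (SSN before phone so 123-45-6789 is tagged as SSN).
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "url": re.compile(r"https?://\S+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def year_only(value):
    """Keep only the year of a date value (date object or ISO string)."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def scrub_text(text):
    """Replace mechanically detectable identifiers in free text with a tag."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub("[%s REMOVED]" % label.upper(), text)
    return text


def deidentify(record):
    """Return (deidentified_record, names_of_removed_fields)."""
    out, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)              # drop the whole field
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)     # clinical free text
        else:
            out[key] = value
    return out, removed


SAMPLE = {  # constructed, fictitious patient record
    "name": "Jane Example", "zip": "12345", "state": "NY",
    "dob": date(1980, 3, 14), "admit_date": "2023-07-02",
    "mrn": "MRN-00042", "email": "jane@example.com",
    "diagnosis": "Type 2 diabetes",
    "note": ("Pt called from 555-123-4567, follow-up at "
             "https://portal.example/visit on 07/09/2023; SSN 123-45-6789 on file."),
}

if __name__ == "__main__":
    clean, gone = deidentify(SAMPLE)
    print(clean)
    print("removed fields:", gone)
```

Note that "state" survives (it is not smaller than a state) while "zip" does not, and that the diagnosis is retained: de-identification removes who the record is about, not what it says.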

Permitted Uses and Disclosures of Patient Data

To the individual

For treatment, payment or health care operations

Uses and disclosures with opportunity to agree or object:
  Facility directories
  For notification and other purposes

Incidental use and disclosure

Public interest and benefit activities:
  Required by law
  Public health activities
  Victims of abuse, neglect or domestic violence
  Health oversight activities
  Judicial and administrative proceedings
  Law enforcement purposes
  Decedents
  Cadaveric organ, eye, or tissue donation
  Research
  Serious threat to health or safety
  Essential government functions
  Workers’ compensation

Business Associate (BA)

BAs are related to the covered entity (CE), such as an EHR vendor or a transcription service

They must have a BA agreement with the CE

This forces the BA to comply with all security requirements

The BA can be penalized for violating HIPAA requirements

Breach Requirements under HIPAA

A breach is an unauthorized acquisition, access or use of PHI. Exceptions:

The data is encrypted. This is considered a safe harbor; or

“Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure”; or

“Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed”; or

“A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.”

Breach Notification

If a breach is determined, the covered entity must notify the individual(s) impacted by the breach, within 60 days of when the breach is identified. The notification must include:

A description of what happened

A description of the type of PHI that was breached

Steps the individual can take to protect themselves

What the covered entity is doing to investigate the breach and mitigate harm

Contact information for the individual to contact the covered entity

If a breach exceeds 500 individuals, the covered entity must notify the media and must report the breach to the Office for Civil Rights (OCR).

Regardless of the number of individuals impacted by a breach, all breaches must be reported to the OCR annually
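The breach definition, its exceptions and the notification duties above can be encoded as an incident-response checklist. The Python below is an added example, not from the presentation: `assess` returns the determination and the individual-notification deadline for one incident record, and `triage` orders open breaches by days remaining to that deadline. The field names, the sample incidents and the representation of the exceptions (as flags set by the privacy official after review, since deciding whether the good-faith or inadvertent-disclosure wording applies is a judgement call, not a computation) are assumptions.

```python
"""Breach determination and notification checklist.

Added example, not part of the presentation. Field names, the sample
incidents and the exception flags are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_INDIVIDUALS_WITHIN_DAYS = 60   # slide: within 60 days of identification
MEDIA_AND_OCR_THRESHOLD = 500         # slide: "exceeds 500 individuals"


@dataclass
class Incident:
    incident_id: str
    identified_on: date
    individuals_affected: int
    phi_encrypted: bool                 # encryption safe harbor applies
    good_faith_exception: bool = False  # one of the three quoted exceptions, per privacy official


def assess(incident):
    """Return a dict: is this a reportable breach, and if so what must happen."""
    if incident.phi_encrypted:
        return {"breach": False, "reason": "encrypted PHI: safe harbor"}
    if incident.good_faith_exception:
        return {"breach": False,
                "reason": "good-faith / inadvertent-disclosure exception documented"}
    deadline = incident.identified_on + timedelta(days=NOTIFY_INDIVIDUALS_WITHIN_DAYS)
    large = incident.individuals_affected > MEDIA_AND_OCR_THRESHOLD
    return {
        "breach": True,
        "reason": "unauthorized acquisition, access or use of unencrypted PHI",
        "notify_individuals_by": deadline,
        "notify_media": large,
        "report_to_ocr": "report this breach" if large else "include in annual report",
        "notice_must_include": [
            "description of what happened",
            "type of PHI involved",
            "steps the individual can take to protect themselves",
            "what the covered entity is doing to investigate and mitigate harm",
            "contact information for the covered entity",
        ],
    }


def triage(incidents, today):
    """Open breaches as (incident_id, days_until_individual_deadline), soonest first."""
    rows = []
    for inc in incidents:
        result = assess(inc)
        if result["breach"]:
            rows.append((inc.incident_id, (result["notify_individuals_by"] - today).days))
    return sorted(rows, key=lambda row: row[1])


SAMPLE_INCIDENTS = [  # constructed
    Incident("INC-1", date(2024, 1, 5), 10_000, phi_encrypted=True),          # lost encrypted laptop
    Incident("INC-2", date(2024, 1, 10), 1_200, phi_encrypted=False),         # exposed export
    Incident("INC-3", date(2024, 2, 1), 30, phi_encrypted=False),             # misdirected fax
    Incident("INC-4", date(2024, 2, 3), 1, phi_encrypted=False,
             good_faith_exception=True),                                     # wrong chart opened, closed at once
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, assess(inc))
    print(triage(SAMPLE_INCIDENTS, date(2024, 2, 20)))
```

The encrypted-laptop case is why encryption at rest matters operationally as well as technically: the same loss event drops out of the notification workflow entirely when the safe harbor applies.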

Administrative Requirements for the Privacy Rule

Develop and implement written privacy policies and procedures

Designate a privacy official

Workforce training and management

Mitigation strategy for privacy breaches

Data safeguards – administrative, technical, and physical

Designate a complaint official and procedure to file complaints

Establish retaliation and waiver policies and restrictions

Documentation and record retention – six years

Fully-insured group hea