Health Information Privacy and Security
John Rasmussen MBA
Learning Objectives
After reviewing the presentation, viewers should be able to:
Explain the importance of confidentiality, integrity, and availability
Describe the regulatory environment and how it drives information privacy and security programs within the health care industry
Recognize the importance of data security and privacy as related to public perception, particularly regarding data breach and loss
Identify different types of threat actors and their motivations
Identify different types of controls used and how they are used to protect information
Describe emerging risks and how they impact the health care sector
Three Pillars of Data Security
Confidentiality refers to the prevention of data loss, and is the category most easily identified with HIPAA privacy and security within healthcare environments. Usernames, passwords, and encryption are common measures implemented to ensure confidentiality.
Availability refers to system and network accessibility, and often focuses on power loss or network connectivity outages. Loss of availability may be attributed to natural or accidental disasters such as tornadoes, earthquakes, hurricanes or fire, but also to man-made scenarios such as a Denial of Service (DoS) attack or a malicious infection which compromises a network and prevents system use. To counteract such issues, backup generators, continuity of operations planning and peripheral network security equipment are used to maintain availability.
Integrity describes the trustworthiness and permanence of data, an assurance that the lab results or personal medical history of a patient cannot be modified by unauthorized entities or corrupted by a poorly designed process. Database best practices, data loss prevention solutions, and data backup and archival tools are implemented to prevent data manipulation, corruption, or loss, thereby maintaining the integrity of patient data.
Defense in Depth for Healthcare
Data must be classified to determine its risk
Healthcare organizations must develop a set of controls to protect confidentiality, integrity and availability of data
One layer of defense is not likely to be adequate
Healthcare organizations will need technical, administrative and physical safeguards
Administrative Safeguards
Security management processes to reduce risks and vulnerabilities
Security personnel responsible for developing and implementing security policies
Information access management: the minimum access needed to perform duties
Workforce training and management
Background checks, drug screens, etc. for new employees
Evaluation of security policies and procedures
Physical Safeguards
Limit physical access to facilities
Workstation and device security policies and procedures covering transfer, removal, disposal, and re-use of electronic media
Badge with photo
Technical Safeguards
Access control that restricts access to authorized personnel
Audit controls for hardware, software, and transactions
Integrity controls to ensure data is not altered or destroyed
Transmission security to protect against unauthorized access to data transmitted on networks and via email
Unique usernames and passwords, encrypted software, anti-virus software, secure email, firewalls, etc.
Healthcare Regulatory Environment
Health Insurance Portability & Accountability Act (HIPAA – 1996)
Laid the groundwork for privacy and security measures in healthcare. Its initial intent was to cover patients who switched physicians or insurers (portability)
The next important Act was the American Recovery and Reinvestment Act (ARRA – 2009) and the HITECH Act, which imposed new requirements for breach notification and stiffer penalties
Covered Entities or Those Who Must Follow HIPAA Privacy Rule
Health Plans: Health insurers, HMOs, Company health plans, Government programs such as Medicare and Medicaid
Health Care Providers who conduct business electronically: Most doctors, Clinics, Hospitals, Psychologists, Chiropractors, Nursing homes, Pharmacies, Dentists
Health care clearinghouses
Covered Entities: Patient Rights
Request and receive a copy of their health records
Request an amendment to their health record
Receive a notice that discusses how health information may be used and shared, the Notice of Privacy Practices
Request a restriction on the use and disclosure of their health information
Receive a copy of their “accounting of disclosures”
Restrict disclosure of the health information to an insurer if the encounter is paid for out of pocket
File a complaint with a provider, health insurer, and/or the U.S. Government if patient rights are being denied or health information is not being protected.
Organizations That Do Not Need To Follow HIPAA Privacy Rule
Life insurers
Employers
Workers compensation carriers
Many schools and school districts
Many state agencies like child protective service agencies
Many law enforcement agencies
Many municipal offices
Protected Health Information (PHI)
Individually identifiable health information:
Information created by a covered entity
And “relates to the past, present, or future physical or mental health or condition of an individual”
Or identifies the individual or there is a reasonable basis to believe that the individual can be identified from the information.
HIPAA
Protections apply to all protected health information (PHI), whether in hard copy records, electronic protected health information (ePHI) stored on computing systems, or even verbal discussions between medical professionals
Covered entities must put safeguards in place to ensure data is not compromised, and that it is only used for the intended purpose
The HIPAA rules are not designed to and should not impede the treatment of patients
Privacy Rule Mandates Removal of 18 Identifiers
Names
All geographic subdivisions smaller than a state
All elements of dates (except year)
Telephone numbers
Facsimile numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web universal resource locators (URLs)
Internet protocol (IP) address numbers
Biometric identifiers, including fingerprints and voiceprints
Full-face photographic images and any comparable images
Any other unique identifying number, characteristic, or code
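The safe-harbor de-identification implied by this list, as an added example that is not part of the original slides: the field names and sample values are constructed and hypothetical. It drops the direct identifiers, reduces dates to the year, keeps the state as the smallest permitted geographic unit, and redacts identifier patterns that leak into free-text notes.

```python
import re
from datetime import date
# Hypothetical field names for a constructed patient record (not from the slides),
# mapped onto the 18 safe-harbor identifier categories listed above.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "fingerprint", "voiceprint", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}   # keep only the year

# Patterns that catch identifiers leaking into free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),    # telephone / fax
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),    # e-mail address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),    # IPv4 address
    re.compile(r"https?://\S+"),                   # URL
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),      # full date (mm/dd/yyyy)
]

def deidentify(record):
    """Return a copy of the record with the 18 identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                               # drop direct identifiers entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year        # dates: every element except year removed
            continue
        if isinstance(value, str):                 # state stays; free text is scrubbed
            for pattern in FREE_TEXT_PATTERNS:
                value = pattern.sub("[REDACTED]", value)
        out[key] = value
    return out

def residual_identifiers(record):
    """Keys that still carry an identifier; a clean record returns an empty list."""
    hits = [k for k in record if k in DIRECT_IDENTIFIER_FIELDS or k in DATE_FIELDS]
    hits += [k for k, v in record.items()
             if isinstance(v, str) and any(p.search(v) for p in FREE_TEXT_PATTERNS)]
    return hits

# Constructed sample record with fictitious values.
SAMPLE = {
    "name": "Jane Example", "dob": date(1970, 3, 14), "state": "OH", "zip": "44101",
    "ssn": "123-45-6789", "mrn": "MRN-000123", "diagnosis": "Type 2 diabetes",
    "notes": "Call 216-555-0100 or jane@example.com; admitted 03/14/2019.",
}
```

Running `residual_identifiers(deidentify(SAMPLE))` returns an empty list, while the same check on the raw record flags the name, date of birth, ZIP, SSN, MRN and the notes field.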
Permitted Uses and Disclosures of Patient Data
To the individual
For treatment, payment or health care operations
Uses and disclosures with opportunity to agree or object
Facility directories
For notification and other purposes
Incidental use and disclosure
Public interest and benefit activities
Required by law
Public health activities
Victims of abuse, neglect or domestic violence
Health oversight activities
Judicial and administrative proceedings
Law enforcement purposes
Decedents
Cadaveric organ, eye, or tissue donation
Research
Serious threat to health or safety
Essential government functions
Workers’ compensation
Business Associate (BA)
BAs are third parties that handle PHI on behalf of the covered entity (CE), such as an EHR vendor or a transcription service
They must have a BA agreement with the CE
This forces the BA to comply with all security requirements
The BA can be penalized for violating HIPAA requirements
Breach Requirements under HIPAA
A breach is an unauthorized acquisition, access or use of PHI. Exceptions:
Data is encrypted. This is considered a safe harbor; or
“Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure”; or
“Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed”; or
“A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.”
Breach Notification
If a breach is determined, the covered entity must notify the individual(s) impacted by the breach within 60 days of when the breach is identified. The notification must include:
A description of what happened
A description of the type of PHI that was breached
Steps the individual can take to protect themselves
What the covered entity is doing to investigate the breach and mitigate harm
Contact information for the individual to contact the covered entity
If a breach exceeds 500 individuals, the covered entity must also notify the media and must report the breach to the Office for Civil Rights (OCR).
Regardless of the number of individuals impacted by a breach, all breaches must be reported to the OCR annually.
Administrative Requirements for the Privacy Rule
Develop and implement written privacy policies and procedures
Designate a privacy official
Workforce training and management
Mitigation strategy for privacy breaches
Data safeguards – administrative, technical, and physical
Designate a complaint official and procedure to file complaints
Establish retaliation and waiver policies and restrictions
Documentation and record retention – six years
Fully-insured group hea