TRANSCRIPT
Demystifying HIPAA: Strategies for Joint Compliance with the
HIPAA Privacy and Security Rules
Timothy H. Graham, Esq.
Privacy and Freedom of Information Act Officer, Philadelphia VA Medical Center, Philadelphia, PA
Catherine Reynolds, RN, MSN
Information Security Officer, Philadelphia VA Medical Center, Philadelphia, PA
Lydia Duckworth
HIPAA Security Specialist, VHA HIPAA Project Management Office, Chief Business Office, Washington, D.C.
Program Agenda
Security and Privacy Rules: Similarities and Differences
Overview of the Philadelphia VA Medical Center
Privacy Rule
Security Rule
Case Study
Questions
Comparison of the Rules
Several similarities exist between the HIPAA Privacy and Security Rules:
Intended to be compatible
Both protect the confidentiality of electronic PHI ("ePHI")
Both provide workforce access controls and protections
Coordinated compliance infrastructure
Both require written and documented policies and procedures relating to privacy and security
Both require business associate agreements
Comparison of the Rules
Likewise, several differences exist between the HIPAA Privacy and Security Rules:
Scope: the Security Rule applies only to electronic PHI, while the Privacy Rule applies to all PHI.
The Security Rule has no exception for incidental uses and disclosures (the Privacy Rule permits incidental disclosures that occur despite reasonable safeguards).
A broader audit trail is advisable under the Security Rule.
Continued monitoring is specifically required in the language of the Security Rule.
Philadelphia VA Medical Center
Provides health care for more than 400,000 veterans living in America’s fifth largest metropolitan area and seven counties.
Staffed by more than 1,500 employees who support 135 acute beds, a 240-bed nursing home care unit and four Community Based Outpatient Clinics
Site for over 200 ongoing research projects involving all clinical disciplines
Affiliated with the University of Pennsylvania Schools of Medicine, Nursing and Dental Medicine
The HIPAA Privacy Rule
Introduction and Background
VA has a strong legacy in protecting the privacy and security of veterans’ and employees’ personal information.
In an effort to oversee multiple efforts in VA to protect privacy, the Enterprise Privacy Program was established.
The VHA Privacy Office is responsible for implementing privacy regulations consistently across the Veterans Health Administration.
What is Privacy in the VA?
As a federal agency, the VA is subject to various regulatory statutes that promote the protection of private and confidential health information.
Namely, there are six statutes with which VA must comply:
Health Insurance Portability and Accountability Act of 1996 – 45 CFR Parts 160 & 164
The Privacy Act of 1974 – 5 U.S.C. 552a
The Freedom of Information Act – 5 U.S.C. 552
Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with Human Immunodeficiency Virus, and Sickle Cell Anemia Medical Records – 38 U.S.C. 7332
Confidentiality of Healthcare Quality Assurance Review Records – 38 U.S.C. 5705
The VA Claims Confidentiality Statute – 38 U.S.C. 5701
Why Privacy Compliance Monitoring?
To ensure program goals for confidential protection of health information are achieved.
To determine if policies, procedures and programs are being followed.
To minimize consequences of privacy failures through early detection and remediation.
To provide feedback necessary for privacy program improvement.
To demonstrate to the workforce and the community at large, organizational commitment to health information privacy.
Acknowledge Common Problems
Unclear and inconsistent policies and procedures.
Inconsistencies in enforcement of policies and procedures.
Ineffective or insufficient training and education.
Employee morale and motivation.
The Processes for Monitoring
Establish goals & objectives
Define areas for review
Metrics and methods
Establish frequency
Perform monitoring
Act on results
How?
Establishing Goals and Objectives
Identification of monitoring goals should take into consideration several factors:
Privacy program objectives; Risk assessment results; Incident reporting; Feedback from staff; Administrative mandates.
Taking these factors into consideration identifies the desired outcomes of the monitoring process.
Defining the Areas for Review
Choosing which areas of the medical center should be reviewed can be the most difficult process.
Initially, a facility-wide analysis is most helpful to determine which areas are troubled.
The key in future monitoring is to focus on those areas that are high risk, high volume and/or areas subject to environmental/system changes.
Further, reliance on the incident reporting system will identify key areas for review.
Metrics and Methods for Monitoring
The key to identifying the methods for monitoring is to first identify the objectives and metrics of the audit.
Once the objectives and metrics are delineated, creation of a formal audit tool is critical to documenting and analyzing the results.
Critical to the overall compliance program is the presence of written analysis, compiled as a result of the formal audit.
Examples of Monitoring Methods
Interviews (staff and patients)
Violation tracking reports
Chart audits
Privacy rounds
Program/service self-assessment
Peer review
Simulated case studies
Establish Frequency
Ongoing monitoring (monthly, quarterly and annually) is essential to ensuring that the organization is fulfilling the requirements mandated by law.
Once audits are completed, corrective action plans (CAPs) should be designed and implemented across the department or medical center.
Following the implementation of the CAPs, further audits should take place to monitor compliance with the CAP.
Taking Action… What's the next step after you analyze the audit findings?
Documented analysis of the findings;
Identification of best practices;
Documented comparison between the findings and the program objectives;
Identification of non-compliant areas;
Identification of trends from one department to another;
Identification of problem areas which pose other serious liability issues for the organization (areas where a root cause analysis committee may be helpful).
Corrective Actions
Examples of corrective actions may include:
Revision of policies and procedures;
Focused education and training; and/or
Heightened supervision of staff and enforcement of policies and procedures for safeguarding protected health information.
The HIPAA Security Rule
Builds on and coordinates with organizational requirements under the Privacy Rule.
Addresses the confidentiality, integrity and availability of ePHI the covered entity creates, receives, maintains, or transmits.
The C-I-A Triad
Information security rests on three properties: Confidentiality, Integrity and Availability.
Security Rule Definitions
45 CFR 164.304 – Confidentiality: data or information is not made available or disclosed to unauthorized persons or processes.
45 CFR 164.304 – Integrity: data or information have not been altered or destroyed in an unauthorized manner.
45 CFR 164.304 – Availability: data or information is accessible and usable upon demand by an authorized person.
Background of VA Security Practices
Federal Policies
National Institute of Standards and Technology (NIST) Guidance
VA Information Technology Security Directives
Federal Policies
The Computer Security Act of 1987
Office of Management and Budget Circular A-130
The Federal Managers' Financial Integrity Act of 1982 (FMFIA)
Office of Management and Budget Circular A-123
The Federal Information Security Management Act of 2002 (FISMA)
NIST Guidance
SP 800-12: An Introduction to Computer Security: The NIST Handbook
SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-26: Security Self-Assessment Guide for Information Technology Systems
VA Information Security Directive
VA Directive & Handbook 6210: Automated Information Systems Security Policy
VA Directive 6212: Security of External Connections
VA Directive 6213: VA Public Key Infrastructure
VA Directive 6214: Information Technology Security Certification and Accreditation Program
VA Cyber Security Practitioner
Position Title: Information Security Officer
Responsibilities
Education and Training
The HIPAA Security Standards
Administrative Safeguards: "Actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information."
Physical Safeguards: "Security measures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."
Technical Safeguards: "The technology and the policy and procedures for its use that protect ePHI and control access to it."
Administrative Safeguards
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Planning
Business Associate Agreements, etc.
Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls
Technical Safeguards
Access Control
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security
Case Study of the PVAMC
HIPAA Program Compliance Plan: Three Phase Risk Assessment:
Departmental Self-Assessment and Surveys (handout 1)
Privacy and Security Steering Committee Assessment (handout 2)
Formal Assessment by Privacy Officer and Information Security Officer (handout 2)
Case Study of the PVAMC Areas for Review:
Discussion of confidential information among staff in public areas (hallways, elevators, parking garage and cafeteria)
Health information in trash or unsecured compartments
Health information in open view on desks, in hallways or on medicine carts
Health information left on faxes and printers
Sharing passwords
Computers and workstations not logged off or not securely positioned where feasible
Case Study of the PVAMC Areas for Review (cont.):
Physical arrangement of the area
Sign-in sheets
Use of electronic mail for transmitting protected health information
Staff awareness of and responsibilities for visitors (i.e. did the staff challenge visitors for identification?)
Dictation conducted in public areas or in areas where the provider can be easily overheard
Business Associate Agreements with contracted business/service agreements and accrediting organizations
Case Study of the PVAMC Survey of Key Findings:
Employees consistently rely on the fax machine as a means for transmitting protected health information.
Lack of attention to ensuring that health records are appropriately locked and secured.
Continued reliance on garbage cans as a means of destroying protected health information.
Lack of attention to logging off of computers and workstations.
Lack of written policies and procedures governing specific actions within the departments (e.g., monitoring of visitors in Surgery)
Case Study of the PVAMC Corrective Actions:
Required departments to implement policies and procedures regarding certain processes within the department which pose a risk to the overall Privacy and Security Program.
Provided ongoing education to all employees through bulletins, seminars, staff meetings, annual privacy and information security training and newsletters.
Developed and implemented policies governing the disposal of health information.
Posted signage to remind employees and patients that health information should not be discussed in public forums.
Purchased privacy screens for all computers where repositioning was impossible or impractical.
Questions???
Contact Information:
Timothy H. Graham, Esq.
Privacy and FOIA Officer, Philadelphia VA Medical Center
[email protected]
Catherine Reynolds, RN, MSN
Information Security Officer, Philadelphia VA Medical Center
[email protected]
215.823.5159
Lydia Duckworth
HIPAA Security Specialist, VHA HIPAA Project Management Office
[email protected]