HIPAA omnibus rule update

HealthCare Information Security: An Evolving Regulatory Landscape with Increasing Stakes
Thomas J. DeMayo, Director, IT Audit and Consulting Services, [email protected]

Uploaded by oconnor-davies-cpas, posted 07-May-2015


DESCRIPTION

Get information on the HIPAA Omnibus Rule and how the revised regulations will impact not only healthcare organizations but also business associates and other IT providers - O'Connor Davies - NYC CPA Firm.

TRANSCRIPT

Page 1: HIPAA omnibus rule update


Page 2

HIPAA – The History
• Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996 to encourage electronic transmission of payer/patient information and payment
• Privacy Rule (2003): designed to ensure patient health information is guaranteed a minimum level of protection across all states
• Security Rule (2005): added administrative, physical and technical safeguards for electronic protected health information (ePHI); it complements the Privacy Rule

Page 3

HIPAA – The History
• HITECH (2009): enacted to promote and expand the adoption of Health Information Technology
– Added increased restrictions (e.g. the Privacy and Security Rules now apply directly to Business Associates (“BA”))
– Enhanced civil monetary penalties, e.g. a tiered penalty structure with penalties of up to $1.5m per calendar year for violations of an identical provision
– Introduced the Breach Notification Rule
– Required HHS to perform periodic audits of Covered Entities (“CE”)

Page 4

HIPAA – The History
• Omnibus Rule (2013): finalized and/or modified provisions of the Interim Rule and added further provisions

Page 5

Privacy Rule!!!!!
• Sorry - We will not be discussing the Privacy Rule

Page 6

Security Rule Changes
• The Final Rule did not change the Security Rule's safeguard standards themselves, but it did:
– Confirm that the Security Rule applies to business associates
– Extend the application of the rule to subcontractors of business associates
– Expand liability for storage providers that maintain ePHI (e.g. cloud providers), even if they do not view it

Page 7

Security Rule Clarification
• Health and Human Services (“HHS”) clarified:
– “Flexibility of approach” or “reasonableness” of the controls continues to apply; however, documentation of the approach and the rationale for it is required
– Internet, extranets and intranets are forms of electronic transmission media: if they transmit ePHI they are in scope
– Certain transmissions, including paper via facsimile and voice via telephone, are not considered transmission via electronic media if the information did not exist in electronic form immediately prior to transmission
– Copiers and fax machines that store ePHI are subject to the Security Rule requirements

Page 8

What exactly is the Security Rule?
• Consists of 78 standards that encompass administrative, technical and physical safeguards
– Administrative: policies, awareness training, assigning a security officer
– Technical: passwords, antivirus, firewalls
– Physical: physical storage of electronic media, positioning of equipment

Page 9

What exactly is the Security Rule?
• The standards (what must be done) contain implementation specifications (how it must be done)
• Implementation specifications are either:
– Required: the specification must be implemented as stated

Page 10

What exactly is the Security Rule?
• Implementation specifications are either: (cont…)
– Addressable: the entity must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in its environment. After performing the assessment, the organization decides whether it will:
• Implement the addressable implementation specification as stated;
• Implement an equivalent alternative measure that allows the entity to comply with the standard; or
• Not implement the addressable specification or any alternative measure, if equivalent measures are not reasonable and appropriate within its environment (the decision and its rationale must be documented)

Page 11

What exactly is the Security Rule?
• Of the 78 standards:
– 26 are Addressable
– 52 are Required

***Addressable Does NOT imply OPTIONAL***

Page 12

Results of Office for Civil Rights Audit
• Audits in 2012 showed that the Security Rule requirements are not being met by covered entities
– Office for Civil Rights (“OCR”) officials have publicly stated this must change
• Of the 159 covered entities audited:
– 10% of selectees had no audit findings
– 10% of selectees were totally unprepared for the audit

Page 13

Results of OCR Audit
• Of the 159 covered entities audited (cont…):
– Security accounted for more than 60% of audit findings
– Providers had the greatest proportion of findings: 65%
– The smallest entities struggled the most in all three areas
– Significantly fewer findings for those entities that fully implemented addressable specifications
– Most common excuse heard for non-compliance: “unaware of the requirement”
– Lack of application of sufficient resources, incomplete implementation, complete disregard

Page 14

Results of OCR Audit
• Top areas reported
– Privacy
• Notice of privacy practices
• Access of individuals
• Minimum necessary
• Authorizations
– Security
• Risk analysis
• Access control
• Contingency planning
• Media movement and disposal
• Audit controls and monitoring

Page 15

Results of OCR Audit (chart; not recoverable from the transcript)

Page 16

Risk Assessment – Why the Fuss?
• Conducting a formalized risk assessment is essential
• The HIPAA Security and Breach Rule framework is built on the results of the risk assessment process
– The results of the risk assessment are what will drive the compliance initiative and will be the foundation on which the security activities are built

Page 17

Risk Assessment – Why the Fuss?
• OCR has made it very clear that all covered entities must have a formalized risk assessment
– Prediction: if your organization is selected for an audit, your documented risk assessment will be one of the items selected for review

Page 18

Risk Assessment Requirement
• Required implementation specification at §164.308(a)(1)(ii)(A)
– Requires a covered entity to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Page 19

Risk Management Requirement
• Once the risks are identified they must be managed
• Required implementation specification at §164.308(a)(1)(ii)(B)
– “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Page 20

§164.306 Security standards: General rules
• §164.306(a) - Covered entities and business associates must do the following:
– (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits
– (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
– (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
– (4) Ensure compliance with this subpart by its workforce

Page 21

Risk in Perspective (figure; not recoverable from the transcript)

Page 22

What are the steps?
• Scope of the analysis: the scope of the risk analysis includes all the people, processes and technology involved in the creation, transmission, maintenance and/or storage of ePHI
• Data collection: the organization must identify where ePHI is being stored, received, maintained or transmitted. If the organization hosts health information at a HIPAA-compliant data center, it will need to contact its hosting provider to document where and how the data is stored
• Identify and document potential threats and vulnerabilities: identify and document any reasonably anticipated threats to ePHI, and the vulnerabilities those threats could exploit. Anticipating potential HIPAA violations helps the organization reach a resolution quickly and effectively

Page 23

What are the steps?
• Assess current security measures: inventory all of the existing security controls implemented by the organization and determine how effective they are in managing the threats and vulnerabilities identified in the previous step
• Determine the likelihood of threat occurrence: for each threat event, determine how likely the event is to occur relative to the organization’s specific circumstances
• Determine the potential impact of threat occurrence: using either qualitative or quantitative methods, assess the maximum impact that a threat event would have on the organization
– How many people could be affected? What extent of private data could be exposed: just medical records, or health information and billing information combined?

Page 24

What are the steps?
• Determine the level of risk: combine the likelihood of occurrence with the potential impact to determine the resulting risk level. Documented risk levels should be accompanied by a list of corrective actions to be performed to mitigate the risk where the resulting level is too high
• Finalize documentation: summarize everything in an organized document. HHS does not specify a particular format, but it does require the analysis in writing
• Periodic review and updates to the risk assessment: the risk analysis process is ongoing; the rule requires that the analysis be repeated on a regular basis and whenever the environment changes

***Be sure the person conducting the risk assessment has the technical capacity to understand and communicate all the risks***
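The steps on the preceding three slides describe a procedure, so here is an added example of the written record they produce. It is not code from the presentation or from O'Connor Davies: it keeps a small ePHI risk register, scores each asset/threat pair by likelihood and impact, ranks the rows, and flags anything above the accepted level that still has no corrective action. The five-point scales, the level cut-offs, the one-year review interval and the sample assets are all assumptions for illustration; HHS mandates the written analysis, not any particular scale or format.

```python
"""Minimal documented ePHI risk register (added example, not the presentation's own code)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import date, timedelta

# Ordinal scales: an assumption for illustration, not an HHS requirement.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Risk:
    """One register row: a place ePHI lives, paired with one reasonably anticipated threat."""
    asset: str                       # system or process holding ePHI (data-collection step)
    location: str                    # where it is stored, received or transmitted
    threat: str                      # reasonably anticipated threat
    vulnerability: str               # weakness that threat could exercise
    existing_controls: list[str] = field(default_factory=list)
    likelihood: str = "possible"     # key of LIKELIHOOD, judged with existing controls in place
    impact: str = "moderate"         # key of IMPACT
    corrective_action: str = ""      # required when the level exceeds what the entity accepts


def risk_score(likelihood: str, impact: str) -> int:
    """Combine likelihood and impact; an unknown scale word raises rather than silently scoring 0."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map the 1-25 score onto three levels (cut-offs assumed for this example)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register(risks: list[Risk], assessed_on: date, accepted: str = "low") -> dict:
    """Produce the written record: scored and ranked rows, plus rows that still lack risk management."""
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        row = asdict(r)
        row.update(score=score, level=risk_level(score))
        rows.append(row)
    rows.sort(key=lambda row: row["score"], reverse=True)
    # Anything above the accepted level needs a documented corrective action
    # (the risk-management specification at 164.308(a)(1)(ii)(B)).
    unmanaged = [row["asset"] for row in rows
                 if LEVEL_ORDER[row["level"]] > LEVEL_ORDER[accepted] and not row["corrective_action"]]
    return {
        "assessed_on": assessed_on.isoformat(),
        "next_review_due": (assessed_on + timedelta(days=365)).isoformat(),  # review interval assumed
        "accepted_level": accepted,
        "risks": rows,
        "unmanaged": unmanaged,
    }


# Constructed sample inventory for the example; these are not real systems.
SAMPLE_RISKS = [
    Risk("EHR database", "on-premises SQL server", "credential theft via phishing",
         "shared DBA account, no MFA", ["antivirus", "perimeter firewall"],
         "likely", "severe", "enforce MFA and individual DBA accounts"),
    Risk("Billing file transfer", "SFTP to clearinghouse", "interception in transit",
         "none identified", ["SFTP", "host-key pinning"], "rare", "major"),
    Risk("Departmental copier", "radiology", "ePHI recovered from copier hard drive at disposal",
         "no sanitisation step in the disposal process", [], "possible", "moderate"),
    Risk("Laptop fleet", "clinic staff", "lost or stolen device",
         "full-disk encryption not verified on every device", ["MDM"], "likely", "major"),
]


def sample_register() -> dict:
    """The register for the constructed sample, assessed on the slide deck's posting date."""
    return build_register(SAMPLE_RISKS, date(2015, 5, 7))


if __name__ == "__main__":
    print(json.dumps(sample_register(), indent=2))
```

Running it prints the register as JSON; the two rows listed under "unmanaged" (the laptop fleet and the copier) are exactly the items an auditor would ask about, because they score above the accepted level yet carry no corrective action. Likelihood is deliberately judged with existing controls already in place, which is what "assess current security measures" before "determine the likelihood" implies.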

Page 25

Penalties for Non-Compliance
• Tiered structure based on the level of culpability:
– Unknowing. The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of the violation
– Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but did not act with willful neglect
– Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA; however, the covered entity or business associate corrected the violation within 30 days of discovery
– Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery

Page 26

Penalties for Non-Compliance (penalty table by tier; not recoverable from the transcript)

* CMP = Civil Monetary Penalty

Page 27

Penalties for Non-Compliance
• While the Final Rule includes many provisions that amplify the penalties associated with a violation of HIPAA, there is some flexibility built into the Final Rule with respect to the imposition of such penalties, as long as the violations are NOT due to willful neglect

Page 28

Breach Notification Rule
• HHS defines "breach" as the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI
• Under the interim rule, “compromise” meant an inappropriate use or disclosure of PHI involving a significant risk of financial, reputational or other harm to the individual
– This risk-of-harm standard was too subjective

Page 29

Breach Notification Rule
• The Final Rule replaced the risk-of-harm standard: unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a "breach" unless the covered entity (or business associate) can demonstrate that there is a low probability that the PHI has been compromised, based on, at minimum, a four-factor risk assessment

Page 30

Breach Notification Rule
• Four-factor risk assessment:
– The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
– The unauthorized person who used the PHI or to whom the disclosure was made
– Whether the PHI was actually viewed or acquired or, alternatively, whether only the opportunity existed for the information to be viewed or acquired
– The extent to which the risk to the PHI has been mitigated

***The risk assessment and its results must be documented and retained for reference***

Page 31

Notification Requirements
• Varies based on the number of affected individuals:
– Must notify each affected individual without unreasonable delay and in no case later than 60 days from discovery of the breach
– If fewer than 500 individuals are affected, must notify the Secretary annually, within 60 days after the end of the calendar year in which the breach was discovered
– If 500 or more individuals are affected, must notify the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach
– If more than 500 residents of a single state or jurisdiction are affected, must also notify prominent media outlets serving that state or jurisdiction

Page 32

Notification Requirements
• Covered entities are ultimately responsible for notifying individuals. The task can be contracted to the business associate that “caused” the breach, but ultimately HHS will hold the covered entity responsible for notification in a timely manner

Page 33

Questions?

Tom DeMayo, CISSP, CIPP, CPT, CEH, MCSE
Director, IT Audit and Consulting Services
[email protected]