Demystifying HIPAA: Strategies for Joint Compliance with the HIPAA Privacy and Security Rules Timothy H. Graham, Esq. Privacy and Freedom of Information Act Officer Philadelphia VA Medical Center, Philadelphia, PA Catherine Reynolds, RN, MSN Information Security Officer Philadelphia VA Medical Center, Philadelphia, PA Lydia Duckworth HIPAA Security Specialist, VHA HIPAA Project Management Office Chief Business Office, Washington, D.C.


Post on 24-Dec-2015


TRANSCRIPT

Page 1: Demystifying HIPAA: Strategies for Joint Compliance with the HIPAA Privacy and Security Rules Timothy H. Graham, Esq. Privacy and Freedom of Information

Demystifying HIPAA: Strategies for Joint Compliance with the

HIPAA Privacy and Security Rules

Timothy H. Graham, Esq.

Privacy and Freedom of Information Act Officer, Philadelphia VA Medical Center, Philadelphia, PA

Catherine Reynolds, RN, MSN

Information Security Officer, Philadelphia VA Medical Center, Philadelphia, PA

Lydia Duckworth

HIPAA Security Specialist, VHA HIPAA Project Management Office, Chief Business Office, Washington, D.C.

Page 2:

Program Agenda

Security and Privacy Rules: Similarities and Differences

Overview of the Philadelphia VA Medical Center

Privacy Rule

Security Rule

Case Study

Questions

Page 3:

Comparison of the Rules

Several similarities exist between the HIPAA Privacy and Security Rules:

Intended to be compatible

Both protect the confidentiality of electronic PHI ("ePHI")

Both provide workforce access controls and protections

Coordinated compliance infrastructure

Both require written and documented policies and procedures relating to privacy and security

Both require business associate agreements

Page 4:

Comparison of the Rules

Likewise, several differences exist between the HIPAA Privacy and Security Rules:

The Security Rule has no exception for incidental uses and disclosures (the Privacy Rule permits them when reasonable safeguards and minimum-necessary practices are in place)

A broader audit trail is advisable under the Security Rule

Scope: the Security Rule applies only to electronic PHI, while the Privacy Rule applies to all PHI

Continued monitoring is specifically required in the language of the Security Rule

Page 5:

Philadelphia VA Medical Center

Provides health care for more than 400,000 veterans living in America's fifth largest metropolitan area and seven counties.

Staffed by more than 1,500 employees who support 135 acute beds, a 240-bed nursing home care unit and four Community Based Outpatient Clinics

Site for over 200 ongoing research projects involving all clinical disciplines

Affiliated with the University of Pennsylvania Schools of Medicine, Nursing and Dental Medicine

Page 6:

The HIPAA Privacy Rule

Page 7:

Introduction and Background

VA has a strong legacy in protecting the privacy and security of veterans’ and employees’ personal information.

In an effort to oversee multiple efforts in VA to protect privacy, the Enterprise Privacy Program was established.

The VHA Privacy Office is responsible for implementing privacy regulations consistently across the Veterans Health Administration.

Page 8:

What is Privacy in the VA?

As a federal agency, the VA is subject to various regulatory statutes that promote the protection of private and confidential health information.

Namely, there are six statutes with which VA must comply:

Health Insurance Portability and Accountability Act of 1996 – 45 CFR Parts 160 & 164

The Privacy Act of 1974 – 5 U.S.C. 552a

The Freedom of Information Act – 5 U.S.C. 552

Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with Human Immunodeficiency Virus, and Sickle Cell Anemia Medical Records – 38 U.S.C. 7332

Confidentiality of Healthcare Quality Assurance Review Records – 38 U.S.C. 5705

The VA Claims Confidentiality Statute – 38 U.S.C. 5701

Page 9:

Why Privacy Compliance Monitoring?

To ensure program goals for confidential protection of health information are achieved.

To determine if policies, procedures and programs are being followed.

To minimize consequences of privacy failures through early detection and remediation.

To provide feedback necessary for privacy program improvement.

To demonstrate to the workforce and the community at large the organization's commitment to health information privacy.

Page 10:

Acknowledge Common Problems

Unclear and inconsistent policies and procedures.

Inconsistencies in enforcement of policies and procedures.

Ineffective or insufficient training and education.

Employee morale and motivation.

Page 11:

The Processes for Monitoring

Establish goals & objectives

Define areas for review

Metrics and methods

Establish frequency

Perform monitoring

Act on results

How?

Page 12:

Establishing Goals and Objectives

Identification of monitoring goals should take into consideration several factors:

Privacy program objectives; Risk assessment results; Incident reporting; Feedback from staff; Administrative mandates.

Taking these factors into consideration identifies the desired outcomes of the monitoring process.

Page 13:

Defining the Areas for Review

Choosing which areas of the medical center should be reviewed can be the most difficult step in the process.

Initially, a facility-wide analysis is most helpful to determine which areas are troubled.

The key in future monitoring is to focus on those areas that are high risk, high volume and/or areas subject to environmental/system changes.

Further, reliance on the incident reporting system will identify key areas for review.

Page 14:

Metrics and Methods for Monitoring

The key to identifying the methods for monitoring is to first identify the objectives and metrics of the audit.

Once the objectives and metrics are delineated, creation of a formal audit tool is critical to documenting and analyzing the results.

Critical to the overall compliance program is the presence of written analysis, compiled as a result of the formal audit.

Page 15:

Examples of Monitoring Methods

Interviews (staff and patients)

Violation Tracking reports

Chart Audits

Privacy Rounds

Program/Service Self-Assessment

Peer Review

Simulated Case Studies

Page 16:

Establish Frequency

Ongoing monitoring (monthly, quarterly and annually) is essential to ensuring that the organization is fulfilling the requirements mandated by law.

Once audits are completed, corrective action plans (CAPs) should be designed and implemented across the department or medical center.

Following the implementation of the CAPs, further audits should take place to monitor compliance with the CAP.

Page 17:

Taking Action… What's the next step after you analyze the audit findings?

Documented analysis of the findings;

Identification of best practices;

Documented comparison between the findings and the program objectives;

Identification of non-compliant areas;

Identification of trends from one department to another;

Identification of problem areas which pose other serious liability issues for the organization (areas where a root cause analysis committee may be helpful).

Page 18:

Corrective Actions

Examples of corrective actions may include:

Revision of policies and procedures;

Focused education and training; and/or

Heightened supervision of staff and enforcement of policies and procedures for safeguarding protected health information.

Page 19:

The HIPAA Security Rule

Page 20:

The HIPAA Security Rule

Builds on and coordinates with organizational requirements under the Privacy Rule.

Addresses the confidentiality, integrity and availability of ePHI the covered entity creates, receives, maintains, or transmits.

Page 21:

The C-I-A Triad

[Diagram: Information Security at the centre, with its three properties Confidentiality, Integrity and Availability]

Page 22:

Security Rule Definitions (45 CFR 164.304)

Confidentiality: data or information is not made available or disclosed to unauthorized persons or processes.

Integrity: data or information have not been altered or destroyed in an unauthorized manner.

Availability: data or information is accessible and usable upon demand by an authorized person.

Page 23:

Background of VA Security Practices

Federal Policies

National Institute of Standards and Technology (NIST) Guidance

VA Information Technology Security Directives

Page 24:

Federal Policies

The Computer Security Act of 1987

Office of Management and Budget Circular A-130

The Federal Managers Financial Integrity Act of 1982 (FMFIA)

Office of Management and Budget Circular A-123

The Federal Information Security Management Act of 2002 (FISMA)

Page 25:

NIST Guidance

SP 800-12: An Introduction to Computer Security: The NIST Handbook

SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

SP 800-26: Security Self-Assessment Guide for IT Systems

Page 26:

VA Information Security Directive

VA Directive & Handbook 6210: Automated Information Systems Security Policy

VA Directive 6212: Security of External Connections

VA Directive 6213: VA Public Key Infrastructure

VA Directive 6214: Information Technology Security Certification and Accreditation Program

Page 27:

VA Cyber Security Practitioner

Position Title: Information Security Officer

Responsibilities

Education and Training

Page 28:

The HIPAA Security Standards

Administrative Safeguards: "Actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information."

Physical Safeguards: "Security measures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."

Technical Safeguards: "The technology and the policy and procedures for its use that protect ePHI and control access to it."

Page 29:

Administrative Safeguards

Security Management Processes

Assigned Responsibility

Workforce Security

Information Access Management

Security Awareness Training

Security Incident Procedures

Contingency Planning

Business Associate Agreements, etc.

Page 30:

Physical Safeguards

Facility Access Controls

Workstation Use

Workstation Security

Device and Media Controls

Page 31:

Technical Safeguards

Access Control

Audit Controls

Integrity

Person or Entity Authentication

Transmission Security

Page 32:

Case Study of the PVAMC

HIPAA Program Compliance Plan: Three Phase Risk Assessment:

Departmental Self-Assessment and Surveys (handout 1)

Privacy and Security Steering Committee Assessment (handout 2)

Formal Assessment by Privacy Officer and Information Security Officer (handout 2)

Page 33:

Case Study of the PVAMC Areas for Review:

Discussion of confidential information among staff in public areas (hallways, elevators, parking garage and cafeteria)

Health information in trash or unsecured compartments

Health information in open view on desks, in hallways or medicine carts

Health information left on faxes and printers

Sharing passwords

Computers and workstations not logged off or securely positioned where feasible

Page 34:

Case Study of the PVAMC Areas for Review (cont.):

Physical arrangement of the area

Sign-in sheets

Use of electronic mail for transmitting protected health information

Staff awareness of and responsibilities for visitors (e.g. did the staff challenge visitors for identification?)

Dictation conducted in public areas or in areas where the provider can be easily overheard

Business Associate Agreements with contracted business/service agreements and accrediting organizations

Page 35:

Case Study of the PVAMC Survey of Key Findings:

Employees consistently rely on the fax machine as a means for transmitting protected health information.

Lack of attention to ensuring that health records are appropriately locked and secured.

Continued reliance on garbage cans as a means of destroying protected health information.

Lack of attention to logging off of computers and workstations.

Lack of written policies and procedures governing specific actions within the departments (e.g. monitoring of visitors in Surgery)
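Two of the findings above, shared passwords and workstations left logged in, are the kind of pattern the Security Rule's Audit Controls standard and a privacy "chart audit" are meant to surface from system logs rather than from walk-round observation alone. The following Python review pass is an added illustration, not part of the original presentation and not code from any VA system. It runs over a constructed access log (the comma-separated format, the user and workstation names, the patient identifiers and the timestamps are all invented for this example) and flags one account logged in on two workstations at the same time, the usual fingerprint of a shared password, plus sessions that sat idle past a 30-minute limit or were never logged out. The 30-minute figure is an assumed local automatic-logoff policy; HIPAA itself sets no specific number.

```python
"""Audit-log review for two HIPAA Security Rule findings.

Added example: detects (1) one account active on two workstations at
once, the usual fingerprint of a shared password, and (2) sessions left
idle past a limit or never logged out.  The log format, users,
workstations, patient ids and timestamps are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed local automatic-logoff policy; HIPAA sets no specific number.
IDLE_LIMIT = timedelta(minutes=30)

# Constructed sample log: timestamp,user,workstation,event,patient_id
# (patient_id is empty for LOGIN/LOGOUT).  The bjones LOGIN is recorded
# out of time order on purpose, as happens when logs are merged.
SAMPLE_LOG = """\
2005-03-01T08:00:00,jdoe,WS-ICU-01,LOGIN,
2005-03-01T08:05:00,jdoe,WS-ICU-01,CHART_VIEW,P1001
2005-03-01T08:07:00,jdoe,WS-ER-04,LOGIN,
2005-03-01T08:08:00,jdoe,WS-ER-04,CHART_VIEW,P2002
2005-03-01T08:30:00,jdoe,WS-ER-04,LOGOUT,
2005-03-01T09:00:00,asmith,WS-ICU-02,LOGIN,
2005-03-01T09:02:00,asmith,WS-ICU-02,CHART_VIEW,P1001
2005-03-01T11:45:00,asmith,WS-ICU-02,LOGOUT,
2005-03-01T07:55:00,bjones,WS-LAB-01,LOGIN,
2005-03-01T07:58:00,bjones,WS-LAB-01,CHART_VIEW,P3003
2005-03-01T12:10:00,bjones,WS-LAB-01,LOGOUT,
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, workstation, event, patient) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ws, event, patient = line.split(",")
        events.append((datetime.fromisoformat(ts), user, ws, event, patient or None))
    events.sort(key=lambda e: e[0])  # file order is not time order
    return events


def find_concurrent_sessions(events):
    """Flag a LOGIN while the same account still has an open session on another workstation."""
    open_ws = defaultdict(set)  # user -> workstations with an open session
    findings = []
    for ts, user, ws, event, _ in events:
        if event == "LOGIN":
            elsewhere = open_ws[user] - {ws}
            if elsewhere:
                findings.append({"user": user, "workstation": ws,
                                 "also_open_on": sorted(elsewhere), "at": ts})
            open_ws[user].add(ws)
        elif event == "LOGOUT":
            open_ws[user].discard(ws)
    return findings


def find_unattended_sessions(events, idle_limit=IDLE_LIMIT):
    """Flag sessions with a gap between events longer than idle_limit, or with no LOGOUT at all."""
    last_seen = {}  # (user, workstation) -> time of last activity in an open session
    findings = []
    for ts, user, ws, event, _ in events:
        key = (user, ws)
        if event == "LOGIN":
            last_seen[key] = ts
            continue
        if key not in last_seen:
            continue  # activity without a recorded LOGIN; out of scope here
        gap = ts - last_seen[key]
        if gap > idle_limit:
            findings.append({"user": user, "workstation": ws, "issue": "idle", "gap": gap})
        if event == "LOGOUT":
            del last_seen[key]
        else:
            last_seen[key] = ts
    for (user, ws) in last_seen:  # sessions still open at end of log
        findings.append({"user": user, "workstation": ws,
                         "issue": "never logged out", "gap": None})
    return findings


def review(text=SAMPLE_LOG):
    """Run both checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {"shared_credentials": find_concurrent_sessions(events),
            "unattended_sessions": find_unattended_sessions(events)}


if __name__ == "__main__":
    for check, items in review().items():
        print(f"{check}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

Run as a script to list the findings, and set IDLE_LIMIT to the facility's own automatic-logoff value. On the sample, jdoe is flagged for logging in at WS-ER-04 while the WS-ICU-01 session was still open (and that session is also reported as never logged out), while asmith and bjones are flagged for sessions that sat idle for hours before the LOGOUT. The sort in parse_log is what makes the session reconstruction correct when merged logs arrive out of time order.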

Page 36:

Case Study of the PVAMC Corrective Actions:

Required departments to implement policies and procedures regarding certain processes within the department which pose a risk to the overall Privacy and Security Program.

Provide ongoing education to all employees through bulletins, seminars, staff meetings, annual privacy and information security training and newsletters.

Develop and implement policies governing the disposal of health information.

Posted signage to remind employees and patients that health information should not be discussed in public forums.

Purchased privacy screens for all computers where repositioning was impossible or impractical.

Page 37:

Questions???

Contact Information:

Timothy H. Graham, Esq.
Privacy and FOIA Officer, Philadelphia [email protected]

Catherine Reynolds, RN MSN
Information Security Officer, Philadelphia [email protected]
215.823.5159

Lydia Duckworth
HIPAA Security Specialist, VHA HIPAA [email protected]