Posted on 09-Feb-2016

Page 1: HITECH/HIPAA – Are you in Compliance?

1 | Global Partners in Business & Technology Consulting

HITECH/HIPAA – ARE YOU IN COMPLIANCE?

Pamela Hill, Managing Director, Hyperion Global Partners

Thad Hymel, Director of Information Services, McGlinchey Stafford PLLC

Page 2

AGENDA

• HIPAA/HITECH explanation and definitions
• Why should you care?
• Implementation standards (non-tech)
• Technical safeguards

Page 3

DEFINITIONS

Protected Health Information (PHI)
• Any oral or recorded information in any form or medium that is
  • Created or received by the covered entity/BA, AND
  • Relates to the past, present or future condition of an individual
• Any information that contains a subset of demographic information collected from an individual
• Any information that identifies an individual, or where there is a reasonable basis to believe the information can be used to identify an individual
• Includes any data transmitted or maintained in any form

Page 4

DEFINITIONS

Privacy Rule
• Relates to the privacy of any protected health information (PHI)

Security Rule
• Relates specifically to electronic PHI (ePHI) at rest or in transit

Page 5

WHY SHOULD YOU CARE?

HITECH Impact for Law Firms
• Casts a much wider net of entities that must comply with HIPAA regulations, primarily those not originally considered under the original regulations
• Requires Business Associates (“BAs”) to comply with most HIPAA Privacy Rules and all Security Rules
  • Law firms are BAs to their clients (called “covered entities”)
  • Your vendors/service providers are BAs to you

Page 6

WHY SHOULD YOU CARE?

HITECH Impact for Law Firms
• Significantly expands the formal Federal enforcement group
• Allows State Attorneys General to enforce compliance
• Imposes new data breach notification by BAs to clients, and imposes strict guidelines for subsequent client notification to OCR/HHS and/or the media
• Doesn’t matter if you knew about the breach or not; you will be held liable if it happens on your watch
• Expands/allows for both criminal and civil penalties of up to $1.5M/year

Page 7

WHY SHOULD YOU CARE?

The Privacy and Security Rules consist of implementation standards

Implementation standards outline what your Firm should do to get into compliance, but they don’t state how

They are intentionally vague in order to be flexible enough to allow for compliance regardless of the size of your organization
• Good news – you have flexibility in choosing what to implement (or not)
• Bad news – they are intentionally vague. That means the government gets to decide whether you were using basic standards of care in safeguarding your PHI

Page 8

ITEMS OF NOTE

State vs. Federal laws
• 40 states now have privacy and/or security laws covering personally identifiable information and/or PHI
• That which is more stringent wins
  • California and Illinois laws are more stringent than federal laws for breach notification
  • Massachusetts has the strictest PII privacy and security laws
• Make sure to familiarize yourself with both

Biggest News…
• Penalties and fines are paid back to the enforcement agencies, effectively making them self-funded
• Money = enforcement, enforcement, enforcement

Page 9

ALLOW ME A MINUTE ON THE SOAPBOX…

Soapbox points that most experts agree on
• Compliance will take time and effort to implement, and new guidelines and rules are rolling out each year – time to get started
• Need to show a “good faith effort” that the Firm is working towards compliance
• “Gross negligence” or “willful misconduct” (i.e., not doing anything to secure sensitive information) can result in criminal charges at a maximum, and serious reputation and/or client relationship issues at a minimum (large civil penalties coming in 2011)
• Document everything so when the finger pointing begins, it doesn’t end up pointed at you

Page 10

HITECH/HIPAA IN A NUTSHELL

Page 11

BLATANT OVERSIMPLIFICATION OF THE SAFEGUARDS AND IMPLEMENTATION STANDARDS

All the rules can be summarized in a few bullets
• Know what PHI is out there and understand the associated risks of its disclosure or loss (risk assessment and mitigation)
• Access control for PHI (define who can see it, then lock it down)
• Protect it (encryption, media reuse policies, information security, portable or removable media)
• Make sure you can get to it (BC/DR)
• Document until your eyes roll back in your head (policies, procedures, BA agreements, assign responsibility)

Page 12

BLATANT OVERSIMPLIFICATION OF THE SAFEGUARDS AND IMPLEMENTATION STANDARDS

Before finalizing what to implement, consider:
• The size, complexity and capabilities of the Firm
• What risk the Firm is at for unauthorized access and disclosure
• Current technical infrastructure, hardware and software security capabilities
• How much the implementation(s) will cost in money and resources

Ultimately it’s up to legal interpretation – your Firm must decide what to implement (or not)

Page 13

A FEW SEEMINGLY NON-TECHY HIGHLIGHTS

(R) = required implementation specification; (A) = addressable implementation specification

Administrative Safeguards
• Comprise half of the Security Rule requirements
• Risk assessment and management (R)
• Sanction policy against employees who fail to comply with security policies (R)
• Information security activity review (audit logs, access reports, security incident reports) (R)
• Identify a Privacy and Security Official (R)
• Workforce security (access control) (R)
• Contingency plan (R)
• Business Associate contracts (R)

Physical Safeguards
• Facility access (A)
• Workstation use and security (A)
• Device and media reuse (R)

Page 14

A FEW SEEMINGLY NON-TECHY HIGHLIGHTS

Organizational, Policies and Procedure Safeguards
• Policies
  • Privacy
  • Media reuse
  • Use (or not) of mobile devices (flash drives, PDAs)
  • Standardized BA agreements
  • Security and Privacy training for employees
• Procedures
  • Data security breach notification and escalation
  • Use of BA agreements with clients
• Compliance documentation (R)

Page 15

TECHNOLOGY SAFEGUARDS

Technology safeguards relate to “the technology and the policy and procedures for its use that protect ePHI and control access to it”

Safeguards do not require specific technical solutions

New technical specifications coming out in November 2010

Page 16

TECHNOLOGY SAFEGUARDS

Access control
• Unique user ID
• Emergency access
• Automatic logoff
• Encryption/decryption

Integrity
• Ensure data are not altered or destroyed

Audit control
• Record and examine who is looking at ePHI

Person or entity authentication
• Make sure the person looking at ePHI is who they claim to be

Transmission security
• Protect it in transit (as well as at rest)

Remote use security
• Removable or portable devices

Page 17

GETTING STARTED

Form a Compliance Team
• Risk Partner, COO/DofA/Executive Director, HR Director, IT Director

Complete a formal risk assessment
• Address risks, policies and processes for the following:
  • Storage – Address removable or mobile media and all sources of data inside the office or that may be taken outside the office
  • Transmission – Address the integrity and safety of ePHI transported over the network, internet, portals, intranets, extranets, colocation facilities, WAN, remote access, email, PDAs, home computers
  • Access – Limit users’ access to ePHI to authorized personnel only; access should be based upon a user’s role in the organization

Page 18

GETTING STARTED

Risk Assessment
• Figure out where your data are
  • Interview all related practices
  • Document data flow into/out of the Firm
  • Be realistic about the use of removable or mobile media
• Baseline current security protocols and practices for all sources of ePHI
  • Evaluate access, storage and transmission security for ePHI on each device type and/or transmission method
• Develop a mitigation plan for each security issue
• Document everything to show you are making a good faith effort to safeguard ePHI

Page 19

RISK ASSESSMENT SPECIFICS

Access control
• Does each user have a unique ID, and can we track what they look at?
• Have we limited who can see ePHI?
• Have we implemented encryption/decryption protocols where feasible to control access outside the Firm?
• Do we have disaster recovery in place for all sources of ePHI?
• Do we have formal password policies for all devices?

Integrity
• Do we have processes in place to ensure data are not altered or destroyed? Would we know if they were?

Audit control
• Do we monitor who is looking at ePHI?
• Do we have technologies and processes in place that allow us to audit this?

Page 20

RISK ASSESSMENT SPECIFICS

Person or entity authentication
• Is the person looking at ePHI who they claim to be?

Transmission security
• What protocols are in place to secure data in transit?

Remote use security
• Do you have policies and processes to address ePHI on removable or portable devices?

Page 21

TECHNICAL IMPLEMENTATION COMPLEXITIES

Being comprehensive in defining where the data are
• Healthcare, product liability, med mal, mass/toxic tort, labor/employment, environmental, litigation, aviation, insurance defense

Lack of standardized encryption/decryption tools or protocols to cover all clients

Providing security for removable or mobile media
• PDAs
• Flash drives
• Laptops
• CDs
• DVDs

Page 22

TECHNICAL IMPLEMENTATION COMPLEXITIES

Access control
• Practice groups have to define who can see what
• Then the logic must be built into systems

• Expense of securing ePHI in all its various sources
  • Email
  • DM
  • Records systems
  • Litigation databases
  • Practice support databases
  • EMR systems
  • Copy machines (that cache information)
  • Fax machines
• Monitoring who is looking at what
• Complex disaster recovery issues for all sources of ePHI

Page 23

TECHNICAL IMPLEMENTATION COMPLEXITIES

Defining standards and practices for data security breach notification and mitigation
• Includes policies, processes, monitoring tools, escalation protocols

Assisting the Firm in understanding ALL outside entities that may require a Business Associate agreement, such as
• Document production vendors
• Colocation facilities
• Managed services or ASP providers
• Extranet providers

Page 24

FINAL THOUGHTS

The most important things to remember
• Complete a formal risk assessment to get a good handle on the extent of the problem
• Get your risk partner involved right away to establish the Firm’s legal position on the issues (before you spend too much time or resources)
• Eat the elephant one bite at a time

Page 25

THANKS FOR COMING!

Questions?

Pamela Hill
• [email protected]
• www.hgplive.com
• 217.778.6976

Thad Hymel
• [email protected]