in partnership with

February 6, 2014

MPCA HIPAA Compliance/Meaningful Use
Requirements and Security Risk Assessment
Series
Webinar 1

HIPAA/HITECH Requirements for
FQHCs and the New Omnibus Rule
(Part 1)
About MPCA
Michigan Primary Care Association (MPCA)
Has been the voice for Health Centers and other community-based
providers in Michigan since 1980. It is a leader in building a healthy
society in which all residents have convenient and affordable access to
quality health care.
MPCA's mission is to promote, support, and develop comprehensive,
accessible, and affordable quality community-based primary care
services to everyone in Michigan.

www.MPCA.net
517-381-8000
About OSIS
Ohio Shared Information Services, Inc. (OSIS)
We are a 501(c)(3) non-profit organization that partners with Federally
Qualified Health Centers (FQHCs) to provide IT and security-related
services to improve the quality of care delivered to the underserved
population.
Our security division has professionals on staff dedicated to providing
information security services to transform healthcare.

www.OSISSecurity.com
513-677-5600 x1223
Presented by:
Jay Trinckes, Vice President of Information Security, OSIS
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and
INFOSEC Evaluation Methodology (IEM)
• Author:
Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA
Regional
Upcoming: PMI National Conference, Chicago, IL – May 2014
Experience: risk assessments, vuln/pen tests, information security
management, former law enforcement officer.
Overview of MPCA webinar Series
Series of 5 Webinars to assist members with HIPAA
Compliance and Meaningful Use
• Webinar 1: HIPAA/HITECH Requirements for
FQHCs and the New Omnibus Rule (Part 1)
• Webinar 2: HIPAA/HITECH Requirements for
FQHCs and the New Omnibus Rule (Part 2)
• Webinar 3: Meaningful Use Requirements for
FQHCs
• Webinar 4: Preliminary Assessment Tool for
FQHCs
• Webinar 5: Review of Preliminary Assessment for
FQHCs
Webinar 1: Topics
• HIPAA/HITECH Basics 101
• Privacy Rule
• Security Rule
• Enforcement Activities
• New Omnibus Rule Changes
• Questions/Answers
HIPAA/HITECH BASICS 101
Overview of HIPAA/HITECH
• The Health Insurance Portability and
Accountability Act (HIPAA) was enacted
in 1996 as a response from Congress to:
– Increase technology in healthcare
– Protect against potential fraud or compromise
of sensitive information
– Different regulations within states
contradicting federal regulations
– Regional isolation – everyone doing their own
thing
HHS Responsibilities
• The Department of Health and Human Services
(HHS) was assigned responsibility and oversight
over:
– Implementation
– Enforcement through the Office for Civil Rights (OCR)

• Published/Finalized as a result of the
Administrative Simplifications Provisions
– The Privacy Rule
– The Electronic Transactions and Code Sets Rule
– The National Identifier Requirements
– The Security Rules
HITECH ACT

• Part of the American Recovery and
Reinvestment Act (ARRA) of 2009
• The Health Information Technology for
Economic and Clinical Health Act (The
HITECH Act)
– Revised HIPAA and amended enforcement
regulations
– Stiffer Penalties
– Provided enforcement actions for State
Attorneys General
– Increased Breach Notification Rules
Covered Entities
• Health Plan
• Healthcare Clearinghouse
• Covered Healthcare Provider
– Healthcare – care, services, or supplies
related to the health of an individual
– Information must be transmitted in an
electronic form
– Covered Transactions
Covered Transaction
• Healthcare claims or equivalent encounter information;
• Healthcare payment and remittance advice;
• Coordination of benefits;
• Healthcare claim status;
• Enrollment and dis-enrollment in a health plan;
• Eligibility for a health plan;
• Health plan premium payments;
• Referral certification and authorization;
• First Report of injury;
• Health claims attachments; and
• Other transactions that the Secretary of HHS may
prescribe by regulation.
Direct Identifiers

Direct Identifiers of the individual or of relatives, employers, or household
members of the individual are defined under 45 CFR 164.514(e)(2) and
include the following eighteen (18) items:
1. Names;
2. All geographic subdivisions smaller than a State,
including street address, city, county, precinct, zip code,
and their equivalent geo-codes, except for the initial
three (3) digits of a zip code if, according to the current
publicly available data from the Bureau of the Census:
– The geographic unit formed by combining all zip codes with the
same three initial digits contains more than 20,000
people; and
– The initial three (3) digits of a zip code for all such geographic
units containing 20,000 or fewer people are changed
to '000'.
3. All elements of dates (except year) for dates directly
related to an individual, including birth date, admission
date, discharge date, date of death; and all ages over
eighty-nine (89) and all elements of dates (including
year) indicative of such age, except that such ages and
elements may be aggregated into a single category of
age ninety (90) or older;
4. Telephone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate
numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images;
18. Any other unique identifying number, characteristic, or code.

Omnibus Rule includes Genetic Information as Protected Health Information
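A worked example, added here and not part of the webinar deck, of how the three identifier classes in the list above that need a rule rather than plain removal (zip code, dates, and ages over 89) are generalized. The field names, the three-digit zip population table and the patient record are constructed sample values, not Census or patient data.

```python
"""Safe Harbor de-identification of one patient record, following the
eighteen-identifier list: remove the direct identifiers outright, keep a
zip code only as a 3-digit prefix whose area has more than 20,000 people,
keep only the year of individual-related dates, and collapse ages over 89
into a single "90+" category.  Field names are assumed for the example."""
from datetime import date
import re

POPULATION_THRESHOLD = 20_000   # rule text: "more than 20,000 people"
AGE_CAP = 90                    # ages over 89 collapse into "90 or older"
AS_OF = date(2014, 2, 6)        # reference date for computing ages (constructed)

# Constructed sample figures only, keyed by 3-digit zip prefix.  A real
# pipeline loads the current Census Bureau figures instead.
SAMPLE_PREFIX_POPULATION = {
    "482": 1_800_000,   # populous prefix: first three digits may be retained
    "499": 12_000,      # 20,000 or fewer people: prefix must become "000"
}

# Fields that Safe Harbor simply removes (identifiers 1, 2 except zip, 4-17).
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# Dates directly related to the individual: keep the year only (identifier 3).
DATE_FIELDS = {
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
    "date_of_death": "year_of_death",
}


def generalize_zip(zip_code, prefix_population):
    """Return the 3-digit prefix if its area has > 20,000 people, else '000'."""
    digits = re.sub(r"\D", "", zip_code)[:5]        # tolerate "48201-1234"
    if len(digits) != 5:
        raise ValueError(f"invalid zip code: {zip_code!r}")
    prefix = digits[:3]
    # A prefix missing from the table is treated as small (more suppression),
    # so a stale or incomplete table can never leak a restricted prefix.
    if prefix_population.get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"


def age_on(birth_date, as_of):
    """Completed years between birth_date and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def generalize_age(birth_date, as_of):
    """Return (age_category, birth_year).  For ages over 89 the birth year is
    dropped too, because year plus reference date would reveal the age."""
    age = age_on(birth_date, as_of)
    if age >= AGE_CAP:
        return f"{AGE_CAP}+", None
    return str(age), birth_date.year


def deidentify(record, as_of, prefix_population):
    """Produce a Safe Harbor view of a record (dict of field -> value).

    Identifier 18 ("any other unique identifying number, characteristic, or
    code") cannot be detected mechanically; only the fields listed above are
    handled, so free-text fields still need a separate review."""
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS or value is None:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value, prefix_population)
        elif field == "birth_date":
            out["age"], birth_year = generalize_age(value, as_of)
            if birth_year is not None:
                out["birth_year"] = birth_year
        elif field in DATE_FIELDS:
            out[DATE_FIELDS[field]] = value.year
        else:
            out[field] = value          # clinical data (diagnosis, etc.) stays
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "zip": "48201-1234",
    "birth_date": date(1921, 6, 30),       # 92 on AS_OF: must collapse to 90+
    "admission_date": date(2013, 11, 4),
    "discharge_date": date(2013, 11, 9),
    "date_of_death": None,
    "diagnosis": "J18.9",                  # clinical detail, not an identifier
}


def run_sample():
    """De-identify the constructed sample record as of AS_OF."""
    return deidentify(SAMPLE_RECORD, AS_OF, SAMPLE_PREFIX_POPULATION)


if __name__ == "__main__":
    print(run_sample())
```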
PRIVACY RULE
"I will respect the privacy of
my patients, for their problems
are not disclosed to me that
the world may know." – Hippocratic
Oath, Dr. Louis Lasagna (Wikipedia 2010)
Privacy Basics
• In the most basic terms, a health center (and
business associate) may NOT use or disclose
protected health information except as permitted
or required by the HIPAA Privacy Rule.
• A health center and business associate should
apply the least amount of privileges to their
individual employees based upon the roles of
their employees.
• These restrictions should be applied through
policies and procedures to restrict access to
protected health information to 'need-to-know' or
to what is needed to perform their job functions.
Minimum Necessary
• A health center and business associate must develop
policies and procedures to reasonably limit its disclosures of,
and requests for, protected health information to the minimum
necessary for payment and healthcare operations.
• There are several different examples to demonstrate how
the minimum necessary standard can be applied, but it may be
easier to give an example of what not to do.
– It would be a violation of the minimum necessary standard if a
hospital employee is allowed routine, unimpeded access to
patients' medical records when that employee does not need this
access to do his or her job.

Minimum necessary requirements do NOT apply to disclosures
to or requests by a healthcare provider for treatment; uses or
disclosures made to the individual; uses or disclosures made
pursuant to an authorization; disclosures made to the
Secretary; uses or disclosures that are required by law; and
uses or disclosures that are required for compliance with the
Privacy Rule.
Administrative Requirements
• Privacy Personnel Designations
• Privacy Training
• Administrative Safeguards
• Complaint Handling
• Workforce Member Sanctions
• Mitigation
• Retaliation
• Waiver of Rights
• Privacy Policies
SECURITY RULE
Security Rule Basics
• Security is always evolving; on-going
• Two primary purposes for the Security
Rule
– Intended to protect certain electronic
healthcare information
– While allowing the proper access and use of
the information

• Goal: To promote the expanded use of
electronic health information in the
healthcare industry
Important Requirements
• Administration
– Security Management Process
• Risk Analysis, Risk Management, Sanction Policy,
Information System Activity Review

– Security Awareness Training
– Security Incident Procedures
– Contingency Planning

• Physical
– Workstation, Device, Remote Access

• Technical
– Access Control, Integrity, Transmission
Administrative Safeguards
• Over ½ of the HIPAA Security requirements
are covered under the Administrative
Safeguards
• Administrative Safeguards are:
– Administrative actions
– Policies/Procedures

• To manage security, must measure the:
– Selection of mitigating controls
– Development of controls accordingly
– Implementation of controls
– Maintenance of controls
Will discuss more in webinar 2
Security Management
• Must "implement policies and procedures
to prevent, detect, contain, and correct
security violations."
– Conduct a Risk Assessment
• Risk Analysis – "conduct an accurate and
thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health
information held by the health center."
• Risk Management – "implement security
measures [that are] sufficient to reduce risks [to]
vulnerabilities to a reasonable and appropriate
level."
Evaluation
• One of the most important requirements of the
HIPAA Security Rule is reflected in 45 CFR
164.308(a)(8) that states a health center is
required to:
– "Perform a periodic technical and nontechnical
evaluation, based initially upon the standards
implemented under this rule [the HIPAA Security
Rule] and subsequently, in response to
environmental or operational changes affecting the
security of electronic protected health information,
that establishes the extent to which an entity's
security policies and procedures meet the
requirements [of the HIPAA Security Rule]."

• Also, one of the 'meaningful use' core objectives
Will discuss more in webinar 3
Physical Safeguards –
First Layer of Defense

• Physical Layer

– Controls over physical access
– Procedures and maintenance of documents/hardware

• Two Areas:
– Facility Access Control
– Device/Media Controls

• Physical security requires a total commitment to a
CULTURE of security and an adherence to the
principles of physical security.
– Proper Identification
– Proper Authorization
– Need to Know; Minimum Use

"60% of all theft is committed by internal staff"
Will discuss more in webinar 2
Technical Safeguards
• The objective of these safeguards is to
mitigate the risk of electronic protected
health information being used or
disclosed in an unauthorized manner.
• CIA Triad
– Confidentiality
– Integrity
– Availability
Will discuss more in webinar 2
Required vs. Addressable
• Addressable is NOT the same as optional!
• Addressable means the entity must:
– Perform an assessment to determine whether
the implementation specification is a reasonable
and appropriate safeguard for implementation in
the entity's environment
– Decide whether to implement the addressable
specification as-is, implement an equivalent
alternative that still allows compliance, or not
implement either one
– Document the assessments and all decisions
Privacy Rule vs. Security Rule
Security Rule
• Intended to protect certain Electronic
Protected Health Information (EPHI)
• Secure the confidentiality, integrity, availability while
allowing authorized use and disclosure
– Administrative
– Physical
– Technical
• More Detailed and Comprehensive

Privacy Rule
• Implement appropriate and reasonable
safeguards to secure Protected Health
Information (PHI):
– Administrative
– Physical
– Technical
OMNIBUS RULE
Omnibus Rule
• Effective: March 26, 2013 – 180 days to comply –
deadline September 23, 2013
– Modifies Privacy, Security, Enforcement Rule, and
Breach Notification Rules
• Business Associates (and subcontractors of a BA) are now
directly liable for compliance – minimum necessary applies
– Limit use/disclosure for marketing/fundraising;
prohibit sale of PHI
– Individuals have right to electronic copies of health
information
– Right to restrict disclosure for 'out-of-pocket'
payments
– Modify authorization for proof of immunization to
schools
– Enable access to decedent information (after 50
years)
Business Associates
• Omnibus Rule:
– Directly liable
– Implement administrative, physical, and technical
safeguards to protect CIA of EPHI
– BA is any organization that creates, receives,
maintains, or transmits PHI on health center's
behalf

• Any agent, or subcontractor of BA is also
considered a BA
– Agent must enter into a BAA with subcontractor to
comply with HIPAA Security Rules and applicable
Privacy Rules
Will discuss more in webinar 2
Examples of
Business Associates
• Companies that provide certain types of functions, activities, and
services to covered entities.
– Claims Processing;
– Data Analysis;
– Utilization review;
– Billing;
– Legal Services;
– Accounting/financial services;
– Consulting;
– Administrative;
– Accreditation; or
– Other related services

• Omnibus Rule added:
– Patient Safety Organizations
– Health Information Organizations, E-Prescribing Gateways, other data
transmission services that require routine access
– Persons that offer personal health records to one or more individuals on
behalf of health center
Will discuss more in webinar 2
Omnibus Rule (cont.)
• Enforcement Rule
– Increased tiers for Civil Monetary Penalties
(CMP); 'willful neglect'

• Breach Notification
– Removes 'harm' threshold; every security
incident is presumed a breach, unless risk
analysis demonstrates low probability of
compromise

• Privacy Rules – includes protection of
genetic information
• De-Identification - guidance
ENFORCEMENT
ACTIVITIES
• HITECH Enforcement:

Violation Category            Each Violation       All Such Violations of an Identical
Section 1176(a)(1)                                 Provision in a Calendar Year
(A) Did Not Know              $100 - $50,000       $1,500,000
(B) Reasonable Cause          $1,000 - $50,000     $1,500,000
(C)(i) Willful Neglect –      $10,000 - $50,000    $1,500,000
       Corrected
(C)(ii) Willful Neglect –     $50,000              $1,500,000
        Not Corrected

• [Note: State Attorneys General can also bring
enforcement actions.]
• OCR has collected over $50 million from enforcement
• It is more cost effective to become HIPAA compliant
than to risk enforcement
Civil Monetary Penalties (CMP)
• Civil Monetary Penalties (CMP)
– Cignet Health of Prince George's County, MD - $4.3 million (denied
patients' rights to medical records); refused to cooperate with OCR
– BlueCross and BlueShield of Tennessee - $1.5 million (first HITECH
breach notification; spent nearly $17 million for efforts related to loss of
57 hard drives with 1 million customer records; inadequate admin
safeguards and facility access controls)
– Massachusetts General Physicians Organization, Inc. settled $1 million
(loss of 192 patient records – some having HIV/AIDS)
– Health Net settled for $250,000 with state AG for losing unencrypted
hard drive of 1.5 million participants
– Accretive Health, Inc. being sued by Minnesota AG for losing
unencrypted laptop of 23,500 individuals
– TRICARE – class action lawsuit of $4.9 Billion ($1,000/record) for
losing 4.9 million records of military personnel on unencrypted tape
drive being handled by third party SAIC
– Medical Records Firm, Impairment Resources, LLC. filed for
bankruptcy after a burglary involving the loss of 14,000 (worked for
over 600 clients/insurers on reviewing medical records for workers
comp/auto)
Enforcement (cont.)

US Code Title 42 Chapter 7 – 1320d-6
• Wrongful disclosure of individually identifiable health information
• Offense: A person who knowingly and in violation of this part–
– Uses or causes to be used a unique health identifier;
– Obtains individually identifiable health information relating to an
individual; or
– Discloses individually identifiable health information to another person

A person described … shall—
• (1) be fined not more than $50,000, imprisoned not more than 1
year, or both;
• (2) if the offense is committed under false pretenses, be fined not
more than $100,000, imprisoned not more than 5 years, or both;
and
• (3) if the offense is committed with intent to sell, transfer, or use
individually identifiable health information for commercial
advantage, personal gain, or malicious harm, be fined not more
than $250,000, imprisoned not more than 10 years, or both.
OCR Audit
• Transition from relaxed pilot to full-on
enforcement
• Organizations will need to be prepared for a 169-item performance audit, concentrating on:
– HIPAA Privacy Rule
– HIPAA Security Rule
– Breach Notification Rule

• Business associates will also be subject to these
audits
• Providers are being recommended to have an
annual third-party independent report
conducted on them for HIPAA compliance.
Potential Violations
Some examples of potential violations are,
but not limited to, the following:
• Inappropriate use or disclosure of
protected health information;
• Any fraudulent activity involving protected
health information;
• Unauthorized access of protected health
information; or
• Improper handling of protected health
information.
SECURITY
INCIDENT/BREACH
NOTIFICATION
Security Incident
• Security incidents are those situations
where it is believed that protected health
information has been used or disclosed in
an unauthorized fashion.
– Actual unauthorized access, use, or
disclosure
– Interference with system operations (Denial
of Service)
• According to a report by Solutionary, security
service provider, companies pay $6,500 an hour
from a DDoS attack and up to $3,000 a day to
mitigate/recover from malware infections.
Breach Notification Rule
• Breach is defined as “the acquisition, access,
use, or disclosure of protected health information
in a manner not permitted under subpart E [45
CFR Subpart E – Privacy of Individually
Identifiable Health Information] of this part which
compromises the security or privacy of the
protected health information [or poses a
significant risk of financial, reputational, or other
harm to the individual].”
• Ponemon Survey:
– Overall Cost $188 per record (2012)
• Healthcare $233 per record (2012)
• Pharmaceutical $207 per record (2012)

– Full cost of a data breach averages $5.4 million
(includes account detection, notification, post-response and loss of business)
Breach Risk Assessment –
LoProCo

• "Breach" definition modified by Omnibus
Rule:
– Eliminated 'harm' threshold
– Adopted 4 factor test
• Nature and extent of information involved
• Unauthorized person who used the information or
to whom the disclosure was made
• Whether the information was actually acquired or
viewed; and
• Extent to which the risk to the information has been
mitigated

• Presumption of Breach unless demonstrate
a low probability of a compromise (LoProCo)
Factor 1 – Nature/Extent

• Nature and extent of PHI involved
including the type of identifiers and the
likelihood of re-identification
• Information sensitivity?
– Financial: social security numbers; credit
cards (fraud potential?)
– Clinical: chart notes, diagnosis/treatment
details
– Direct Identifiers
• Consider Context
• Open Source Intelligence (OSINT)
Factor 2 –
Unauthorized Person

• The unauthorized person who used the
PHI or to whom the disclosure was made
– Was person obligated to adhere to HIPAA
Regulations?
– Can information be linked to other
information to likely make a re-identification?
Factor 3 –
Acquired/Viewed

• Was the PHI actually acquired or viewed?
• HHS provided two examples:
– Low probability of compromise – stolen
laptop recovered; forensic analysis
determined no one accessed hard drive;
indicated no breach
– High probability of compromise –
unauthorized recipient received PHI in error;
viewed the PHI; reported it to center
Factor 4 – Mitigate Risk

• The extent to which the risk to the PHI has been
mitigated.
• Make efforts to mitigate risks
– Confidentiality agreements
– Assurances for destruction of PHI
• Reliability of mitigation-agreement: consider if
recipient is in health network or outside of
network
Breach Notification

• Notify relevant parties involved 'without
unreasonable delay' or
• Within 60 days from "date of discovery"
• Describe in "plain language"
• May delegate to business associate, but
who is best situated to contact individuals
Individual Notification
• Brief description, including date of breach
• Types of information
• Steps to take to protect against potential
harm
• Mitigating steps taken by entity
• Contact information for individuals to
learn more
Media/HHS Notification
• Less than 500 – make log and report
within 60 days after calendar year on
HHS website
• Over 500 individuals – immediately report
breach to HHS secretary
• Over 500 residents – notify prominent
media outlet serving State or jurisdiction
Notification Exceptions
• Unintentional access by workforce member; good
faith and scope of employment
• Inadvertent disclosure between two of health center's
workforce
• Disclosure to unauthorized person deemed unable to
have retained the information
• Remember:
– Impermissible use or disclosure of unsecured PHI is
presumed a breach
– Presumption may be overcome by 4 factor test; LoProCo
– Health center could always opt to report in absence of
formal breach risk assessment
Safe Harbor
• If data is properly encrypted, it is
considered secure and falls under 'safe
harbor'
• Must follow HHS's specification on
encryption standards
– Not all encryption is the same.
Privacy Changes
Notice of Privacy Practices
• NPP should contain:
– Uses/Disclosures of PHI
– PHI-related legal duties
– Individual Rights

• Change:
– Include required authorization for the following PHI Use:
• Uses/disclosures of psychotherapy notes
• Uses/disclosures of PHI for marketing purposes
• Disclosures that constitute sale of PHI

• Individual's authorization is required for any
use/disclosures not discussed in the NPP
Fundraising and
Opt-Out Clause

• NPP must contain an opt-out clause
• If so, Health center may contact individual to
raise funds and disclose:
– Demographic information
– Dates of health care
– Department of service information
– Treating physician
– Outcome information
– Health insurance status
Individual Notification in
Event of Improper PHI Disclosure

• NPP must include:
– Individual's right to receive notification in
event of privacy breach
– Health center's requirement to communicate
breach news to individual
NPP Modification
Implementation

• NPP should be available upon request by
individual
• NPP should be available at site and
posted in clear/prominent location
• Provide revised NPP to new patients;
make copies for individuals upon request
• Post on website (45 CFR 164.520(c)(3)(i))
“Out of Pocket” Restrictions
• Individuals may restrict PHI disclosure for
items/services paid 'out-of-pocket'
• NPP must contain this new right
• New record keeping system not required
– Must develop method to 'red flag' or 'make a
notation in the record' to prevent disclosure

• If law requires disclosure – must disclose
• Medicare/Medicaid:
– If required by law without exception, submit claim
– If Medicare beneficiary pays 'out of pocket' must
restrict

• Other considerations
Electronic PHI
• Individuals have the right to electronic copies of
their PHI upon request
– Provide in form/format requested if possible
– Or, provide in an agreeable form
– Machine-readable copies when possible
– Requests for PHI to 3rd party must be:
• Written
• Signed
• Clearly designate recipient
• Include destination location

• Provide access within 30 days (can be granted
another 30-day extension)
MEANINGFUL USE
OVERVIEW
Meaningful Use

• Centers for Medicare and Medicaid Services (CMS) provides
incentives (i.e. $) for the use of Electronic Health
Record (EHR) Technologies
• As of July 2013, estimated $9.5 billion has been paid
out to over 250,000 physicians and hospitals.
• Stage 1: 15 core objectives to meet
– Core 15 – determines if a security risk analysis was
conducted or reviewed as required under 45 CFR
164.308(a)(1)
– In addition, security updates must be implemented

• Stage 2
– Ensure adequate privacy and security protection for
personal health information (same as Core 15 above);
ALSO addresses the encryption/security of data stored
within the EHR software
– Use secure electronic messaging to communicate with
patients on relevant health information
IMPEDIMENTS,
RECOMMENDATIONS,
SUMMARY
Impediments to Compliance
• Awareness
• Technology moving faster than
policies/procedures/regulations
• No one taking responsibility for
compliance
• Systemic issues – management doesn‘t
believe it is important
• Lack of resources
Recommendations
• Make Information Security a priority in the
organization - Every company needs a
CISO
• Understand weakest link – PEOPLE
• Security is an ongoing process
• Resources
Summary
• Assume Audit will happen
• Prepare for Audit
• Take Ownership
• Conduct Risk Assessment
• Update Policies/Procedures
• Revise BAAs
• Modify Notice of Privacy Practices
• Train and Educate
• Evaluate
• Document, Document, Document
Service Offerings
• HIPAA Compliance Program
• HIPAA/HITECH Information Systems Security Risk Assessment
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Internal/External Vulnerability/Penetration Test
• Organizational Requirements
• Policies, Procedures, & Documentation Requirements
• Policies/Procedures
• Security Awareness Training
• Mitigation Management
• Vendor Due Diligence
• Security Incident Response Handling
• Business Continuity/Disaster Recovery Planning
• Subject Matter Expertise
Questions
Jay@OSISSecurity.com
513-707-1623 (direct)
in partnership with

Thursday, February 20, 2014
2pm – 3pm EST

MPCA HIPAA Compliance/Meaningful Use
Requirements and Security Risk Assessment
Series
Webinar 2

HIPAA/HITECH Requirements for
FQHCs and the New Omnibus Rule
(Part 2)

 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit ImplementationValency Networks
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxamartya2087
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxVistaInfosec
 
PSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS CommunityPSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS CommunityPSOW
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
HIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk AssessmentHIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk AssessmentConference Panel
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceJay Hodes
 
HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTKimberly Simon MBA
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMBMeHealthCareSolutions
 

Similar to MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1) (20)

HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleHIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
 
HIPAA
HIPAAHIPAA
HIPAA
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
Chapter 9
Chapter 9Chapter 9
Chapter 9
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloud
 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit Implementation
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptx
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
PSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS CommunityPSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS Community
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
HIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk AssessmentHIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk Assessment
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of Compliance
 
HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUST
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 

More from Michigan Primary Care Association

Meaningful Use Stage 1 Changes for Eligible Professionals in 2014
Meaningful Use Stage 1 Changes for Eligible Professionals in 2014Meaningful Use Stage 1 Changes for Eligible Professionals in 2014
Meaningful Use Stage 1 Changes for Eligible Professionals in 2014Michigan Primary Care Association
 
Successful Social and Financial Outcomes for Complicated Patients
Successful Social and Financial Outcomes for Complicated PatientsSuccessful Social and Financial Outcomes for Complicated Patients
Successful Social and Financial Outcomes for Complicated PatientsMichigan Primary Care Association
 
Integrated Behavioral Health In Newaygo County – Flying the Plane as we Build It
Integrated Behavioral Health In Newaygo County – Flying the Plane as we Build ItIntegrated Behavioral Health In Newaygo County – Flying the Plane as we Build It
Integrated Behavioral Health In Newaygo County – Flying the Plane as we Build ItMichigan Primary Care Association
 
Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...
Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...
Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...Michigan Primary Care Association
 
Punch/Counter Punch: Biopsy of a Successful Integrated Care Program
Punch/Counter Punch: Biopsy of a Successful Integrated Care ProgramPunch/Counter Punch: Biopsy of a Successful Integrated Care Program
Punch/Counter Punch: Biopsy of a Successful Integrated Care ProgramMichigan Primary Care Association
 

More from Michigan Primary Care Association (20)

Meaningful Use Stage 1 Changes for Eligible Professionals in 2014
Meaningful Use Stage 1 Changes for Eligible Professionals in 2014Meaningful Use Stage 1 Changes for Eligible Professionals in 2014
Meaningful Use Stage 1 Changes for Eligible Professionals in 2014
 
National Health Service Corps
National Health Service CorpsNational Health Service Corps
National Health Service Corps
 
MPCA's Role in Developing Access to Care in Michigan
MPCA's Role in Developing Access to Care in MichiganMPCA's Role in Developing Access to Care in Michigan
MPCA's Role in Developing Access to Care in Michigan
 
Successful Social and Financial Outcomes for Complicated Patients
Successful Social and Financial Outcomes for Complicated PatientsSuccessful Social and Financial Outcomes for Complicated Patients
Successful Social and Financial Outcomes for Complicated Patients
 
Integrated Behavioral Health In Newaygo County – Flying the Plane as we Build It
Integrated Behavioral Health In Newaygo County – Flying the Plane as we Build ItIntegrated Behavioral Health In Newaygo County – Flying the Plane as we Build It
Integrated Behavioral Health In Newaygo County – Flying the Plane as we Build It
 
Making Integrated Care Work
Making Integrated Care WorkMaking Integrated Care Work
Making Integrated Care Work
 
Expansion Exchange Outreach Enrollment Strategies
Expansion Exchange Outreach Enrollment Strategies  Expansion Exchange Outreach Enrollment Strategies
Expansion Exchange Outreach Enrollment Strategies
 
Health Center Controlled Network Presentation
Health Center Controlled Network Presentation Health Center Controlled Network Presentation
Health Center Controlled Network Presentation
 
Integrated Primary and Behaviorial Healthcare
Integrated Primary and Behaviorial HealthcareIntegrated Primary and Behaviorial Healthcare
Integrated Primary and Behaviorial Healthcare
 
care4life
care4life care4life
care4life
 
Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...
Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...
Integrated Primary & Behavioral Healthcare: What is it and how will I know wh...
 
Creating A Buzz with Word of Mouth Marketing
Creating A Buzz with Word of Mouth Marketing Creating A Buzz with Word of Mouth Marketing
Creating A Buzz with Word of Mouth Marketing
 
Advocacy in Today's Political Climate
Advocacy in Today's Political ClimateAdvocacy in Today's Political Climate
Advocacy in Today's Political Climate
 
SBIRT Practical Prevention Tool
SBIRT Practical Prevention ToolSBIRT Practical Prevention Tool
SBIRT Practical Prevention Tool
 
Overview of the Provider Retention Toolkit
Overview of the Provider Retention ToolkitOverview of the Provider Retention Toolkit
Overview of the Provider Retention Toolkit
 
Using Tools for Putting a Cost on Turnover
Using Tools for Putting a Cost on TurnoverUsing Tools for Putting a Cost on Turnover
Using Tools for Putting a Cost on Turnover
 
Health Center Program Requirements
Health Center Program RequirementsHealth Center Program Requirements
Health Center Program Requirements
 
Punch/Counter Punch: Biopsy of a Successful Integrated Care Program
Punch/Counter Punch: Biopsy of a Successful Integrated Care ProgramPunch/Counter Punch: Biopsy of a Successful Integrated Care Program
Punch/Counter Punch: Biopsy of a Successful Integrated Care Program
 
National Health Center Week 2012
National Health Center Week 2012National Health Center Week 2012
National Health Center Week 2012
 
The Need for a Provider Retention Plan
The Need for a Provider Retention PlanThe Need for a Provider Retention Plan
The Need for a Provider Retention Plan
 

Recently uploaded

Mumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
Mumbai Call Girls Service 9910780858 Real Russian Girls Looking ModelsMumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
Mumbai Call Girls Service 9910780858 Real Russian Girls Looking Modelssonalikaur4
 
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any TimeCall Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Timevijaych2041
 
Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.ANJALI
 
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in green park  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...
High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...
High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...narwatsonia7
 
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Availablenarwatsonia7
 
Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...
Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...
Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...sonalikaur4
 
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...narwatsonia7
 
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...narwatsonia7
 
Measurement of Radiation and Dosimetric Procedure.pptx
Measurement of Radiation and Dosimetric Procedure.pptxMeasurement of Radiation and Dosimetric Procedure.pptx
Measurement of Radiation and Dosimetric Procedure.pptxDr. Dheeraj Kumar
 
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment BookingCall Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment BookingNehru place Escorts
 
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Availablenarwatsonia7
 
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Case Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxCase Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxNiranjan Chavan
 
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersBook Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersnarwatsonia7
 
Hemostasis Physiology and Clinical correlations by Dr Faiza.pdf
Hemostasis Physiology and Clinical correlations by Dr Faiza.pdfHemostasis Physiology and Clinical correlations by Dr Faiza.pdf
Hemostasis Physiology and Clinical correlations by Dr Faiza.pdfMedicoseAcademics
 
Pharmaceutical Marketting: Unit-5, Pricing
Pharmaceutical Marketting: Unit-5, PricingPharmaceutical Marketting: Unit-5, Pricing
Pharmaceutical Marketting: Unit-5, PricingArunagarwal328757
 
Call Girl Koramangala | 7001305949 At Low Cost Cash Payment Booking
Call Girl Koramangala | 7001305949 At Low Cost Cash Payment BookingCall Girl Koramangala | 7001305949 At Low Cost Cash Payment Booking
Call Girl Koramangala | 7001305949 At Low Cost Cash Payment Bookingnarwatsonia7
 
Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Mohamed Rizk Khodair
 

Recently uploaded (20)

Mumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
Mumbai Call Girls Service 9910780858 Real Russian Girls Looking ModelsMumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
Mumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
 
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any TimeCall Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Time
 
Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.
 
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in green park  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in green park DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...
High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...
High Profile Call Girls Kodigehalli - 7001305949 Escorts Service with Real Ph...
 
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
 
Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...
Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...
Call Girls Near Airport Ahmedabad 9907093804 All Area Service COD available A...
 
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
 
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
 
Measurement of Radiation and Dosimetric Procedure.pptx
Measurement of Radiation and Dosimetric Procedure.pptxMeasurement of Radiation and Dosimetric Procedure.pptx
Measurement of Radiation and Dosimetric Procedure.pptx
 
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment BookingCall Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
 
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
 
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in munirka  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in munirka DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Epilepsy
EpilepsyEpilepsy
Epilepsy
 
Case Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxCase Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptx
 
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersBook Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
 
Hemostasis Physiology and Clinical correlations by Dr Faiza.pdf
Hemostasis Physiology and Clinical correlations by Dr Faiza.pdfHemostasis Physiology and Clinical correlations by Dr Faiza.pdf
Hemostasis Physiology and Clinical correlations by Dr Faiza.pdf
 
Pharmaceutical Marketting: Unit-5, Pricing
Pharmaceutical Marketting: Unit-5, PricingPharmaceutical Marketting: Unit-5, Pricing
Pharmaceutical Marketting: Unit-5, Pricing
 
Call Girl Koramangala | 7001305949 At Low Cost Cash Payment Booking
Call Girl Koramangala | 7001305949 At Low Cost Cash Payment BookingCall Girl Koramangala | 7001305949 At Low Cost Cash Payment Booking
Call Girl Koramangala | 7001305949 At Low Cost Cash Payment Booking
 
Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)
 

MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)

  • 1. in partnership with
    February 6, 2014
    MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
    Webinar 1: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)
  • 2. About MPCA
    Michigan Primary Care Association (MPCA) has been the voice for Health Centers and other community-based providers in Michigan since 1980. It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care.
    MPCA's mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services to everyone in Michigan.
    www.MPCA.net
    517-381-8000
  • 3. About OSIS
    Ohio Shared Information Services, Inc. (OSIS) is a 501c(3) non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide IT and security-related services to improve the quality of care delivered to the underserved population.
    Our security division has professionals on staff dedicated to providing information security services to transform healthcare.
    www.OSISSecurity.com
    513-677-5600 x1223
  • 4. Presented by: Jay Trinckes, Vice President of Information Security, OSIS
    • Certified Information Systems Security Professional (CISSP)
    • Certified Information Security Manager (CISM)
    • Certified in Risk and Information Systems Control (CRISC)
    • National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM)
    • Author:
    • Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA Regional
    • Upcoming: PMI National Conference, Chicago, IL – May 2014
    • Experience: risk assessments, vuln/pen tests, information security management, former law enforcement officer.
  • 5. Overview of MPCA Webinar Series
    Series of 5 webinars to assist members with HIPAA Compliance and Meaningful Use:
    • Webinar 1: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)
    • Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)
    • Webinar 3: Meaningful Use Requirements for FQHCs
    • Webinar 4: Preliminary Assessment Tool for FQHCs
    • Webinar 5: Review of Preliminary Assessment for FQHCs
  • 6. Webinar 1: Topics
    • HIPAA/HITECH Basics 101
    • Privacy Rule
    • Security Rule
    • Enforcement Activities
    • New Omnibus Rule Changes
    • Questions/Answers
  • 7.
  • 9. Overview of HIPAA/HITECH
    • The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as a response from Congress to:
      – Increase technology in healthcare
      – Protect against potential fraud or compromise of sensitive information
      – Differing regulations within states contradicting federal regulations
      – Regional isolation – everyone doing their own thing
  • 10. HHS Responsibilities
    • The Department of Health and Human Services (HHS) was assigned responsibility and oversight over:
      – Implementation
      – Enforcement through the Office for Civil Rights (OCR)
    • Published/finalized as a result of the Administrative Simplification Provisions:
      – The Privacy Rule
      – The Electronic Transactions and Code Sets Rule
      – The National Identifier Requirements
      – The Security Rule
  • 11.
  • 12. HITECH Act
    • Part of the American Recovery and Reinvestment Act (ARRA) of 2009
    • The Health Information Technology for Economic and Clinical Health Act (the HITECH Act):
      – Revised HIPAA and amended enforcement regulations
      – Stiffer penalties
      – Provided enforcement actions for State Attorneys General
      – Increased Breach Notification Rules
  • 13. Covered Entities
    • Health Plan
    • Healthcare Clearinghouse
    • Covered Healthcare Provider
      – Healthcare – care, services, or supplies related to the health of an individual
      – Information must be transmitted in an electronic form
      – Covered Transactions
  • 14. Covered Transactions
    • Healthcare claims or equivalent encounter information;
    • Healthcare payment and remittance advice;
    • Coordination of benefits;
    • Healthcare claim status;
    • Enrollment and dis-enrollment in a health plan;
    • Eligibility for a health plan;
    • Health plan premium payments;
    • Referral certification and authorization;
    • First report of injury;
    • Health claims attachments; and
    • Other transactions that the Secretary of HHS may prescribe by regulation.
  • 15. Direct Identifiers
    Direct identifiers of the individual or of relatives, employers, or household members of the individual are defined under 45 CFR 164.514(e)(2) and include the following eighteen (18) items:
    1. Names;
    2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to '000';
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older;
    4. Telephone numbers;
    5. Fax numbers;
    6. Electronic mail addresses;
    7. Social security numbers;
    8. Medical record numbers;
    9. Health plan beneficiary numbers;
    10. Account numbers;
    11. Certificate/license numbers;
    12. Vehicle identifiers and serial numbers, including license plate numbers;
    13. Device identifiers and serial numbers;
    14. Web Universal Resource Locators (URLs);
    15. Internet Protocol (IP) address numbers;
    16. Biometric identifiers, including finger and voice prints;
    17. Full face photographic images and any comparable images;
    18. Any other unique identifying number, characteristic, or code.
    The Omnibus Rule includes Genetic Information as Protected Health Information.
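Items 2 and 3 of the list above are stated precisely enough to implement: a 3-digit ZIP prefix may be kept only where the combined area exceeds 20,000 people, dates are reduced to the year, and ages over 89 collapse into one category (which also removes the birth year for those patients). The Python below is an added example and not part of the presentation; the per-prefix population figures are constructed stand-ins for the Census data the rule cites, and the record layout is hypothetical.

```python
"""Safe Harbor style de-identification for items 2 and 3 of the direct identifier list.

Added example, not part of the MPCA/OSIS presentation. Population figures and the
sample record below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

ZIP3_POPULATION_THRESHOLD = 20_000   # rule text: "more than 20,000 people"
AGE_CAP = 89                         # ages over 89 are aggregated to "90 or older"

# Constructed stand-in for Census population per 3-digit ZIP prefix. The rule
# requires the current publicly available Census data; these numbers are made up.
ZIP3_POPULATION = {
    "482": 950_000,  # constructed: well above the threshold, prefix may be kept
    "036": 12_000,   # constructed: 20,000 or fewer, prefix must become "000"
}


def deidentify_zip(zip_code: str, population: dict[str, int]) -> str:
    """Return the 3-digit prefix if its combined area exceeds 20,000 people, else '000'.

    Accepts 5-digit and ZIP+4 forms. A prefix missing from the population table is
    treated as small, since keeping it cannot be justified from the data at hand.
    """
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = digits[:3]
    if population.get(prefix, 0) > ZIP3_POPULATION_THRESHOLD:
        return prefix
    return "000"


def age_on(birth_date: date, as_of: date) -> int:
    """Whole years from birth_date to as_of; a birthday not yet reached counts one less."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def deidentify_age(age: int) -> str:
    """Ages over 89 collapse into the single category the rule allows."""
    return "90 or older" if age > AGE_CAP else str(age)


def deidentify_date(d: date) -> str:
    """Item 3: every date element except the year is removed."""
    return str(d.year)


def deidentify_birth_date(birth_date: date, as_of: date) -> str:
    """For anyone over 89 the birth year is itself 'indicative of such age', so the
    year is dropped too and only the capped age category is released."""
    age = age_on(birth_date, as_of)
    if age > AGE_CAP:
        return deidentify_age(age)
    return deidentify_date(birth_date)


@dataclass
class PatientRecord:
    """Hypothetical record layout; only the non-identifying diagnosis survives as-is."""
    name: str
    email: str
    zip_code: str
    birth_date: date
    admission_date: date
    diagnosis: str


def deidentify_record(rec: PatientRecord, as_of: date,
                      population: dict[str, int] = ZIP3_POPULATION) -> dict[str, str]:
    """Drop direct identifiers (items 1 and 6) outright and generalize items 2 and 3."""
    return {
        "zip3": deidentify_zip(rec.zip_code, population),
        "birth_year_or_age": deidentify_birth_date(rec.birth_date, as_of),
        "admission_year": deidentify_date(rec.admission_date),
        "diagnosis": rec.diagnosis,
    }


if __name__ == "__main__":
    sample = PatientRecord(  # constructed data
        name="Jane Example", email="jane@example.org", zip_code="03601-1234",
        birth_date=date(1920, 5, 1), admission_date=date(2013, 11, 3),
        diagnosis="hypertension",
    )
    print(deidentify_record(sample, as_of=date(2014, 2, 6)))
    # {'zip3': '000', 'birth_year_or_age': '90 or older', 'admission_year': '2013', 'diagnosis': 'hypertension'}
```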
  • 17. ―I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.‖ – Hippocratic Oath, Dr. Louis Lasagna (Wikipedia 2010)
  • 18. Privacy Basics • In the most basic terms, a health center (and business associate) may NOT use or disclose protected health information except as permitted or required by the HIPAA Privacy Rule. • A health center and business associate should apply the least amount of privileges to their individual employees based upon the roles of their employees. • These restrictions should be applied through policies and procedures to restrict access to protected health information as ‗need-to-know‘ or to perform their job functions.
  • 19. Minimum Necessary • A health center and business associate must develop policies and procedures to reasonably limit to, the minimum necessary, its disclosures and requests for protected health information for payment and healthcare operations. • There are several different examples to demonstrate how the minimum necessary standards can be applied, but there may be an easier example of what not to do. – It would be a violation of the minimum necessary standard if a hospital employee is allowed routine, unimpeded access to patients‘ medical records if that employee does not need this access to do his or her job. Minimum necessary requirements do NOT apply to disclosures to or requests by a healthcare provider for treatment; uses or disclosures made to the individual; uses or disclosures made pursuant to an authorization; disclosures made to the Secretary; uses or disclosures that are required by law; and uses or disclosures that are required for compliance with the Privacy Rule.
  • 20. Administrative Requirements • • • • • • • • • Privacy Personnel Designations Privacy Training Administrative Safeguards Complaint Handling Workforce Member Sanctions Mitigation Retaliation Waiver of Rights Privacy Policies
  • 22. Security Rule Basics
    – Security is always evolving; it is an ongoing process.
    – Two primary purposes for the Security Rule:
      • Intended to protect certain electronic healthcare information
      • While allowing the proper access and use of the information
    – Goal: to promote the expanded use of electronic health information in the healthcare industry
  • 23. Important Requirements
    – Administrative
      • Security Management Process: Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review
      • Security Awareness Training
      • Security Incident Procedures
      • Contingency Planning
    – Physical: Workstation, Device, Remote Access
    – Technical: Access Control, Integrity, Transmission
  • 24. Administrative Safeguards
    – Over ½ of the HIPAA Security requirements are covered under the Administrative Safeguards
    – Administrative Safeguards are:
      • Administrative actions
      • Policies/Procedures
    – To manage security, an entity must measure the:
      • Selection of mitigating controls
      • Development of controls accordingly
      • Implementation of controls
      • Maintenance of controls
    Will discuss more in webinar 2
  • 25. Security Management
    – Must "implement policies and procedures to prevent, detect, contain, and correct security violations."
    – Conduct a Risk Assessment:
      • Risk Analysis – "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center."
      • Risk Management – "implement security measures [that are] sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."
  • 26. Evaluation
    – One of the most important requirements of the HIPAA Security Rule is reflected in 45 CFR 164.308(a)(8), which states that a health center is required to:
      • "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule [the HIPAA Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements [of the HIPAA Security Rule]."
    – Also one of the 'meaningful use' core objectives
    Will discuss more in webinar 3
  • 27. Physical Safeguards – First Layer of Defense
    – Physical Layer
      • Controls over physical access
      • Procedures and maintenance of documents/hardware
    – Two Areas:
      • Facility Access Control
      • Device/Media Controls
    – Physical security requires a total commitment to a CULTURE of security and an adherence to the principles of physical security:
      • Proper Identification
      • Proper Authorization
      • Need to Know; Minimum Use
    "60% of all theft is committed by internal staff"
    Will discuss more in webinar 2
  • 28. Technical Safeguards
    – The objective of these safeguards is to mitigate the risk of electronic protected health information being used or disclosed in an unauthorized manner.
    – CIA Triad: Confidentiality, Integrity, Availability
    Will discuss more in webinar 2
  • 29. Required vs. Addressable
    – Addressable is NOT the same as optional!
    – Addressable means the entity must:
      • Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity's environment
      • Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one
      • Document the assessments and all decisions
  • 30. Privacy Rule vs. Security Rule
    Security Rule:
    – Intended to protect certain Electronic Protected Health Information (EPHI)
    – Secure the confidentiality, integrity, and availability while allowing authorized use and disclosure:
      • Administrative
      • Physical
      • Technical
    – More detailed and comprehensive
    Privacy Rule:
    – Implement appropriate and reasonable safeguards to secure Protected Health Information (PHI):
      • Administrative
      • Physical
      • Technical
  • 32. Omnibus Rule
    – Effective: March 26, 2013
      • 180 days to comply – deadline September 23, 2013
      • Modifies the Privacy, Security, Enforcement, and Breach Notification Rules
    – Business Associates (and subcontractors of a BA) are now directly liable for compliance; minimum necessary applies
    – Limit use/disclosure for marketing/fundraising; prohibit sale of PHI
    – Individuals have the right to electronic copies of health information
    – Right to restrict disclosure for 'out-of-pocket' payments
    – Modified authorization for proof of immunization to schools
    – Enable access to decedent information (after 50 years)
  • 33. Business Associates
    – Omnibus Rule:
      • Directly liable
      • Must implement administrative, physical, and technical safeguards to protect the CIA of EPHI
      • A BA is any organization that creates, receives, maintains, or transmits PHI on the health center's behalf
    – Any agent or subcontractor of a BA is also considered a BA
      • The agent must enter into a BAA with the subcontractor to comply with the HIPAA Security Rules and applicable Privacy Rules
    Will discuss more in webinar 2
  • 34. Examples of Business Associates
    – Companies that provide certain types of functions, activities, and services to covered entities:
      • Claims Processing;
      • Data Analysis;
      • Utilization review;
      • Billing;
      • Legal Services;
      • Accounting/financial services;
      • Consulting;
      • Administrative;
      • Accreditation; or
      • Other related services
    – Omnibus Rule added:
      • Patient Safety Organizations
      • Health Information Organizations, E-Prescribing Gateways, and other data transmission services that require routine access
      • Persons that offer personal health records to one or more individuals on behalf of the health center
    Will discuss more in webinar 2
  • 35. Omnibus Rule (cont.)
    – Enforcement Rule: increased tiers for Civil Monetary Penalties (CMP); 'willful neglect'
    – Breach Notification: removes the 'harm' threshold; every security incident is presumed a breach unless a risk analysis demonstrates a low probability of compromise
    – Privacy Rules: include protection of genetic information
    – De-Identification: guidance
  • 37. HITECH: Enforcement
    Violation Category, Section 1176(a)(1) | Each Violation | All Such Violations of an Identical Provision in a Calendar Year
    (A) Did Not Know | $100 - $50,000 | $1,500,000
    (B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
    (C)(i) Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
    (C)(ii) Willful Neglect – Not Corrected | $50,000 | $1,500,000
    – [Note: State Attorneys General can also bring enforcement actions.]
    – OCR has collected over $50 million from enforcement
    – It is more cost effective to become HIPAA compliant than to risk enforcement
  • 38. Civil Monetary Penalties (CMP)
    – Cignet Health of Prince George's County, MD: $4.3 million (denied patients' rights to medical records); refused to cooperate with OCR
    – BlueCross and BlueShield of Tennessee: $1.5 million (first HITECH breach notification; spent nearly $17 million for efforts related to the loss of 57 hard drives with 1 million customer records; inadequate admin safeguards and facility access controls)
    – Massachusetts General Physicians Organization, Inc. settled for $1 million (loss of 192 patient records, some involving HIV/AIDS)
    – Health Net settled for $250,000 with the state AG for losing an unencrypted hard drive covering 1.5 million participants
    – Accretive Health, Inc. is being sued by the Minnesota AG for losing an unencrypted laptop with data on 23,500 individuals
    – TRICARE: class action lawsuit of $4.9 Billion ($1,000/record) for losing 4.9 million records of military personnel on an unencrypted tape drive being handled by third party SAIC
    – Medical records firm Impairment Resources, LLC filed for bankruptcy after a burglary involving the loss of 14,000 records (worked for over 600 clients/insurers on reviewing medical records for workers comp/auto)
  • 39. Enforcement (cont.)
    US Code Title 42 Chapter 7 – 1320d-6: Wrongful disclosure of individually identifiable health information
    – Offense: A person who knowingly and in violation of this part–
      • Uses or causes to be used a unique health identifier;
      • Obtains individually identifiable health information relating to an individual; or
      • Discloses individually identifiable health information to another person
    – A person described … shall—
      • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
      • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
      • (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
  • 40. OCR Audit
    – Transition from relaxed pilot to full-on enforcement
    – Organizations will need to be prepared for a 169-item performance audit, concentrating on:
      • HIPAA Privacy Rule
      • HIPAA Security Rule
      • Breach Notification Rule
    – Business associates will also be subject to these audits
    – Providers are advised to have an annual independent third-party HIPAA compliance report conducted on them.
  • 41. Potential Violations
    Some examples of potential violations include, but are not limited to, the following:
    – Inappropriate use or disclosure of protected health information;
    – Any fraudulent activity involving protected health information;
    – Unauthorized access of protected health information; or
    – Improper handling of protected health information.
  • 43. Security Incident
    – Security incidents are those situations where it is believed that protected health information has been used or disclosed in an unauthorized fashion:
      • Actual unauthorized access, use, or disclosure
      • Interference with system operations (Denial of Service)
    – According to a report by Solutionary, a security service provider, a DDoS attack costs companies $6,500 an hour, and mitigating/recovering from malware infections costs up to $3,000 a day.
  • 44. Breach Notification Rule
    – Breach is defined as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [45 CFR Subpart E – Privacy of Individually Identifiable Health Information] of this part which compromises the security or privacy of the protected health information [or poses a significant risk of financial, reputational, or other harm to the individual]."
    – Ponemon Survey:
      • Overall cost $188 per record (2012)
        – Healthcare $233 per record (2012)
        – Pharmaceutical $207 per record (2012)
      • Full cost of a data breach averages $5.4 million (includes account detection, notification, post-response, and loss of business)
  • 45. Breach Risk Assessment – LoProCo
    – "Breach" definition modified by the Omnibus Rule:
      • Eliminated the 'harm' threshold
      • Adopted a 4-factor test:
        1. Nature and extent of the information involved
        2. The unauthorized person who used the information or to whom the disclosure was made
        3. Whether the information was actually acquired or viewed; and
        4. The extent to which the risk to the information has been mitigated
    – Presumption of breach unless the entity demonstrates a low probability of compromise (LoProCo)
  • 46. Factor 1 – Nature/Extent
    – Nature and extent of the PHI involved, including the type of identifiers and the likelihood of re-identification
    – Information sensitivity?
      • Financial: social security numbers; credit cards (fraud potential?)
      • Clinical: chart notes, diagnosis/treatment details
      • Direct Identifiers
    – Consider context
    – Open Source Intelligence (OSINT)
  • 47. Direct Identifiers (repeat of slide 15; the same eighteen-item list under 45 CFR 164.514(e)(2) applies, and the Omnibus Rule includes Genetic Information as Protected Health Information)
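The Safe Harbor transformations implied by the identifier list on slides 15 and 47 (zip code truncation with the 20,000-person rule, dates reduced to year, ages over 89 collapsed into "90 or older", all other direct identifiers removed), as an added Python example that is not part of the webinar or its presenters' material. The field names, the restricted zip prefixes, and the sample records are constructed assumptions for illustration.

```python
"""Safe Harbor de-identification of a constructed patient record: drop direct
identifiers, keep only the three-digit zip prefix ("000" when restricted),
reduce dates to year, and collapse ages over 89 into "90+"."""
from datetime import date

# Constructed placeholders: three-digit zip prefixes whose combined area holds
# 20,000 or fewer people must become "000". The real set comes from current
# Census data and must be refreshed; these values are not authoritative.
RESTRICTED_ZIP3 = {"036", "059", "063"}

# Assumed field names for this example: identifiers Safe Harbor removes outright
# (names, contact details, record/account/device numbers, URLs, IPs, biometrics,
# photos, and geography finer than the three-digit zip prefix).
REMOVE_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}

AS_OF = date(2014, 2, 6)  # reference date for age computation (the webinar date)

def safe_harbor_zip(zip_code):
    """Keep only the initial three digits, or '000' when the prefix is restricted."""
    prefix = str(zip_code).strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_age(age):
    """Ages over 89 are aggregated into the single category '90+'."""
    return "90+" if age > 89 else age

def age_on(birth, as_of):
    """Whole years from birth to as_of, counting the birthday once reached."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def deidentify(record, as_of=AS_OF):
    """Return a new dict holding only data Safe Harbor permits. Item 18 (any other
    unique code) cannot be decided mechanically: fields not in REMOVE_FIELDS pass
    through and still need human review."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[key] = value.year  # year is allowed; month and day are not
        else:
            out[key] = value
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        out["age"] = safe_harbor_age(age)
        if age > 89:
            # Any date element, year included, that reveals an age over 89 must go.
            out.pop("birth_date", None)
    return out

# Constructed sample records (not real patients).
SAMPLE_RECORDS = {
    "elderly": {"name": "Sample Patient A", "ssn": "000-00-0000", "zip": "48823",
                "birth_date": date(1920, 1, 15), "admission_date": date(2013, 11, 2),
                "diagnosis": "hypertension"},
    "rural": {"name": "Sample Patient B", "email": "b@example.invalid", "zip": "03601",
              "birth_date": date(1980, 6, 1), "discharge_date": date(2014, 1, 9),
              "diagnosis": "fracture"},
}

def deidentify_sample(name):
    """De-identify one of the constructed sample records."""
    return deidentify(SAMPLE_RECORDS[name])

if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, deidentify_sample(name))
```

Safe Harbor is only one of the two de-identification paths the slides mention; a record that passes this function still needs the item 18 review and, for re-identification risk, the context check called for under Factor 1.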
  • 48. Factor 2 – Unauthorized Person
    – The unauthorized person who used the PHI or to whom the disclosure was made
      • Was the person obligated to adhere to HIPAA Regulations?
      • Can the information be linked to other information to make re-identification likely?
  • 49. Factor 3 – Acquired/Viewed
    – Was the PHI actually acquired or viewed?
    – HHS provided two examples:
      • Low probability of compromise – stolen laptop recovered; forensic analysis determined no one accessed the hard drive; indicates no breach
      • High probability of compromise – unauthorized recipient received PHI in error, viewed the PHI, and reported it to the center
  • 50. Factor 4 – Mitigate Risk
    – The extent to which the risk to the PHI has been mitigated
    – Make efforts to mitigate risks:
      • Confidentiality agreements
      • Assurances for destruction of PHI
    – Reliability of the mitigation agreement: consider whether the recipient is inside the health network or outside of it
  • 51. Breach Notification
    – Notify the relevant parties involved 'without unreasonable delay', or
    – Within 60 days from the "date of discovery"
    – Describe in "plain language"
    – May delegate to the business associate; consider who is best situated to contact the individuals
  • 52. Individual Notification
    – Brief description, including date of breach
    – Types of information
    – Steps to take to protect against potential harm
    – Mitigating steps taken by the entity
    – Contact information for individuals to learn more
  • 53. Media/HHS Notification
    – Fewer than 500 individuals: keep a log and report within 60 days after the calendar year on the HHS website
    – Over 500 individuals: immediately report the breach to the HHS Secretary
    – Over 500 residents of a State or jurisdiction: notify a prominent media outlet serving that State or jurisdiction
  • 54. Notification Exceptions
    – Unintentional access by a workforce member, in good faith and within the scope of employment
    – Inadvertent disclosure between two members of the health center's workforce
    – Disclosure to an unauthorized person deemed unable to have retained the information
    – Remember:
      • Impermissible use or disclosure of unsecured PHI is presumed a breach
      • The presumption may be overcome by the 4-factor test (LoProCo)
      • The health center could always opt to report in the absence of a formal breach risk assessment
  • 55. Safe Harbor
    – If data is properly encrypted, it is considered secure and falls under 'safe harbor'
    – Must follow HHS's specification on encryption standards: not all encryption is the same.
  • 57. Notice of Privacy Practices
    – NPP should contain:
      • Uses/Disclosures of PHI
      • PHI-related legal duties
      • Individual Rights
    – Change: include required authorization for the following PHI uses:
      • Uses/disclosures of psychotherapy notes
      • Uses/disclosures of PHI for marketing purposes
      • Disclosures that constitute sale of PHI
    – The individual's authorization is required for any use/disclosure not discussed in the NPP
  • 58. Fundraising and Opt-Out Clause
    – NPP must contain an opt-out clause
    – If so, the health center may contact the individual to raise funds and disclose:
      • Demographic information
      • Dates of health care
      • Department of service information
      • Treating physician
      • Outcome information
      • Health insurance status
  • 59. Individual Notification in Event of Improper PHI Disclosure
    – NPP must include:
      • The individual's right to receive notification in the event of a privacy breach
      • The health center's requirement to communicate breach news to the individual
  • 60. NPP Modification Implementation
    – NPP should be available upon request by the individual
    – NPP should be available at the site and posted in a clear/prominent location
    – Provide the revised NPP to new patients; make copies for individuals upon request
    – Post on website (45 CFR 164.520(c)(3)(i))
  • 61. "Out of Pocket" Restrictions
    – Individuals may restrict PHI disclosure for items/services paid 'out-of-pocket'
    – NPP must contain this new right
    – A new record keeping system is not required
      • Must develop a method to 'red flag' or 'make a notation in the record' to prevent disclosure
    – If law requires disclosure, must disclose
    – Medicare/Medicaid:
      • If required by law without exception, submit the claim
      • If the Medicare beneficiary pays 'out of pocket', must restrict
    – Other considerations
  • 62. Electronic PHI
    – Individuals have the right to electronic copies of their PHI upon request
      • Provide in the form/format requested if possible
      • Or, provide in an agreeable form
      • Machine-readable copies when possible
      • Requests to send PHI to a 3rd party must be:
        – Written
        – Signed
        – Clearly designate the recipient
        – Include the destination location
    – Provide access within 30 days (can be granted another 30-day extension)
  • 64. Meaningful Use
    – The Centers for Medicare and Medicaid Services provide incentives (i.e. $) for the use of Electronic Health Record (EHR) Technologies
    – As of July 2013, an estimated $9.5 billion has been paid out to over 250,000 physicians and hospitals.
    – Stage 1: 15 core objectives to meet
      • Core 15 determines if a security risk analysis was conducted or reviewed as required under 45 CFR 164.308(a)(1)
      • In addition, security updates must be implemented
    – Stage 2:
      • Ensure adequate privacy and security protection for personal health information (same as Core 15 above); ALSO addresses the encryption/security of data stored within the EHR software
      • Use secure electronic messaging to communicate with patients on relevant health information
  • 67. Impediments to Compliance
    – Awareness
    – Technology moving faster than policies/procedures/regulations
    – No one taking responsibility for compliance
    – Systemic issues: management doesn't believe it is important
    – Lack of resources
  • 68. Recommendations
    – Make Information Security a priority in the organization: every company needs a CISO
    – Understand the weakest link: PEOPLE
    – Security is an ongoing process
    – Resources
  • 69. Summary
    – Assume an Audit will happen
    – Prepare for the Audit
    – Take Ownership
    – Conduct a Risk Assessment
    – Update Policies/Procedures
    – Revise BAAs
    – Modify the Notice of Privacy Practices
    – Train and Educate
    – Evaluate
    – Document, Document, Document
  • 70. Service Offerings
    – HIPAA Compliance Program
    – HIPAA/HITECH Information Systems Security Risk Assessment
    – Administrative Safeguards
    – Physical Safeguards
    – Technical Safeguards
    – Internal/External Vulnerability/Penetration Test
    – Organizational Requirements
    – Policies, Procedures, & Documentation Requirements
    – Policies/Procedures
    – Security Awareness Training
    – Mitigation Management
    – Vendor Due Diligence
    – Security Incident Response Handling
    – Business Continuity/Disaster Recovery Planning
    – Subject Matter Expertise
  • 72. in partnership with
    Thursday, February 20, 2014, 2pm – 3pm EST
    MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
    Webinar 2: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2)

Editor's Notes

  1. Source: http://www.healthcareitnews.com/news/ocr-director-talks-hippa-survival?single-page=true
  2. Source: http://www.healthcareitnews.com/news/ocr-director-talks-hippa-survival?single-page=true
  3. Source: http://www.healthcareitnews.com/news/ocr-director-talks-hippa-survival?single-page=true
  4. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
  5. Source: http://www.healthcareitnews.com/news/ocr-director-talks-hippa-survival?single-page=true
  6. Source: http://www.ponemon.org/news-2/23 and http://www.propertycasulaty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca?t=commercial&page=2
  7. Source: http://www.healthcarefinancenews.com/news/cms-pays-providers-123b-ehr-incentives-feb
  8. Source: http://ihealthtran.com/wordpress/wp-content/uploads/2013/03/Inforgraphic-traditional-paper-records-vs-Electronic-medical-records-EMR-Infographic-friday1.jpg
  9. Source: http://www.symantec.com/about/news/release/article.jsp?prid=20120320_02