eHealth Privacy and Security: Plain Talk in Complex Times
By: Ira J. Rothman, MBA, CPHIMS, CIPP
Senior Vice President – Privacy Official
September 23, 2011
Agenda
- eHealth Privacy in the News
- eHealth Privacy Concerns
- HIPAA – the Legal Basis for eHealth Privacy
- eHealth Security Concerns
- Privacy Actions You Should Take
- Security Actions You Should Take
- Questions
eHealth Privacy in the News
- Privacy issues are getting major attention from Congress and the media
- New York Times front page, Friday, Sept 9, 2011: "Medical Data of Thousands Posted Online; Billing Vendor Handled Leaked Records"
- "Everyone with an electronic medical record is at risk, and that means everyone."
eHealth Privacy in the News
- HHS recently sent a breach report to Congress
- The Department of Health and Human Services (HHS) reported to Congress that 5.4 million individuals were affected by breaches of protected health information (PHI) in 2010
  - 207 breaches involved over 500 individuals per breach; 5.4 million individuals notified
  - 25,000 breaches involved fewer than 500 individuals per breach; 50,000 individuals notified
- Five general causes of large breaches in the report:
  - Theft
  - Loss of electronic media or paper records containing PHI
  - Unauthorized access to, use, or disclosure of PHI
  - Human error
  - Improper disposal
- The majority of small breaches involved misdirected communications and affected just one individual each on average.
eHealth Privacy Concerns
- What is privacy? The right to keep something confidential until the owner chooses to reveal it. E.g., sending an envelope with the contents not revealed: the information inside remains private until the addressee opens the envelope.
- What is Protected Health Information (PHI)? Who defines it? Who can look at it?
- Common concerns:
  - Medical staff and others looking at PHI they have no need or right to review
  - Employers and others (e.g., government, police) reviewing PHI to make decisions
  - Outsiders gaining access to private emails
HIPAA – the Legal Basis for eHealth Privacy
- HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA sets federal requirements for handling Protected Health Information (PHI). It gives individuals privacy rights and imposes requirements on health-related companies, including providers, insurers, and government agencies, on how to handle PHI.
- The HIPAA rules were modified by the American Recovery and Reinvestment Act (ARRA), effective February 18, 2009:
  - Includes the Health Information Technology for Economic and Clinical Health (HITECH) Act
  - Extends privacy and security coverage to business associates
  - Establishes breach notification requirements
  - Maximum penalty amount of $1.5 million
The HIPAA Privacy Rule and PHI
- The HIPAA Privacy Rule states that health care organizations must protect the privacy of individuals' medical records and other personal health information. Individuals' data must be protected from intentional or unintentional use or disclosure, except for legitimate medical or business reasons.
- Protected Health Information (PHI) is information that can be used to identify an individual or that relates to that individual's:
  - Past, present or future physical or mental condition
  - Health care provided to that individual
  - Payment for health care
- PHI includes all individually identifiable health information. This includes:
  - Name, address, phone numbers, date of birth
  - Social Security Number
  - Payment for health care
  - Insurance coverage or enrollment/disenrollment
  - Medical, dental, or prescription drug records
  - Health plan beneficiary number
  - Participation status in a government program
  - Hospital admittance and discharge dates
State Privacy and Security Regulations
- 45 states have laws governing privacy and security
- Most deal with electronic transmission of data on the internet or breaches of personal information
- Personal information can include name, social security number, credit card number, birth date and other identifying information
- Penalties often include civil fines
eHealth Security Concerns
- What is security? Security is the degree of protection against danger, damage and loss. E.g., sending an envelope with the contents protected from prying eyes: security is the ability to keep the envelope from being opened or seen into until it arrives at the addressee and they decide to open it.
- What are common eHealth security concerns?
  - Personal information, including health and financial information, being available on the internet for anyone to see
  - Employers, contractors, vendors or others with personal information databases may inadvertently expose the data to search engines, e.g., Google, violating privacy
  - Information sent over the internet may be intercepted
  - Information on hard drives or other portable storage devices containing PHI being lost or stolen; someone can then sell this information or use it for identity theft
  - PHI in electronic records being looked at by people who have no need or right to see it
Privacy Actions You Should Take
- Create strong privacy and security policies and procedures
- Enforce policies with sanctions
  - Required by HIPAA
  - Have a sanctions policy defining penalties for serious violations, e.g., removing PHI from the facility against policy, unauthorized access
- Define who can look at PHI
  - Only those with a need to know
- Define security policies and procedures to support the privacy policy
  - Control and log access
  - Privacy and security need to work together
- Educate staff concerning privacy and security
  - HIPAA requires training appropriate to employee job responsibilities
  - Deliver an annual refresher
  - Value staff who recognize privacy risks and correct or report them
Privacy Actions You Should Take
- Make sure subcontractors are following HIPAA privacy regulations
  - Many subcontractors (also called business associates) that handle PHI may not have adequate privacy and security policies and procedures in place
  - A legal agreement (business associate agreement) defining their responsibilities is required by HIPAA
  - Conduct audits to verify compliance
  - A frequent cause of breaches is subcontractor lack of attention to privacy and security
- Don't forget to shred paper
  - A cross-cut shredder is best for shredding documents containing PHI
- Perform a risk assessment
  - Survey the environment with an open mind to identify risks
  - Develop and implement a strategy to mitigate risks
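The "define who can look at PHI", "control and log access" and "conduct audits to verify compliance" points on the two Privacy Actions slides above, as an added Python example that is not part of the deck: a need-to-know gateway that releases only the fields a role is permitted, logs every request (including refusals), and summarises denied requests for the sanctions review. The roles, field names and sample record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> PHI-field policy (assumption for this example). Each
# role sees only the fields its job needs; anything else is denied and logged.
NEED_TO_KNOW = {
    "physician": {"name", "dob", "diagnosis", "medications", "admit_discharge"},
    "nurse": {"name", "dob", "medications", "admit_discharge"},
    "billing": {"name", "dob", "insurance_id", "payment", "admit_discharge"},
    "it_support": set(),  # keeps systems running; never needs record contents
}

# Constructed sample record; not real PHI.
SAMPLE_RECORDS = {
    "P001": {
        "name": "A. Sample",
        "dob": "1970-01-01",
        "diagnosis": "example-diagnosis",
        "medications": ["example-drug"],
        "insurance_id": "INS-0001",
        "payment": "paid",
        "admit_discharge": ("2011-09-01", "2011-09-03"),
    },
}


@dataclass(frozen=True)
class AccessEvent:
    """One logged decision: what was asked for and what was released."""
    when: str
    user: str
    role: str
    patient_id: str
    requested: frozenset
    granted: frozenset
    denied: frozenset


@dataclass
class PhiGateway:
    """Releases only the permitted fields and records every decision."""
    records: dict
    log: list = field(default_factory=list)

    def read(self, user, role, patient_id, fields_wanted):
        wanted = frozenset(fields_wanted)
        allowed = NEED_TO_KNOW.get(role, set())  # unknown role -> nothing
        granted = frozenset(wanted & allowed)
        denied = frozenset(wanted - allowed)
        # Logged even when nothing is granted: refusals are the audit signal.
        self.log.append(AccessEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            requested=wanted, granted=granted, denied=denied,
        ))
        record = self.records.get(patient_id, {})
        return {f: record[f] for f in granted if f in record}


def audit_denied(log):
    """Summarise denied field requests per user for the sanctions review."""
    summary = {}
    for ev in log:
        if ev.denied:
            entry = summary.setdefault(ev.user, {"attempts": 0, "fields": set()})
            entry["attempts"] += 1
            entry["fields"].update(ev.denied)
    return summary


def demo():
    """Three constructed requests; returns the views and the audit summary."""
    gw = PhiGateway(records=SAMPLE_RECORDS)
    nurse_view = gw.read("nurse01", "nurse", "P001", ["name", "medications", "diagnosis"])
    billing_view = gw.read("bill07", "billing", "P001", ["payment", "diagnosis"])
    it_view = gw.read("it02", "it_support", "P001", ["name", "diagnosis"])
    return {
        "nurse": nurse_view,
        "billing": billing_view,
        "it_support": it_view,
        "events_logged": len(gw.log),
        "audit": audit_denied(gw.log),
    }


if __name__ == "__main__":
    for user, info in demo()["audit"].items():
        print(f"{user}: {info['attempts']} denied request(s) for {sorted(info['fields'])}")
```

The gateway denies rather than errors, so a role that over-asks still gets its permitted fields; the audit summary is where the over-asking shows up.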
Security Actions You Should Take
- Focus on reducing corporate and personal risks
- Use strong passwords
  - 8 characters consisting of upper and lower case letters, numbers and special characters
  - Don't use easily guessed words
- Put a password on your smartphone or tablet
  - Have the password lock engage automatically after a short period of time, e.g., 10 minutes
- Don't use Wi-Fi in a public place to access a website containing personal information
  - Be especially wary of web sites that don't use https as part of the web address
  - Wi-Fi can be intercepted
- Don't use email, text messages or Twitter to send personal information
  - Use encryption for email when it is available
Security Actions You Should Take
- Don't post personal information on web sites that may be subject to breach, e.g., Facebook
  - Privacy policies change frequently with no notice
  - Private information may be made public
- Use antivirus software
  - Detects and removes malicious software
  - Keep up to date with subscriptions so it can detect and protect against new threats
- Use encryption
  - Makes data unreadable to unauthorized viewers
  - Encrypt data on hard drives and other removable memory, e.g., USB sticks
  - Commercial software is available to encrypt entire hard drives; make sure it meets the FIPS 140-2 standard (i.e., the standard set by a Federal agency)
  - A common cause of data breaches is lack of appropriate encryption
Security Actions You Should Take
- Educate staff and family
- Malware or malicious software includes: Trojans, viruses, hoaxes, phishing, worms, hackers
- Don't open unsolicited attachments; malware may be hidden in the attachment
- Users should lock screens when not at their desk; set a screen saver password
- Don't click on popup ads while surfing the web; they are another opportunity for malware to be installed
- Report strange activity to network administration; it could reflect malware installed on the computer
Questions?
Contact information
Ira J. Rothman
Senior Vice President – Privacy Official
MAXIMUS, Inc.
Email: IraRothman@maximus.com
Phone: 916-673-4152

Contenu connexe

Plus de Plain Talk 2015

Kel Smith - Pixels, Plows & Partnerships: Designing for Food Deserts
Kel Smith - Pixels, Plows & Partnerships: Designing for Food DesertsKel Smith - Pixels, Plows & Partnerships: Designing for Food Deserts
Kel Smith - Pixels, Plows & Partnerships: Designing for Food DesertsPlain Talk 2015
 
Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...
Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...
Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...Plain Talk 2015
 
Nancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say It
Nancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say ItNancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say It
Nancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say ItPlain Talk 2015
 
Lynn Quincy - Health Insurance Literacy
Lynn Quincy - Health Insurance LiteracyLynn Quincy - Health Insurance Literacy
Lynn Quincy - Health Insurance LiteracyPlain Talk 2015
 
Kye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge Divides
Kye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge DividesKye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge Divides
Kye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge DividesPlain Talk 2015
 
Kelly Pick - Teach Back: Make Sure They Understand
Kelly Pick - Teach Back: Make Sure They UnderstandKelly Pick - Teach Back: Make Sure They Understand
Kelly Pick - Teach Back: Make Sure They UnderstandPlain Talk 2015
 
Josiah Fisk - What Were They Expecting?
Josiah Fisk - What Were They Expecting?Josiah Fisk - What Were They Expecting?
Josiah Fisk - What Were They Expecting?Plain Talk 2015
 
Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...
Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...
Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...Plain Talk 2015
 
Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...
Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...
Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...Plain Talk 2015
 
Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...
Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...
Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...Plain Talk 2015
 
Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...
Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...
Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...Plain Talk 2015
 
Cindy Brach - Becoming a Health Literate Organization
Cindy Brach - Becoming a Health Literate OrganizationCindy Brach - Becoming a Health Literate Organization
Cindy Brach - Becoming a Health Literate OrganizationPlain Talk 2015
 
Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...
Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...
Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...Plain Talk 2015
 
Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...
Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...
Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...Plain Talk 2015
 
Amy Lynn Smith - Giving High-Tech Communications High-Touch Impact
Amy Lynn Smith - Giving High-Tech Communications High-Touch ImpactAmy Lynn Smith - Giving High-Tech Communications High-Touch Impact
Amy Lynn Smith - Giving High-Tech Communications High-Touch ImpactPlain Talk 2015
 
Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...
Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...
Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...Plain Talk 2015
 
Susan Weinschenk - How to get people to do stuff
Susan Weinschenk - How to get people to do stuffSusan Weinschenk - How to get people to do stuff
Susan Weinschenk - How to get people to do stuffPlain Talk 2015
 
Daniel Patrick Forrester - Reflection in an age of immediacy
Daniel Patrick Forrester - Reflection in an age of immediacyDaniel Patrick Forrester - Reflection in an age of immediacy
Daniel Patrick Forrester - Reflection in an age of immediacyPlain Talk 2015
 
William O. Donnelly - Show, don't tell. How children and adolescents communic...
William O. Donnelly - Show, don't tell. How children and adolescents communic...William O. Donnelly - Show, don't tell. How children and adolescents communic...
William O. Donnelly - Show, don't tell. How children and adolescents communic...Plain Talk 2015
 
Sue Stableford - What happens when policy hits the ground? The diffusion of i...
Sue Stableford - What happens when policy hits the ground? The diffusion of i...Sue Stableford - What happens when policy hits the ground? The diffusion of i...
Sue Stableford - What happens when policy hits the ground? The diffusion of i...Plain Talk 2015
 

Plus de Plain Talk 2015 (20)

Kel Smith - Pixels, Plows & Partnerships: Designing for Food Deserts
Kel Smith - Pixels, Plows & Partnerships: Designing for Food DesertsKel Smith - Pixels, Plows & Partnerships: Designing for Food Deserts
Kel Smith - Pixels, Plows & Partnerships: Designing for Food Deserts
 
Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...
Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...
Sandy Williams Hilfiker - Involving People with Limited Literacy Skills in Co...
 
Nancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say It
Nancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say ItNancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say It
Nancy Vera - Nonverbal Communication: It's Not What You Say, It's How You Say It
 
Lynn Quincy - Health Insurance Literacy
Lynn Quincy - Health Insurance LiteracyLynn Quincy - Health Insurance Literacy
Lynn Quincy - Health Insurance Literacy
 
Kye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge Divides
Kye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge DividesKye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge Divides
Kye Tiernan - Multi-Channel Marketing: Crossing Media to Bridge Divides
 
Kelly Pick - Teach Back: Make Sure They Understand
Kelly Pick - Teach Back: Make Sure They UnderstandKelly Pick - Teach Back: Make Sure They Understand
Kelly Pick - Teach Back: Make Sure They Understand
 
Josiah Fisk - What Were They Expecting?
Josiah Fisk - What Were They Expecting?Josiah Fisk - What Were They Expecting?
Josiah Fisk - What Were They Expecting?
 
Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...
Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...
Jon Rubin & Katherine Spivey - User-Useful Government Websites: Intersection ...
 
Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...
Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...
Hector Ortiz - Creating Health Equity by Implementing Culturally and Linguist...
 
Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...
Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...
Florencia Nochetto - 25,000 Words and More: Applying the President's Digital ...
 
Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...
Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...
Claire Foley & Tracy Torchetti - Editing Health Information for a Limited Eng...
 
Cindy Brach - Becoming a Health Literate Organization
Cindy Brach - Becoming a Health Literate OrganizationCindy Brach - Becoming a Health Literate Organization
Cindy Brach - Becoming a Health Literate Organization
 
Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...
Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...
Chris Trudeau - The Patient, the Provider, and the Form? Re-Imagining Informe...
 
Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...
Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...
Anthony Roberts Jr. & Meico Whitlock - Using Twitter Town Halls as a Tool to ...
 
Amy Lynn Smith - Giving High-Tech Communications High-Touch Impact
Amy Lynn Smith - Giving High-Tech Communications High-Touch ImpactAmy Lynn Smith - Giving High-Tech Communications High-Touch Impact
Amy Lynn Smith - Giving High-Tech Communications High-Touch Impact
 
Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...
Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...
Adam Moorman & Stacy Robison - Design for Non-Designers: What Every Health Pr...
 
Susan Weinschenk - How to get people to do stuff
Susan Weinschenk - How to get people to do stuffSusan Weinschenk - How to get people to do stuff
Susan Weinschenk - How to get people to do stuff
 
Daniel Patrick Forrester - Reflection in an age of immediacy
Daniel Patrick Forrester - Reflection in an age of immediacyDaniel Patrick Forrester - Reflection in an age of immediacy
Daniel Patrick Forrester - Reflection in an age of immediacy
 
William O. Donnelly - Show, don't tell. How children and adolescents communic...
William O. Donnelly - Show, don't tell. How children and adolescents communic...William O. Donnelly - Show, don't tell. How children and adolescents communic...
William O. Donnelly - Show, don't tell. How children and adolescents communic...
 
Sue Stableford - What happens when policy hits the ground? The diffusion of i...
Sue Stableford - What happens when policy hits the ground? The diffusion of i...Sue Stableford - What happens when policy hits the ground? The diffusion of i...
Sue Stableford - What happens when policy hits the ground? The diffusion of i...
 

Dernier

Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxcallscotland1987
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsKarakKing
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 

Dernier (20)

Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 

Ira Rothman - eHealth Privacy and Security

  • 1. eHealth Privacy and SecurityPlain Talk in Complex Times By: Ira J. Rothman, MBA, CPHIMS, CIPP Senior Vice President – Privacy Official September 23, 2011
  • 2. Agenda eHealth Privacy in the News eHealth Privacy Concerns HIPAA – the Legal Basis for eHealth Privacy eHealth Security Concerns Privacy Actions You Should Take Security Actions You Should Take Questions Sept 23, 2011 2
  • 3. eHealth Privacy in the News Privacy issues getting major attention by Congress and the media New York Times front page Friday, Sept 9, 2011 Medical Data of Thousands Posted Online Billing Vendor Handled Leaked Records “Everyone with an electronic medical record is at risk, and that means everyone.” Sept 23, 2011 3
  • 4. eHealth Privacy in the News HHS Recently Sent Breach Report to Congress Department of Health and Human Services (HHS) reported to Congress that 5.4 million individuals were affected by breaches of protected health information (PHI) in 2010 207 breaches involved over 500 individuals per breach 5.4 million individuals notified 25,000 breaches involved less than 500 individuals per breach 50,000 individuals notified Five general causes in the report of large breaches Theft Loss of electronic media or paper records containing PHI Unauthorized access to, use, or disclosure of PHI Human error Improper disposal Majority of small breaches involved misdirected communications and affected just one individual each on average. Sept 23, 2011 4
  • 5. eHealth Privacy Concerns What is privacy? The right to keep something confidential until the owner chooses to reveal it. E.g., sending an envelope with the contents not revealed. The information inside remains private until the addressee opens the envelope. What is Protected Health Information (PHI)? Who defines it? Who can look at it? Common concerns Medical staff and others looking at PHI they have no need or right to review Employers and others (e.g., government, police) reviewing PHI to make decisions Outsiders gaining access to private emails Sept 23, 2011 5
  • 6. HIPAA – the Legal Basis for eHealth Privacy HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA sets federal requirements for handling Protected Health Information (PHI). It gives individuals privacy rights and imposes requirements on health-related companies including providers, insurers, and government agencies on how to handle PHI. The HIPAA rules were modified by the American Recovery and Reinvestment Act (ARRA) effective February 18, 2009. Includes the Health Information Technology for Economic and Clinical Health (HITECH) Act Extends privacy and security coverage to business associates Establishes breach notification requirements Maximum penalty amount of $1.5 million Sept 23, 2011 6
  • 7. The HIPAA Privacy Rule and PHI The HIPAA Privacy Rule states that health care organizations must protect the privacy of individual's medical records and other personal health information. Individual's data must be protected from intentional or unintentional use or disclosure, except for legitimate medical or business reasons. Protected Health Information (PHI) is information that can be used to identify an individual or that relates to that individual's: Past, present or future physical or mental condition Health care provided to that individual Payment for health care PHI includes all individually identifiable health information. This includes: Name, address, phone numbers, date of birth Social Security Number Payment for health care Insurance coverage or enrollment/disenrollment Medical, dental, or prescription drug records Health plan beneficiary number Participation status in a government program Hospital admittance and discharge dates Sept 23, 2011 7
• 8. State Privacy and Security Regulations
  - 45 states have laws governing privacy and security
  - Most deal with electronic transmission of data on the internet or breaches of personal information
  - Personal information can include name, social security number, credit card number, birth date and other identifying information
  - Penalties often include civil fines
• 9. eHealth Security Concerns
  - What is security? Security is the degree of protection against danger, damage and loss. E.g., sending an envelope with the contents protected from prying eyes. Security is the ability to keep the envelope from being opened or seen into until it arrives at the addressee and they decide to open it.
  - What are common eHealth security concerns?
    - Personal information, including health and financial information, being available on the internet for anyone to see
    - Employers, contractors, vendors or others with personal information databases may inadvertently expose the data to search engines, e.g., Google, violating privacy.
    - Information sent over the internet may be intercepted.
    - Information on hard drives or other portable storage devices containing PHI being lost or stolen. Someone can then sell this information or use it for identity theft.
    - PHI in electronic records being looked at by people who have no need or right to look at it
• 10. Privacy Actions You Should Take
  - Create strong privacy and security policies and procedures
  - Enforce policies with sanctions
    - Required by HIPAA
    - Have a sanctions policy defining penalties for serious violations, e.g., removing PHI from the facility against policy, unauthorized access.
  - Define who can look at PHI
    - Only those with a need to know
  - Define security policies and procedures to support the privacy policy
    - Control and log access
    - Privacy and security need to work together
  - Educate staff concerning privacy and security
    - HIPAA requires training appropriate to employee job responsibilities
    - Deliver annual refresher
    - Value staff who recognize privacy risks and correct or report them
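The "control and log access" and "only those with a need to know" points above are where a privacy officer's audit logic lives. The following is an added example, not part of the presentation: it runs a need-to-know check over a constructed PHI access log (all staff ids, patient ids, log lines and the `CARE_TEAM` roster are constructed for illustration) and also flags anyone who opens many different patient records in a short window, a pattern worth review even when the viewer has access.

```python
# Added example (not from the presentation): need-to-know audit over a
# constructed PHI access log. All ids and log lines are constructed.
from collections import namedtuple
from datetime import datetime, timedelta

Access = namedtuple("Access", "when user patient action")

# Constructed care-team roster: patient id -> staff ids with a need to know.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel"},
    "P1002": {"dr_lee", "rn_gomez"},
}

# Constructed audit log, one event per line: timestamp|user|patient|action
ACCESS_LOG = """\
2011-09-20T09:01:12|dr_lee|P1001|VIEW_CHART
2011-09-20T09:03:45|rn_patel|P1001|VIEW_MEDS
2011-09-20T12:15:02|billing_kim|P1001|VIEW_CHART
2011-09-20T12:15:40|billing_kim|P1002|VIEW_CHART
2011-09-20T12:16:05|billing_kim|P1003|VIEW_CHART
2011-09-21T08:30:00|rn_gomez|P1002|VIEW_CHART
"""

def parse_log(text):
    """Parse pipe-delimited audit lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        events.append(Access(datetime.fromisoformat(parts[0]), *parts[1:]))
    return events

def flag_no_need_to_know(events, care_team=CARE_TEAM):
    """Events whose user is not on the patient's care team; an unknown patient
    has no documented relationship, so those views are flagged too."""
    return [e for e in events if e.user not in care_team.get(e.patient, set())]

def flag_bulk_viewers(events, window=timedelta(minutes=5), threshold=3):
    """Users who opened at least `threshold` distinct patients within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            seen = {e.patient for e in evs[i:] if e.when - start.when <= window}
            if len(seen) >= threshold:
                flagged.add(user)
                break
    return flagged
```

In a real deployment the roster would come from the scheduling or admission system and the log from the EHR's audit trail; the two checks are the sanctionable-access and the bulk-browsing cases the slide's sanctions policy needs evidence for.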
• 11. Privacy Actions You Should Take
  - Make sure subcontractors are following HIPAA privacy regulations
    - Many subcontractors (also called business associates) that handle PHI may not have adequate privacy and security policies and procedures in place
    - A legal agreement (business associate agreement) defining their responsibilities is required by HIPAA
    - Conduct audits to verify compliance
    - A frequent cause of breaches is subcontractor lack of attention to privacy and security
  - Don't forget to shred paper
    - A cross-cut shredder is best for shredding documents containing PHI
  - Perform a risk assessment
    - Survey the environment with an open mind to identify risks
    - Develop and implement a strategy to mitigate risks
• 12. Security Actions You Should Take
  - Focus on reducing corporate and personal risks
  - Use strong passwords
    - 8 characters consisting of upper and lower case letters, numbers and special characters
    - Don't use easily guessed words
  - Put a password on your smartphone or tablet
    - Have the password lock engage automatically after a short period of time, e.g., 10 minutes
  - Don't use wifi in a public place to access a website containing personal information
    - Be particularly aware of web sites that don't use https as part of the web address
    - Wifi can be intercepted
  - Don't use email, text messages or Twitter to send personal information
    - For email, only send it with encryption, if available.
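The password rule on this slide is concrete enough to enforce in code. Below is an added example, not from the presentation: a checker for exactly that rule (8 or more characters, upper and lower case letters, digits, special characters, no easily guessed words). The `GUESSABLE` list is a constructed stand-in for a real dictionary, and `LEET` and `password_problems` are names chosen here.

```python
# Added example (not from the presentation): checker for the slide 12 password
# rule. GUESSABLE is a constructed stand-in for a real dictionary of words.
import string

GUESSABLE = {"password", "welcome", "letmein", "qwerty", "health", "hipaa"}

# Common digit/symbol substitutions, undone before the dictionary check so
# that "P@ssw0rd1" is still recognised as containing "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i"})

def password_problems(pw):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # Undo substitutions, keep only letters, then look for a guessable word
    # anywhere inside what is left (so "Hipaa2011!" is still rejected).
    core = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    if any(word in core for word in GUESSABLE):
        problems.append("contains an easily guessed word")
    return problems

def is_strong(pw):
    """True only when every rule on the slide is satisfied."""
    return not password_problems(pw)
```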
• 13. Security Actions You Should Take
  - Don't post personal information on web sites that may be subject to breach, e.g., Facebook.
    - Privacy policies change frequently with no notice
    - Private information may be made public
  - Use antivirus software
    - Detects and removes malicious software
    - Keep up to date with subscriptions
    - Can detect and protect against new threats
  - Use encryption
    - Makes data unreadable to unauthorized viewers.
    - Encrypt data on hard drives and other removable memory, e.g., USB sticks.
    - Commercial software is available to encrypt entire hard drives. Make sure it meets the FIPS 140-2 standard (i.e., the standard set by a Federal agency).
    - A common cause of data breach is lack of appropriate encryption.
• 14. Security Actions You Should Take
  - Educate staff and family
  - Malware or malicious software includes:
    - Trojans
    - Viruses
    - Hoaxes
    - Phishing
    - Worms
    - Hackers
  - Don't open unsolicited attachments. Malware may be hidden in the attachment.
  - Users should lock their screens when not at their desk. Set a screen saver password.
  - Don't click on popup ads while surfing the web. They are another opportunity for malware to be installed.
  - Report strange activity to network administration. It could reflect malware installed on the computer.
• 15. Questions?
  - Contact information: Ira J. Rothman, Senior Vice President – Privacy Official, MAXIMUS, Inc.
  - Email: IraRothman@maximus.com
  - Phone: 916-673-4152