
HIPAA and Information Security

* The content of this presentation is for informational purposes only and not intended to be legal advice. Specific questions regarding compliance should be referred to your Board’s legal counsel.

Mental Health and Recovery Services Board of Stark County / Heartland East ASC

Overview

• HIPAA
  • Privacy Rule
  • Breach Notification Rule
  • Security Rule
• Information Security

What is HIPAA?

• Signed into law by President Clinton in 1996
• The spirit of HIPAA is simple:
  • to secure and protect personal health information, and
  • to enforce standards for electronic transactions in healthcare.
• HIPAA covers these main categories of entities:
  • Covered Entities (CEs). These are the traditional players in healthcare: providers, hospitals, health systems, insurers.
    • Health Plans
    • Providers
    • Clearinghouses
  • Business Associates (BAs). These are individuals and organizations that provide services and/or technology to covered entities. In the process of providing those services and technology, the business associate in some way processes, transmits, or stores protected health information (PHI). All software vendors in healthcare, if they somehow touch PHI, are business associates.
  • Subcontractors
• The Board and Ohio MHAS are Health Plans; our Contract Agencies are Providers

What is PHI and ePHI?

• Protected Health Information (PHI)
• Electronic Protected Health Information (ePHI)
• PHI is simple: it’s the combination of a personal identifier (name, DOB, SSN, IP address, email, etc.) with some health-related data (condition, medication, lab, encounter, health payment, etc.).
• Always keep in mind that this information is not just information but a part of someone’s life. Ask yourself the following question: if this were your information, would you want it improperly disclosed?

Administrative Requirements: Complaints

• Must have a complaint process for individuals to make complaints about:
  • the Board’s privacy policies/procedures
  • compliance with Board policies/procedures
  • compliance with HIPAA
• Must document all complaints and their disposition

Administrative Requirements: Sanctions

• Must apply appropriate sanctions against workforce members who fail to comply with HIPAA or Board privacy policies/procedures
• You cannot and will not be subject to any intimidation, coercion or discrimination if you ever report a violation in good faith
• Any reported or discovered violation will be investigated by the Security Officer

Violations

• Violation of any security policy or procedure may result in corrective disciplinary action, up to and including termination of employment
• Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations

Administrative Requirements: Policies and Procedures

• Must implement policies and procedures designed to ensure compliance with the requirements of the Privacy Rule, Security Rule and Breach Notification Rule.
  • Reasonably designed, taking into account the size and type of PHI-related activities
  • May be revised as needed if the revisions comply with applicable regulations
  • If revisions affect the content of the Privacy Notice, the Notice must be revised and re-distributed
  • A change can be made effective for PHI created/received prior to the effective date of the revised Notice only if the previous Notice included a statement that the CE reserves the right to change the terms of the Notice and make new Notice provisions effective for all PHI maintained
• Must promptly revise as necessary and appropriate to comply with changes in applicable regulations

Document Management

• Must maintain written or electronic copies of all policies and procedures, communications, actions, activities or designations that are required to be documented under HIPAA for a minimum of 6 years (or longer if required by state law, other federal law, or other Board policies)

HIPAA Review

• Which of the following would be considered a Business Associate?
  A. Government Agency
  B. Covered Entity
  C. Documentation Consultant
  D. Healthcare Provider

• Under HIPAA, a patient has the right to request an amendment to his/her medical record, and the hospital has a duty to comply.
  A. True
  B. False

Privacy Rule

• The HIPAA Privacy Rule sets many of the terms used for HIPAA, outlines the types of entities that need to comply with HIPAA, defines appropriate uses or disclosures of health information, and also covers penalties for HIPAA violations. The Privacy Rule is important to understand, despite the fact that it doesn't include specific technical requirements or policies, because it gives an understanding of the types of data, entities, and uses of data that HIPAA is concerned about.

De-Identified Information

• Virtually all information specific to the individual must be removed to be “de-identified”

• The requirements of the Privacy Rule do not apply (unless re-identified)

• CE or its BA may use PHI to create information that is not individually identifiable

• Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified info to be re-identified is a disclosure of PHI

General Privacy Requirements

Decedents

• Must continue to protect PHI and only use or disclose as permitted/required by HIPAA for a period of 50 years following the death of the individual.

Incidental Disclosures

• May use or disclose PHI that is incidental to a permitted or required use or disclosure, provided that the Board has applied reasonable safeguards and implemented the minimum necessary standard, in accordance with Board privacy policies, to such otherwise permitted or required use or disclosure

Permitted Disclosures of PHI: Treatment, Payment & Operations

• PHI can only be disclosed for reasons defined by the Privacy Rule, or with written permission from the individual about their own health information. Other than providing the individual access to his/her own medical record, the Privacy Rule allows disclosing PHI for three main reasons:
  1. Treatment. Probably the most obvious reason for disclosure; exchanging PHI between providers for treatment, management, and consultation happens all the time.
  2. Payment. In order to collect payments from insurers, disclosure of PHI is essential.
  3. Operations. We think of this as the catch-all bucket. It encompasses many administrative functions such as quality reporting and different types of operational analytics. This is also where disclosures for medical education fall.
• There are other, more obscure reasons for disclosure. The most relevant are legal reasons ("required by law"), workers’ compensation, and restricted research purposes, among others.
• In some select cases, in particular marketing, covered entities may disclose PHI only with authorization from the individual.

Disclosure of PHI: Business Associate Agreements (BAA)

• Business Associate (BA): a person or entity who performs or helps perform an activity or function on behalf of a CE involving the use or disclosure of PHI
  • Examples: data processing, utilization review, accounting, legal, data analysis, billing management
• May disclose PHI to a BA, or allow a BA to create or receive PHI on its behalf, if satisfactory assurances are received in the form of a written contract (BAA) stating that the BA will appropriately safeguard the PHI
  • Very specific required provisions must be incorporated into the BAA
• Two governmental entities may enter into an MOU instead of a BAA
  • The MOU must accomplish the same objectives as the required BAA provisions
• If aware of a violation/breach of the BA’s obligations, must take steps to end the violation/cure the breach and, if unsuccessful, terminate the BAA
  • The same applies to BAs with their subcontractors

Minimum Necessary Standard

• When using/disclosing PHI, or requesting it from another CE or BA: must make reasonable efforts to limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request (applies to CEs and BAs)
• May rely on a requested disclosure as the minimum necessary for the stated purpose if such reliance is reasonable under the circumstances and:
  • the disclosure is permitted by the Privacy Rule to be made to public officials and the public official provides a written statement that the info is the minimum necessary
  • the request is from another covered entity
  • the request is from a professional who is a member of the workforce, or a BA providing professional services to the CE, and the BA/professional represents that the info is the minimum necessary
  • documentation/representations have been provided by a person requesting the information for research purposes that comply with the Privacy Rule’s research requirements

Minimum Necessary Standard

Uses:
• Must identify the persons or classes of persons in the workforce who need access to PHI to carry out their duties AND the category(ies) of PHI to which access is needed for each person or class of persons identified, and any conditions appropriate to such access. Must attempt to limit access accordingly.

Disclosures/Requests:
• For disclosures or requests made on a routine and recurring basis, must implement policies/procedures that limit the amount of PHI to that reasonably necessary to accomplish the purpose of the disclosure or request
• For all other disclosures/requests, must develop criteria designed to limit the information to that reasonably necessary to accomplish the purpose of the disclosure/request, and review requests for disclosure on an individual basis in accordance with such criteria.

Exceptions:
• Disclosures to a health care provider for treatment purposes, disclosures pursuant to an authorization, disclosures required by law, and disclosures to HHS

Snooping and Minimum Necessary

• Snooping: prying into the private affairs of others, especially by prowling about.
• Looking at medical records you have access to but don’t need to.
• Snooping is a breach.
• Possibly serious penalties for snooping
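The Minimum Necessary Standard slide above says to identify which classes of workforce members need which categories of PHI and limit access accordingly, and this slide says that opening records you can reach but do not need is snooping. As an added example (not from the deck or the Board), the script below runs that review over constructed access-log lines the way an information system activity review would: it flags accesses outside the role's PHI categories, and accesses to clients the user has no care or payment relationship with. The roles, categories, assignment table and pipe-delimited log format are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Everything below is constructed for the example: the roles, PHI categories,
# assignment table and log format are assumptions, not a real EHR's.

# "Classes of persons" and the categories of PHI each class needs (minimum necessary: uses)
ROLE_CATEGORIES: Dict[str, Set[str]] = {
    "clinician":  {"demographics", "clinical_notes", "medications"},
    "billing":    {"demographics", "claims"},
    "front_desk": {"demographics"},
}

# Care or payment relationship: which clients a given user has a work reason to open.
# "*" marks users whose job legitimately touches every client's file (here, scheduling).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "dr.lee":    {"C-1001", "C-1002"},
    "nurse.kim": {"C-1001"},
    "bill.ray":  {"C-1001", "C-1002", "C-1003"},
    "front.pat": {"*"},
}


@dataclass
class Access:
    ts: str
    user: str
    role: str
    client: str
    category: str


def parse_line(line: str) -> Access:
    """Log format assumed here: timestamp|user|role|client|category."""
    ts, user, role, client, category = line.strip().split("|")
    return Access(ts, user, role, client, category)


def has_relationship(user: str, client: str) -> bool:
    scope = ASSIGNMENTS.get(user, set())
    return "*" in scope or client in scope


def review(lines: List[str]) -> List[str]:
    """Information system activity review: one finding per questionable access.
    The first check is the role/category table (minimum necessary); the second is
    the care-relationship check that catches snooping by someone whose role
    would otherwise permit the category."""
    findings = []
    for line in lines:
        a = parse_line(line)
        if a.category not in ROLE_CATEGORIES.get(a.role, set()):
            findings.append(f"{a.ts} {a.user}: role '{a.role}' is not authorized for {a.category}")
        if not has_relationship(a.user, a.client):
            findings.append(f"{a.ts} {a.user}: no care/payment relationship with {a.client} (possible snooping)")
    return findings


# Constructed sample access log (fictional users and clients).
SAMPLE_LOG = [
    "2014-03-09T09:12:00|dr.lee|clinician|C-1001|clinical_notes",
    "2014-03-09T09:30:00|nurse.kim|clinician|C-1002|medications",
    "2014-03-09T10:05:00|bill.ray|billing|C-1003|clinical_notes",
    "2014-03-09T10:40:00|front.pat|front_desk|C-1002|demographics",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The second check is the one that matters for snooping: nurse.kim is a clinician and clinicians may read medications, so a role-only access control lets the read through. Only comparing the access against the care relationship shows it should be investigated.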

Rights of the Individual

• Access to PHI
  • The individual has the right to inspect and obtain a copy of PHI contained in a designated record set.
• Request for restrictions
  • Must permit the individual to request restrictions on uses or disclosures of PHI for purposes of treatment, payment, or health care operations, and on disclosures to family or others involved in the individual’s care or payment for care
• Request for amendment
  • Must permit an individual to request that the Board amend PHI contained in a designated record set

Accounting of Disclosures

• Must maintain an accounting of all disclosures of PHI made by the CE and its BAs for six years, except for those made to carry out TPO, those incident to a use or disclosure permitted by the regulations, those to correctional institutions or law enforcement, those made pursuant to an authorization, and those that were part of a limited data set
• Content: date, recipient, description, purpose
  • If there are multiple disclosures to the same person or entity, include the number or frequency
• Provision: within 60 days of the request; may be extended by up to 30 additional days if written notification of the reasons for the delay is provided
• Documentation: retain all documentation for 6 years and document the titles of the persons/offices responsible for processing requests

Notice of Privacy Practices

• Must provide an adequate description of the uses and disclosures of PHI that the CE may make, the individual’s rights and the Board’s legal duties
• Provision of Notice: at the time of enrollment in the CE’s services, and to any person upon request
• Availability of Notice: must notify individuals every three years of the availability of the notice and how to obtain it
• Revisions to Notice: must promptly revise and redistribute whenever there is a material change to the uses or disclosures, the individual’s rights, the legal duties or other privacy practices described in the notice.
• Cannot implement a material change prior to the effective date of the revised notice, except when required by law.

HIPAA Review

• A disclosure of PHI must be limited to the minimum necessary amount of information in order to correctly complete the request.
  A. True
  B. False

Enforcement Rule

• Civil monetary penalties
  • Four tiers of violations based on culpability and corrective action taken
  • Calculation based on: the nature and extent of the noncompliance and resulting harm, and the covered entity’s (CE) history of compliance and financial condition
  • Capped at $1.5 million per calendar year for all violations of an identical provision
• Business Associates (BAs) are now directly subject to civil and criminal penalties for non-compliance
  • This includes subcontractors of BAs, subcontractors of subcontractors, and so on
• CEs are liable for the actions of their BAs under certain conditions
  • One determining factor is the amount of control the CE has over the BA’s actions in performing services under the BA Agreement (BAA)
• HHS must investigate all complaints in which the possibility of willful neglect is indicated by an initial review of the facts
  • HHS must impose civil penalties where willful neglect is found
• In certain extreme HIPAA cases, individuals can be exposed to criminal risk as well. When criminal action is involved with HIPAA, OCR hands the case off to the Department of Justice. Individuals are at risk of criminal enforcement and penalties if they “knowingly” obtain, disclose, or use PHI “in violation” of HIPAA rules.

OCR not just focusing on large or public organizations

Breach Notification Rule

• First introduced under HITECH: requires CEs to notify affected individuals, the Secretary of HHS, and in some cases the media, following discovery of a breach of unsecured PHI.

• Under the HITECH Act, notification was required if the CE determined that the breach of unsecured PHI posed “a significant risk of financial, reputational, or other harm to the affected individual.”

• Revised under the Omnibus Rule to require notification unless the CE can demonstrate a low probability that the PHI has been compromised, based on a risk assessment that includes consideration of:
  1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. the unauthorized person who used or received the PHI
  3. whether the PHI was actually acquired or viewed
  4. the extent to which the risk to the PHI has been mitigated

Breach Notification Rule: Notification of Breach

• Must provide notice to individuals whose PHI has been disclosed, used or accessed as a result of a breach of unsecured PHI (includes BAs)
• Content of Notice: specific content is required
• Additional Notifications: must notify HHS and, if the breach affects more than 500 people, prominent media outlets
• Timeliness: without unreasonable delay and no later than 60 days after discovery of the breach

Security Rule

• Administrative Safeguards
  • Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information
• Physical Safeguards
  • Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion
• Technical Safeguards
  • The technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it

Administrative Safeguards

• Risk Assessment *
• Risk Management
• Sanction Policy
• Information System Activity Review
• HIPAA Security Officer
• Authorization and/or Supervision
• Workforce Clearance Procedures
• Termination Procedures
• Access Authorization
• Access Establishment and Modification
• Security Reminders
• Protection from Malicious Software
• Login Monitoring
• Password Management
• Response and Reporting
• Data Backup Plan
• Disaster Recovery Plan
• Emergency Mode Operation Plan
• Testing and Revision Procedures
• Applications and Data Criticality Analysis
• Evaluation
• Business Associate Contracts

Physical Safeguards

• Contingency Operations
• Facility Security Plan
• Access Control and Validation Procedures
• Maintenance Records
• Workstation Use
• Workstation Security
• Disposal
• Media Re-use
• Accountability
• Data Backup and Storage

Physical Security: Office & Building

• Do not leave PHI unattended on your desk. Any PHI should be safely filed away, or the office door shut and locked, whenever the employee is away from the desk
• Lock your computer when away from it (Ctrl-Alt-Delete)
• Promptly retrieve any PHI printed to a shared printer
• Do not discuss PHI in the vicinity of unauthorized persons
• All PHI must be securely stored away prior to leaving the work area for the day

Physical Security: Office & Building (Cont.)

• Employees should lock their office door when away from their office for extended periods (lunch, end of work day, etc.)
• Storage/file rooms and server rooms should stay locked at all times. Only authorized individuals should be granted access to these rooms
• Ensure that offices and sensitive areas are appropriately secured at the end of the work day
• Visitors/guests should not be left unattended in work areas

Workstation/Notebook Security

• Always lock the terminal or log off when away from the machine for an extended period of time.
• Only install authorized software
  • Work with the Security Officer to install new software
• Mobile devices should not be left unattended or unlocked in public places.
• Mobile devices should not be left unattended in plain sight
• Mobile devices should be reasonably physically secured when taken home.

Technical Safeguards

• Unique User Identification
• Emergency Access Procedure
• Automatic Logoff
• Encryption and Decryption
• Audit Controls
• Integrity
• Person or Entity Authentication
• Integrity Controls
• Encryption

Electronic Communication Security

• All faxes containing any PHI should include a confidentiality cover sheet.
• Double check to make sure the fax number is correct.
  • If programming a new number, or setting up numbers in a new fax device, verify that the numbers are correct by sending a test fax prior to using them for PHI
• Information containing any PHI should not be sent through e-mail

Electronic Communication Security (Cont.)

• Electronic PHI should only be saved directly to a secured device. It should not be saved directly to insecure devices such as (but not limited to):
  • the local hard drive
  • notebooks, flash drives, phones, tablet computers, cloud storage (Dropbox, Box, Google Drive, SkyDrive, etc.), etc.
• If PHI/PII needs to be stored temporarily on a mobile device, make sure that proper protections and encryption are utilized.
• Make sure to notify and work with the Security Officer when needing to secure sensitive information
• Lost notebooks and other mobile devices are the #1 source of data breaches

Email/Internet Security

• Email and the Internet should be used appropriately, responsibly, and in accordance with Board/Agency policies and procedures.

• According to the Ohio Public Records law, any record that “serves to document the organization, functions, policies, decisions, procedures, operations, or other activities of the office” is subject to the records law for government agencies. That includes email. All agencies are subject to the e-discovery rules.

Email/Internet Security (Cont.)

• When composing an email message, ask yourself the following questions first:
  • Would I be comfortable if someone else saw this? (Remember: once an email is sent, you no longer control it.)
  • Would I want the public to see this?
  • Would I want a lawyer/judge to see this?

HIPAA Review

• The establishment of computer passwords and firewalls would fall under which type of safeguard required by the Security Rule of HIPAA?
  A. Physical
  B. Electronic
  C. Technical
  D. Administrative

Social Engineering

• Using deception to convince individuals to disclose confidential data or perform some action

• Why bother trying to beat your technical security controls when they can trick you into giving it to them directly?

• Two forms: electronic (email and the Internet) and physical (over the phone and in person)

Virus / Social Engineering / Phishing Security

• Keep anti-virus/anti-malware/anti-spyware software up to date. Do not attempt to remove it.
• Do not open any attachments, click on any links, or install software linked from any suspicious-looking emails (even if they are from people you know) or from unknown senders.
  • If in doubt, verify with the sender
  • If you did not go looking for it, do not install it!
• Never send requested personal information (passwords, social security numbers, bank numbers, etc.) in response to email requests. Legitimate organizations will never request this information through email.
• Never give sensitive information to unauthorized individuals over the phone

Electronic Social Engineering – Email and Internet

• Phishing: a technique that lures people into disclosing their user names, passwords, credit card numbers, and other personal information.

• May also direct you into downloading and installing malicious software (key loggers, Trojans, viruses, etc.) in the guise of other programs. What you think may just be an innocuous program displaying dancing bears may be a Trojan sending your sensitive information to Nigeria!

• Usually takes the form of official-looking emails from network administrators, banks, eBay, PayPal, Nigerian princes, friends/relatives and others requesting sensitive information. May also consist of a link to an official-looking website requesting sensitive information.

• Always be suspicious of emails requesting personal or sensitive information (or directing you to a site that does). Legitimate persons and businesses will usually not request this information through email.
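The slide above says phishing mail usually carries a link to an official-looking site. The example below is added here and is not from the deck or the Board: it pulls every link out of a constructed HTML message and applies the checks a mail filter or a careful reader would apply. Does the visible text name one domain while the href goes to another? Is the target a bare IP address? Is the domain a one- or two-character look-alike of a known brand? Does a credential-looking page load over plain http? The brand list, the sample message and the look-alike threshold are the example's own assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Brands this toy filter knows about; a real one would carry a much longer list. Constructed.
KNOWN_BRANDS = ("paypal.com", "ebay.com")
CREDENTIAL_WORDS = ("login", "signin", "verify", "password", "account")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels: 'secure.paypal.com' -> 'paypal.com'. Adequate for this
    check; production code should consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character brand look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_findings(href: str, text: str) -> List[str]:
    """Heuristics for one link; an empty list means nothing looked wrong."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return []                       # mailto:, tel: etc. are out of scope here
    host = parts.hostname or ""
    findings = []
    if is_ip_literal(host):
        findings.append("link target is a bare IP address")
    # Visible text that looks like a URL but points somewhere else
    if "." in text and " " not in text:
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"text shows {shown} but link goes to {host}")
    # Look-alike domain: one or two characters away from a known brand
    for brand in KNOWN_BRANDS:
        if 0 < edit_distance(registered_domain(host), brand) <= 2:
            findings.append(f"{host} looks like {brand}")
    # A page asking for credentials over plain http is not how the real brand does it
    if parts.scheme == "http" and any(w in (parts.path + parts.query).lower() for w in CREDENTIAL_WORDS):
        findings.append("credential-looking page served over plain http")
    return findings


def suspicious_links(html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, findings) for every link in the message that tripped a check."""
    collector = _Anchors()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        findings = link_findings(href, text)
        if findings:
            report.append((href, findings))
    return report


# Constructed sample message modelled on the "your account is limited" lure; no real
# sender, brand infrastructure or recipient is implied. 203.0.113.0/24 is documentation space.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your PayPal account has been limited.</p>
<p><a href="http://paypa1.com/verify">www.paypal.com/verify</a></p>
<p><a href="http://203.0.113.5/login">Log in now</a></p>
<p>Questions? <a href="https://www.example.org/help">www.example.org/help</a></p>
<p><a href="mailto:help@example.org">Email us</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The first link trips three checks at once (text/href mismatch, look-alike of paypal.com, credential page over http); the bare-IP link trips two; the genuine https help link and the mailto: link produce nothing. Hovering over a link before clicking is the manual version of the same mismatch check.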

Physical Social Engineering – Over the phone and in-person

• Social engineers prey on people’s natural tendencies and emotions: helpfulness, sympathy, curiosity, and fear

• Examples could include someone:
  • pretending to be a patient, or someone from another agency or Board, on the phone to get sensitive information
  • pretending to be a telephone repair person or computer technician to gain access to computers

Physical Social Engineering – Over the phone and in-person

• Tips to combat physical social engineering:
  • Verify the identity of the individual (ID, badge, etc.)
  • Verify that the person belongs there (e.g., verify that someone requested the technician)
  • If you see someone you don’t know roaming around in your building, verify that they should be there.

Passwords

Creating strong passwords and keeping them secure is an essential part of good security. Weak or insecure passwords could lead to your system being compromised.

• Do not share passwords with others
• Don’t display or store passwords around workstations (e.g., sticky notes on the desk or monitor)
• If you must write them down:
  • store them in a secure place away from the workstation (purse, wallet, etc.)
  • or use a secure software password vault (e.g., KeePass Password Safe, LastPass, etc.)

Password Policies

• Should be at least 10 characters (8 characters at the absolute minimum)
• Passwords should consist of a combination of lowercase, uppercase, and non-alpha characters (e.g., numbers, punctuation, symbols, spaces*, etc.)
• Should not be based solely on a single dictionary word, a common phrase, or something closely associated with you (date of birth, names of children, names of dogs, etc.)
• Use modified phrases as opposed to single-word passwords.

* Many people do not realize that spaces can be used in passwords. Many systems, including Windows, allow them. Often they can even be added to the beginning or end of a password, where they effectively add strength. Check the specific system first: some applications trim leading or trailing spaces before the password is checked, so the password you saved may not be the one you later type.

Creating strong, easy-to-remember passwords

• Creating strong, easy-to-remember passwords is easy!
• The trick is to think in whole words and phrases, not in individual characters.
• $@Ivh4rtsa is a strong password but dreadfully difficult to remember, thus defeating security.

Creating strong, easy-to-remember passwords (cont.)

• Create passwords using silly/nonsense phrases or sentences that also include non-alpha characters (numbers, punctuation, etc.):
  • 3 blind-folded mice.
  • You have 11 toes?
  • Jim/plays/tennis
  • 40+pink+balloons
• Now aren’t those a lot easier to remember than $@Ivh4rtsa, even though those passwords are a lot longer?
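As an added example (not from the deck or the Board), the checker below implements the rules from the Password Policies slide and then scores the slide's own sample passwords: length (10 preferred, 8 minimum), the three character classes, and the "not a single decorated dictionary word" rule, with spaces counted like any other character. The tiny word list and the rough brute-force estimate are assumptions made for the example.

```python
import math
import re
from typing import List

# Rules taken from the slides: at least 10 characters (8 at absolute minimum), mixed
# case plus non-alpha characters, not just a decorated dictionary word.
PREFERRED_LENGTH = 10
ABSOLUTE_MINIMUM = 8

# Constructed stand-in word list; a real deployment checks a full dictionary and a
# breached-password list instead.
DICTIONARY = {"password", "welcome", "summer", "football", "tennis", "balloons", "mice"}


def policy_violations(pw: str) -> List[str]:
    """Return the rules a candidate password fails; an empty list means it passes.
    Spaces, including leading and trailing ones, count like any other non-alpha
    character, so the string is deliberately not stripped."""
    problems = []
    if len(pw) < ABSOLUTE_MINIMUM:
        problems.append(f"shorter than the {ABSOLUTE_MINIMUM}-character minimum")
    elif len(pw) < PREFERRED_LENGTH:
        problems.append(f"shorter than the preferred {PREFERRED_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z]", pw):
        problems.append("no digit, punctuation, symbol or space")
    # "Based solely on a single dictionary word": ignore the decoration and look at
    # the letters that remain (catches Password1!, summer2014, and the like)
    letters_only = re.sub(r"[^A-Za-z]", "", pw).lower()
    if letters_only in DICTIONARY:
        problems.append("a single dictionary word with decoration")
    return problems


def guess_space_bits(pw: str) -> float:
    """Upper-bound brute-force work: log2(alphabet ** length), alphabet being the union
    of character classes present. Real phrases are more guessable than this number
    suggests, but the comparison still shows why length matters more than symbols."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    alphabet = sum(size for pattern, size in classes if re.search(pattern, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


# The slide's own samples, plus a few constructed weak ones for contrast.
SAMPLES = ["$@Ivh4rtsa", "3 blind-folded mice.", "You have 11 toes?", "Jim/plays/tennis",
           "40+pink+balloons", "Password1!", "Summertime", " Jim/plays/tennis "]

if __name__ == "__main__":
    for pw in SAMPLES:
        verdict = policy_violations(pw) or ["ok"]
        print(f"{pw!r:24} {guess_space_bits(pw):6.1f} bits  {'; '.join(verdict)}")
```

Running it puts $@Ivh4rtsa at roughly 66 bits of brute-force space against about 112 for "You have 11 toes?", which is the slide's point about length. It also exposes the usual tension between composition rules and passphrases: "3 blind-folded mice." and "40+pink+balloons" contain no uppercase letter, so a literal implementation of the mixed-case rule rejects them despite their length. Capitalising one word satisfies it, or the policy can be written to waive the character-class rule above a length threshold.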

Social Media (Board)

• All material should be approved by either the Board Director or a person designated by the Board Director prior to being posted online

• Use professional judgment and common sense when posting messages or photos on Board social media sites

• Do not post information that can be deemed offensive or that may be inappropriate

• Never post sensitive information

Social Media (Personal)

• Please refrain from posting negative information about the Board on your personal social media sites (Twitter, Facebook, LinkedIn, Google Plus, etc.)

• Don’t post anything on your personal social media sites that you would not be comfortable with the world seeing (because they may!)

• That being said, make sure to review privacy settings and adjust them to a level that you are comfortable with

• Most default privacy settings are fairly open

External Attacks

1. Weak Passwords
2. Web Management Consoles
3. SQL Injection
4. Missing Patches
5. Other: phishing attacks, file upload

Internal Attacks

1. Weak Passwords
2. NetBIOS Spoofing
3. Web Management Consoles
4. Missing Patches
5. Other: zero-day attacks, VNC, system misconfiguration

Social Attacks

• Spear-Phishing
• Phone Calls
• Front Door
• Visitors in Hall

Why?

• What is TOR?
• What are you worth?
• What’s your medical history worth?

Protect Yourself

• Microsoft Security Essentials
  • http://windows.microsoft.com/en-us/windows/security-essentials-download
  • (For Windows 7; on Windows 8 and later the same engine is built in as Windows Defender)
• EMET (Enhanced Mitigation Experience Toolkit)
  • http://www.microsoft.com/en-us/download/details.aspx?id=43714
  • (EMET reached end of support in July 2018; its mitigations are now part of Exploit Protection in Windows 10 and later)
• Email links and attachments (don’t click on them)
• Multi-factor authentication
  • https://twofactorauth.org/
