Keynote Presentation "Building a Culture of Privacy and Security into Your Organization"
0 likes914 views
The document outlines the importance of creating a culture of privacy and security in healthcare organizations to comply with HIPAA regulations and protect patient trust. It discusses the roles of covered entities and business associates, recent breaches highlighting compliance failures, and the consequences of insufficient security practices. Additionally, it emphasizes strategies for improving privacy and security culture within healthcare organizations and the government's role in providing guidance and resources.
Keynote Presentation "Building a Culture of Privacy and Security into Your Organization"
- 1. Privacy and Security: Building a Privacy and Security Culture in Health CareOrganizations April 25th, 2012 Joy Pritts, JD, Chief Privacy Officer Office of the National Coordinator Health Information Technology
- 2. HHS Reaches $100,000 Settlement with 5 Physician Practice over HIPAA Violations 1
- 3. Why Create a Culture of Privacy and Security? • Assists Compliance to Law – New Developments • HIPAA Privacy and Security Rules • Enforcement • Good business • It’s Just the Right Thing To Do – Patient Trust 2
- 4. Compliance: Federal Health Information Privacy Laws • HIPAA Privacy and Security Rules – Health Insurance Portability and Accountability Act of 1996, effective 2003 and 2005, respectively • Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 – Final Rule submitted to OMB March 24th, 2012 • Others (e.g., 42 CFR part 2) 3
- 5. Who Must Comply with HIPAA Privacy and Security Rules? • Covered entities (CEs) –Health plans –Health care clearinghouses –Most health care providers 4
- 6. Business Associates and HITECH • Business Associates include: • EHR Vendors • Data Analytic Firms • HITECH Clarifies Business Associates include: • Health Information Exchanges • Personal Health Record Vendors • HITECH Specifies that Business Associates • Must follow administrative, physical and technical safeguards of the Security Rule • Must Follow use and Disclosure Limits of Privacy Rule • Subject to the same Civil and Criminal Penalties as Covered Entities 5
- 7. HIPAA Privacy Rule: Two Sides of One Coin Protect Privacy: Patients’ Rights: A CE may not use or • Right to access disclose PHI except: • Right to an • as the Privacy Rule accounting of permits or requires disclosures of (ie. payment, • Right to correct treatment operations or amend etc) • Right to notice of privacy • as the patient or practices their representative • Right to file a authorizes in writing. complaint 6
- 8. HIPAA Security Rule (CFR 164.306) • Protects Patient Health Information that is transmitted by or maintained in any form of electronic media • Framework of Technical, Administrative, Physical Safeguards • Ensures workforce training and compliance Flexible Approach (Addressable): Size, complexity and capabilities of Covered Entity Security Capabilities of CE hardware and software Cost of Security Measures Probability and criticality of potential risks to ePHI 7
- 9. So… Isn’t this old news? Then, why Are So Many Organizations Not In Compliance? 8
- 10. Major Causes of Breaches of PHI in 2010 Breaches over 500 records: • Theft and loss were the most common reported causes of large breaches. • Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or theft of electronic media • This accounted for records of 2,979,121 individuals. • Loss of electronic media or paper records affected approximately 1,156,847 individuals - OCR Report to Congress on Breaches of Unsecured Information, 2011 9
- 11. Risk Assessments • 25% of healthcare organizations do not conduct security risk assessments – HIMSS 2011 Security Study • 39% of healthcare organizations do not or are not sure if they perform a risk assessment – Ponemon Study, 2011 10
- 12. Business Associates and Breaches Due to the high volume of records handled, a breaches from business associates translate into a disproportionate number of patients affected: • Business associates involved in 22% of the breaches • But this 22% accounts for 63% of all patients affected by the breaches 11
- 13. Security and Mobile Devices - Ponemon Institute, 2011 12
- 14. HITECH: It’s a New Day . . . 13
- 15. HITECH and Privacy and Security • Established Chief Privacy Officer for the Office of the National Coordinator • Increased fines for breaches • Created mandatory fines for willful neglect • Created Mandatory Breach Notification Rule • Established basis for Meaningful Use 14
- 16. Meaningful Use and Privacy and Security MU Stage 1 requires eligible providers and hospitals to • Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. • No exclusion. 15
- 17. Enforcement • OCR has begun systematic audits of 150 organizations • CMS and Meaningful Use audits for Incentive funds are set to begin 16
- 18. Enforcement: Large organizations • Blue Cross Blue Shield of Tennessee (BCBST) settled with OCR for $1,500,000 for the theft of 57 hard drives to theft, March 13, 2012 • Hard Drives contained names, social security numbers, diagnosis codes, DoB and Plan ID #s for over 1 million individuals • Caused by failure to implement appropriate physical access controls 17
- 19. Small Practice Enforcement Phoenix Cardiac Surgery (5 physician practice) was posting clinical and surgical appointments for its patients on an Internet-based publicly accessible calendar 18
- 20. Phoenix Cardiac Surgery • July 2007 to February 2009, Practice posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar • September 2005 until November 2009, Practice daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts 19
- 21. OCR’s Other Findings • Failure to implement adequate policies and procedures to appropriately safeguard patient information • Failure to document any employee training on its policies and procedures on the Privacy and Security Rules • Failure to identify a security official and conduct a risk analysis • Failure to obtain business associate agreements with Internet-based email and calendar services that included storage of and access to its PHI 20
- 22. Outcome of Investigation • $100,000 Settlement • Corrective Action Plan includes: – Develop written policies and procedures, submitted to and approved by OCR and documented training for employees – “An accurate and thorough” risk assessment of the potential risks and vulnerabilities to PHI – Submission of Risk Management Plan to OCR – Identification of Security Official – Business Associates Agreements – Any violation of policies and procedures will be a Reportable events to OCR CAP available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_ 21 agreement.pdf
- 23. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” - Leon Rodriguez Director of the Office for Civil Rights April 17th 2012, OCR Press Release 22
- 24. The Real Loss – Patient Trust Beyond Compliance and Return on Investment, Ensuring Patient Privacy is Just the Right Thing to Do 23
- 25. Good Business: Patient Trust The ROI for Breach Prevention Diminished productivity and financial consequences due to a breach can be severe. Organizations reported: • The potential result is patient churn; the average lifetime value of one lost patient is $113,400 • Economic impact • Loss of time and productivity • Diminishment of brand or reputation • LOSS OF PATIENT GOODWILL - Ponemon, “Second Annual Benchmark Study 24
- 26. Developing a Privacy and Security Culture Challenges: • Providers and Staff may have little understanding of new technology and privacy and security issues • Providers and Staff are reticent about asking questions or for assistance • Adopting new software and workflow in the fast- moving healthcare culture is difficult • Vendors may assume that providers and staff understand privacy and not adequately train 25
- 27. Strategies • Executive Leadership Communicate Essential Value • Privacy and Security Metrics are included in Employee Performance Plans/Evaluations • Considered as part of physical environment, patient care, and all communications • Staff are made to feel comfortable in asking questions and for help, resources are widely and freely available • Training, is regular and updated and an essential part of the overall strategic plan • Continuous Improvement and audits completed and results communicated to all 26
- 28. ONC’s Office of the Chief Privacy Officer Recent and Current Projects • Personal Health Record Roundtable • Mobile Device Roundtable • Small practice Risk Assessment – original and revised • HIE Privacy and Security Program Information Notice • Security Training and Video Games • Research project on security configurations of mobile devices • Mobile device good practices videos and materials • Website redesign: www.healthit.gov • Data Segmentation Project • Community College Curriculum Privacy and Security Review 27
- 29. Training Materials – Series of Security Video Games Due for Release Summer of 2012 DRAFT 28
- 30. Sharing Responsibility for Ensuring Patient Privacy We all have a role to play in keeping health information private and secure. • Government establishes P/S policies that are affordable and workable • Vendors should create easy-to-use P/S features and communicate importance • Providers and staff should understand their role in protecting patient privacy • Patients understand their rights and basic means of securing their PHI 29
- 31. We Are All In This Together Office of the National Coordinator for 4/30/2012 30 Health Information Technology
- 32. Conclusion Questions? 31
- 33. HIPAA/HITECH Resources • Privacy and Security Section of HealthIT.gov: http://healthit.hhs.gov • Are you a Covered Entity?: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html • OCR HIPAA Privacy Rule Training Materials: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html • OCR Guidance on Significant Aspects of the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html • OCR Settlement with Phoenix Cardiac Surgery: http://www.hhs.gov/news/press/2012pres/04/20120417a.html • Fast Facts about the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/cefastfacts.html • The HHS Office of Civil Rights, HIPAA FAQs: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html • Guidance materials for Small Providers, Small Health Plans, and other Small Businesses: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/smallbusiness.html • OCR’s Sample Business Associate Contract Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html 32
- 34. Other Federal Law Resources • 42 CFR Pt. 2: http://www.samhsa.gov/healthPrivacy/ • Title X Confidentiality: 42 C.F.R. § 59.11: http://ecfr.gpoaccess.gov/cgi/t/text/text- idx?c=ecfr&sid=ce18bb9053f3b026e8983fd8ac27170c&rgn=div8&view=text&nod e=42:1.0.1.4.43.1.19.11&idno=42 • GINA deferring to HIPAA: 29 C.F.R. §§ 1635.9(c) and 1635.11(d): http://ecfr.gpoaccess.gov/cgi/t/text/text- idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&nod e=29:4.1.4.1.21.0.26.9&idno=29 and http://ecfr.gpoaccess.gov/cgi/t/text/text- idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&nod e=29:4.1.4.1.21.0.26.11&idno=29 – GINA: http://www.ornl.gov/sci/techresources/Human_Genome/publicat/GINAMay2008.pdf • HIPAA deferring to FERPA; exceptions to “protected health information” under (2)(i) and (2)(ii) in 45 C.F.R. § 160.103: http://ecfr.gpoaccess.gov/cgi/t/text/text- idx?c=ecfr&sid=35aa826589279b8cff00d53c641a609f&rgn=div8&view=text&node =45:1.0.1.3.74.1.27.3&idno=45 – FERPA/HIPAA Guidance: http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa- guidance.pdf 4/30/2012 ONC 33
- 35. Other Resources • For state privacy laws, see the National Conference of State Legislators (NCSL): http://www.ncsl.org/?tabid=17173 • For state privacy law information: http://ihcrp.georgetown.edu/privacy/records.html • National Governor’s Association (NAG) Report on state laws and HIE: http://www.nga.org/Files/pdf/1103HIECONSENTLAWSREPORT.PDF • Health Information Security and Privacy Collaboration (HISPC) reports on state laws: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__hispc/1240 • The Financial Management of Cyber Risk: “An Implementation Framework for CFOs” American National Standards Institute, 2010 • Second Annual Benchmark Study on Patient Privacy and Data Security, 2011 Ponemon Institute • OCR’s Sample Business Associate Contract Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html Office of the National Coordinator for 4/30/2012 34 Health Information Technology