HIPAA Compliance: What it is, what it means, and what to do about it.
Adam Carlson, Security Solutions Consultant Intapp
Agenda
• Introductions
• HIPAA Background and History
• Overview of HIPAA Requirements
• Impact on Firm Operations
• Compliance Program Tips
My Background
• Adam Carlson
• 12+ years in information security
• M.S. from UC Davis, ISACA CISM
• Security researcher studying Internet threats
• Security auditor for financial services/Fortune 500
• Chief Security Officer at UC Berkeley
• Legal IT security consultant (and some healthcare)
• Currently security solutions consultant at Intapp
• Member of ILTA LegalSEC Vendor Advisory Board
• I am not a lawyer
Acronyms To Remember
• PHI – Protected Health Information
• HHS – Health and Human Services
• OCR – Office of Civil Rights in HHS
• CE – Covered Entity
• BA – Business Associate
• BAA – Business Associate Agreement
HIPAA Background: A Long And Winding Road
HIPAA Origins
• Health Insurance Portability and Accountability Act
• Originally passed in 1996
• Title I: Strengthens health care coverage guarantees for employees
• Title II: Reduce fraud, simplify administration, medical liability
• Contained privacy and security requirements
• Only applied to “covered entities”
Who Are These “Covered Entities”?
• Possibly your clients
  • A Health Care Provider
  • A Health Plan
  • A Health Care Clearinghouse
  • Group health plans
• So why do law firms care?
  • “Business associates” of covered entities managing “protected health information” are expected to implement similar protections
Law Firms Are “Business Associates”
• A business associates agreement (BAA) is meant to ensure that business associates afford protected health information the same types of protections as the covered entity.
Protected Health Information
• Broad definition
• Includes names and addresses
• Data must be affiliated with “Covered Entity”
Patient vs. Hospital Example
• Patient → Law Firm: Medical records received from the patient are not PHI
• Hospital → Law Firm: Medical records received from the hospital are PHI
Straightforward Situation (diagram)
• Covered Entity → Law Firm (Business Associate)
Law Firm Business Partners Requiring Business Associate Agreements (diagram)
• Covered Entity → Law Firm (Business Associate) → Subcontractor 1, Subcontractor 2, Subcontractor 3
Much Harder To Classify (diagram)
• Covered Entity → Business partner of a covered entity and law firm client (Business Associate) → Your Law Firm
• Covered Entity → Your Law Firm
Key decision: How will you identify and classify PHI?
Recent Changes Increased Liability
• Business associates had only contractual obligations
• Large number of breaches prompted change
  • 57% of Reported Breaches Involved Third-Parties
• HITECH Act of 2009
  • Applied certain security requirements directly to law firms
  • Increased breach notification requirements
• Omnibus Rule of 2013
  • Clarified security and privacy expectations of law firms
  • Set date for compliance (Mar 2013) and enforcement (Sep 2013)
Civil Penalties for Noncompliance
• HHS Civil Monetary Penalties for Violations
  • $100 to $50,000 per violation
  • Up to $1.5 million per year for violations of identical provision
  • Noncompliant entities likely to have multiple violations
  • Separate violation for each person affected or each day of continuing noncompliance
Brief Recap
• HIPAA contains privacy and security requirements for protecting health information
• These requirements were traditionally imposed on law firms through contract
• The Omnibus Rule of 2013 applied these requirements directly to law firms
• Law firms will face fines for non-compliance starting on September 23, 2013
Requirements Overview
Three Key Rules To Understand
• Privacy Rule
• Security Rule
• Breach Notification Rule
• All three rules apply to law firms classified as “business associates”
Privacy Rule
• Finalized in 2000, compliance required by 2003
• Applies to ALL protected health information (PHI)
• Imposes restrictions on uses and disclosures
• Calls for reasonable and appropriate safeguards
  • Administrative
  • Technical
  • Physical
• Requires business associates agreements
Security Rule
• Finalized in 2003, compliance required by 2005
• Applies only to ePHI (electronic protected health information)
• Meant to address fears about “digitization” of health records called for by HIPAA
• Enumerates more detailed requirements:
  • Administrative Safeguards
  • Technical Safeguards
  • Physical Safeguards
Relationship Between The Rules
• From official Health and Human Services Guidance: “The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access.”
• While the Security Rule was meant to apply only to ePHI, Privacy Rule requirements call for similar protections to those described by the Security Rule
Breach Notification Rule
• Created as a part of the 2009 HITECH Act
• Requires breaches of PHI to be reported to the individuals, HHS, and in some cases the media
• Breaches must be reported within 60 days
• Breaches of over 500 records are permanently listed on the HHS website
• Omnibus strengthened reporting requirements by broadening the definition of a breach
What This Means For Law Firm Operations
Formal Compliance Program
• Law firms must address compliance requirements
  • Privacy Rule
  • Security Rule
  • Breach Notification Rule
• May require changes to business processes
  • How matters are taken in
  • How matters are protected and managed
• May require increased monitoring and oversight
• May impact relationship with law firm vendors and service providers
Determining the Scope of HIPAA
• Recommended best practices
  • Formalize business associate agreement intake process
  • Systematically review every practice area
  • Classify matters during intake
  • Inventory vendors/business partners with access to PHI
  • Bonus: Use DLP software
Common Practice Areas Handling PHI
• Pharmaceutical & Medical Device Litigation
• Employment Litigation
• Insurance (and Insurance Litigation)
• Health Care (and Health Care Litigation)
• ERISA Litigation
• And many more…
Privacy Rule Compliance
• Limit how PHI is disclosed externally
  • Already addressed by professional responsibility and MRPC
• Implement “reasonable and appropriate” safeguards
• “Minimum necessary” requirement is more specific
  • “…make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
  • Implementation specification for internal use
    • Identify the persons who need access to PHI
    • For each role, identify the type of PHI and the conditions for access
Security Rule Goals
• Covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit
• Anticipate and address threats to PHI
• Protect against reasonably anticipated impermissible uses or disclosures
• Ensure workforce compliance
Three Types Of Protections
• Administrative Safeguards: Security Management and Information Access Management
• Physical Safeguards: Facility Access and Workstation/Device Security
• Technical Safeguards: Access Controls, Audit Controls, Integrity Controls, Transmission Security
Projected Level of Effort (chart, “Estimated”): Administrative Safeguards, Physical Safeguards, Technical Safeguards
Physical Safeguards
• Facility Access Controls
  • Business continuity, facility protections, maintenance management
• Workstation Use
  • Approved use-cases, workstation privacy, remote access users
• Workstation Security
  • Physical security of workstations accessing ePHI
• Device and Media Controls
  • Media disposal and reuse, backup systems, secure deletion
Technical Safeguards
• Access Control
  • Unique user identification
  • Emergency access procedures
  • Automatic logoff protections
  • Encryption and decryption
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security
Administrative Safeguards
• Security Management Process
  • Come back to this in a minute
• Assigned Security Responsibility
  • Designate security official
• Workforce Security
  • Authorization and/or supervision, workforce clearance, termination
• Information Access Management
  • Isolate health care clearinghouse, access authorization, access establishment and modification
Admin. Safeguards Continued
• Security Awareness and Training
  • Security reminders, malicious software, log-in monitoring, password management
• Security Incident Procedures
  • Response and reporting
• Contingency Plan
  • Data backups, disaster recovery, emergency mode operation plan
• Evaluation
  • Periodic technical and non-technical evaluation
• Business Associate Agreements
Security Management Process (§164.308(a)(1))
• Risk Analysis
  • “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…”
• Risk Management
  • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
• Sanction Policy
  • Develop sanction policy for violations of policies and procedures
• Information System Activity Review
  • Regularly review records of system activity and audit logs
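As an added illustration that is not part of the original deck: a small audit-log review that ties the Privacy Rule's "for each role, identify the type of PHI and the conditions for access" specification to the Information System Activity Review, by checking document-management access records against a role-based minimum-necessary policy. The log format, roles, matters, users and the policy itself are all constructed assumptions for this example.

```python
import re
# Constructed role policy (an assumption for this example): which PHI types each
# role may open, and whether access is limited to matters the user is staffed on.
ROLE_POLICY = {
    "attorney": {"phi_types": {"medical_records", "claims"}, "staffed_only": True},
    "paralegal": {"phi_types": {"medical_records"}, "staffed_only": True},
    "billing": {"phi_types": {"claims"}, "staffed_only": False},
}
# Constructed matter register as classified at intake: PHI type (None = no PHI)
# and the users staffed on the matter, plus a user-to-role directory.
MATTERS = {
    "M-1001": {"phi_type": "medical_records", "staff": {"alice", "bob"}},
    "M-2000": {"phi_type": None, "staff": {"carol"}},
}
USERS = {"alice": "attorney", "bob": "paralegal", "carol": "paralegal", "dave": "billing"}
# Audit record format of a hypothetical document management system.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) "
                    r"matter=(?P<matter>[\w-]+) doc=(?P<doc>\S+)$")
def review(log_lines):
    """Return (record, reason) for every access outside the minimum-necessary policy."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append((line, "unparseable audit record"))
            continue
        user, matter = m["user"], m["matter"]
        role, info = USERS.get(user), MATTERS.get(matter)
        if role is None or info is None:
            findings.append((line, "unknown user or matter"))
            continue
        if info["phi_type"] is None:
            continue  # non-PHI matter: outside the scope of this review
        policy = ROLE_POLICY[role]
        if info["phi_type"] not in policy["phi_types"]:
            findings.append((line, f"role {role} not authorized for {info['phi_type']}"))
        elif policy["staffed_only"] and user not in info["staff"]:
            findings.append((line, f"{user} is not staffed on {matter}"))
    return findings

SAMPLE_LOG = [  # constructed records; timestamps are arbitrary
    "2013-09-24T09:12:03 user=alice action=open matter=M-1001 doc=chart.pdf",
    "2013-09-24T09:15:44 user=carol action=open matter=M-1001 doc=chart.pdf",
    "2013-09-24T09:20:10 user=dave action=open matter=M-1001 doc=chart.pdf",
    "2013-09-24T10:01:00 user=carol action=open matter=M-2000 doc=memo.docx",
    "2013-09-24T10:05:00 user=eve action=open matter=M-1001 doc=chart.pdf",
]
for record, reason in review(SAMPLE_LOG):
    print(reason, "<-", record)
```

The findings list is what a periodic activity review would document; unparseable or unknown-subject records are reported rather than silently skipped, because gaps in the audit trail are themselves a finding.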
In Other Words…
• Do whatever is “reasonable and appropriate” to protect the confidentiality, integrity and availability of PHI
• Take a process-oriented rather than checklist-oriented approach
• Document the results of the risk assessment and risk management processes
• Periodically review and re-assess existing protections
Risk Analysis Guidance
• Necessary elements:
  • Scope of the Analysis
  • Data Collection
  • Identify and Document Potential Threats and Vulnerabilities
  • Assess Current Security Measures
  • Determine the Likelihood of Threat Occurrence
  • Determine the Potential Impact of Threat Occurrence
  • Determine the Level of Risk
  • Finalize Documentation
Tips For An Effective HIPAA Program
First Steps
• Engage and educate firm stakeholders
  • Security investments or business process changes may be needed
• Designate a HIPAA Privacy Officer
• Designate a HIPAA Security Officer
• Inventory existing Business Associate Agreements
• Identify practice groups working with PHI
• Determine scope of HIPAA compliance concerns
Address The Low Hanging Fruit
• Update firm policies to address HIPAA requirements
• Revise vendor contracts to include BAA language
• Inventory systems and physical locations storing PHI
• Review systems against technical safeguards
• Review locations against physical safeguards
• Educate and train employees on HIPAA fundamentals
• Document these efforts
Policies That Might Be Impacted
• Privacy Policy
• Sanction Policy
• Remote Access Policy
• Incident Response Policy
• Mobile Device Policy
• Portable Device/Encryption Policy
• Business Associate/Vendor Management Policy
Breach Notification Rule
• Ensure attorneys/staff can recognize a HIPAA breach
• Provide a means to report/escalate breaches quickly
• Prepare required breach analysis process
• Establish rapid communications plan
• Form the appropriate teams ahead of time
  • Investigation team
  • Breach analysis team
  • Communications/response team
Strategic Compliance Questions
• How will your firm identify and classify matters containing PHI?
• How will your firm interpret and implement the “minimum necessary” requirement?
• How will your firm address the “information system activity review” requirement?
• How will your firm address the “risk analysis” requirement?
Effective Ways To Limit Effort
• Identify matters containing PHI during intake
• Centralize PHI into fewer systems
  • Reduces risk analysis scope dramatically
  • Minimizes access control maintenance and management
  • Minimizes amount of requisite logging and monitoring
• Designate ‘approved’ vendors and business partners who may need to access ePHI
If You Feel Behind
• Document what you are doing today for security
• Implement encryption on mobile devices
• Evaluate your “celebrity” exposure
• Focus initially on matters with high volumes of records
• Develop a compliance roadmap of where you are going
Some Useful Resources
• Official HHS HIPAA Website
  • http://www.hhs.gov/ocr/privacy/index.html
• Official Security Rule Guidance
  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
• Official Minimum Necessary Guidance
  • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html
• Sample BAA Provisions
  • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Additional Resources
• HIPAA Audit Protocol
  • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• HIPAA Enforcement Examples
  • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyissue.html
• NIST SP 800-66 Rev. 1 – HIPAA Security Rule Guidance
  • http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
• NIST HIPAA Security Rule Toolkit
  • http://scap.nist.gov/hipaa/
• Educause HIPAA Resources
  • http://www.educause.edu/library/health-insurance-portability-and-accountability-act-hipaa
• Tweet (#LegalSEC) or share more on the forums!
Thanks! Questions?