HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Source: ilta.personifycloud.com/webfiles/productfiles/1723058/... · 2013-09-19


Page 1: HIPAA Compliance: What it is, what it means, and what to do about it.

Adam Carlson, Security Solutions Consultant, Intapp

Page 2: Agenda

• Introductions
• HIPAA Background and History
• Overview of HIPAA Requirements
• Impact on Firm Operations
• Compliance Program Tips

Page 3: My Background

• Adam Carlson
• 12+ years in information security
• M.S. from UC Davis, ISACA CISM
• Security researcher studying Internet threats
• Security auditor for financial services/Fortune 500
• Chief Security Officer at UC Berkeley
• Legal IT security consultant (and some healthcare)
• Currently security solutions consultant at Intapp
• Member of ILTA LegalSEC Vendor Advisory Board
• I am not a lawyer

Page 4: Acronyms To Remember

• PHI – Protected Health Information
• HHS – Health and Human Services
• OCR – Office of Civil Rights in HHS
• CE – Covered Entity
• BA – Business Associate
• BAA – Business Associate Agreement

Page 5: HIPAA Background: A Long And Winding Road

Page 6: HIPAA Origins

• Health Insurance Portability and Accountability Act
• Originally passed in 1996
• Title I: Strengthens health care coverage guarantees for employees
• Title II: Reduce fraud, simplify administration, medical liability
• Contained privacy and security requirements
• Only applied to “covered entities”

Page 7: Who Are These “Covered Entities”?

• A Health Care Provider
• A Health Plan
• A Health Care Clearinghouse
• Group health plans
• Possibly your clients

So why do law firms care?
• “Business associates” of covered entities managing “protected health information” are expected to implement similar protections

Page 8: Law Firms Are “Business Associates”

• A business associate agreement (BAA) is meant to ensure that business associates afford protected health information the same types of protections as the covered entity.

Page 9: Protected Health Information

• Broad definition
• Includes names and addresses
• Data must be affiliated with a “Covered Entity”

Page 10: Patient vs. Hospital Example

• Patient → Law Firm: Medical records received from the patient are not PHI
• Hospital → Law Firm: Medical records received from the hospital are PHI

Page 11: Straightforward Situation

Diagram: Covered Entity → Law Firm (Business Associate) → Subcontractor 1, Subcontractor 2, Subcontractor 3 (law firm business partners requiring Business Associate Agreements)

Page 12: Much Harder To Classify

Diagram: Covered Entity → Business partner of a covered entity and law firm client (Business Associate) → Your Law Firm; in parallel, Covered Entity → Your Law Firm

Key decision: How will you identify and classify PHI?

Page 13: Recent Changes Increased Liability

• Business associates had only contractual obligations
• Large number of breaches prompted change
  • 57% of reported breaches involved third parties
• HITECH Act of 2009
  • Applied certain security requirements directly to law firms
  • Increased breach notification requirements
• Omnibus Rule of 2013
  • Clarified security and privacy expectations of law firms
  • Set date for compliance (Mar 2013) and enforcement (Sep 2013)

Page 14: Civil Penalties for Noncompliance

HHS Civil Monetary Penalties for Violations
• $100 to $50,000 per violation
• Up to $1.5 million per year for violations of an identical provision
• Noncompliant entities likely to have multiple violations
• Separate violation for each person affected or each day of continuing noncompliance

Page 15: Brief Recap

• HIPAA contains privacy and security requirements for protecting health information
• These requirements were traditionally imposed on law firms through contract
• The Omnibus Rule of 2013 applied these requirements directly to law firms
• Law firms will face fines for non-compliance starting on September 23, 2013

Page 16: Requirements Overview

Page 17: Three Key Rules To Understand

• Privacy Rule
• Security Rule
• Breach Notification Rule
• All three rules apply to law firms classified as “business associates”

Page 18: Privacy Rule

• Finalized in 2000, compliance required by 2003
• Applies to ALL protected health information (PHI)
• Imposes restrictions on uses and disclosures
• Calls for reasonable and appropriate safeguards
  • Administrative
  • Technical
  • Physical
• Requires business associate agreements

Page 19: Security Rule

• Finalized in 2003, compliance required by 2005
• Applies only to ePHI (electronic protected health information)
• Meant to address fears about the “digitization” of health records called for by HIPAA
• Enumerates more detailed requirements:
  • Administrative Safeguards
  • Technical Safeguards
  • Physical Safeguards

Page 20: Relationship Between The Rules

From official Health and Human Services guidance: “The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access.”

• While the Security Rule was meant to apply only to ePHI, Privacy Rule requirements call for protections similar to those described by the Security Rule

Page 21: Breach Notification Rule

• Created as a part of the 2009 HITECH Act
• Requires breaches of PHI to be reported to the individuals, HHS, and in some cases the media
• Breaches must be reported within 60 days
• Breaches of over 500 records are permanently listed on the HHS website
• Omnibus strengthened reporting requirements by broadening the definition of a breach

Page 22: What This Means For Law Firm Operations

Page 23: Formal Compliance Program

• Law firms must address compliance requirements
  • Privacy Rule
  • Security Rule
  • Breach Notification Rule
• May require changes to business processes
  • How matters are taken in
  • How matters are protected and managed
• May require increased monitoring and oversight
• May impact relationships with law firm vendors and service providers

Page 24: Determining the Scope of HIPAA

• Recommended best practices
  • Formalize business associate agreement intake process
  • Systematically review every practice area
  • Classify matters during intake
  • Inventory vendors/business partners with access to PHI
  • Bonus: Use DLP software

Page 25: Common Practice Areas Handling PHI

• Pharmaceutical & Medical Device Litigation
• Employment Litigation
• Insurance (and Insurance Litigation)
• Health Care (and Health Care Litigation)
• ERISA Litigation
• And many more…

Page 26: Privacy Rule Compliance

• Limit how PHI is disclosed externally
  • Already addressed by professional responsibility and MRPC
• Implement “reasonable and appropriate” safeguards
• “Minimum necessary” requirement is more specific
  • “…make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
• Implementation specification for internal use
  • Identify the persons who need access to PHI
  • For each role, identify the type of PHI and the conditions for access

Page 27: Security Rule Goals

• Covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit
• Anticipate and address threats to PHI
• Protect against reasonably anticipated impermissible uses or disclosures
• Ensure workforce compliance

Page 28: Three Types Of Protections

• Administrative Safeguards: Security Management and Information Access Management
• Physical Safeguards: Facility Access and Workstation/Device Security
• Technical Safeguards: Access Controls, Audit Controls, Integrity Controls, Transmission Security

Page 29: Projected Level of Effort (“Estimated”)

Chart comparing the estimated level of effort for Administrative Safeguards, Physical Safeguards and Technical Safeguards.

Page 30: Physical Safeguards

• Facility Access Controls
  • Business continuity, facility protections, maintenance management
• Workstation Use
  • Approved use-cases, workstation privacy, remote access users
• Workstation Security
  • Physical security of workstations accessing ePHI
• Device and Media Controls
  • Media disposal and reuse, backup systems, secure deletion

Page 31: Technical Safeguards

• Access Control
  • Unique user identification
  • Emergency access procedures
  • Automatic logoff protections
  • Encryption and decryption
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

Page 32: Administrative Safeguards

• Security Management Process
  • Come back to this in a minute
• Assigned Security Responsibility
  • Designate security official
• Workforce Security
  • Authorization and/or supervision, workforce clearance, termination
• Information Access Management
  • Isolate health care clearinghouse, access authorization, access establishment and modification

Page 33: Admin. Safeguards Continued

• Security Awareness and Training
  • Security reminders, malicious software, log-in monitoring, password management
• Security Incident Procedures
  • Response and reporting
• Contingency Plan
  • Data backups, disaster recovery, emergency mode operation plan
• Evaluation
  • Periodic technical and non-technical evaluation
• Business Associate Agreements

Page 34: Security Management Process – §164.308(a)(1)

• Risk Analysis
  • “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…”
• Risk Management
  • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
• Sanction Policy
  • Develop sanction policy for violations of policies and procedures
• Information System Activity Review
  • Regularly review records of system activity and audit logs
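The “minimum necessary” implementation specification from page 26 (identify who needs PHI, and for each role the type of PHI and the conditions for access) and the information system activity review above, worked through as an added example that is not code from the presentation: matters are classified at intake by who supplied the records, each role is limited to the PHI categories it needs, and the access log is reviewed for patterns worth a closer look. Role names, PHI categories, thresholds and the sample requests are assumptions.

```python
# Added illustration (not code from the presentation): classify matters as PHI-bearing at
# intake, enforce a role-based "minimum necessary" rule, and review the resulting access
# log. Role names, PHI categories, thresholds and all requests below are constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Records are PHI only when affiliated with a covered entity (the page 10 example:
# from the hospital they are PHI, received directly from the patient they are not).
COVERED_ENTITY_SOURCES = {"health care provider", "health plan", "clearinghouse"}

@dataclass
class Matter:
    matter_id: str
    record_source: str                                   # who supplied the records
    phi_categories: set = field(default_factory=set)     # e.g. {"medical_records"}

    @property
    def contains_phi(self) -> bool:
        return bool(self.phi_categories) and self.record_source in COVERED_ENTITY_SOURCES

# Minimum necessary per role: the PHI categories the role may see at all. The
# condition for access is that the user is actually assigned to the matter.
ROLE_POLICY = {
    "attorney": {"medical_records", "billing"},
    "paralegal": {"medical_records"},
    "billing_clerk": {"billing"},
    "it_support": set(),            # administers systems, never reads PHI content
}

def access_allowed(role: str, matter: Matter, category: str, assigned: bool) -> bool:
    """Decide whether a user in `role` may read `category` data on `matter`."""
    if not matter.contains_phi:
        return True                 # HIPAA not engaged; ordinary firm policy governs
    return assigned and category in ROLE_POLICY.get(role, set())

MATTERS = {
    "M1": Matter("M1", "health care provider", {"medical_records", "billing"}),
    "M2": Matter("M2", "patient", {"medical_records"}),  # same kind of data, but not PHI
}
# Constructed access requests: (user, role, matter, category, assigned, day)
REQUESTS = [
    ("alice", "attorney", "M1", "medical_records", True, "2013-09-23"),
    ("bob", "billing_clerk", "M1", "medical_records", True, "2013-09-23"),
    ("bob", "billing_clerk", "M1", "medical_records", True, "2013-09-23"),
    ("bob", "billing_clerk", "M1", "medical_records", True, "2013-09-24"),
    ("carol", "paralegal", "M2", "medical_records", False, "2013-09-23"),
    ("dave", "it_support", "M1", "billing", True, "2013-09-23"),
]

def run_requests(requests):
    """Evaluate each request; the audit log holds (user, matter, day, allowed)."""
    return [(u, m, d, access_allowed(r, MATTERS[m], c, a)) for u, r, m, c, a, d in requests]

def review_activity(log, max_denials=3, max_matters_per_day=5):
    """Activity review: flag repeated denials and unusually broad same-day access."""
    denials = Counter(u for u, _, _, ok in log if not ok)
    per_day = defaultdict(set)
    for u, m, d, ok in log:
        if ok:
            per_day[(u, d)].add(m)
    findings = [(u, f"{n} denied PHI requests") for u, n in denials.items() if n >= max_denials]
    findings += [(u, f"{len(ms)} matters accessed on {d}")
                 for (u, d), ms in per_day.items() if len(ms) > max_matters_per_day]
    return sorted(findings)
```

Run against the constructed requests, the log shows the billing clerk denied medical records three times, which the review surfaces for follow-up under the firm's sanction policy.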

Page 35: In Other Words…

• Do whatever is “reasonable and appropriate” to protect the confidentiality, integrity and availability of PHI
• Take a process-oriented rather than checklist-oriented approach
• Document the results of the risk assessment and risk management processes
• Periodically review and re-assess existing protections

Page 36: Risk Analysis Guidance

• Necessary elements:
  • Scope of the Analysis
  • Data Collection
  • Identify and Document Potential Threats and Vulnerabilities
  • Assess Current Security Measures
  • Determine the Likelihood of Threat Occurrence
  • Determine the Potential Impact of Threat Occurrence
  • Determine the Level of Risk
  • Finalize Documentation

Page 37: Tips For An Effective HIPAA Program

Page 38: First Steps

• Engage and educate firm stakeholders
  • Security investments or business process changes may be needed
• Designate a HIPAA Privacy Officer
• Designate a HIPAA Security Officer
• Inventory existing Business Associate Agreements
• Identify practice groups working with PHI
• Determine scope of HIPAA compliance concerns

Page 39: Address The Low Hanging Fruit

• Update firm policies to address HIPAA requirements
• Revise vendor contracts to include BAA language
• Inventory systems and physical locations storing PHI
• Review systems against technical safeguards
• Review locations against physical safeguards
• Educate and train employees on HIPAA fundamentals
• Document these efforts

Page 40: Policies That Might Be Impacted

• Privacy Policy
• Sanction Policy
• Remote Access Policy
• Incident Response Policy
• Mobile Device Policy
• Portable Device/Encryption Policy
• Business Associate/Vendor Management Policy

Page 41: Breach Notification Rule

• Ensure attorneys/staff can recognize a HIPAA breach
• Provide a means to report/escalate breaches quickly
• Prepare required breach analysis process
• Establish rapid communications plan
• Form the appropriate teams ahead of time
  • Investigation team
  • Breach analysis team
  • Communications/response team

Page 42: Strategic Compliance Questions

• How will your firm identify and classify matters containing PHI?
• How will your firm interpret and implement the “minimum necessary” requirement?
• How will your firm address the “information system activity review” requirement?
• How will your firm address the “risk analysis” requirement?

Page 43: Effective Ways To Limit Effort

• Identify matters containing PHI during intake
• Centralize PHI into fewer systems
  • Reduces risk analysis scope dramatically
  • Minimizes access control maintenance and management
  • Minimizes amount of requisite logging and monitoring
• Designate ‘approved’ vendors and business partners who may need to access ePHI

Page 44: If You Feel Behind

• Document what you are doing today for security
• Implement encryption on mobile devices
• Evaluate your “celebrity” exposure
• Focus initially on matters with high volumes of records
• Develop a compliance roadmap of where you are going

Page 45: Some Useful Resources

• Official HHS HIPAA Website: http://www.hhs.gov/ocr/privacy/index.html
• Official Security Rule Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
• Official Minimum Necessary Guidance: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html
• Sample BAA Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Page 46: Additional Resources

• HIPAA Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• HIPAA Enforcement Examples: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyissue.html
• NIST SP 800-66 Rev. 1 – HIPAA Security Rule Guidance: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
• NIST HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/
• Educause HIPAA Resources: http://www.educause.edu/library/health-insurance-portability-and-accountability-act-hipaa
• Tweet (#LegalSEC) or share more on the forums!

Page 47: Thanks! Questions?