Health Insurance Portability and Accountability Act (HIPAA) By Hugh Kominars, VP - ControlCase

Health Insurance Portability and Accountability Act (HIPAA) Compliance


DESCRIPTION

Most of the recent changes to HIPAA were introduced and strengthened by the HITECH Act and the Omnibus Rule. ControlCase HIPAA Compliance as a Service (CaaS) integrates services, software, and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through its cloud-based GRC.


Page 1: Health Insurance Portability and Accountability Act (HIPAA) Compliance


Agenda

• Introduction
• What is HIPAA today?
• How HITECH and the Omnibus Rule tie into HIPAA, and what they mean in that context
• High level requirements of the HIPAA Privacy, Security and Breach Notification Rules for covered entities and business associates
• Lessons Learned - Demonstrating Compliance
• Maintaining effective compliance with CaaS
• Q&A


Introduction

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly growing

• Certified Resources

› Shared Assessment/BITS FISAP Assessor

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› Certified ASV vendor

› Certified ISO 27001 Assessor

› EI3PA Assessor

› SSAE16, SOC1, SOC2, SOC3 Audits

› HITRUST and HIPAA


What is HIPAA today?

Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:
• Establishes administrative, physical and technical security and privacy standards
• Applies to both covered entities (healthcare providers, health plans and clearinghouses) and business associates (third parties)
• Makes covered entities responsible for monitoring the HIPAA compliance of their business associates
• Assessment of business associate compliance was due 09/23/13 (the Omnibus Rule compliance date)


HIPAA, HITECH and the Omnibus Rule

HITECH

• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)

• Establishes mandatory penalties for ‘willful neglect’

• Imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI"

• Institutes third party management and monitoring as "due diligence" and "due care" provisions

• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)

Omnibus Rule

• Finalization of interim rules outlined in the HITECH act

• Formalizes enforcement provisions for breaches

• Expands definition of BA to include subcontractors of BA (BA of BA)

• Clarifies that HHS will determine the actual maximum for penalties

• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors

• Requires an ongoing monitoring process for the organization's security programs and processes

HIPAA Enforcement

• HHS' Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules
  › Investigating complaints (95,588 reported since 2003; 22,497 investigated by OCR)
  › Random sampling of organizations (115 audits performed in 2012)
  › Assessing risk/exposure based on transaction volumes (CEs and BAs)

• OCR resolution options
  › Voluntary compliance
  › Corrective action, and/or
  › Resolution agreement

• OCR referrals to the Department of Justice (DOJ)
  › Cases involving knowingly disclosing or obtaining PHI
  › 526 cases have been referred to date

• HHS determines federal penalties
  › Additional penalties may be levied by state attorneys general on behalf of affected residents
  › Fines fund approximately half of OCR's audit operations cost

Fines/Penalties

Penalty tiers (minimum and maximum civil penalties per violation):

Tier 1 - Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Minimum: $100 per violation, with an annual maximum of $25,000 for repeat violations
  Maximum: $50,000 per violation, with an annual maximum of $1.5 million

Tier 2 - Violation due to reasonable cause and not due to willful neglect
  Minimum: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum: $50,000 per violation, with an annual maximum of $1.5 million

Tier 3 - Violation due to willful neglect, but corrected within the required time period
  Minimum: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum: $50,000 per violation, with an annual maximum of $1.5 million

Tier 4 - Violation due to willful neglect and not corrected
  Minimum: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum: $50,000 per violation, with an annual maximum of $1.5 million

Note: $25,000 per year is also the maximum that can be imposed by state attorneys general, regardless of the type of violation.

Source: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page


Enforcement Results

Organization | Penalty (Federal) | Nature of Violation
CIGNET | $4,300,000 | Online database application error.
Alaska Department of Health and Social Services | $1,700,000 | Unencrypted USB hard drive stolen; poor policies and risk analysis.
WellPoint | $1,700,000 | No technical safeguards in place to verify the person/entity seeking access to PHI in the database; failed to conduct a technical evaluation in response to a software upgrade.
Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen; poor risk analysis and policies.
Affinity Health Plan | $1,215,780 | Returned leased photocopiers without erasing the hard drives.
South Shore Hospital | $750,000 | Backup tapes went missing on the way to a contractor.
Idaho State University | $400,000 | Breach of unsecured ePHI.
Shasta Regional Medical Center | $275,000 | Inadequate safeguarding of PHI from impermissible uses and disclosures.
Phoenix Cardiac Surgery | $100,000 | PHI posted on an Internet-based calendar; poor policies and training.
The Hospice of Northern Idaho | $50,000 | Breach of unsecured ePHI: unencrypted laptop stolen, no risk analysis.

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html


Looking Forward….

• Leon Rodriguez (HHS OCR Director)
  › "I think all these (17) cases really powerfully articulate those expectations and the fact that we will be holding people accountable."
  › "…those numbers are expected to go up, especially when the official audit program goes live this year."
  › When asked about the root cause or biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike: the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis."

• Onshore/Offshore BAs and their BAs
  › Enforcement actions on BAs with onshore business units are clear cut
  › For BAs with only offshore business units, enforcement actions are levied through the CEs

HIPAA Requirements – Privacy Rule

Privacy Rule main points:
• Requires appropriate safeguards to protect the privacy of protected health information
• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
• Gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections
• Requires compliance with the Security Rule

For BAs:
• Requires breach notification to the Covered Entity
• Requires providing the individual or the Covered Entity with access to PHI
• Requires making its records of PHI use and disclosure available to the Secretary of HHS
• Requires providing an accounting of disclosures

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html


HIPAA Requirements – Security Rule

Administrative Safeguards:
• Security Management Process: Risk Analysis (required), Risk Management (required), Sanction Policy (required), Information System Activity Review (required)
• Assigned Security Responsibility: a designated security official (required)
• Workforce Security: employee oversight (addressable)
• Information Access Management: isolating healthcare clearinghouse functions within a larger organization (required); ePHI access authorization and management (addressable)
• Security Awareness and Training: Security Reminders, Protection Against Malware, Login Monitoring, Password Management (all addressable)
• Security Incident Procedures: Response and Reporting (required)
• Contingency Plan (required)
• Evaluation (required)
• Business Associate Agreements (required)

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

"Addressable" does not mean optional: the entity must implement the specification where it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where one is reasonable.

Technical Safeguards:
• Access Control: Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff (addressable), Encryption and Decryption (addressable)
• Audit Controls (required)
• Integrity: Mechanism to Authenticate ePHI (addressable)
• Person or Entity Authentication (required)
• Transmission Security: Integrity Controls (addressable), Encryption (addressable)

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Physical Safeguards:
• Facility Access Controls: Contingency Operations (addressable), Facility Security Plan (addressable), Access Control and Validation Procedures (addressable), Maintenance Records (addressable)
• Workstation Security (required)
• Device and Media Controls: Disposal (required), Media Re-Use (required), Data Backup and Storage (addressable)

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf


HIPAA Requirements – Breach Notification

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Secured vs. Unsecured PHI
PHI counts as "secured" (and its loss falls outside the notification requirement) only if it was rendered unusable, unreadable or indecipherable by the methods HHS specifies:
• Encryption, in transmission and storage: NIST Special Publication 800-111 (storage), NIST Special Publications 800-52 and 800-77 (transmission), or FIPS 140-2 validated modules
• Destruction: shredding or destroying paper PHI; clearing, purging or destroying electronic media per NIST Special Publication 800-88
Access controls alone (for example a password-protected but unencrypted laptop) do not make PHI secured.

Breach Notification Methods
• To affected individuals, by first class mail (or email if the individual has agreed to electronic notice), without unreasonable delay and no later than 60 days after discovery
• To prominent media outlets, when more than 500 residents of a state or jurisdiction are affected
• Substitute notice, including posting on the home page of the entity's web site for at least 90 days, when contact information is insufficient for 10 or more individuals
• If a BA, to the CE, within 60 days of discovery

Notification Thresholds
• 500 or more individuals: notify HHS at the same time as the individuals (within 60 days), plus the media
• Fewer than 500 individuals: log the breach and report it to HHS in an annual consolidated listing

Burden of Proof
CEs/BAs must be able to prove that they notified the affected parties within the specified time periods, or that the incident did not constitute a breach, or face penalties.

HIPAA Requirements – BAs and subcontractors

• BAs must comply directly with the HIPAA regulations
• BAs must identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective CE
• BAs must establish and define (contractually) security requirements, right-to-audit and incident reporting clauses with their service providers
• BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers
• BAs must be able to show due diligence/due care with respect to monitoring their suppliers' security compliance

Lessons Learned - Demonstrating Compliance

• Risk Assessments
  › Not performed, not updated or not documented
  › Limited scope: facilities, processing environment, personnel, software
  › Not aligned with controls or monitoring

• Inventories (Asset Management)
  › Out of date/not documented: hardware, software, interfaces, dataflow diagrams/process descriptions, removable media, teleworkers (remote), BAs and subcontractors

• No BA/Vendor Management program

• Policies, procedures and standards (Governance) gaps

• Hardening and patch management
  › None or not implemented
  › Not monitored/no follow-up
  › End-of-life systems still in use

• Vulnerability Management
  › Inconsistent/incomplete internal vulnerability and penetration testing for networks and applications
  › Remediation gaps
  › No Internet content restrictions

Lessons Learned (continued)


• System Logging and Monitoring
  › Not implemented/inconsistent
  › Not retained or analyzed
  › Lack of oversight and approval

• No or inconsistent encryption of data in transmission or storage

• Media management and tracking gaps

• Untested incident and breach response processes for PHI related disclosures

• User Provisioning
  › Excessive privileges/accesses
  › No formal documentation of rationale
  › Lack of oversight and approval

• Training and awareness
  › Not HIPAA oriented
  › No refresh
  › Lack of evidence of attendance

• Inadequate business continuity and disaster recovery

• Failure to monitor external maintenance personnel
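Both Audit Controls and Information System Activity Review are required Security Rule safeguards, and the logging gap above (logs collected but never analyzed) is what an assessor will ask about first. The script below is an added example, not part of the original deck and not ControlCase tooling: it runs three simple review rules over constructed ePHI access records (the key=value log format, user names, MRNs, the business-hours window and the active-account roster are all assumptions made for the example) and flags access by a deprovisioned account, after-hours access, and one account touching many distinct patient records in a short window.

```python
"""ePHI access-log review: a minimal "information system activity review".
Added example. The log format, account names, MRNs, thresholds and the
active-account roster are assumptions, not anything from the original deck."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample audit records (not real data). Assumed key=value layout
# an EHR application might emit for each ePHI access.
SAMPLE_LOG = """\
2013-09-23T09:02:11 user=nurse01 action=VIEW patient=MRN-1001 src=10.1.5.20
2013-09-23T09:05:40 user=nurse01 action=VIEW patient=MRN-1002 src=10.1.5.20
2013-09-23T12:30:03 user=dr_lee action=UPDATE patient=MRN-1001 src=10.1.7.9
2013-09-23T23:41:19 user=dr_lee action=VIEW patient=MRN-2210 src=10.1.7.9
2013-09-23T14:00:01 user=clerk07 action=VIEW patient=MRN-3001 src=10.1.9.4
2013-09-23T14:00:05 user=clerk07 action=VIEW patient=MRN-3002 src=10.1.9.4
2013-09-23T14:00:09 user=clerk07 action=VIEW patient=MRN-3003 src=10.1.9.4
2013-09-23T14:00:14 user=clerk07 action=VIEW patient=MRN-3004 src=10.1.9.4
2013-09-23T14:00:18 user=clerk07 action=VIEW patient=MRN-3005 src=10.1.9.4
2013-09-23T14:00:22 user=clerk07 action=VIEW patient=MRN-3006 src=10.1.9.4
2013-09-23T15:10:44 user=jsmith action=VIEW patient=MRN-1001 src=10.1.2.3
"""

# Assumed workforce roster of active accounts. 'jsmith' was terminated and
# should have been deprovisioned (Workforce Security / termination procedures).
ACTIVE_ACCOUNTS = {"nurse01", "dr_lee", "clerk07"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse records into dicts; a malformed line is itself a finding (audit gap)."""
    records, malformed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, malformed


def review(log_text, active_accounts, business_hours=(7, 19),
           bulk_threshold=5, bulk_window=timedelta(minutes=10)):
    """Return a list of (rule, user, detail) findings for a reviewer to triage."""
    records, malformed = parse(log_text)
    findings = [("malformed_record", None, line) for line in malformed]
    by_user = defaultdict(list)
    for rec in records:
        detail = f"{rec['action']} {rec['patient']} at {rec['ts']} from {rec['src']}"
        # Rule 1: access by an account that is not on the active roster.
        if rec["user"] not in active_accounts:
            findings.append(("inactive_account", rec["user"], detail))
        # Rule 2: access outside business hours (hour-of-day window).
        if not (business_hours[0] <= rec["ts"].hour < business_hours[1]):
            findings.append(("after_hours", rec["user"], detail))
        by_user[rec["user"]].append(rec)
    # Rule 3: one account touching more than bulk_threshold distinct patients
    # inside bulk_window (snooping or bulk export indicator). One finding per user.
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= bulk_window]
            patients = {r["patient"] for r in window}
            if len(patients) > bulk_threshold:
                findings.append(("bulk_access", user,
                                 f"{len(patients)} distinct patients within {bulk_window}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG, ACTIVE_ACCOUNTS):
        print(f"{rule:17} {user or '-':10} {detail}")
```

On the constructed records this yields three findings: dr_lee's 23:41 view (after_hours), jsmith's access on a terminated account (inactive_account), and clerk07 viewing six different patients in about twenty seconds (bulk_access). The thresholds are deliberately simple; in practice they are tuned per role (a unit clerk legitimately opens many charts), and the reviewer's disposition of each finding is what gets retained as evidence of the review.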


Root Causes


• Operational conflicts of interest
  › Maintaining versus securing
  › Capacity and focus
• No assignment of accountability
• Personnel turnover
• Lack of expertise and objectivity
• Process disconnects between HR, change management, IT and systems acquisition
• Lack of resources for monitoring and maintaining compliance after achieving initial compliance

The Path Forward and Beyond


• Risk Assessments – complete, detailed, controls aligned to mitigate risk, and a program to monitor the effectiveness of those controls

• Inventories (Asset Management) – documented, covering all hardware, software, interfaces (internally and externally), process documentation (DFD) with narratives, removable media (with method of encryption), teleworkers and BAs and subcontractors (including what PHI is shared and how is it protected)

• BA Management Program – identifies in-scope and out-of-scope organizations, the data that is shared, an assessment of risk, the method to monitor and track HIPAA compliance, results of monitoring.

• Policies, procedures and standards (Governance) – complete to include Sanction/Corrective Action policies and evidence that it is implemented

• Hardening and patch management – covers all assets that process PHI; tied to asset management and verified by internal/external vulnerability scans

• Vulnerability Management – covers all assets that process PHI, includes remediation and retesting to verify remediation effectiveness

• System Logging and Monitoring – covers all systems, databases and applications that process, transmit and store PHI

The Path Forward and Beyond (continued)

• Data Encryption – in transit and at rest, tied to DFD and process narratives

• Media Management and Tracking – covers removable encrypted media, tied to DFD and process narratives

• Incident and Breach Response Processes – defined and tested to address breach and disclosure of PHI, understanding of who is impacted, and who needs to be notified

• User Provisioning – to specific system/applications, two manager review (business and IT Security)

• Training and awareness – covers new hire with annual retraining, maintaining a roster of completion and non-compliance.

• Business Continuity and Disaster Recovery – must show that PHI would be available after a disaster

• Personnel Monitoring – cover employees, contractors and third parties that have access to PHI (physical and electronic)

How ControlCase Supports CEs and BAs

• Compliance as a Service (CaaS)
  › Integration of services, software and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC
  › Allows clients to easily assess, monitor and maintain compliance not only with HIPAA, but across multiple standards
  › Services include:
    • Gap and risk assessments (initial and on-going)
    • Automated data discovery for the 18 PHI identifiers
    • Policies and procedures
    • Training and awareness; records
    • External and internal vulnerability assessments for networks and applications
    • External and internal penetration tests for networks and applications
    • BA/Supplier identification, management and assessments
    • Logging and Monitoring

Mapping CaaS to HIPAA

External Resources

Fines and Penalties: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page

Enforcement Results: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

HIPAA Security Rule
  Administrative Safeguards: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
  Technical Safeguards: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
  Physical Safeguards: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

HIPAA Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Factors that OCR considers when investigating a complaint: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/whatocrconsiders.html

Factors considered when levying civil penalties (fines): http://www.hipaasurvivalguide.com/hipaa-regulations/160-408.php

Q & A


To Learn More …

• Visit www.controlcase.com

• Call +1 703 483 6383 (North America)

• Call +57 1 678 3716 (South America)

• Call +44 1276 686 048 (Europe)

• Call +971 4440 5958 (Middle East & Africa)

• Call +91 982 029 3399 (Asia Pacific)

• Hugh Kominars (VP) [email protected]
