Worry Free IT

Protecting ePHI: What Providers and Business Associates Need to Know

March 2, 2015

This presentation was originally delivered at the North Metro Medical Manager’s Association (NMMMA) meeting in Kennesaw, Georgia on October 7, 2014.

Protecting ePHI - Overview

• Where are we today – Key Dates, ePHI and Enforcement
• Risk Analysis – Covered Entities and Business Associates (BAs)
• Best Practices and Tips

Key Dates

Health Insurance Portability and Accountability Act (HIPAA) – signed into law August 21, 1996. It established new standards for the management of healthcare information.

HIPAA HITECH Act – Feb 17, 2009. Part of the American Recovery and Reinvestment Act of 2009. It established incentives for healthcare providers to adopt electronic medical records software systems. It also expanded the scope of the HIPAA privacy and security rules and set forth new rules for breach notification.

HIPAA Omnibus Final Rule – Sept 23rd, 2013. Business Associates and Sub-Contractors must adhere to the same HIPAA rules and guidelines that Covered Entities do.

What is (PHI) Protected Health Information?

The US Department of Health and Human Services defines protected health information (PHI) as individually identifiable information that falls into the following 18 types of identifiers:

1. Name
2. Region (smaller than a state)
3. Date
4. Phone #
5. Fax #
6. Email address
7. Social Security #
8. Medical record #
9. Health insurance beneficiary #
10. Account #
11. Certificate/license #
12. Vehicle identifier/license plate #
13. Device ID & serial #
14. Web URL
15. IP address
16. Fingerprint
17. Full face photo
18. Any other unique ID # or characteristic that could reasonably be associated with the individual

What is (ePHI) Electronic Protected Health Information?

Electronic Protected Health Information (ePHI) is any protected health information (PHI) that is created, stored, transmitted, or received electronically.

Electronic protected health information includes any medium used to store, transmit, or receive PHI electronically.

ePHI (continued)

The following and any future technologies used for accessing, transmitting, or receiving PHI electronically are covered by the HIPAA Security Rule.

Media containing data at rest (stored):

• Personal computers with internal hard drives used at work, at home or while traveling
• External portable hard drives, including iPods and similar devices
• Magnetic tape
• Removable storage devices such as USB memory sticks, CDs, DVDs and floppy disks
• PDAs and smartphones

Data in transit via a wireless, Ethernet, DSL or cable network connection:

• Email
• File transfer

Why all the Fuss?

The core of the HIPAA regulations is to ensure that ownership of any and all medical data is retained solely by the individual. The individual can then decide to share that information with providers, family members, employers, if needed. Only an individual has the right to grant access to their medical data.

Simply put: we’re trying to maintain privacy and avoid bias and discrimination.


Enforcement

Historically, HIPAA fines and reprimands were triggered after an event, such as a data breach. That has changed.

The Office for Civil Rights (OCR, part of the Department of Health & Human Services) is responsible for enforcing the HIPAA HITECH regulation.

Leon Rodriguez, OCR Director, takes his job very seriously. He has created a permanent HIPAA audit program that includes BAs.

Enforcement (continued)

As he focuses on ramping up the HIPAA audits of Covered Entities and Business Associates, Mr. Rodriguez has powerful allies and one big incentive:

Powerful Allies

• Centers for Medicare & Medicaid Services (CMS)
• Works in conjunction with other government branches – HHS, FTC, SEC, etc.
• The State Attorneys General

Big Incentive

• The OCR is authorized to keep some of the money paid in fines.
• It was reported that as of January 2014, OCR already had $4.5 million set aside from fines levied from their audits.

The OCR is serious about protecting PHI and has the teeth, funds and leadership to back it up.

Violations & Penalties

HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

Criminal Liability

The U.S. Department of Justice (DOJ) clarified that covered entities and specified individuals can be held criminally liable under HIPAA as follows:

• Those who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000 as well as imprisonment of up to one year.
• Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine with up to five years in prison.
• Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.

Companies & Fines

Examples of fines levied:

Entity Fined | Fine | Violation
CIGNET | $4,300,000 | Online database application error.
Alaska Department of Health and Human Services | $1,700,000 | Unencrypted USB hard drive stolen, poor policies and risk analysis.
WellPoint | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to a software upgrade.
Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen, poor risk analysis, policies.
Affinity Health Plan | $1,215,780 | Returned photocopiers without erasing the hard drives.
South Shore Hospital | $750,000 | Backup tapes went missing on the way to a contractor.
Idaho State University | $400,000 | Breach of unsecured ePHI.

What do I do now?

Whether you are a Covered Entity or a Business Associate (BA), you must perform a risk analysis.

If you are ever audited by the OCR, the first thing they are going to ask to see is your risk analysis.

What is a Risk Analysis?

A process to identify potential hazards and analyze what could happen should an unfavorable event occur.

In healthcare we’re looking at:

• What and where are the gaps associated with the protection of ePHI?
• What are the biggest risks (theft, natural disaster, hacker attack, etc.)?

HHS/OCR Final Guidance for a Risk Analysis

1) Scope of Analysis

All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis (45 C.F.R. § 164.306(a)).

This includes all electronic media, network security between locations and any aspects of your HIPAA hosting terms with a third party or Business Associate (BA).

HHS/OCR Final Guidance for a Risk Analysis (continued)

2) Data Collection

Where does ePHI live? Locate where data is being stored, received, maintained or transmitted. If you’re hosting health information at a data center, you should contact your hosting provider to document where and how your data is stored (45 C.F.R. § 164.308(a)(1)(ii)(A) and 164.316(b)(1)).

HHS/OCR Final Guidance for a Risk Analysis (continued)

3) Identify and Document Potential Threats and Vulnerabilities

Identify and document any anticipated threats to data, and any vulnerabilities that may lead to leaking of ePHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution (45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(iii)).

HHS/OCR Final Guidance for a Risk Analysis (continued)

4) Assess Current Security Measures

What kind of security measures are you taking to protect your data? This might include any encryption, two-factor authentication, and other security methods put in place by you or your hosting provider (45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A) and 164.316(b)(1)).

HHS/OCR Final Guidance for a Risk Analysis (continued)

5) Determine the Likelihood of Threat Occurrence

The probability and likelihood of potential risks to ePHI (45 C.F.R. § 164.306(b)(2)(iv)), e.g. laptop theft versus your location getting hit by a tornado.

HHS/OCR Final Guidance for a Risk Analysis (continued)

6) Determine the Potential Impact of Threat Occurrence

Consideration of the ‘criticality’ or impact of potential risks to the confidentiality, integrity and availability of ePHI (45 C.F.R. § 164.306(b)(2)(iv)).

How many people could be affected, and what extent of data (just medical records, or billing information as well)?

Ex. – Sending someone’s ePHI via unsecured email versus an unencrypted laptop that houses 500 patient records.

HHS/OCR Final Guidance for a Risk Analysis (continued)

7) Determine the Level of Risk

This is subjective – HHS’ suggestion is to evaluate the values assigned to threat occurrence (#5) and the resulting impact (#6) to come up with a level of risk (45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)).

Risk levels should be accompanied by a list of corrective measures to help mitigate that risk.

HHS/OCR Final Guidance for a Risk Analysis (continued)

8) Finalize Documentation

The Security Rule requires the risk analysis to be documented (45 C.F.R. § 164.316(b)(1)).

No format is specified – just make sure you have things written down.

Remember – if you are ever audited – documentation is what the OCR looks for first.

HHS/OCR Final Guidance for a Risk Analysis (continued)

9) Periodic Review and Updates to the Risk Analysis

The Risk Analysis is an ongoing process (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)).

For Meaningful Use – it has to be done every year.

In general – it has to be done whenever significant changes are made in the environment. If no changes occur it should still be done once a year.
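A worked risk register for steps 5 through 8 of the guidance above, added here as an illustration; it is not code from the presentation or from HHS. Each threat gets a 1-3 likelihood and a 1-3 impact score, the product is bucketed into a risk level, the register is ranked and written out as documentation; the threats, scores and corrective measures are constructed from the deck's own comparisons (laptop theft versus a tornado; one unsecured email versus an unencrypted laptop holding 500 records).

```python
"""Risk register for steps 5-7 of the HHS/OCR risk analysis guidance.
Likelihood and impact are each scored 1-3; risk = likelihood x impact,
bucketed into Low / Medium / High. Scores and measures are constructed."""
from dataclasses import dataclass, field
import json

LEVELS = ((1, 3, "Low"), (4, 6, "Medium"), (7, 9, "High"))

@dataclass
class Threat:
    asset: str         # where the ePHI lives (step 2)
    threat: str        # anticipated threat or vulnerability (step 3)
    likelihood: int    # step 5: 1 = rare .. 3 = likely
    impact: int        # step 6: 1 = few records, limited data .. 3 = many records
    records: int       # how many people could be affected (step 6)
    measures: list = field(default_factory=list)  # corrective measures (step 7)

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        for lo, hi, name in LEVELS:
            if lo <= self.score() <= hi:
                return name
        raise ValueError("likelihood and impact must each be 1..3")

def rank(register: list) -> list:
    """Highest risk first; ties broken by the number of people affected."""
    return sorted(register, key=lambda t: (t.score(), t.records), reverse=True)

def document(register: list) -> str:
    """Step 8: the Security Rule requires the analysis to be written down."""
    rows = [{"asset": t.asset, "threat": t.threat, "likelihood": t.likelihood,
             "impact": t.impact, "risk": t.level(), "measures": t.measures}
            for t in rank(register)]
    return json.dumps(rows, indent=2)

# Constructed sample register built around the comparisons the deck uses.
REGISTER = [
    Threat("Unencrypted laptop holding 500 patient records", "Laptop stolen",
           3, 3, 500, ["Full-disk encryption", "Remote wipe via MDM",
                       "Keep ePHI off laptops where possible"]),
    Threat("Staff email", "One patient's ePHI sent via unsecured email",
           2, 1, 1, ["Secure messaging for PHI", "Workforce training"]),
    Threat("On-site servers", "Office hit by a tornado",
           1, 3, 5000, ["Encrypted off-site backups", "Tested recovery plan"]),
]

if __name__ == "__main__":
    print(document(REGISTER))
```

The 1-3 scale and the Low/Medium/High cut-offs are a common choice rather than something the guidance prescribes; what matters for an audit is that the scale, the scores and the corrective measures are written down.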

Risk Analyses, Business Associate Agreements and Business Associates

There are several ways to do a Risk Analysis – some right and many wrong.

Checklists won’t hold up to an audit. OCR will come down on you even if your vendor recommended a checklist – you don’t want to be at the discretion of the OCR.

A proper Risk Analysis is going to adhere to the National Institute of Standards and Technology (NIST) guidelines.

Risk Analyses, Business Associate Agreements and Business Associates (continued)

Identify who your Business Associates (BAs) are and make sure you have executed Business Associate Agreements (BAAs) in place.

Analyze your BAs and rank them based on the amount of data they have access to, and on your perception of how much access they have.

Do some due diligence on them – ask for proof of their risk assessment. Use common sense.

Risk Analyses, Business Associate Agreements and Business Associates (continued)

For high-risk BAs – have a meeting – invite them to come in and be a part of the process that you are having to go through.

Covered entities can and will be held liable for the BAs’ conduct.

Make sure your BAAs are updated – anything that has not been updated since Jan 2013 should be updated.

Technology-enabled Best Practices: Hardware / Software

Firewalls
• Have physical firewalls in place.
• Make sure they are up-to-date.

Anti-Virus Protection
• Have a proven, paid version in place.
• Make sure it is up-to-date.

Run Up-to-Date Software
• Make sure it’s actively supported (note: XP is not).
• Make sure it is up-to-date with patches.

Technology-enabled Best Practices: PHI within your Network

Identify & Document where PHI Lives
• Paper?
• Electronic?
• Verbally communicated?

Minimize what is Seen or Retained
• Don’t need it? Don’t have it!
• Encrypt information where you can.

Technology-enabled Best Practices: All Mobile Devices

Keep PHI Off if Possible where Risk of Theft is High
• Laptops (if you must have PHI: encrypt)
• Tablets
• Smart phones
• Thumb drives

Mobile Device Management (MDM) Policy
• Have one.
• Enforce it.
• Have software and a process to remotely wipe tablets and smartphones if they are lost or stolen.

Technology-enabled Best Practices: Data Backup & Recovery

Backups of PHI
• Make sure they are encrypted.
• Keep them in a safe, secure place, with respect to both hardware and software.

Physical Access
• Limit both on-site and off-site access.
• Enforce it.

Technology-enabled Best Practices: Document, Document, Document.

Get an Assessment
• Know your baseline.
• Measure your progress.
• Document processes as well as your rationale for taking action… and not taking action.

Communicate
• Train and educate personnel.
• Formally and informally.

Discussing PHI

• Be aware of where you are and your surroundings when talking about a case/client that involves PHI (patient information):
  o Office telephone: Is your door open?
  o Cell phone: Where are you? In public? An elevator? Who’s around you?
  o Conversation with a co-worker: Are you in a high-traffic hallway? An elevator? A coffee shop? The restroom?
  o Remember and keep in mind the 18 identifiers.
• Don’t share information with other staff members unless it is absolutely necessary for them to perform their job functions.

Treat PHI with the same care that you would your own information: keep it secure and protect the right to privacy.

Workforce Tips: Email

• Do not use Gmail/AOL/Hotmail accounts or any other consumer-based email systems to send any PHI. They are not secure.
• Pay close attention to your incoming emails. Example – phishing attacks:
  o Targeted emails sent to a small number of people, typically an executive team.
  o The message will appear to be personal to you: oftentimes information is pulled from social media sites or online profiles.
  o The email can contain links to websites or include compromised attachments.
  o Once clicked or opened, key loggers or some other form of malware is installed that allows remote parties to monitor your activity and steal data.

Workforce Tips: Mobility

• Don’t download or send ePHI to anything mobile unless absolutely necessary to perform your job function.
• This includes laptops, iPhones, iPads, Androids, thumb drives, etc.
• If you have to have data on a mobile device, ensure that the data is encrypted.
• Do not send information via text messaging: this is not secure.

Minimizing where ePHI lives is a huge step in protecting it and maintaining compliance.

Workforce Tips: Mobility (continued)

• When you work remotely and connect in to your corporate network:
  o Keep documents on the office network.
  o Guard against copying any information to your workstation and/or device.
• Do not save passwords in applications such as web browsers or VPN clients: if your device is ever lost, stolen or compromised, the new owner could easily connect to the internet and access your sites without having to guess or crack your password.

Workforce Tips: Passwords

• Your organization has a password policy for a reason. Typically it requires you to change your password periodically and to meet certain requirements that make it a strong password, such as:
  o 8-12 characters
  o Change quarterly (for example).
  o Should include letters, numbers and symbols
• www.howsecureismypassword.net: a website to measure the strength of a password (note: do not enter your real passwords into this or any site)
  o PW = stgpwb!g: 33 minutes to crack with a PC
  o PW = stgpWb!g: 24 hours to crack with a PC
  o PW = s2gpWb!g: 72 hours to crack with a PC
• Don’t fight your company’s password policy!
• Do not share your passwords.
• Do not write your passwords on a sticky note and attach it to your computer or monitor.
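The password points above, as an added example that is not from the presentation: a checker for the stated policy (8-12 characters; letters, numbers and symbols) that also sizes the brute-force keyspace for the slide's three sample passwords, showing how each added character class enlarges the search space. The sample strings are the slide's own; the assumption that a "symbol" is one of the 32 characters in Python's string.punctuation is mine.

```python
"""Check a password against the policy on the slide (8-12 characters; letters,
numbers and symbols) and size the brute-force keyspace each class adds.
The three sample passwords are the slide's own; the time figures are not reproduced."""
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26 characters
    "upper": set(string.ascii_uppercase),  # 26
    "digit": set(string.digits),           # 10
    "symbol": set(string.punctuation),     # 32 (assumed symbol set)
}

def classes_used(pw: str) -> set:
    """Which character classes appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def keyspace(pw: str) -> int:
    """Candidates an exhaustive search must cover for this length over the
    classes actually present (an upper bound on the guesses needed)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)

def policy_problems(pw: str) -> list:
    """Rules the password fails; an empty list means it meets the policy."""
    problems = []
    if not 8 <= len(pw) <= 12:
        problems.append("length must be 8-12 characters")
    used = classes_used(pw)
    if not used & {"lower", "upper"}:
        problems.append("must include letters")
    if "digit" not in used:
        problems.append("must include a number")
    if "symbol" not in used:
        problems.append("must include a symbol")
    return problems

# The slide's three examples (illustrative values, never real passwords).
SAMPLES = ["stgpwb!g", "stgpWb!g", "s2gpWb!g"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw}: classes={sorted(classes_used(pw))}, keyspace={keyspace(pw):.2e}, "
              f"policy problems={policy_problems(pw) or 'none'}")
```

Only the third sample satisfies the stated policy; the first two contain no digit. The keyspace figure is a ceiling on guesses for a blind search, not a measure of resistance to dictionary or reuse attacks.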

Workforce Tips: Working with Paper

• Keep areas where PHI is located locked at all times.
• Have a designated person that can lock and unlock these areas only (Privacy Officer).
• If you are working with paper copies of documents that contain PHI:
  o Maintain control of the copies at all times.
  o Do not leave the copies lying around for others to see.
• Use fax cover sheets that have privacy statements on them.

Workforce Tips: Miscellaneous

• Lock your workstation when you leave your desk.
• Position your monitors so people passing by your office, or coming into your office to talk to you, cannot see the information on your monitors.

Worry Free IT

Richard Stokes
[email protected]

Richard joined Network 1 in 2003, as employee #4, and has been an integral part of Network 1’s growth over the years, both in sales and client management. He has been leading Network 1’s focus on medical practices and healthcare since 2010.

Richard is an active member of the North Fulton Medical Group Management Association (NFMGMA) and has served on their Board. He is also an active member of the North Metro Medical Manager’s Association (NMMMA) and serves on their Board. In addition, Richard has been interviewed and quoted as a healthcare IT consultant in Physicians Practice, American Medical News and MedicalOfficeToday, and has spoken as a HIPAA and ePHI expert at several medical and legal associations in Atlanta. Richard is also a regular contributor to Network 1’s Tuesday Tips.