HIPAA Guidelines: Quick Study Guide
ISBN 1423238710, 9781423238713

Table of contents:
HIPAA Guidelines
HIPAA Rules & Related Laws
When HIPAA Applies
HIPAA-Related Risks
HIPAA Enforcements
HIPAA Privacy Rule Requirements
HIPAA Security Rule Requirements
HIPAA Data Breach Notification Rule Requirements
HIPAA Privacy, Security & Compliance in Practice
Additional Resources



Rules, laws, risks, enforcements, privacy, security and notification requirements & compliance in practice

HIPAA Rules & Related Laws

HIPAA Rules

• Health Insurance Portability and Accountability Act (HIPAA)
-Portability: changes the practices of health plans and insurers regarding portability and continuity of health coverage
-Accountability:
››Improves the efficiency and effectiveness of the health care system
››Reduces administrative costs
››Improves the Medicare and Medicaid programs
››Reduces fraud and abuse
››Improves the quality of patient care through clinical data access and information availability for decision-making
››Protects patients’ rights
››Protects the privacy and security of patients’ health information
• Transaction Standards and the Privacy, Security, and Breach Notification Rules
-Distinct areas that affect Covered Entities (CEs) and Business Associates (BAs)
-Part of the Administrative Simplification provisions of the accountability part of HIPAA
-Commonly referred to as the “HIPAA Rules”
• Privacy Rule
-Protects patients’ rights (e.g., access to their records)
-Assures the privacy and security of patients’ Protected Health Information (PHI) in all formats (electronic, paper, and oral)
• Security Rule
-Safeguards PHI created, received, maintained, or transmitted in electronic form (electronic PHI)
-Requires that the confidentiality, integrity, and availability of that information be protected
• Breach Notification and Enforcement Rules
-Describe security incidents and the breach notification requirements for CEs and their BAs
-Describe investigations, procedures, and monetary penalties for violations of the HIPAA Administrative Simplification Rules
• The HIPAA Rules are codified at 45 CFR Parts 160, 162, and 164 and can be found at www.ecfr.gov/ > Title 45 > Subtitle A > Subchapter C
-HIPAA was enacted in 1996; the Privacy, Security, and Enforcement Rules were published and modified over the following years
-The HIPAA Omnibus Final Rule of 2013 finalized and modified the interim provisions established by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
• Additional information, guidelines, and resources about HIPAA can be found at www.hhs.gov/hipaa/index.html > HIPAA for Professionals

HIPAA-Related Agencies

• US Department of Health and Human Services (HHS):
-Office for Civil Rights (OCR): Privacy, Security, and Breach Notification Rule enforcement agency; enforces HIPAA Omnibus Rule compliance on behalf of HHS and has reached multiple settlements for HIPAA violations (look for the Enforcement link at www.hhs.gov/hipaa/)
››“Wall of Shame”: List of data breaches reported to OCR affecting 500 or more individuals (see Additional Resources)
-Centers for Medicare and Medicaid Services (CMS): Transaction Standards enforcement agency, focusing on Transactions, Code Sets, Employer Identifier and National Provider Identifier Standards, and incentive programs such as the Merit-based Incentive Payment System, or MIPS (qpp.cms.gov/mips/overview)
-Office of the National Coordinator for Health Information Technology (ONC): Issues guides on the privacy and security of health information, and training materials
• State Attorneys General (SAG): HIPAA enforcement authority; some SAG offices are very active in enforcement and pursue HIPAA-related investigations independently of OCR; settlements and penalties vary but can be significant, including a ban from doing business in the state
• Federal Trade Commission (FTC): Enforces Section 5 of the FTC Act, the primary federal statute applicable to the privacy and security practices of businesses that collect health information but are not CEs and are not covered by HIPAA; the FTC has pursued multiple HIPAA-related investigations independently of OCR
-Often involved in data/identity theft cases
-The FTC “standard” resolution is a long-term (20-year) independent audit/monitoring requirement; monetary settlements are sometimes imposed as well
• US Department of Justice (DOJ): Pursues criminal penalties, including fines and prison sentences, against individuals involved in PHI theft and related fraud (see the DOJ HIPAA Penalties table under HIPAA Enforcements)
• Other related agencies: Drug Enforcement Administration (DEA), US Department of Commerce, National Institute of Standards and Technology (NIST), US Food and Drug Administration (FDA)

HIPAA-Related Laws

• State laws: Data breach notification requirements; penalties vary by state (e.g., California, Texas)
• SAMHSA: Substance Abuse and Mental Health Services Administration confidentiality rules for substance use disorder patient records, 42 CFR Part 2; www.ecfr.gov/ > Title 42 > Chapter I > Subchapter A > Part 2
• FERPA: Family Educational Rights and Privacy Act of 1974; addresses protection of student records; 34 CFR Part 99; www.ecfr.gov/ > Title 34 > Subtitle A > Part 99
• Other laws that may apply in certain scenarios:
-CLIA: Clinical Laboratory Improvement Amendments, 42 CFR (Public Health)
-GINA: Genetic Information Nondiscrimination Act, 29 CFR (Labor) Part 1635
-GDPR: European Union General Data Protection Regulation; www.ec.europa.eu/justice/data-protection/reform/index_en.htm

2276-4819 10/22/2018

When HIPAA Applies

HIPAA applies to organizations processing electronic transactions (subject to the Transaction Standards) involving:
• Claims and encounter information
• Enrollment and disenrollment
• Payment and remittance advice
• Referrals and authorizations
• Claims status
• Coordination of benefits
• Eligibility
• Premium payment

What Data Is Protected?

• The concept of data protection under HIPAA is based on two terms:
-Protected health information (PHI): individually identifiable health information held or transmitted by a CE or BA in any form
-Personally identifiable information (PII)
››Subset of PHI
››Includes demographics, personal identification numbers (e.g., SSN, driver’s license number), addresses (including email), and personal characteristics (e.g., biometrics, pictures)
››Organizations should minimize the use, collection, and retention of PII to what is necessary to accomplish their business purpose and shall protect data so that individuals cannot be re-identified
• The following identifiers of the individual, or of relatives, employers, or household members of the individual, are protected under HIPAA; under the Privacy Rule’s “safe harbor” de-identification method all of them must be removed, so that the combination of the remaining elements cannot be used to re-identify the individual:
-Names
-All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code (see exceptions in the rule)
-All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
-Telephone numbers
-Fax numbers
-Electronic mail addresses
-Social Security numbers
-Medical record numbers
-Health plan beneficiary numbers
-Account numbers
-Certificate/license numbers
-Vehicle identifiers and serial numbers, including license plate numbers
-Device identifiers and serial numbers
-Web universal resource locators (URLs)
-Internet Protocol (IP) address numbers
-Biometric identifiers, including finger and voice prints
-Full-face photographic images and any comparable images
-Any other unique identifying number, characteristic, or code
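The identifier list is easiest to apply mechanically. The following Python is an added example, not part of the original guide, showing how a single patient record is reduced so that none of the 18 safe-harbor identifiers survives: direct identifiers are dropped, every date keeps only its year, ages over 89 collapse into the single “90+” category (and the birth year goes with them, since a year that reveals such an age is itself an identifier), and a ZIP code keeps only its first three digits. The field names, the sample record, and the empty RESTRICTED_ZIP3 set are assumptions of the example; the rule’s list of three-digit ZIP prefixes that must be reported as 000 is not reproduced here and would have to be supplied by the caller.

```python
"""Safe harbor de-identification of a patient record (added example, not from the guide)."""
import re
from datetime import date

# Direct identifiers that safe harbor requires to be removed outright.
# These field names are an assumption of this example, not a standard schema.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes covering 20,000 or fewer people must be reported as 000.
# The rule lists them; the list is not reproduced here (assumption: caller fills it in).
RESTRICTED_ZIP3 = set()


def generalize_zip(zip_code):
    """Keep only the first three digits of a ZIP code; restricted prefixes become 000."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"            # malformed or partial ZIP: give nothing away
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def generalize_age(birth_date, as_of):
    """Age as text; all ages over 89 collapse into the single category '90+'."""
    age = age_on(birth_date, as_of)
    return "90+" if age > 89 else str(age)


def deidentify(record, as_of):
    """Return a safe-harbor copy of record.

    Direct identifiers are dropped, every date is reduced to its year, the age is
    reported as a number or '90+', and the ZIP is reduced to three digits. For a
    person over 89 the birth year is dropped too, because a year that reveals such
    an age is itself an identifier under the rule.
    """
    age = generalize_age(record["birth_date"], as_of)
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if isinstance(value, date):
            if key == "birth_date" and age == "90+":
                out[key] = None
            else:
                out[key] = str(value.year)
        elif key == "zip":
            out[key] = generalize_zip(value)
        else:
            out[key] = value
    out["age"] = age
    return out


# Constructed sample input (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street_address": "1 Main St",
    "zip": "10001",
    "birth_date": date(1931, 5, 2),
    "admission_date": date(2018, 3, 14),
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2018, 10, 22)))
```

Safe harbor is a checklist, not a guarantee: a record that still carries a rare diagnosis code, a three-digit ZIP, and an age can be re-identifiable when linked with other data, which is why the rule also offers the alternative of a documented expert determination.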

Who Needs to Comply

• Covered entities (CEs):
-Health care providers: Doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit health information electronically in connection with the transactions (listed previously) subject to the Transaction Standards
-Health plans: Health, dental, and vision insurance plans, HMOs, company and church health plans, government programs that pay for health care (e.g., Medicare and Medicaid), and the military and veterans’ health care programs
-Health care clearinghouses: Entities that process nonstandard health information received from another entity into a standard format or data content, or vice versa
• Business Associates (BAs): Individuals or entities (and their subcontractors) that create, receive, maintain, or transmit PHI on behalf of a CE; BAs are obligated to appropriately safeguard PHI and adhere to the applicable Privacy Rule standards
-Functions and activities:
››Claims processing or administration
››Data analysis, processing, transmission, or administration
››Utilization review

››Quality assurance
››Billing
››Benefit management
››Practice management
››Re-pricing
-Examples:
››Third-party administrator that assists a health plan with claims processing
››CPA firm whose accounting services to a health care provider involve access to PHI
››Attorney whose legal services to a health plan involve access to PHI
››Independent medical transcriptionist that provides transcription services to a physician
››Health information organization managing PHI exchange on behalf of a CE
››Consultant that performs utilization reviews for a hospital
››Health care clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
››Pharmacy benefits manager that manages a health plan’s pharmacist network
››E-prescribing gateways
››Vendors of personal health records offered on behalf of a CE
››Data (paper and electronic) storage vendor maintaining and storing PHI, whether or not it actually views the PHI
››Data disposal vendor
Note: Internet service providers and other mere conduits for PHI, delivery services such as FedEx or UPS, and cleaning companies are not BAs.

HIPAA Enforcements

OCR HIPAA Penalties (civil monetary penalties; amounts as of this guide’s publication, subject to annual inflation adjustment)

Violation Category            | Each Violation    | All Such Violations of an Identical Provision in a Calendar Year
Did Not Know                  | $100–$50,000      | $1,500,000
Reasonable Cause              | $1,000–$50,000    | $1,500,000
Willful Neglect–Corrected     | $10,000–$50,000   | $1,500,000
Willful Neglect–Not Corrected | $50,000           | $1,500,000

DOJ HIPAA Penalties (criminal penalties; the fine and the prison term can be imposed together)

Offense                                                                                                                 | Monetary Penalty | Prison Term
Certain offenses such as knowingly obtaining or disclosing PHI in violation of HIPAA                                    | Up to $50,000    | Up to 1 year
Offenses committed under false pretenses                                                                                | Up to $100,000   | Up to 5 years
Offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm | Up to $250,000 | Up to 10 years

OCR Desk Audit Focus

OCR works toward the development of a permanent audit program; past audit efforts focused on the following requirements:
• Privacy Rule
-Notice of Privacy Practices & Content Requirements
-Provision of Notice: Electronic Notice
-Right to Access
• Breach Notification Rule
-Timeliness of Notification
-Content of Notification
• Security Rule
-Security Management Process: Risk Analysis
-Security Management Process: Risk Management
Look for details at https://www.hhs.gov/hipaa/index.html > HIPAA for Professionals > Compliance & Enforcement > Audit > Audit Program Protocol.

HIPAA-Related Risks

Business Risks
• Data compromises and the cost of responding to data breaches (hacking, theft: confidentiality)
• Inability to access systems or data (ransomware or system failure: availability)
• Lost data and the cost of data recovery (malware or theft)
• Internal costs of security incidents (lost time and productivity, executive/staff changes, system and data errors that need to be fixed: integrity)
• Cost of multiyear litigation, settlements, or audit/reporting requirements
• Loss of reputation resulting in loss of business/customers, poor ratings, and lost referrals
• Exclusions (e.g., inability to participate in government programs)
• Increased insurance costs

Patient Safety Risks
Harmful drug interactions; inability to treat patients or access systems; patient death; identity theft resulting in scams, stress, and financial harm; reputational harm to the patient (resulting in legal actions); liability arising from lost or corrupted data leading to misdiagnosis

Compliance Risks
Data collection and legal cost of responding to complaints or investigations; multiyear external audit and reporting mandates; civil monetary penalties and settlements; criminal liability; public relations and reputation costs (OCR “Wall of Shame”); loss of Medicare or Medicaid business (exclusions)

“Environmental” Risks
These risks grow with increases in the following factors:
• Volume of digital assets and transactions
• Return on investment of, and availability of tools for, automated attacks (e.g., ransomware)
• Mobility of PHI, and the complexity and cost of the systems and infrastructure that carry it
• Competition in health care and pressure to lower costs
• Threats affecting digital assets: hackers’ attacks, malicious insiders, extortion, tax fraud
• Monetary attractiveness of PHI (versus an SSN, driver’s license number, or credit card number alone) and of intellectual property (medical research)
-PHI fraud is more difficult to detect, lasts longer, and is more profitable
-PHI is used for tax, insurance, and identity fraud

Estimated Data Breach Cost: Simple Example

Item                                                                                                         | Rate / Count | Cost
Number of individual patient records maintained by the organization                                          | 10,000       |
Legal, forensics, media, and public relations costs associated with the breach (hours at $150 per hour)      | 300 hours    | $45,000
Internal research and investigation labor (hours at $75 per hour)                                            | 300 hours    | $22,500
Credit monitoring for 1 year at $3.00 per individual per month, taken up by 50% of affected individuals      | $3.00        | $180,000
Notification cost at $1.00 per letter                                                                        | $1.00        | $10,000
Total cost without litigation                                                                                |              | $257,500
Class action litigation exposure at $1,000 per record                                                        | $10,000,000  |
Total cost with litigation settled at 10% of exposure ($1,000,000)                                           | 10%          | $1,257,500

The legal costs would also increase significantly once litigation is involved.

Other ways to estimate data breach cost:
• Cost per record lost (Ponemon Institute 2017): $141
• Verizon DBIR 2015 cost ranges by number of records lost:

Records   | Average (Lower) | Expected   | Average (Upper)
100       | $18,120         | $25,450    | $35,730
1,000     | $52,260         | $67,480    | $87,140
10,000    | $143,360        | $178,960   | $223,400
100,000   | $366,500        | $474,600   | $614,600
1,000,000 | $892,400        | $1,258,670 | $1,775,350

HIPAA Privacy Rule Requirements

Privacy Rule

• Set of national standards for the use and disclosure of an individual’s PHI by CEs
• Standards for providing individuals with privacy rights to understand and control how their health information is used
• Requires:
-Formal designation of a Privacy Officer responsible for rule implementation and enforcement
-A Notice of Privacy Practices (NPP) that meets the Privacy Rule requirements, is made available to patients, and is posted on the organization’s website and in its facilities
-Implementation of the NPP provisions through the organization’s documented policies, procedures, and processes

Privacy Rule Required Elements & Provisions

§ 164.520 Notice of Privacy Practices for PHI

The patient has the right to:
• Get an electronic or paper copy of the medical record; providers may charge a fee:
-Cost-based fee
-Flat-rate fee (e.g., the HHS-prescribed $6.50 fee)
• Ask the provider to correct the patient’s medical record
• Request confidential communications
• Ask the provider to limit what it uses or shares
• Get a list of those with whom the provider has shared information
• Get a copy of the privacy notice
• Choose someone to act for the patient
• File a complaint if the patient feels that their rights have been violated
Providers may ask that patients exercise their rights in writing. See the rule for exceptions for health plans, insurers, and inmates.
• Health plans are required to remind enrollees of the availability of the NPP at least once every three years, by any of the following:
-Sending a copy of the NPP
-Mailing a reminder and instructions on how to obtain the NPP
-Including a reminder and instructions on how to obtain the NPP in a health plan newsletter or other publication sent to enrollees

§ 164.510 Patient Has the Right & Choice to Tell the Provider to:

• Share information with the patient’s family, close friends, or others involved in the patient’s care
• Share information in a disaster relief situation
• Include the patient’s information in a hospital directory
If the patient is unconscious, the provider may go ahead and share the patient’s information if it believes that doing so is in the patient’s best interest. The provider may also share patient information when needed to lessen a serious and imminent threat to health or safety.

§ 164.508 Uses & Disclosures for Which an Authorization Is Required

The patient must give written permission (an authorization) before the provider may use or disclose the patient’s information for:
• Marketing purposes
• Sale of the patient’s information
• Most sharing of psychotherapy notes
In the case of fundraising, the provider may contact the patient for fundraising efforts, but it must give the patient a clear way to opt out of further fundraising communications.

§ 164.512 Uses & Disclosures (Sharing) of PHI That Do Not Require the Patient’s Written Permission

Providers have to meet many conditions in the law before they can share PHI for these purposes:
• Treatment, payment, and health care operations (TPO)
• Public health activities and safety issues:
-To share proof of student immunization records with a school
-To prevent and control disease, injury, or disability
-To conduct public health surveillance, investigations, or interventions
-To track FDA-regulated products
-To report vital events (birth, death, etc.)
• Health research (limitations apply)
• Complying with laws
• Averting a serious threat to health or safety (limitations apply)
• Reporting crime, domestic violence, neglect, or abuse (limitations apply)
• Responding to organ and tissue donation requests
• Working with medical examiners or funeral directors
• Addressing workers’ compensation, law enforcement, and other government requests
• Responding to lawsuits and legal actions

Provider Responsibilities

• Maintain the privacy and security of PHI
• Notify patients promptly about data breaches that may have compromised their PHI
• Make a copy of the NPP available to patients
• Provide a copy of the NPP upon enrollment and a reminder of its availability every three years (health plans only)
• Allow patients to change their PHI sharing choices
• Follow the duties and practices described in the NPP
Providers can change the content of the Notice and shall make the new Notice available upon request, in their office, and on their website.

Privacy Rule Implementation

Effective implementation requires:
• Privacy Officer designation
• Understanding of the NPP provisions (Privacy Officer and staff training, with recurring reminders)
• Adoption of privacy forms supporting patients’ rights, a process for executing them, and their documentation, and making these forms and templates available to front desk staff (process training)

HIPAA Security Rule Requirements

Security Rule

• Set of national standards for the protection of electronic PHI created, received, maintained, or transmitted by CEs and BAs
• Set of “Required” and “Addressable” implementation specifications (controls) for assuring reasonable and appropriate protection of electronic PHI and of the organization’s systems
• § 164.306 requires that organizations:
-Ensure the confidentiality, integrity, and availability of all electronic PHI the CE or BA creates, receives, maintains, or transmits (Security Officer and risk analysis)
-Protect against any reasonably anticipated threats or hazards to the security or integrity of such information (risk management program)
-Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule (security incident and data breach detection)
-Ensure compliance with the Security Rule by the workforce (security awareness training and documentation)
-Select reasonable and appropriate security measures, taking into account:
››The size, complexity, and capabilities of the organization
››The organization’s technical infrastructure, hardware, and software security capabilities
››The cost of security measures
››The probability and criticality of potential risks to electronic PHI

Security Rule Standards & Implementation Specifications

• Develop and implement policies and procedures addressing the Security Rule implementation specifications (controls)
• Required (R) implementation specifications must be implemented
• Addressable (A) implementation specifications must be either:
-Implemented, if reasonable and appropriate for the organization’s environment; or
-Documented as not reasonable and appropriate, with the reason, and an equivalent alternative measure implemented if reasonable and appropriate
“Addressable” does not mean optional: the decision and its rationale must be written down and retained (see § 164.316), and OCR asks for that documentation in audits and investigations.

§ 164.308 Administrative Safeguards

• Assigned security responsibility (R): Designate a Security Officer responsible for developing and implementing the required policies and procedures, and define the scope of that responsibility
• Security management process: Prevent, detect, contain, and correct security violations
-Risk analysis (R): Conduct an accurate and thorough assessment of the risks and vulnerabilities to electronic PHI, including system testing and evidence of current status
-Risk management (R): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; identify and protect resources, detect suspicious events and security incidents, and respond to and recover from security incidents
-Sanction policy (R): Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures
-Information system activity review (R): Regularly review records of information system activity (e.g., audit logs, access reports, security incident tracking reports)
• Workforce security: Ensure that workforce members have appropriate access to electronic PHI and that others are prevented from obtaining it
-Authorization and/or supervision (A): Implement procedures for the authorization and/or supervision of workforce members who work with electronic PHI or in locations where it might be accessed
-Workforce clearance procedure (A): Implement procedures to determine that a workforce member’s access to electronic PHI is appropriate (periodic access review)
-Termination procedures (A): Implement procedures for terminating access to electronic PHI when employment ends or access becomes inappropriate
• Information access management: Implement policies and procedures for authorizing access to electronic PHI consistent with the Privacy Rule (need to know, separation of duties, role-based access)
-Isolating health care clearinghouse functions (R): If a clearinghouse is part of a larger organization, separate and protect its electronic PHI from unauthorized access by the larger (parent) organization
-Access authorization (A): Implement policies and procedures for granting access to electronic PHI through a workstation, transaction, program, process, or other mechanism
-Access establishment and modification (A): Implement policies and procedures that, based on the access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process
• Security awareness and training: Ensure all workforce members (including management) have security awareness and resilience to attacks
-Security reminders (A): Provide periodic reminders about best practices and ongoing threats and attacks
-Protection from malicious software (A): Procedures for guarding against, detecting, and reporting malicious software
-Log-in monitoring (A): Procedures for monitoring log-in attempts, reporting discrepancies, and detecting unauthorized access
-Password management (A): Procedures for creating, changing, and safeguarding passwords
• Security incident procedures: Implement policies and procedures to address security incidents
-Response and reporting (R): Identify and respond to suspected or known security incidents, mitigate their harmful effects, and document the incidents and their outcomes (this is the input to the breach notification determination)
• Contingency plan: Establish policies and procedures for responding to emergencies or other occurrences (e.g., fire, vandalism, system failure, natural disaster) that damage systems containing electronic PHI
-Data backup plan (R): Create and maintain retrievable, exact copies of electronic PHI
-Disaster recovery plan (R): Establish procedures to restore any loss of data; prioritize systems recovery to support vital business functions
-Emergency mode operation plan (R): Establish procedures for continuing critical business processes while protecting the security of electronic PHI during emergency mode operation (business continuity plan)
-Testing and revision procedures (A): Periodically test and revise contingency plans
-Applications and data criticality analysis (A): Assess the relative criticality of specific applications and data; prioritize what has to be protected most and recovered first
• Evaluation (R): Perform a periodic technical and nontechnical evaluation of how well the organization’s security policies and procedures meet the Security Rule requirements, in light of environmental and operational changes affecting the security of electronic PHI
• BA contracts and other arrangements: A CE may permit a BA to create, receive, maintain, or transmit electronic PHI on its behalf only if the CE obtains satisfactory assurances that the BA will appropriately safeguard the information
-Written contract or other arrangement (R): A written business associate agreement (BAA) meeting the § 164.314 requirements shall be in place; a memorandum of understanding (MOU), contract, or data-sharing agreement incorporating the BAA provisions can be used
-The CE does not need a BAA with the BA’s subcontractors, but the BA must have a BAA with each subcontractor

§ 164.310 Physical Safeguards

• Facility access controls: Limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed
-Contingency operations (A): Establish procedures that allow facility access in support of systems and data recovery under the disaster recovery and emergency mode operation plans
-Facility security plan (A): Safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
-Access control and validation procedures (A): Control and validate a person’s access to facilities based on the person’s role or function, including visitor control and control of access to software programs for testing and revision
-Maintenance records (A): Document repairs and modifications to the physical components of a facility that are related to security (e.g., hardware, walls, doors, and locks)
• Workstation use (R): Specify the proper functions to be performed, the manner in which they are to be performed, and the physical attributes of the surroundings of workstations that can access electronic PHI
• Workstation security (R): Implement physical safeguards for all workstations that access electronic PHI, to restrict access to authorized users
• Device and media controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media containing electronic PHI into and out of a facility, and the movement of these items within the facility
-Disposal (R): Address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored
-Media re-use (R): Implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use
-Accountability (A): Maintain a record of the movements of hardware and electronic media and of the person responsible for them
-Data backup and storage (A): Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment

§ 164.312 Technical Safeguards

• Access control: Implement technical policies and procedures for systems that maintain electronic PHI so that only persons or software programs that have been granted access rights can access it
-Unique user identification (R): Assign a unique name and/or number for identifying and tracking user identity (no shared accounts, or audit trails cannot be attributed)
-Emergency access procedure (R): Establish procedures for obtaining necessary electronic PHI during an emergency
-Automatic logoff (A): Implement procedures that terminate a session after a predetermined time of inactivity
-Encryption and decryption (A): Implement a mechanism to encrypt and decrypt electronic PHI at rest (in storage on a device or media)
• Audit controls (R): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI
• Integrity: Protect electronic PHI from improper alteration or destruction
-Mechanism to authenticate electronic PHI (A): Implement electronic mechanisms (e.g., file-integrity monitoring, cryptographic hashes or message authentication codes, digital signatures) to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner
• Person or entity authentication (R): Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed
• Transmission security: Implement technical security measures to guard against unauthorized access to electronic PHI being transmitted over an electronic communications network
-Integrity controls (A): Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until disposed of
-Encryption (A): Implement a mechanism to encrypt electronic PHI whenever deemed appropriate (in practice, whenever it crosses a network the organization does not control)
Although both encryption specifications are addressable, electronic PHI encrypted consistently with HHS guidance is not “unsecured PHI” under the Breach Notification Rule, so the loss or theft of an encrypted device does not by itself trigger breach notification.
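To make the integrity specification concrete, the following Python is an added example, not code from the guide, of a keyed mechanism to authenticate electronic PHI records at rest. Each record gets an HMAC-SHA256 tag computed over a canonical serialization; verification uses a constant-time comparison, and an audit pass over a record store returns the records whose tag no longer matches. A keyed tag is used rather than a bare hash because anyone who can alter a record could also recompute a bare hash over it. The fixed INTEGRITY_KEY, the record schema, and the sample store are assumptions of the example; a deployment would load the key from a KMS or HSM and would still need the access and audit controls listed above around the store itself.

```python
"""Integrity mechanism for stored ePHI: HMAC tags (added example, not from the guide)."""
import hashlib
import hmac
import json

# Assumption of this example: a 32-byte key loaded from a KMS/HSM in a real deployment.
# A constant key is used here only so the example runs stand-alone.
INTEGRITY_KEY = bytes.fromhex("0f" * 32)


def canonical(record):
    """Deterministic serialization so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, key=INTEGRITY_KEY):
    """HMAC-SHA256 tag over the canonical record, as 64 hex characters."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record, tag, key=INTEGRITY_KEY):
    """True only if the tag matches; constant-time compare, False on any alteration."""
    return hmac.compare_digest(sign_record(record, key), tag)


def audit_store(store, key=INTEGRITY_KEY):
    """Scan {record_id: (record, tag)} and return the ids whose tag no longer matches.

    A missing or malformed tag is reported too: a record with no valid tag cannot be
    corroborated as unaltered.
    """
    failed = []
    for record_id, (record, tag) in store.items():
        if not isinstance(tag, str) or not verify_record(record, tag, key):
            failed.append(record_id)
    return sorted(failed)


# Constructed sample data (not real patient data).
ORIGINAL = {"mrn": "000001", "diagnosis_code": "E11.9", "metformin_dose_mg": 500}
ORIGINAL_TAG = sign_record(ORIGINAL)

# Three states of the same record: intact, altered (dose changed), and with a damaged tag.
SAMPLE_STORE = {
    "rec-intact": (dict(ORIGINAL), ORIGINAL_TAG),
    "rec-altered": (dict(ORIGINAL, metformin_dose_mg=5000), ORIGINAL_TAG),
    "rec-bad-tag": (dict(ORIGINAL), ORIGINAL_TAG[:-1] + ("0" if ORIGINAL_TAG[-1] != "0" else "1")),
}

if __name__ == "__main__":
    print("records failing integrity check:", audit_store(SAMPLE_STORE))
```

The altered dose in the sample is the kind of silent change the Patient Safety Risks section warns about; the audit pass turns it into a detected, documentable integrity incident, which is what the specification asks for.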

§ 164.314 Organizational Requirements

• BA contracts or other arrangements (MOUs, data-sharing agreements) must provide that the BA will:
-Comply with the applicable requirements of the Security Rule
-Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the electronic PHI
-Ensure that any agent, including a subcontractor, to whom it provides electronic PHI agrees to implement reasonable and appropriate safeguards (the same provisions flow down to the BA’s contracts with subcontractors)
-Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI
-Accept termination of the contract by the CE if the BA violates a material term
-Report the problem to the Secretary if termination is not feasible
• Requirements for group health plans: plan documents must require the plan sponsor to:
-Reasonably and appropriately safeguard electronic PHI that it creates, receives, maintains, or transmits on behalf of the plan
-Ensure that adequate separation between the plan and the plan sponsor (employee separation of access to PHI) is supported by reasonable and appropriate security measures
-Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information
-Report to the group health plan any security incident of which it becomes aware

§ 164.316 Policies, Procedures & Documentation Requirements

• Policies and procedures: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule; they may be changed at any time, provided the changes are documented and implemented
• Documentation: Maintain the policies and procedures in written (which may be electronic) form, and maintain a written (which may be electronic) record of any action, activity, or assessment the Security Rule requires to be documented
-Time limit (R): Retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later
-Availability (R): Make the documentation available to the persons responsible for implementing the procedures to which it pertains
-Updates (R): Review the documentation periodically and update it as needed in response to environmental or operational changes affecting the security of electronic PHI

HIPAA Data Breach Notification Rule Requirements

Security Incidents vs. Data Breaches

• Security incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (§ 164.304)
• Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of unsecured PHI (§ 164.402)
-Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in HHS guidance (encryption or destruction)
-A ransomware attack that encrypts electronic PHI is a security incident and, unless a low probability of compromise can be demonstrated, a reportable breach (see the Ransomware Fact Sheet from HHS)
• Decision matrix
-Risk assessment documentation
-Probability of PHI compromise determines reporting and notification
-Elements to be considered in the risk assessment:
››The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
››The unauthorized person who used the PHI or to whom the disclosure was made
››Whether the PHI was actually acquired or viewed, or only the opportunity existed for it to be acquired or viewed
››The extent to which the risk to the PHI has been mitigated
-Breach reporting requirements (below)

§ 164.402 Data Breach Determination & Exceptions

Terms: CE = Covered Entity; BA = Business Associate; HIPAA violation = impermissible use or disclosure that compromises the security or privacy of PHI.

Use this decision chart to document the determination:

1. Security incident reported and confirmed: complete the security incident report.
2. Is the incident a HIPAA violation (an impermissible use or disclosure of unsecured PHI)?
   NO: No breach reporting requirement. Retain all documentation; it is your burden of proof of due diligence in case of an audit or investigation.
   YES: Continue to step 3.
3. Does one of the three exceptions apply?
   a. Was it the unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a CE or BA, in good faith and within the scope of that authority?
   b. Was it the inadvertent disclosure of PHI from a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA?
      In cases a and b the exception holds only if the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
   c. Do you (the CE or BA) have a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information?
   YES to any: Not a breach. Mitigate and follow up with disciplinary actions, procedure revisions, and training as needed. Retain all documentation.
   NO to all: Continue to step 4.
4. Perform and document the four-factor risk assessment. An impermissible use or disclosure is presumed to be a breach unless the assessment demonstrates a LOW probability that the PHI has been compromised.
   LOW probability (documented): No breach reporting requirement. Retain all documentation.
   HIGH probability, or assessment not performed: Breach; notification is required. Retain all documentation.
5. Notify according to the number of individuals affected:
   499 or fewer: Notice to (1) the individuals no later than 60 days after discovery; (2) the HHS Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.
   500 or more: Notice to (1) the individuals, (2) the HHS Secretary, and (3) the media, all no later than 60 days after discovery.

Notification Requirements

§ 164.404 Notification to Individuals • CE shall notify individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed • Breach shall be treated as discovered, as of the first day on which such breach is known to the CE or, by exercising reasonable diligence, would have been known -Timeliness of notification: Without unreasonable delay and no later than 60 days after breach discovery -Content of notification: ››Notification written in plain language ››Brief description of what happened, the date of the breach, and the date of the breach discovery ››Description of the types of unsecured PHI that were involved in the breach, such as whether full name, SSN, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved

Possible reportable data breach—need to complete the risk assessment to identify High-Low probability of a PHI compromise. Risk assessment requirement applies to impermissable use or disclosure of limited data sets as well. Retain all documentation, even when incident is considered NOT a reportable data breach.

• Security Incident Report (SIR) • Decision flow -Distinguish security incident from data breach–exceptions ››Unintentional acquisition, access, or use ››Inadvertent disclosure ››Good-faith belief that information is not retained 4

HIPAA Data Breach Notification Rule Requirements (continued)

››Any steps individuals should take to protect themselves from potential harm resulting from the breach
››Brief description of what the CE involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches
››Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, a website, or a postal address
-Methods of individual notification:
››Written notice: By first-class mail to the individual at the last known address or by electronic mail if individual has agreed to electronic communications
››Substitute notice: In the case in which there is insufficient or out-of-date contact information that precludes written notification, then phone, website, or media notification can be used

§ 164.412 Law Enforcement Delay
If breach notification, notice, or posting would impede a criminal investigation or cause damage to national security, law enforcement can request a delay.
• Delay notification by the time specified in a written statement
• Delay notification for up to 30 days when requested verbally; document the verbal request, including the identity of the official making the request

§ 164.414 Administrative Requirements & Burden of Proof

Retain all security incident, breach determination risk assessment, and notification documentation.

Incident Response Elements

• Execute incident response plan created in advance and based on the following principles:
-Action methodology: Use Boyd loop (OODA: Observe, Orient, Decide, Act)
-Response goal: Limit damage and reduce recovery time and cost
-Remember, not all security or privacy incidents result in data breaches, but all incidents need to be evaluated
• Start Security Incident Report (SIR)
• Investigate and triage incidents: Assess criticality and elevate as needed
-Collect evidence and track steps, time, and costs—it matters
• Notify incident response team:
-Privacy/Security Officer
-Legal/HR
-System/Application vendor
-Cybersecurity specialist/forensic
-Vendor (e.g., cloud-based systems)
• Contain and mitigate incident effects (e.g., isolate systems); eliminate incident root cause
-Malware: Remove or isolate
-Botnet connection: Remove or isolate
-Publicly shared document with sensitive information: Stop sharing
• Determine if appropriate to report crime to law enforcement; seek legal counsel advice
-FBI or Secret Service field office
-Report incident to Internet Crime Complaint Center (IC3)
-File police report
• Report threat
-ISAC organization (e.g., National Health Information Sharing and Analysis Center or Multi-State Information Sharing and Analysis Center)
-US-CERT
• Recover data or systems: Implement contingency plans as needed
-Data backup and site recovery/cloud systems
• Assess breach and notification requirements
-Conduct breach risk assessment
-Consider state-specific rules
-Complete notifications
-Document all steps
• Evaluate response
-Costs (argument for security investments)
-Improvement opportunities

§ 164.406 Notification to the Media
• For a breach involving more than 500 residents of a state or jurisdiction, notify prominent media outlets serving the state or jurisdiction
-Timeliness of notification: Without unreasonable delay and no later than 60 days after breach discovery
-Content of notification: Same as for individuals

§ 164.408 Notification to the Secretary
• Breaches involving 500 or more individuals: Notification without unreasonable delay and no later than 60 days after breach discovery, and as specified on the HHS website
• Breaches involving fewer than 500 individuals: CE shall maintain a log of breaches and, no later than 60 days after the end of each calendar year, provide the required notification to the HHS secretary and as specified on the HHS website

§ 164.410 Notification by a Business Associate
• BA shall notify the CE of PHI breaches
• Breach shall be treated as discovered, as of the first day on which such breach is known to the BA or, by exercising reasonable diligence, would have been known to the BA
-Timeliness of notification: Without unreasonable delay and no later than 60 days after discovery
-Content of notification: Shall include the identification of each individual whose unsecured PHI has been accessed, acquired, used, or disclosed during the breach and any other available information that the CE is required to include in notification to the individual

Notification Timelines

Individuals Affected   | Fewer Than 500                                            | 500 or More
Notice to individuals  | Within 60 days after discovery                            | Within 60 days after discovery
Notice to media        | NA                                                        | Within 60 days after discovery
Notice to secretary    | Annual—within 60 days after end of current calendar year  | Within 60 days after discovery
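The § 164.402 determination steps and the notification timelines above, worked through in code as an added example (it is not from the guide, from HHS, or from any product). It encodes the three exceptions, refuses to accept a LOW/HIGH conclusion until all four risk-assessment factors are documented, and then computes the latest notice dates for individuals, the HHS Secretary, and the media. The class and function names, the exception keys, and the sample incidents are this example's own assumptions; the media test follows the § 164.406 wording quoted above ("more than 500 residents of a state or jurisdiction"), which is why it is evaluated per jurisdiction rather than on the total count.

```python
"""Breach determination and notification deadlines under 45 CFR 164.402-164.408.
Added example following this guide's decision flow; names are this example's own.
The four risk-assessment factors are recorded as free text and the LOW/HIGH
conclusion is supplied by the assessor, because the rule requires the factors to
be documented but prescribes no numeric score."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

NOTIFY_WINDOW = timedelta(days=60)   # "no later than 60 days after discovery"

# Statutory exceptions in 164.402(1): a qualifying incident is not a breach (assumed keys).
EXCEPTIONS = {
    "unintentional_workforce": "unintentional acquisition, access, or use by a workforce member acting under CE/BA authority",
    "inadvertent_authorized": "inadvertent disclosure between persons authorized to access PHI at the CE/BA",
    "good_faith_not_retained": "good-faith belief that the unauthorized recipient could not retain the information",
}

# The four factors of 164.402(2) that must be documented in the risk assessment.
RISK_FACTORS = ("nature_and_extent_of_phi", "unauthorized_person",
                "actually_acquired_or_viewed", "mitigation")


@dataclass
class Incident:
    discovered: date                      # first day known, or should have been known with reasonable diligence
    hipaa_violation: bool                 # impermissible use or disclosure of unsecured PHI?
    exception: Optional[str] = None       # key from EXCEPTIONS, if one applies
    risk_factors: Dict[str, str] = field(default_factory=dict)   # documented assessment per factor
    probability_of_compromise: Optional[str] = None              # "LOW" or "HIGH", the assessor's conclusion
    affected_by_jurisdiction: Dict[str, int] = field(default_factory=dict)  # state -> individuals affected

    @property
    def affected(self) -> int:
        return sum(self.affected_by_jurisdiction.values())


@dataclass
class Determination:
    disposition: str
    deadlines: Dict[str, date] = field(default_factory=dict)     # notice recipient -> latest date


def determine(inc: Incident) -> Determination:
    if not inc.hipaa_violation:
        return Determination("not a HIPAA violation: no breach reporting; retain SIR and documentation")
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception {inc.exception!r}")
        return Determination(f"excepted ({EXCEPTIONS[inc.exception]}): mitigate, document, follow up")
    # Possible reportable breach: every factor must be documented before a conclusion is accepted.
    missing = [f for f in RISK_FACTORS if not inc.risk_factors.get(f, "").strip()]
    if missing or inc.probability_of_compromise not in ("LOW", "HIGH"):
        raise ValueError(f"risk assessment incomplete: missing {missing}, "
                         f"conclusion {inc.probability_of_compromise!r}")
    if inc.probability_of_compromise == "LOW":
        return Determination("low probability of compromise: no breach reporting; "
                             "retain the risk assessment as burden of proof")
    result = Determination("reportable breach: notify and retain all documentation")
    by_discovery = inc.discovered + NOTIFY_WINDOW
    result.deadlines["individuals"] = by_discovery                 # 164.404
    if inc.affected >= 500:
        result.deadlines["hhs_secretary"] = by_discovery           # 164.408, 500 or more
    else:
        # fewer than 500: log it; report within 60 days after the end of the calendar year of discovery
        result.deadlines["hhs_secretary"] = date(inc.discovered.year, 12, 31) + NOTIFY_WINDOW
    for state, n in inc.affected_by_jurisdiction.items():
        if n > 500:                                                # 164.406: more than 500 residents of a state
            result.deadlines[f"media:{state}"] = by_discovery
    return result


if __name__ == "__main__":
    # Constructed sample: a HIGH-probability breach affecting 120 Florida residents.
    sample = Incident(discovered=date(2023, 3, 10), hipaa_violation=True,
                      risk_factors={f: "documented" for f in RISK_FACTORS},
                      probability_of_compromise="HIGH",
                      affected_by_jurisdiction={"FL": 120})
    d = determine(sample)
    print(d.disposition)
    for who, when in d.deadlines.items():
        print(f"  {who}: no later than {when.isoformat()}")
```

Note that a breach of fewer than 500 still produces an HHS deadline (the annual log submission), and that the state-level media test can fire for one state and not another within the same incident.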

HIPAA Privacy, Security & Compliance in Practice

Designated Privacy & Security Officers
• Can be the same individual
• Document responsibilities
• Use position description or designation document

Notice of Privacy Practices (NPP)
• Review and update; use OCR templates
• Post on website and in facility
• Make available to individuals—print copies

Completed Risk Analysis
• Internal or external
• Use a certified privacy, security, and audit professional
• Ensure accountability and audit-proof your documentation—reports should be dated and signed
• Use controls framework
-For small businesses: HIPAA Standards & Implementation Specifications
-For larger and more mature organizations: NIST, ISO, COBIT
››When using vendor’s proprietary products or other frameworks, make sure the controls are mapped to NIST
››Most government auditors or investigators will use NIST controls as reference
• Essential elements and steps:
-Review and test policies and procedures
››Do not rely on a checklist only
››Test; verify that policy or procedure is implemented
››If termination policy indicates user’s access removal in one day, verify this is happening and only current employees have active access to systems
-Include evidence of system and processes testing
-Include vulnerability scanning (different from pen testing)
››Use reputable, licensed tool(s) and skilled professionals
››Use internal authenticated scans and policy compliance scans
››Prioritize detected vulnerabilities in reports so IT operations knows what to focus on first
››Review low-level vulnerabilities, as some may present significant risks

Nondiscrimination Notice (NDN)
• Not technically HIPAA, but applies to activities or programs receiving federal funding (e.g., Medicare and Medicaid patients); see ACA § 1557
• NDN requires provision of:
-Free aids for people with disabilities, such as language interpreters or written information in other formats (e.g., large print, audio)
-Free language services for people whose primary language is not English, such as language interpreters or information written in other languages
• Post required NDN with taglines in the top 15 languages spoken in your state in the office
• Implement procedure to meet NDN requirements:
-Establish process for verifying if the insurance provider has those services available
-Establish contract with a qualified interpreting services company
• For organizations with more than 15 employees:
-Designate individual responsible for compliance with NDN regulation
-Develop and implement grievance/complaint procedure

Privacy Forms & Templates
• Review, update, and make sure staff know where forms are
• Train front desk staff on patients’ privacy rights and privacy forms use
• Essential forms:
-NPP acknowledgment (can be incorporated in intake form)
-Request for access to PHI
-Request for accounting of PHI disclosures
-Request to amend PHI
-Request to restrict use and disclosure of PHI
-Personal representative designation
-Authorization to disclose PHI (release of information)
-Complaint about use of PHI
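The access-removal verification called out under Completed Risk Analysis above (test the termination policy rather than ticking a checklist) as an added example; it is not from the guide or from any HR or directory product. It joins a constructed HR roster against a constructed export of system accounts and reports four kinds of finding a risk analyst would put in the evidence file: accounts with no HR owner, accounts still enabled after the one-day removal window, accounts disabled late, and logins after the termination date. The record layouts, the one-day window constant, and the function names are this example's assumptions.

```python
"""Audit test for the one-day access-removal policy named in this guide.
Added example with constructed data; record layouts and names are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REMOVAL_SLA = timedelta(days=1)   # the policy in the guide: access removed within one day of termination


@dataclass
class HrRecord:
    user_id: str
    termination_date: Optional[date]   # None for current employees


@dataclass
class Account:
    user_id: str
    enabled: bool
    disabled_on: Optional[date]        # None while the account is still enabled
    last_login: Optional[date]


def audit_terminations(hr: List[HrRecord], accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Return findings keyed by category; an empty list means that check passed."""
    findings: Dict[str, List[str]] = {
        "orphan_account": [],            # account with no HR owner (service account, contractor, leftover)
        "active_after_termination": [],  # still enabled after termination date + SLA
        "late_disable": [],              # disabled, but later than termination date + SLA
        "login_after_termination": [],   # evidence the account was actually used after departure
    }
    hr_by_id = {r.user_id: r for r in hr}
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings["orphan_account"].append(acct.user_id)
            continue
        if rec.termination_date is None:
            continue                      # current employee: nothing to check here
        deadline = rec.termination_date + REMOVAL_SLA
        if acct.enabled:
            if as_of > deadline:
                findings["active_after_termination"].append(acct.user_id)
        elif acct.disabled_on is not None and acct.disabled_on > deadline:
            findings["late_disable"].append(acct.user_id)
        if acct.last_login is not None and acct.last_login > rec.termination_date:
            findings["login_after_termination"].append(acct.user_id)
    return findings


def control_passed(findings: Dict[str, List[str]]) -> bool:
    return all(len(v) == 0 for v in findings.values())


# Constructed sample data (not real people or systems).
SAMPLE_HR = [
    HrRecord("alice", None),
    HrRecord("bob", date(2024, 2, 1)),
    HrRecord("carol", date(2024, 2, 10)),
    HrRecord("dave", date(2024, 2, 20)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, None, date(2024, 2, 28)),
    Account("bob", True, None, None),                          # never disabled
    Account("carol", False, date(2024, 2, 15), date(2024, 2, 12)),  # disabled late, used after leaving
    Account("dave", False, date(2024, 2, 21), date(2024, 2, 19)),   # within the one-day window
    Account("svc_backup", True, None, date(2024, 2, 27)),      # no HR record
]

if __name__ == "__main__":
    for category, ids in audit_terminations(SAMPLE_HR, SAMPLE_ACCOUNTS, date(2024, 3, 1)).items():
        print(f"{category}: {ids or 'none'}")
```

The dated, signed output of a run like this is the kind of evidence the guide asks for in place of a checklist tick; the orphan category is worth reviewing separately, since service accounts are legitimate but must still have a documented owner.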

HIPAA Privacy, Security & Compliance in Practice (continued)

Completed Risk Analysis (continued)
››Pen testing for large organizations, mature security programs, or specific requirements: understand the difference between a vulnerability scan and a pen test; develop appropriate and proper pen test scope
-Conduct privacy and compliance assessment
-Prioritize findings and security risks using:
››20 Critical Security Controls
››ASD Top 4 and Essential 8 Cybersecurity Strategies
››NSA IAD Top 10 Information Assurance Mitigation Strategies
-Use exit conference to update executives and decision makers
• Repeat periodically or when major changes occur
-Annual risk analysis is good practice
››Technology and threats change constantly
››Often required by federal incentive programs
-Consider independent, external assessment at least every two years

Risk Analysis Follow-up & Risk Mitigation
• Good risk analysis should include strategy and long-term recommendations
• Understand and communicate privacy, security, and compliance risks in context of other organizational risks
• Keep track of activities and results
• Create a plan: Prioritized list of to-dos with what, who, and when (assigned responsibilities and due dates)
-Security and risk mitigation plan or risk management plan
-Plan of Actions and Milestones (POA&M)
-Project management plan
• Assure risk management plan is in alignment with Cybersecurity/IT strategy
• Mitigate prioritized risks
• Update policies and procedures as regulations, technology, and processes change
-Include privacy policy and procedures
-Use electronic format (searchable and easy to navigate)
-Make it a usable reference rather than a shelved printout
-Incorporate appropriate content or references in employee handbook
-Ask staff to re-sign policy acknowledgments annually or at least every two years
• Facilitate training and security awareness
-General, annual security awareness and compliance training for all staff
-Specialized security awareness training for high-value users, executives, IT admins, and HR
-Periodic privacy, security, and compliance reminders and awareness testing
››Newsletter topics
››Quizzes
››Phishing assessments (larger organizations)
-Technical and solution/tool training for individuals (e.g., email, SharePoint)
-Technical training and certifications for IT/security professionals
• Keep yourself and others accountable (metrics and compliance documentation)
-Keep track of what, who, and when of execution; use calendar/task list, Excel spreadsheet, Microsoft Project, Smartsheet, SharePoint list, etc.
-Develop monthly monitoring and reporting schedules
-Use or customize dashboard summaries and visuals for management and leadership
-Report quarterly to executives and board of directors
-Maintain documentation:
››Manage and organize documentation by focus area, department, or year; establish naming standards for folders and documents
››Sign and date created or reviewed reports
››Use screenshots when system reports are not available

Cybersecurity & IT Strategy
• Business needs and functions
-Prioritize and integrate
-Good security does not have to mean poor functionality or poor user experience
• IT operations and security
-Do not compete—both are equally important
-Consider security before spending money on operations
-Operationalize both with 20 Critical Security Controls
-Create visibility
-Automate
• Audit and compliance
-Automate—think continuous audit
-Consider when making IT security/operations investments
-Scrutinize security or compliance “plug and play” toolboxes promising to solve all issues—there are no such things

20 Critical Security Controls
CSC 1: Inventory and Control of Hardware Devices
CSC 2: Inventory and Control of Software Assets
CSC 3: Continuous Vulnerability Management
CSC 4: Controlled Use of Administrative Privileges
CSC 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Implement a Security Awareness and Training Program
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

NIST Cybersecurity Framework
Use for strategy development and tools selection:
• Identify resources (assets, data, users)
• Protect resources (patching, configuration, antivirus, training, backup, etc.)
• Detect vulnerabilities, threats, suspicious events, incidents—create visibility
• Respond to security incidents—contain and mitigate
• Recover from incidents—deploy contingency plans

NIST CSF functions and their categories, with Risk Management at the center:
• Identify: Asset management; Business environment; Governance; Risk assessment; Risk management strategy
• Protect: Access control; Awareness training; Data security; Policies and procedures; Maintenance; Protective technology
• Detect: Anomalies and events; Continuous monitoring; Detection processes
• Respond: Response planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery planning; Improvements; Communications

Additional Resources

• Office of the National Coordinator (ONC) for Health Information Technology: www.healthit.gov/
• ONC HIPAA resources: www.healthit.gov/providers-professionals/ehr-privacy-security
• NIST Cybersecurity: www.nist.gov/topics/cybersecurity
• NIST Computer Security Resource Center: csrc.nist.gov/
• Internet Crime Complaint Center (IC3): www.ic3.gov/complaint/default.aspx
• FBI: www.fbi.gov/tips
• HHS Health Information Privacy resources: www.hhs.gov/hipaa/index.html
• HHS OCR list (“Wall of Shame”) of reported breaches affecting more than 500 individuals: ocrportal.hhs.gov/ocr/breach/breach_report.jsf
• Submitting notice of a breach to the HHS secretary: www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
• Updated current regulations: www.ecfr.gov/

Author: Robert Brzezinski, CHPS, CISA, CISM

Disclaimer: This guide is intended for informational purposes only. Due to its condensed format, it cannot cover every aspect of the subject. BarCharts Publishing, Inc., its writers, editors, and design staff are not responsible or liable for the use or misuse of the information contained in this guide.

All rights reserved. No part of this publication may be reproduced or transmitted in any form, or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without written permission from the publisher. Made in the USA © 2018 BarCharts, Inc.