encryption - Amazon Web Services


Privacy and Security of PHI
In The Era of Meaningful Use
Alison Nicklas, MJ, RHIA, CCS
Director HIM, Privacy Officer
St. Francis Hospital and Medical Center
Objectives
• Understand our role in protecting the privacy
of our patient’s information and ensuring the
security of the systems
• Identify the key standard to mitigate a breach
• Understand the role of Meaningful Use in
increased breach reports
• Understand the legal and financial
repercussions of a breach to both the patient
and the covered entity
Agenda
• HIPAA Privacy – 2003
• HIPAA Security – 2005
• HITECH Privacy and Security – 2009
• Meaningful Use
• Sample Cases - 2013
• Reported Breaches – Legal Outcomes
HIPAA Privacy - 2003
• 1996 – Health Insurance Portability and
Accountability Act (HIPAA)
– HIPAA Privacy and Security outlined
• Provided guidance to the Institute of Medicine’s
goal for a paperless record by 2001
– 2003 – HIPAA Privacy in effect
• Covers the information
• Any format – paper, film/fiche, electronic, oral
• Compliance date: 4/14/2003
HIPAA Privacy - 2003
• Key Documents
– The Code of Federal Regulations (C.F.R.)
• 45 C.F.R. Parts 1 to 199 – revised October 1,
2007
• Key Definitions
– Covered Entity: “health plan, health care
clearinghouse, or a health care provider
who transmits any health information in
electronic form”
HIPAA Privacy - 2003
• Key Definitions (Continued)
– Health Care Clearinghouse: “entity that
processes or facilitates the processing of health
information received from another entity” or
that “processes or facilitates the processing of
health information for a receiving entity”
– Business Associate: “performs a function or
activity involving the use or disclosure of
individually identifiable health information” for
a covered entity.
HIPAA Privacy - 2003
• 45 C.F.R. § 164.502
– Permitted uses and disclosures
– With and without authorization
– Minimum necessary “to accomplish the
intended purpose of the use, disclosure, or
request”
• No need for patient authorization to
release for “treatment, payment, or
healthcare operations”
HIPAA Privacy - 2003
• Accounting of Disclosures
– Six years prior (if paper record)
– Three years prior (if electronic record)
– Exceptions:
• Incidental to a permitted disclosure
• Based on valid authorization
• National security reasons
• Correctional facilities or law enforcement
• Limited data set requirements and
• For Now…“treatment, payment, or healthcare
operations”
HIPAA Privacy - 2003
• Included in an Accounting:
– The date of the disclosure
– The name of the entity or person who
received the PHI
– The addresses of such entity or person (if
known)
– Brief description of the PHI
– Brief statement of the purpose of the
disclosure
HIPAA Security 2005
• 1996 – Health Insurance Portability and
Accountability Act (HIPAA)
– HIPAA Privacy and Security outlined
• Provided guidance to the Institute of Medicine’s
goal for a paperless record by 2001
– 2005 – HIPAA Security in effect
• Electronic information “created, received,
retained, or transmitted by the covered entity”
• Effective April 20, 2005
HIPAA Security 2005
• Specific Security Safeguards
– “Required” – the covered entity MUST
implement as written
– “Addressable” – the covered entity has the
OPTION to implement as written or to assess
whether doing so is reasonable
• If not deemed “reasonable” – MUST
– Implement an alternate “equivalent” specification
AND
– Document why the stated specification was deemed
not to be reasonable
HIPAA Security 2005
• Four REQUIRED implementation
specifications
– Security Risk Assessment:
• Identify any risks and vulnerabilities to the
confidentiality, integrity, and availability of ePHI
• Implement policies and procedures to mitigate
identified risks and vulnerabilities
• Focus on those with a “reasonable anticipation
of threat”
HIPAA Security 2005
– Assess current security measures
• Technical: Access controls – firewalls, audit
controls, and encryption
• Non-Technical: Policies and procedures,
standards and guidelines
– Evaluate the potential impact of threat
• Risk for that threat (human/environmental
threats)
– Identify security measures to mitigate risk
HITECH - 2009
• ARRA: American Recovery and
Reinvestment Act – includes:
• HITECH: Health Information Technology
for Economic and Clinical Health
(HITECH)
HITECH - 2009
• HITECH Act includes:
– Improved guidance for the Security Rule
– Increased penalties for a breach
• Technical Safeguards include:
– Encryption (Note – this is only an addressable
standard – not required)
• Defined: making ePHI “unusable, unreadable,
or indecipherable”
– Destruction (applies to unsecured data such as
paper, film, fiche…)
HITECH - 2009
• Encryption: Addressable
– Firewall may be an alternative - “reasonable
and appropriate safeguard”
• RISK: Breach of the firewall considered a
reportable incident to the Office of Civil Rights
as the information was not made “unusable,
unreadable, or indecipherable”
HITECH - 2009
• New Penalties
– Prior to HITECH – no monetary penalty if the
covered entity “did not know or could not have
reasonably known of the breach”
– HITECH: penalties per violation, by tier
• Did Not Know: $100 - $50,000
• Reasonable Cause: $1,000 - $50,000
• Willful Neglect – Corrected: $10,000 - $50,000
• Willful Neglect – Not Corrected: $50,000
• Minimum $100 - $50,000; Maximum $1,500,000
Meaningful Use
• HITECH – Meaningful Use
– “Voluntary”
– Failure results in penalties
• 1% Medicare payment reduction in 2015
• 2% Medicare payment reduction in 2016
• 3% Medicare payment reduction 2017 +
Meaningful Use
• Defined: Using certified electronic
health record (EHR) technology to:
– Improve quality, safety, efficiency, and
reduce health disparities
– Engage patients and family
– Improve care coordination, and population
and public health
– Maintain privacy and security of patient
health information
Meaningful Use
• Objectives: meaningful use compliance
will result in:
– Better clinical outcomes
– Improved population health outcomes
– Increased transparency and efficiency
– Empowered individuals
– More robust research data on health
systems
Meaningful Use
• Eligible Hospitals and Critical Access
Hospitals
– Can apply for Medicare AND Medicaid
financial incentives
• Eligible Professionals
– Can apply for Medicare OR Medicaid
financial incentives
Meaningful Use
• Eligible Hospital – Medicare Incentive
– Start value: $2,000,000
– Add
• $200 per discharged patient (no payment for first
1,150) to a maximum of 23,000 patients
– Multiplied by both:
• Medicare Share – Based on number of inpatient Part
A bed days + number of inpatient Part C days x (total
charges – charges related to charity care)
• Transition Factor – Based on the year the hospital
first attests to meaningful Use
Meaningful Use
• Certified technology must be used
• Meet Core and Menu Set Objectives
– INCLUDES PRIVACY AND SECURITY OF DATA
• Electronic Data Security
– Encryption – only an “addressable”
standard
– Firewalls – “reasonable and appropriate”
but FAILS to meet “breach” standards
Outcome of “Voluntary” EHR
• HHS Secretary – Kathleen Sebelius
– May 22, 2013:
– “Doctors and hospitals’ use of health IT
more than doubled since 2012”
• Data from the Office of Civil Rights has
demonstrated that more than
29,000,000 patient records have been
breached since 2009 (only includes
breaches of 500 or more!)
Sample Cases - 2013
• Advocate Medical Group
– Largest Chicago physician group – more than
1,000 doctors, 200 locations
– Administrative building broken into
– 4 unencrypted personal computers stolen July 15,
2013
– Over 4 million patient records stored – 2nd largest
ever reported to HHS
Sample Cases - 2013
– Only password protected – a “first line of defense”
– it is NOT encryption
– Data:
• SSN, DOB, patient names, addresses
– NOT the FIRST breach reported by Advocate
• 2009 – employee reported theft of a personal
laptop with 812 patient records - unencrypted
Sample Cases - 2013
• AHMC Healthcare
– Administrative Office Break-in
– Two password protected laptops stolen
October 12, 2013
• SSN, name, MCR/Ins. ID number, dx/proc codes,
Ins./Patient payments
– 729,000 Patient Records
– Will now expedite the encryption policy for
laptops
Sample Cases - 2013
• Horizon Blue Cross and Blue Shield of NJ
– Headquarters Break-in
– Two password protected and cable-locked
laptops stolen November 4, 2013
• Data: SSN, Names, Addresses, DOB, Clinical
Information
– 840,000 Patient Records
– Plan: Review staff education, policies and
encryption
– Not the first breach – 2008 lost laptop with
300,000 individuals notified
Sample Cases - 2013
• 5.5 million patient records included in
just 3 breach reports for 2013
• All included SSNs and patient names
• All involved unencrypted devices – even
with two organizations already having
had similar breach reports in the past
• Since 2009 – 29,000,000 patient records have
been compromised through breaches
Breach Outcomes
• Lawsuits
– HIPAA “Breach” not a cause of action for
individuals
– March 8, 2013 – Polanco v. Omnicell
• Laptop stolen from employee vehicle
• Not encrypted
• Vendor managed medications for several
healthcare organizations
• Mother of patient sued – “Omnicell violated her
privacy” – information included her insurance
Breach Outcomes
• Polanco v. Omnicell
– Omnicell had policies requiring encryption –
but employee only had password
protection security
– Case dismissed: Polanco “failed to
demonstrate an injury”
• Loss of confidence of patients
• Cost of defending lawsuit
• Failure to REQUIRE encryption as a security
measure
Breach Outcomes
• Historically
– Failure to file suit under HIPAA Privacy and
Security – no “private right of action”
– HHS – can directly enforce and impose
penalties (maximum of $1.5 million)
– Penalties – paid to HHS – NOT TO
PATIENT(s)
Breach Outcomes
• Recent Case – May Set Precedent
– Curry v. AvMed
• AvMed (Health Plan): Two unencrypted laptops
stolen December 2009 from a locked
conference room
• 1.2 million patient records compromised
• Juana Curry and William Moore – victims of
identity theft
Breach Outcomes
• Curry v. AvMed
– Lawsuit:
• AvMed failed to “adequately secure and encrypt
the laptops” and it was “negligent and failed to
discharge its obligation to protect sensitive
personal information of its customers”
– Dismissed in July 2011 – “with prejudice”
– Appealed in August 2011
Breach Outcomes
• Curry v. AvMed
– Affirmed Dismissals of:
• “Negligence per se” and
• “Breach of implied covenant of good faith and
fair dealing”
Breach Outcomes
– Reversed Dismissals of remaining 5 counts:
• Negligence, Breach of Contract, Breach of
Implied Contract, Breach of Fiduciary Duty, and
Restitution/Unjust Enrichment
• Negligence: Failure to encrypt
• Unjust enrichment: AvMed received
remuneration for the purpose of securing PHI
– Meet and Confer: Reviewed allegations and
engaged in preliminary settlement
discussions – resolved through private
mediation
Breach Outcomes
• AvMed:
– Denies any wrongdoing or liability
– Each and all claims
– Concluded further defense would be “risky,
burdensome, and expensive”
– Agreed to terms and conditions of
settlement
Breach Outcomes
• Plaintiffs
– Believe claims asserted have merit
– Recognize and acknowledge risk of delays
and that they might not prevail
– Concluded that the terms and conditions
are fair and reasonable
Breach Outcomes
• Settlement
– Identity Theft Settlement
• Submitted timely, actual, documented,
unreimbursed losses accompanied by proof
– Premium Overpayment Claim
• Submitted timely, number of years for which
the Defendant was paid for insurance premiums
• Maximum of $30 per person
• $3,000,000 minimum payment to be covered by
AvMed (Additional for Identity Theft Coverage)
Breach Outcomes
• Advocate – July, 2013 Breach
– 3 Class Action Lawsuits filed
– Compromise of over 4,000,000 patient
records
• Compare with AvMed of 1,200,000 patient
records - $3,000,000 minimum cost
Identity Theft v. Medical
Identity Theft
• January 2014 Survey
– Medical-related identity theft accounted for
43% of all identity thefts reported in 2013
• Far greater than Banking and Finance,
Government and Military, or Education
– U.S. Dept. of Health and Human Services
• Medical Records of between 27.8 and 67.7
million people have been breached since 2009
Identity Theft v. Medical
Identity Theft
• Medical Identity Theft
– “The fraudulent acquisition of someone’s
personal information – name, SSN, Health
Insurance Number – for the purpose of
illegally obtaining medical services or
devices, insurance reimbursements or
prescription drugs.”
Identity Theft v. Medical
Identity Theft
• Medical Identity Theft
– Victims
• Little to no recourse for recovery
• Financial repercussions
• Erroneous information added to personal
medical files
Identity Theft v. Medical
Identity Theft
• Edward Snowden, the former National
Security Agency contractor who has
disclosed the agency’s activities to the
media, says the NSA has cracked the
encryption used to protect the medical
records of millions of Americans.
Use of Medical Information
• Psychiatrist in MA: False diagnoses –
submit medical insurance claims for
psychiatric sessions that never occurred
• Identity Thief in MO: False Driver’s
License to obtain Medical Records and a
prescription belonging to another
woman
• Dental Office in OH: Obtain prescription
drugs
Use of Medical Information
• Methods Used to Obtain Information
– Stealing laptops / electronic device – more
than 50% of medical-related breaches
– Hacking into computer networks (St.
Joseph’s Hospital in Texas – 429,000 patient
records) – 14% of breaches
– Gaining unauthorized Access – 20% of
breaches
• Lucrative - $10 to $20 for each bit of
information
Medical Identity Theft
• Discovery – does not correct the
“mischief” done
– Corrected information may be placed in file
BUT difficult to get information removed –
fear of medical liability
– Information from the “thief” gets mixed
with the information of the real patient –
very difficult to segregate especially in the
electronic environment
Medical Identity Theft
• Can result in patient death
– Inaccurate medication allergies
– Inaccurate medication lists –
interactions/failure of medications being
prescribed
– Delays in treatment
• Appendicitis following Appendectomy?
Electronic Health Records
• Compromised by Medical Identity Theft
– Difficult to make corrections
– Difficult to address insurance fraud
• Deductibles
• Maximum coverage exceeded
Prevention
• ENCRYPT
– Laptops
– Personal Computers
– Portable Electronic Devices
• iPhones / Smart Phones
• iPads / Notepads
– Use software tracking that allows remote
erasing of portable device if stolen
Prevention
• ENCRYPT
– Financial Impact
• HHS Fines
• Credit Monitor Protection
• Loss of Patients (and their
confidence)
• Loss of Business
Prevention
• ENCRYPT
– There is no other real option
• Firewalls do not protect the data
• Passwords do not protect the data
• Secure Servers do not protect the data
Prevention
• Personal Steps to Prevent Medical Identity
Theft
– Do not carry your insurance card
– Beware of “Free” services when required to
provide insurance information
– Request that your health provider ask for your ID
– Check statement of benefits
– Request an annual / semiannual summary of
benefits – compare with actual visits
– Check credit reports for unpaid medical bills
Open Discussion
• Who has experienced a breach?
• What steps were taken following that
incident?
• Do you think that your organization has
secured its PHI?
• Do you think that your patients are
confident in the security of their PHI?