Title: Demystifying HIPAA: Strategies for Joint Compliance with the HIPAA Privacy and Security Rules
Slide 1: Demystifying HIPAA: Strategies for Joint Compliance with the HIPAA Privacy and Security Rules
- Timothy H. Graham, Esq.
- Privacy and Freedom of Information Act Officer
- Philadelphia VA Medical Center, Philadelphia, PA
- Catherine Reynolds, RN, MSN
- Information Security Officer
- Philadelphia VA Medical Center, Philadelphia, PA
- Lydia Duckworth
- HIPAA Security Specialist, VHA HIPAA Project Management Office, Chief Business Office, Washington, D.C.
Slide 2: Program Agenda
- Security and Privacy Rules: Similarities and Differences
- Overview of the Philadelphia VA Medical Center
- Privacy Rule
- Security Rule
- Case Study
- Questions
Slide 3: Comparison of the Rules
- Several similarities exist between the HIPAA Privacy and Security Rules:
  - Intended to be compatible
  - Both protect the confidentiality of electronic PHI (ePHI)
  - Both provide workforce access controls and protections
  - Coordinated compliance infrastructure
  - Both require written and documented policies and procedures relating to privacy and security
  - Both require business associate agreements
Slide 4: Comparison of the Rules
- Likewise, several differences exist between the HIPAA Privacy and Security Rules:
  - No exceptions for incidental uses and disclosures
  - A broader audit trail is advisable under the Security Rule
  - Scope: Security applies only to electronic PHI, while Privacy applies to all PHI
  - Continued monitoring is specifically required in the language of the Security Rule
Slide 5: Philadelphia VA Medical Center
- Provides health care for more than 400,000 veterans living in America's fifth largest metropolitan area and seven counties
- Staffed by more than 1,500 employees who support 135 acute beds, a 240-bed nursing home care unit and four Community Based Outpatient Clinics
- Site for over 200 ongoing research projects involving all clinical disciplines
- Affiliated with the University of Pennsylvania Schools of Medicine, Nursing and Dental Medicine
Slide 6: The HIPAA Privacy Rule
Slide 7: Introduction and Background
- VA has a strong legacy in protecting the privacy and security of veterans' and employees' personal information.
- To oversee the multiple efforts within VA to protect privacy, the Enterprise Privacy Program was established.
- The VHA Privacy Office is responsible for implementing privacy regulations consistently across the Veterans Health Administration.
Slide 8: What is Privacy in the VA?
- As a federal agency, the VA is subject to various regulatory statutes that promote the protection of private and confidential health information.
- Namely, there are six statutes with which VA must comply:
  - Health Insurance Portability and Accountability Act of 1996, 45 CFR 160 and 164
  - The Privacy Act of 1976, 5 U.S.C. 552a
  - The Freedom of Information Act, 5 U.S.C. 552
  - Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with Human Immunodeficiency Virus, and Sickle Cell Anemia Medical Records, 38 U.S.C. 7332
  - Confidentiality of Healthcare Quality Assurance Review Records, 38 U.S.C. 5705
  - The VA Claims Confidentiality Statute, 38 U.S.C. 5701
Slide 9: Why Privacy Compliance Monitoring?
- To ensure program goals for confidential protection of health information are achieved.
- To determine if policies, procedures and programs are being followed.
- To minimize the consequences of privacy failures through early detection and remediation.
- To provide the feedback necessary for privacy program improvement.
- To demonstrate to the workforce and the community at large the organization's commitment to health information privacy.
Slide 10: Acknowledge Common Problems
- Unclear and inconsistent policies and procedures.
- Inconsistencies in enforcement of policies and procedures.
- Ineffective or insufficient training and education.
- Employee morale and motivation.
Slide 11: The Processes for Monitoring
- Establish goals and objectives
- Define areas for review
- Metrics and methods (how?)
- Establish frequency
- Perform monitoring
- Act on results
Slide 12: Establishing Goals and Objectives
- Identification of monitoring goals should take into consideration several factors:
  - Privacy program objectives
  - Risk assessment results
  - Incident reporting
  - Feedback from staff
  - Administrative mandates
- Taking these factors into consideration identifies the desired outcomes of the monitoring process.
Slide 13: Defining the Areas for Review
- Choosing which areas of the medical center should be reviewed can be the most difficult part of the process.
- Initially, a facility-wide analysis is most helpful to determine which areas are troubled.
- The key in future monitoring is to focus on those areas that are high risk, high volume and/or subject to environmental or system changes.
- Further, reliance on the incident reporting system will identify key areas for review.
Slide 14: Metrics and Methods for Monitoring
- The key to identifying the methods for monitoring is to first identify the objectives and metrics of the audit.
- Once the objectives and metrics are delineated, creation of a formal audit tool is critical to documenting and analyzing the results.
- Critical to the overall compliance program is the presence of a written analysis, compiled as a result of the formal audit.
Slide 15: Examples of Monitoring Methods
- Interviews (staff and patients)
- Violation Tracking reports
- Chart Audits
- Privacy Rounds
- Program/Service Self-Assessment
- Peer Review
- Simulated Case Studies
Slide 16: Establish Frequency
- Ongoing monitoring (monthly, quarterly and annually) is essential to ensuring that the organization is fulfilling the requirements mandated by law.
- Once audits are completed, corrective action plans (CAPs) should be designed and implemented across the department or medical center.
- Following the implementation of the CAPs, further audits should take place to monitor compliance with the CAP.
Slide 17: Taking Action
- What's the next step after you analyze the audit findings?
  - Documented analysis of the findings
  - Identification of best practices
  - Documented comparison between the findings and the program objectives
  - Identification of non-compliant areas
  - Identification of trends from one department to another
  - Identification of problem areas which pose other serious liability issues for the organization (areas where a root cause analysis committee may be helpful)
Slide 18: Corrective Actions
- Examples of corrective actions may include:
  - Revision of policies and procedures
  - Focused education and training, and/or
  - Heightened supervision of staff and enforcement of policies and procedures for safeguarding protected health information
Slide 19: The HIPAA Security Rule
Slide 20: The HIPAA Security Rule
- Builds on and coordinates with organizational requirements under the Privacy Rule.
- Addresses the confidentiality, integrity and availability of ePHI that the covered entity creates, receives, maintains, or transmits.
Slide 21: The C-I-A Triad
Figure: the C-I-A triad, with Confidentiality, Integrity and Availability as the three sides surrounding Information Security.
Slide 22: Security Rule Definitions
- 45 CFR 160.103, Confidentiality
  - Data or information is not made available or disclosed to unauthorized persons or processes.
- 45 CFR 162.103, Integrity
  - Data or information have not been altered or destroyed in an unauthorized manner.
- 45 CFR 164.103, Availability
  - Data or information is accessible and usable upon demand by an authorized person.
Slide 23: Background of VA Security Practices
- Federal Policies
- National Institute of Standards and Technology (NIST) Guidance
- VA Information Technology Security Directive
Slide 24: Federal Policies
- The Computer Act of 1987
- Office of Management and Budget Circular A-130
- The Federal Managers Financial Integrity Act of 1982 (FMFIA)
- Office of Management and Budget Circular A-123
- The Federal Information Security Management Act (2003)
Slide 25: NIST Guidance
- SP 800-12, An Introduction to Computer Security: The NIST Handbook
- SP 800-14, Generally Accepted Principles and Practices for Securing IT Systems
- SP 800-26, Security Self-Assessment Guide for IT Systems
Slide 26: VA Information Security Directive
- VA Directive/Handbook 6210, Automated Information Systems Security Policy
- VA Directive 6212, Security of External Connections
- VA Directive 6213, VA Public Key Infrastructure
- VA Directive 6214, Information Technology Security Certification and Accreditation Program
Slide 27: VA Cyber Security Practitioner
- Position Title: Information Security Officer
- Responsibilities
- Education and Training
Slide 28: The HIPAA Security Standards
- Administrative Safeguards
  - Actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI, and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
- Physical Safeguards
  - Security measures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- Technical Safeguards
  - The technology, and the policy and procedures for its use, that protect ePHI and control access to it.
Slide 29: Administrative Safeguards
- Security Management Processes
- Assigned Responsibility
- Workforce Security
- Information Access Management
- Security Awareness Training
- Security Incident Procedures
- Contingency Planning
- Business Associate Agreements, etc.
Slide 30: Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Slide 31: Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Slide 32: Case Study of the PVAMC
- HIPAA Program Compliance Plan
- Three Phase Risk Assessment
  - Departmental Self-Assessment and Surveys (handout 1)
  - Privacy and Security Steering Committee Assessment (handout 2)
  - Formal Assessment by Privacy Officer and Information Security Officer (handout 2)
Slide 33: Case Study of the PVAMC
- Areas for Review
  - Discussion of confidential information among staff in public areas (hallways, elevators, parking garage and cafeteria)
  - Health information in trash or unsecured compartments
  - Health information in open view on desks, in hallways or on medicine carts
  - Health information left on faxes and printers
  - Sharing passwords
  - Computers and workstations not logged off, or not securely positioned where feasible
Slide 34: Case Study of the PVAMC
- Areas for Review (cont.)
  - Physical arrangement of the area
  - Sign-in sheets
  - Use of electronic mail for transmitting protected health information
  - Staff awareness of and responsibilities for visitors (i.e., did the staff challenge visitors for identification?)
  - Dictation conducted in public areas or in areas where the provider can be easily overheard
  - Business Associate Agreements with contracted business/service agreements and accrediting organizations
Slide 35: Case Study of the PVAMC
- Survey of Key Findings
  - Employees consistently rely on the fax machine as a means of transmitting protected health information.
  - Lack of attention to ensuring that health records are appropriately locked and secured.
  - Continued reliance on garbage cans as a means of destroying protected health information.
  - Lack of attention to logging off of computers and workstations.
  - Lack of written policies and procedures governing specific actions within the departments (i.e., monitoring of visitors in Surgery).
Slide 36: Case Study of the PVAMC
- Corrective Actions
  - Required departments to implement policies and procedures regarding certain processes within the department which pose a risk to the overall Privacy and Security Program.
  - Provide ongoing education to all employees through bulletins, seminars, staff meetings, annual privacy and information security training, and newsletters.
  - Develop and implement policies governing the disposal of health information.
  - Posted signage to remind employees and patients that health information should not be discussed in public forums.
  - Purchased privacy screens for all computers where repositioning was impossible or impractical.
Slide 37: Questions
- Contact Information
- Timothy H. Graham, Esq.
- Privacy and FOIA Officer, Philadelphia VAMC
- timothy.graham_at_med.va.gov
- 215.823.6270
- Catherine Reynolds, RN MSN
- Information Security Officer, Philadelphia VAMC
- catherine.reynolds_at_med.va.gov
- 215.823.5159
- Lydia Duckworth
- HIPAA Security Specialist, VHA HIPAA PMO
- lydia.duckworth_at_hq.med.va.gov
- 202.254.0353