Demystifying HIPAA: Strategies for Joint Compliance with the HIPAA Privacy and Security Rules - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Demystifying HIPAA: Strategies for Joint
Compliance with the HIPAA Privacy and Security
Rules
  • Timothy H. Graham, Esq.
  • Privacy and Freedom of Information Act Officer
  • Philadelphia VA Medical Center, Philadelphia, PA
  • Catherine Reynolds, RN, MSN
  • Information Security Officer
  • Philadelphia VA Medical Center, Philadelphia, PA
  • Lydia Duckworth
  • HIPAA Security Specialist, VHA HIPAA Project
    Management Office, Chief Business Office,
    Washington, D.C.

2
Program Agenda
  • Security and Privacy Rules: Similarities and
    Differences
  • Overview of the Philadelphia VA Medical Center
  • Privacy Rule
  • Security Rule
  • Case Study
  • Questions

3
Comparison of the Rules
  • Several similarities exist between the HIPAA
    Privacy and Security Rules:
  • Intended to be compatible
  • Both protect the confidentiality of electronic PHI
    (ePHI)
  • Both provide workforce access controls and
    protections
  • Coordinated compliance infrastructure
  • Both require written and documented policies and
    procedures relating to privacy and security
  • Both require business associate agreements

4
Comparison of the Rules
  • Likewise, several differences exist between the
    HIPAA Privacy and Security Rules:
  • No exceptions for incidental uses and disclosures
  • A broader audit trail is advisable under the
    Security Rule
  • Scope: Security applies only to electronic PHI,
    while Privacy applies to all PHI
  • Continued monitoring is specifically required in
    the language of the Security Rule

5
Philadelphia VA Medical Center
  • Provides health care for more than 400,000
    veterans living in America's fifth largest
    metropolitan area and seven counties.
  • Staffed by more than 1,500 employees who support
    135 acute beds, a 240-bed nursing home care unit
    and four Community Based Outpatient Clinics
  • Site for over 200 ongoing research projects
    involving all clinical disciplines
  • Affiliated with the University of Pennsylvania
    Schools of Medicine, Nursing and Dental Medicine

6
The HIPAA Privacy Rule
7
Introduction and Background
  • VA has a strong legacy in protecting the privacy
    and security of veterans' and employees' personal
    information.
  • In an effort to oversee multiple efforts in VA to
    protect privacy, the Enterprise Privacy Program
    was established.
  • The VHA Privacy Office is responsible for
    implementing privacy regulations consistently
    across the Veterans Health Administration.

8
What is Privacy in the VA?
  • As a federal agency, the VA is subject to
    various regulatory statutes that promote the
    protection of private and confidential health
    information.
  • Namely, there are six statutes with which VA must
    comply:
  • Health Insurance Portability and Accountability
    Act of 1996 (45 CFR Parts 160 and 164)
  • The Privacy Act of 1976 (5 U.S.C. 552a)
  • The Freedom of Information Act (5 U.S.C. 552)
  • Confidentiality of Drug Abuse, Alcoholism and
    Alcohol Abuse, Infection with Human
    Immunodeficiency Virus, and Sickle Cell Anemia
    Medical Records (38 U.S.C. 7332)
  • Confidentiality of Healthcare Quality Assurance
    Review Records (38 U.S.C. 5705)
  • The VA Claims Confidentiality Statute (38 U.S.C.
    5701)

9
Why Privacy Compliance Monitoring?
  • To ensure program goals for confidential
    protection of health information are achieved.
  • To determine if policies, procedures and programs
    are being followed.
  • To minimize consequences of privacy failures
    through early detection and remediation.
  • To provide feedback necessary for privacy program
    improvement.
  • To demonstrate to the workforce and the community
    at large the organization's commitment to health
    information privacy.

10
Acknowledge Common Problems
  • Unclear and inconsistent policies and procedures.
  • Inconsistencies in enforcement of policies and
    procedures.
  • Ineffective or insufficient training and
    education.
  • Employee morale and motivation.

11
The Processes for Monitoring
  • Establish goals and objectives
  • Define areas for review
  • How? Metrics and methods
  • Establish frequency
  • Perform monitoring
  • Act on results
12
Establishing Goals and Objectives
  • Identification of monitoring goals should take
    into consideration several factors:
  • Privacy program objectives
  • Risk assessment results
  • Incident reporting
  • Feedback from staff
  • Administrative mandates
  • Taking these factors into consideration
    identifies the desired outcomes of the monitoring
    process.

13
Defining the Areas for Review
  • Choosing which areas of the medical center should
    be reviewed can be the most difficult process.
  • Initially, a facility-wide analysis is most
    helpful to determine which areas are troubled.
  • The key in future monitoring is to focus on those
    areas that are high risk, high volume and/or
    areas subject to environmental/system changes.
  • Further, reliance on the incident reporting
    system will identify key areas for review.

14
Metrics and Methods for Monitoring
  • The key to identifying the methods for monitoring
    is to first identify the objectives and metrics
    of the audit.
  • Once the objectives and metrics are delineated,
    creation of a formal audit tool is critical to
    documenting and analyzing the results.
  • Critical to the overall compliance program is the
    presence of written analysis, compiled as a
    result of the formal audit.

15
Examples of Monitoring Methods
  • Interviews (staff and patients)
  • Violation Tracking reports
  • Chart Audits
  • Privacy Rounds
  • Program/Service Self-Assessment
  • Peer Review
  • Simulated Case Studies

16
Establish Frequency
  • Ongoing monitoring (monthly, quarterly and
    annually) is essential to ensuring that the
    organization is fulfilling the requirements
    mandated by law.
  • Once audits are completed, corrective action
    plans (CAPs) should be designed and implemented
    across the department or medical center.
  • Following the implementation of the CAPs,
    further audits should take place to monitor
    compliance with the CAP.

17
Taking Action
  • What's the next step after you analyze the audit
    findings?
  • Documented analysis of the findings
  • Identification of best practices
  • Documented comparison between the findings and
    the program objectives
  • Identification of non-compliant areas
  • Identification of trends from one department to
    another
  • Identification of problem areas which pose other
    serious liability issues for the organization
    (areas where a root cause analysis committee may
    be helpful).

18
Corrective Actions
  • Examples of corrective actions may include:
  • Revision of policies and procedures
  • Focused education and training and/or
  • Heightened supervision of staff and enforcement
    of policies and procedures for safeguarding
    protected health information.

19
The HIPAA Security Rule
20
The HIPAA Security Rule
  • Builds on and coordinates with organizational
    requirements under the Privacy Rule.
  • Addresses the confidentiality, integrity and
    availability of ePHI that the covered entity
    creates, receives, maintains, or transmits.

21
The C-I-A Triad
  • Information Security rests on three properties:
  • Confidentiality
  • Integrity
  • Availability
22
Security Rule Definitions
  • 45 CFR 160.103: Confidentiality
  • Data or information is not made available or
    disclosed to unauthorized persons or processes.
  • 45 CFR 162.103: Integrity
  • Data or information have not been altered or
    destroyed in an unauthorized manner.
  • 45 CFR 164.103: Availability
  • Data or information is accessible and usable upon
    demand by an authorized person.

23
Background of VA Security Practices
  • Federal Policies
  • National Institute of Standards and Technology
    (NIST) Guidance
  • VA Information Technology Security Directive

24
Federal Policies
  • The Computer Act of 1987
  • Office of Management and Budget Circular A-130
  • The Federal Managers' Financial Integrity Act of
    1982 (FMFIA)
  • Office of Management and Budget Circular A-123
  • The Federal Information Security Management Act
    (2003)

25
NIST Guidance
  • SP 800-12: An Introduction to Computer Security:
    The NIST Handbook
  • SP 800-14: Generally Accepted Principles and
    Practices for Securing IT Systems
  • SP 800-26: Security Self-Assessment Guide for IT
    Systems

26
VA Information Security Directive
  • VA Directive/Handbook 6210: Automated
    Information Systems Security Policy
  • VA Directive 6212: Security of External
    Connections
  • VA Directive 6213: VA Public Key Infrastructure
  • VA Directive 6214: Information Technology
    Security Certification and Accreditation Program

27
VA Cyber Security Practitioner
  • Position Title: Information Security Officer
  • Responsibilities
  • Education and Training

28
The HIPAA Security Standards
  • Administrative Safeguards
  • Actions, policies and procedures to manage the
    selection, development, implementation, and
    maintenance of security measures to protect ePHI
    and to manage the conduct of the covered entity's
    workforce in relation to the protection of that
    information.
  • Physical Safeguards
  • Security measures to protect a covered entity's
    electronic information systems and related
    buildings and equipment from natural and
    environmental hazards and unauthorized
    intrusion.
  • Technical Safeguards
  • The technology, and the policy and procedures for
    its use, that protect ePHI and control access to
    it.

29
Administrative Safeguards
  • Security Management Processes
  • Assigned Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness Training
  • Security Incident Procedures
  • Contingency Planning
  • Business Associate Agreements, etc.

30
Physical Safeguards
  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

31
Technical Safeguards
  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

32
Case Study of the PVAMC
  • HIPAA Program Compliance Plan
  • Three Phase Risk Assessment
  • Departmental Self-Assessment and Surveys (handout
    1)
  • Privacy and Security Steering Committee
    Assessment (handout 2)
  • Formal Assessment by Privacy Officer and
    Information Security Officer (handout 2)

33
Case Study of the PVAMC
  • Areas for Review
  • Discussion of confidential information among
    staff in public areas (hallways, elevators,
    parking garage and cafeteria)
  • Health information in trash or unsecured
    compartments
  • Health information in open view on desks, in
    hallways or medicine carts
  • Health information left on faxes and printers
  • Sharing passwords
  • Computers and workstations not logged off or
    securely positioned where feasible

34
Case Study of the PVAMC
  • Areas for Review (cont.)
  • Physical arrangement of the area
  • Sign in sheets
  • Use of electronic mail for transmitting protected
    health information
  • Staff awareness of and responsibilities for
    visitors (e.g., did the staff challenge visitors
    for identification?)
  • Dictation conducted in public areas or in areas
    where the provider can be easily overheard
  • Business Associate Agreements with contracted
    business/service agreements and accrediting
    organizations

35
Case Study of the PVAMC
  • Survey of Key Findings
  • Employees consistently rely on the fax machine as
    a means for transmitting protected health
    information.
  • Lack of attention to ensuring that health records
    are appropriately locked and secured.
  • Continued reliance on garbage cans as a means of
    destroying protected health information.
  • Lack of attention to logging off of computers and
    workstations.
  • Lack of written policies and procedures governing
    specific actions within the departments (e.g.,
    monitoring of visitors in Surgery)

36
Case Study of the PVAMC
  • Corrective Actions
  • Required departments to implement policies and
    procedures regarding certain processes within the
    department that pose a risk to the overall
    Privacy and Security Program.
  • Provide ongoing education to all employees
    through bulletins, seminars, staff meetings,
    annual privacy and information security training
    and newsletters.
  • Develop and implement policies governing the
    disposal of health information.
  • Posted signage to remind employees and patients
    that health information should not be discussed
    in public forums.
  • Purchased privacy screens for all computers where
    repositioning was impossible or impractical.

37
Questions?
  • Contact Information
  • Timothy H. Graham, Esq.
  • Privacy and FOIA Officer, Philadelphia VAMC
  • timothy.graham_at_med.va.gov
  • 215.823.6270
  • Catherine Reynolds, RN MSN
  • Information Security Officer, Philadelphia VAMC
  • catherine.reynolds_at_med.va.gov
  • 215.823.5159
  • Lydia Duckworth
  • HIPAA Security Specialist, VHA HIPAA PMO
  • lydia.duckworth_at_hq.med.va.gov
  • 202.254.0353