Privacy, Confidentiality, Security, and HIPAA


Privacy, Confidentiality, Security, and HIPAA
NURS 737: Concepts in Nursing Informatics, Module 2, Subtopic 3
This document is intended solely for the use of N737. Not for distribution.

Privacy, Confidentiality, and Security
- Privacy: “Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.” Example: persons may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center clearly identified by signs on the front of the building.
- Confidentiality: “Confidentiality pertains to the treatment of information/data that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.” (https://www.research.uci.edu/compliance/human-research-protections/researchers/privacy-and-confidentiality.html#privacy)
- Security: measures taken to guard against espionage or sabotage, crime, attack, or escape.

The Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA law has evolved over time.
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996: Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers.
- The AS provisions also address the Security and Privacy of health data. (https://www.hhs.gov/hipaa/for-professionals/index.html)

How HIPAA Affects Whom
HIPAA is NOT JUST about privacy of patient data! It also includes:
- Employer Identifier: gives a unique code to your employer for Medicare/Medicaid/FICA purposes
- Privacy and Confidentiality Standards and Security Standards: affect the entire healthcare continuum
- Transactions and Code Sets Standards: require specific coding criteria for all electronic transactions with CMS

The Health Insurance Portability and Accountability Act (HIPAA)
Under the Affordable Care Act of 2010, provisions to HIPAA of 1996 further increase use of electronic data interchange and include requirements to adopt:
- operating rules for each of the HIPAA covered transactions
- a unique, standard Health Plan Identifier (HPID)
- a standard and operating rules for electronic funds transfer (EFT), electronic remittance advice (RA), and claims attachments.
In addition, health plans will be required to certify their compliance.

HIPAA Omnibus Rule
- Much has changed in health care since HIPAA was enacted over fifteen years ago.
- HHS announces a final rule that implements a number of provisions of the HITECH Act (2009) to strengthen the privacy and security protections for health information established under HIPAA.
- The new rule will help protect patient privacy and safeguard patients’ health information. (http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html)

Administrative Simplification
The purpose of this law is to “mandate new security standards to protect an individual’s health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.”

Administrative Simplification
- Electronic transactions and code sets standards requirements
- Privacy requirements
- Security requirements
- National identifier requirements

HIPAA: Electronic transactions and code sets standards
Transaction Standards (ANSI X12N or NCPDP)
A transaction is an electronic exchange of information between two parties to carry out financial or administrative activities related to health care. Under HIPAA, HHS adopted certain standard transactions for the electronic exchange of health care data. These transactions include:
- Claims and encounter information
- Payment and remittance advice
- Claims status
- Eligibility
- Enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits
- Premium payment
(https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Transactions/TransactionsOverview.html)

HIPAA: Electronic transactions and code sets standards
Under HIPAA, HHS adopted specific code sets for diagnoses and procedures used in all transactions. Code sets classify medical:
- Diagnoses
- Procedures
- Diagnostic tests
- Treatments
- Equipment and supplies
They inform diverse health care functions, from billing to tracking public health. Code sets outlined in HIPAA include:
- ICD-10: International Classification of Diseases, 10th edition
- HCPCS: Health Care Common Procedure Coding System
- CPT: Current Procedure Terminology
- CDT: Code on Dental Procedures and Nomenclature
- NDC: National Drug Codes
(https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Code-Sets/index.html)

HIPAA: Electronic transactions and code sets standards
Unique Identifiers: HIPAA establishes and requires unique identifiers for:
- Health plans: HPID, or Health Plan Identifier, is a standard, unique identifier for health plans
- Employers: EIN, or Employer Identification Number, is issued by the Internal Revenue Service and is used to identify employers in electronic transactions
- Providers: NPI, or National Provider Identifier, is a unique 10-digit number used to identify health care providers
- Patients: there is no adopted standard to identify patients
NPIs and EINs must be used on all HIPAA transactions. (https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Unique-Identifier/UniqueIdentifiersOverview.html)

Privacy Rules
- The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information (PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
- The Rule requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
- The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. (https://www.hhs.gov/hipaa/for-professionals/privacy/index.html)

The HIPAA Privacy Rules: Business Associates
- By law, the HIPAA Privacy Rule applies only to covered entities: health plans, health care clearinghouses, and certain health care providers.
- Health care providers and health plans often use the services of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose PHI to these “business associates” (BA) if they obtain satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
- Covered entities may not disclose PHI for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate. (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html)

The HIPAA Security Rules
The HIPAA Security Rule establishes national standards to protect individuals’ ePHI that is created, received, used, or maintained by a covered entity. The Security Rule requires the following appropriate safeguards to ensure the confidentiality, integrity, and security of electronic protected health information:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements

Common Security Breaches
Examples:
- Inside jobs, social engineering
- Brute force
- Eavesdropping, sniffing, snooping
- Data modification
- Identity spoofing
- Password-based attacks
- Denial of service attacks
- Man in the middle attacks
- Application layer attacks

Administrative Safeguards
Address the process of security management in your organization.
- Risk analysis
  - Evaluating likelihood and impact of potential risks to ePHI
  - Implementing appropriate security measures to address identified risks
  - Documenting security measures chosen, with rationale
  - Maintaining continuous, reasonable, appropriate protections
- Ongoing process, with regular reviews

Presenter notes:
Administrative safeguards address the process you have put into place in your organization to administer security of the ePHI system. Each organization is required to identify and analyze potential risks to its ePHI, and it must implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level. This is done using a risk analysis. A risk analysis process includes, but is not limited to, the following activities: evaluate the likelihood and impact of potential risks to ePHI; implement appropriate security measures to address the risks identified in the risk analysis; document the chosen security measures and, where required, the rationale for adopting those measures; and maintain continuous, reasonable, and appropriate security protections. This should be an ongoing process. Regular reviews should be performed to evaluate the effectiveness of the security measures put in place, and newly identified potential risks to ePHI should be addressed in an ongoing fashion.
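The four risk-analysis activities on this slide can be made concrete as a small risk register that ranks risks by likelihood and impact and flags any entry whose chosen measure, rationale or periodic review is missing. This is an added example, not course material or an HHS tool; the risks, scores, dates and the 365-day review interval are all constructed assumptions.

```python
"""Risk analysis register for ePHI: rate likelihood and impact, record the
chosen measure and its rationale, and track the ongoing review.
Added example; every risk below is constructed, not a real finding."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

REVIEW_INTERVAL_DAYS = 365          # assumption: re-evaluate at least yearly


@dataclass
class Risk:
    asset: str                      # where the ePHI lives
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    measure: str = ""               # chosen safeguard
    rationale: str = ""             # why this measure was adopted
    last_reviewed: Optional[date] = None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest likelihood*impact first, so remediation starts with the worst."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def findings(risks: List[Risk], today: date) -> List[Tuple[str, str]]:
    """(asset, problem) for each risk failing the documentation or
    ongoing-review requirement; an empty list means the register is clean."""
    out = []
    for r in risks:
        if not r.measure:
            out.append((r.asset, "no security measure chosen"))
        elif not r.rationale:
            out.append((r.asset, "measure lacks documented rationale"))
        if r.last_reviewed is None:
            out.append((r.asset, "never reviewed"))
        elif (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            out.append((r.asset, "review overdue"))
    return out


# Constructed sample register (assumed assets, threats and dates).
REGISTER = [
    Risk("backup tapes", "theft of unencrypted media", 3, 5,
         "AES-256 encryption of backups", "tapes leave the building",
         date(2012, 3, 1)),
    Risk("nurse workstation", "unlocked screen in public area", 4, 3,
         "auto-lock after 5 minutes", "", date(2012, 6, 1)),
    Risk("EHR database", "brute force against admin password", 2, 5),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:2d}  {r.asset}: {r.threat}")
    for asset, problem in findings(REGISTER, date(2012, 8, 20)):
        print("FINDING:", asset, "-", problem)
```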

Administrative Safeguards (cont.)
(For the tools and guidance, click on the links below.)
- Security Risk Assessment Tools: HHS Security Risk Assessment Tool; NIST HIPAA Security Rule Toolkit
- Risk Analysis Guidance: read the Guidance on Risk Analysis requirements under the Security Rule.

Administrative Safeguards (cont’d)
- Designated security official, responsible for developing and implementing security policies and procedures:
  - Knowledge of good HIPAA practices
  - Familiarity with established IT security standards
  - Ability to interface well with all levels of management and staff
- Policies and procedures for authorizing access to ePHI only when appropriate for one’s role (role-based access):
  - Who gets access to ePHI data?
  - What level of access is needed?
  - Who is the agent authorizing the access?
  - Is this authorization adequately documented?
  - Is the access periodically reviewed?
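The five questions on this slide map directly onto a role-based access check with an audit trail: who (the user and role), what level (the actions a role may take), who authorized it, whether that is documented, and whether it has been reviewed recently. The following is an added example, not code from the course or from any EHR product; the role set, the 180-day review period and the users are constructed assumptions.

```python
"""Role-based access to ePHI with an audit log. Added example; roles,
users and the review period are assumptions, not a real policy."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Role -> actions permitted on ePHI (assumed minimal role set).
ROLE_PERMISSIONS = {
    "nurse": {"read", "write"},
    "billing": {"read_billing"},
    "it_admin": set(),           # keeps systems running; needs no ePHI
}
REVIEW_PERIOD_DAYS = 180         # assumption: access re-reviewed twice a year


@dataclass
class Authorization:
    user: str
    role: str
    authorized_by: str           # the agent who granted the access
    granted: date
    reviewed: Optional[date] = None   # last periodic review, if any


@dataclass
class AuditEntry:
    user: str
    action: str
    record_id: str
    allowed: bool
    reason: str


AUDIT_LOG: List[AuditEntry] = []


def review_current(auth: Authorization, today: date) -> bool:
    """True if the access was granted or reviewed within the review period."""
    last = auth.reviewed or auth.granted
    return (today - last).days <= REVIEW_PERIOD_DAYS


def request_access(auth: Authorization, action: str, record_id: str,
                   today: date) -> bool:
    """Decide, then log. Denials are logged as well, because irregular
    attempts are exactly what an audit control exists to surface."""
    if not auth.authorized_by:
        verdict, reason = False, "authorization not documented"
    elif not review_current(auth, today):
        verdict, reason = False, "access review overdue"
    elif action not in ROLE_PERMISSIONS.get(auth.role, set()):
        verdict, reason = False, f"role {auth.role} may not {action}"
    else:
        verdict, reason = True, "permitted by role"
    AUDIT_LOG.append(AuditEntry(auth.user, action, record_id, verdict, reason))
    return verdict
```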

Administrative Safeguards (cont’d)
- Processes for appropriate authorization and supervision of workforce members who work with ePHI.
- Well-documented training of all workforce members in security policies and procedures.
- Appropriate sanctions against violators.

Physical Safeguards: Access
- Limit physical access to facilities, while ensuring that authorized access is allowed:
  - Server rooms where ePHI is stored
  - Work areas where ePHI is accessed
  - Back-up media storage potentially containing ePHI
- Inventory hardware and software. Know where inventory is kept. Know the value of hardware, software, and equipment.

Presenter notes:
Physical safeguards are written to address issues regarding facility access control, workstation use, workstation security, and device and media controls. This includes limiting physical access to work facilities without impeding access to those requiring access. This is particularly true in areas where ePHI may be present, including work areas, server rooms, back-up media storage units, and the like. These areas require an extra level of protection to limit access to authorized users only and, whenever possible, create a structure for logging access, particularly any irregularities such as maintenance staff, etc., who may require entry into these locations but are not considered routine in nature. Additionally, keeping a reliable hardware inventory, along with its value and locations, is also an important safeguard to prevent theft of a system which may inadvertently contain ePHI data.
http://en.wikipedia.org/wiki/Strong_password#Examples_that_follow_guidelines
Component 8/Unit 6a Health IT Workforce Curriculum Version 2.0 Spring 2011

Physical Safeguards: Access (cont’d)
- Policies and procedures for proper use of and access to workstations and electronic media, including transfer, removal, disposal, and re-use.
- Lock down publicly-accessible systems potentially containing ePHI.
- Strong passwords (8-14 characters with a variety of letters, symbols, and numbers), changed regularly.
- At least 256-bit encryption, especially for wireless, backups, and offsite data.
- Media destroyed after being thoroughly wiped.

Technical Safeguards: Access Control
- Access controls, audit controls, integrity, person/entity authentication, transmission security.
- Most effective: a layered approach, with multiple technologies employed concurrently.
- Adequate access controls include:
  - AD (Active Directory), LDAP (Lightweight Directory Access Protocol)
  - Vendor-specific controls, usually part of the EHR

Technical Safeguards: Firewall
- Inspects incoming network traffic; permits or denies access based on criteria.
- Hardware- or software-driven.
- Blocks ports through which intruders can gain access (e.g., port 80, which carries web traffic).
- Most commonly placed on the network perimeter (network-based) or on a network device (host-based).
- The EHR will require certain ports to remain open.
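The behaviour the slide describes, an ordered rule list with a default-deny stance and a few explicit openings for the ports the EHR needs, can be illustrated with a small host-based packet filter. This is an added example, not code from the course or from any firewall product; the EHR ports, the subnets and the sample connections are constructed assumptions.

```python
"""Host-based packet filter: first matching rule wins, nothing matched
is denied. Added example with a constructed rule set for an EHR server."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source network in CIDR form
    dport: Optional[int]    # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Walk the rules in order; the default (deny) applies when none match,
    which is what keeps every port the EHR does not need closed."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set for an EHR application server (assumed ports):
#   443  HTTPS front end, reachable only from the clinical subnet
#   5432 database listener, reachable only from the application host
#   80   plain HTTP explicitly closed so credentials never travel in clear
EHR_RULES = [
    Rule("allow", "tcp", "10.20.0.0/16", 443),
    Rule("allow", "tcp", "10.20.5.10/32", 5432),
    Rule("deny", "any", "0.0.0.0/0", 80),
]


def exposed_ports(rules: List[Rule], ports: Iterable[int] = range(1, 1025),
                  outside: str = "203.0.113.7") -> List[int]:
    """Well-known ports an address outside the organisation could reach;
    an empty list is the expected answer for a perimeter-facing host."""
    return sorted(p for p in ports
                  if evaluate(rules, Packet("tcp", outside, p)) == "allow")
```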

Firewalls
[Diagram: traffic passing a network firewall and a computer (host) firewall, with each connection marked as blocked or allowed.]