Steps Toward Being HIPAA Compliant - PowerPoint PPT Presentation

Provided by: hosseinak
Transcript and Presenter's Notes

1
Steps Toward Being HIPAA Compliant
  • Hossein Akhlaghpour, CTO, ObjectJ Inc.,
    hossein_at_objectj.com
  • Saeed Akhlaghpour, Sharif University of
    Technology, MBA Dept., saeed_at_objectj.com

2
Outline
  • Introduce HIPAA (terminologies)
  • Where does HIPAA come from?
  • What does HIPAA Compliant mean?
  • An Ideal HIPAA Compliant Hospital
  • How to customize HIPAA for Iran

3
What is HIPAA?
  • The Health Insurance Portability and
    Accountability Act
  • Assure portability of health insurance
  • Decrease health care fraud and abuse
  • Improve efficiency and effectiveness of health
    care
  • Guarantee security and privacy of patient health
    information

4
PHI
  • Protected Health Information (PHI)
  • PHI is any information a hospital or health care
    provider receives or creates that may be used to
    identify:
      • a patient,
      • a patient's health status, or
      • the health care services that the patient
        receives, whether in the past, present or future.
  • 18 different components of identifiable
    information have been identified.

5
Covered Entities (CEs)
  • Entities that transmit any health information in
    electronic form in connection with certain
    standard transactions.
  • They include:
      • health plans,
      • health care clearinghouses,
      • and health care providers.

6
Health Information Security
  • Authorization
  • Privacy
  • Confidentiality
  • Availability
  • Integrity
  • Legislation
  • Accountability Audit

7
Authorization
  • Does the entity have the right to receive or keep
    the information?
  • The 13-year-old daughter of a hospital employee
    took a list of patients' names and phone numbers
    from the hospital when visiting her mother at
    work. As a joke, she contacted patients and told
    them they were diagnosed with HIV. ("Hospital
    Clerk's Child Allegedly Told Patients That They
    Had AIDS," The Washington Post, March 1, 1995, p.
    A17)
  • If any PHI is disclosed by a Covered Entity,
    whether willingly or through someone gaining
    unauthorized access, the affected patients must be
    informed.

8
Privacy
  • Do we have the consent of the patient?
  • The federal Office for Protection from Research
    Risks suspended more than 1,000 studies at
    Virginia Commonwealth University, in part for
    failing to gain the consent of research subjects
    and for failing to adequately safeguard data. (J.
    Matthews, "Father's Complaints Shut Down
    Research," The Washington Post, January 12, 2000,
    p. B7)
  • If a Covered Entity wishes to use PHI in
    marketing, research, or fundraising, written
    authorization must be obtained.

9
Confidentiality
  • Does the entity have the right policies to
    protect the information?
  • Eli Lilly and Co. inadvertently revealed over 600
    patient e-mail addresses when it sent a message
    to every individual registered to receive
    reminders about taking Prozac. In the past, the
    e-mail messages were addressed to individuals.
    The message announcing the end of the reminder
    service, however, was addressed to all of the
    participants. (R. O'Harrow, "Prozac Maker Reveals
    Patient E-Mail Addresses," The Washington Post,
    July 4, 2001, p. E1)
  • Protected Health Information (PHI) will be
    limited to those who need the information to:
      • provide care
      • handle payments
      • manage health care operations

10
Legislation
  • Are these security violations subject to
    lawsuits?
  • A jury in Waukesha, Wisconsin, found that an
    emergency medical technician (EMT) invaded the
    privacy of an overdose patient when she told the
    patient's co-worker about the overdose. The
    co-worker then told nurses at West Allis Memorial
    Hospital, where both she and the patient were
    nurses. The EMT claimed that she called the
    patient's co-worker out of concern for the
    patient. The jury, however, found that regardless
    of her intentions, the EMT had no right to
    disclose confidential and sensitive medical
    information, and directed the EMT and her
    employer to pay $3,000 for the invasion of
    privacy. (L. Sink, "Jurors Decide Patient Privacy
    Was Invaded," Milwaukee Journal Sentinel, May 9,
    2002)
  • Penalties for violation of the Privacy Rule
    include civil money penalties and even prison for
    certain violations. State laws present further
    possible avenues.

11
Integrity
  • How can we prevent tampering with the
    information?
  • University of Minnesota researchers violated the
    confidentiality of organ donors when they mailed a
    survey to 1,200 transplant recipients
    participating in a long-term research study and
    mistakenly revealed the names of those who had
    donated their kidney to the recipients. Although
    many recipients already knew the identity of
    their organ donor, more than 400 learned the name
    of their donor for the first time. A software
    upgrade was cited as the reason for the breach,
    apparently because it altered a feature that was
    supposed to suppress the donors' names.
  • If the authentication attempt fails then access
    has to be blocked.
  • The secure exchange of information objects
    between two entities requires that a trusted
    relationship exist between sender and receiver.

12
Availability
  • Are we providing unnecessary information?
  • Do security regulations jeopardize the
    patient's health by restricting its disclosure?
  • After suffering a work-related injury to her
    wrist, Roni Breite authorized her insurance
    company to release information pertaining to her
    wrist ailment to her employer. When she had the
    opportunity to review her medical record, the
    file contained her entire medical history,
    including records on recent fertility treatment
    and pregnancy loss. (E. McCarthy, "Patients Voice
    Growing Concerns about Privacy," Sacramento
    Business Journal, April 5, 1999)
  • Disclosures of patient information will be
    limited to the minimum necessary for the purpose
    of the disclosure, except for purposes of
    treatment. (45 CFR 164.502(b)(1))

13
Accountability/Audit
  • If security is violated, can we identify the
    suspect?
  • An Orlando woman had her doctor perform some
    routine tests and received a letter weeks later
    from a drug company touting a treatment for her
    high cholesterol. ("Many Can Hear What You Tell
    Your Doctor: Records of Patients Are Not Kept
    Private," Orlando Sentinel, November 1997, p. A1)
  • All attempts to gain access to a system
    containing PHI have to be logged for later
    investigation.
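The minimum-necessary rule of slide 12 and the access-logging requirement of slide 13 can be enforced at the same point in code. The following is an added example, not code from the slides: every disclosure request is filtered to the fields the requester's purpose allows (treatment receives the whole record, per the exception the slides cite) and every attempt, granted or denied, is written to an audit log. The record, the roles and the in-memory log are constructed assumptions.

```python
"""Minimum-necessary disclosure with an audit trail of every access attempt.

Added example, not from the slides. Constructed assumptions: a PHI record is a
dict, each requester has a role of 'treatment', 'payment' or 'operations', and
the audit log is an in-memory list standing in for tamper-evident storage.
"""
from datetime import datetime, timezone

# Fields each purpose may see. Treatment is exempt from the minimum-necessary
# rule (45 CFR 164.502(b)), so None means "the whole record".
MINIMUM_NECESSARY = {
    "treatment": None,
    "payment": {"mrn", "name", "procedure_codes", "dates_of_service", "insurer_id"},
    "operations": {"mrn", "procedure_codes", "dates_of_service"},
}

AUDIT_LOG = []  # constructed in-memory sink


def _audit(user, role, mrn, outcome, fields):
    """Record who asked for which record, under which role, and what they got."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "mrn": mrn,
        "outcome": outcome, "fields": sorted(fields),
    })


def disclose(record, user, role):
    """Return only the fields `role` is entitled to; log granted and denied attempts."""
    mrn = record.get("mrn")
    if role not in MINIMUM_NECESSARY:
        _audit(user, role, mrn, "denied", [])
        raise PermissionError(f"role {role!r} has no PHI entitlement")
    allowed = MINIMUM_NECESSARY[role]
    view = dict(record) if allowed is None else {k: v for k, v in record.items() if k in allowed}
    _audit(user, role, mrn, "granted", view.keys())
    return view


SAMPLE_RECORD = {  # constructed sample, not real PHI
    "mrn": "MRN-0001", "name": "Jane Doe", "dob": "1980-04-02",
    "diagnosis": "hyperlipidemia", "procedure_codes": ["80061"],
    "dates_of_service": ["2024-05-01"], "insurer_id": "PLAN-42",
    "notes": "fertility treatment, 2023",
}

if __name__ == "__main__":
    print(disclose(SAMPLE_RECORD, "billing-clerk", "payment"))
    print(AUDIT_LOG[-1])
```

The denied attempt is logged before the exception is raised, so a failed request (the Orlando-style leak investigation on slide 13) leaves the same kind of trail as a successful one.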

14
HIPAA Compliancy
  • The Security Regulation covers three kinds of
    safeguards: Physical, Technical, and
    Administrative
  • No product is HIPAA Compliant by itself

15
Security Policies
  • Examples of non-technical policies:
  • Return medical records to their proper location
  • Always dispose of unnecessary papers with a paper
    shredder
  • Avoid printing anything that contains patient
    information
  • Ask for identification from whoever needs
    protected information and log the related action
  • All employees display a badge with their name and
    identification at all times
  • Safeguard patient information that is in your
    possession
  • Do not leave information unattended
  • Log off of computer systems after accessing
    electronic data
  • Do not leave information visible on an unattended
    computer monitor or fax tray
  • Shred sensitive paper data
  • Don't share your passwords
  • Don't write your password down on paper
  • Report any security incidents you become aware of
  • Know how to handle suspected viruses
  • Don't discuss a patient's condition with colleagues
    in public places
  • Employees cannot install any software without the
    consent of the employer

16
Physical Security
  • Lightning
  • Power fluctuations
  • Flooding
  • Fire
  • Static electricity
  • Improper environmental conditions
  • These constitute the most common problems.

17
Technical Security Controls
  • A network intrusion detection system to
    continually monitor Internet, Extranet, and
    internal communications
  • Network firewalls that require a rigorous
    firewall change request process
  • RSA SecurID time-based token system for strong
    authentication of employee remote access
  • VPN connectivity utilizing 168-bit 3DES encrypted
    IPSec tunnels
  • Secure file transfer via the Internet utilizing
    at least 168-bit SSL encryption
  • Secure email via S/MIME-based encryption
    technologies and X.509 Digital Certificates
  • Virus protection for all computer workstations
    and servers

18
Technical Security Protocols
  • SSL (HTTPS)
  • ACL (JAAS)
  • Digital Signature (Certificate)
  • Public Key Infrastructure (PKI)
  • Web Services (WSDL, UDDI)
  • HL7
  • X12

19
An Ideal HIPAA Compliant Hospital
20
De-Identification
  • Remove enough information so the risk of
    identifying the patient to which the information
    belongs is very small.
  • When PHI is properly de-identified, careful
    tracking of the data is no longer necessary
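To make "remove enough information" concrete, here is an added example that is not from the slides: it de-identifies a record by the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), which goes beyond the slide by spelling out the transformations: direct identifiers are dropped, dates keep only their year, ages over 89 collapse to "90+" (and lose the birth year), and ZIP codes are cut to three digits, zeroed for sparsely populated areas. The record, the field names and the sparse-ZIP3 set are constructed stand-ins.

```python
"""Safe Harbor style de-identification of a PHI record.

Added example, not from the slides; it applies the HIPAA Safe Harbor rules
(45 CFR 164.514(b)(2)): drop direct identifiers, keep only the year of dates,
collapse ages over 89 to "90+" (dropping birth year), and truncate ZIP codes
to three digits. The record and the sparse-ZIP3 set are constructed stand-ins.
"""
import re

# Direct identifiers removed outright (a subset of the 18 Safe Harbor categories).
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Constructed stand-in for the rule's list of ZIP3 areas with 20,000 or fewer people.
SPARSE_ZIP3 = {"036", "059", "102"}


def _year_only(value):
    """'YYYY-MM-DD' -> 'YYYY'; anything unparseable is dropped rather than leaked."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else None


def de_identify(record):
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                       # remove, never transform
        if key in DATE_FIELDS:
            out[key + "_year"] = _year_only(value)
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        elif key == "zip":
            z3 = value[:3]
            out["zip3"] = "000" if z3 in SPARSE_ZIP3 else z3
        else:
            out[key] = value               # clinical content stays
    if out.get("age") == "90+":            # birth year would reveal an age over 89
        out.pop("dob_year", None)
    return out


if __name__ == "__main__":
    sample = {"name": "Jane Doe", "mrn": "MRN-0001", "dob": "1931-04-02", "age": 93,
              "zip": "02139", "email": "jane@example.org", "diagnosis": "hyperlipidemia"}
    print(de_identify(sample))  # constructed sample, not real PHI
```

Free-text fields such as clinical notes are passed through unchanged here; the Safe Harbor method also requires that no identifier remains in such text, which is a separate scrubbing step.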

21
Technical Infrastructure
(Diagram; only the labels survive.) Hospital side,
in a physically secure area: Web server, Application
Server, Database, Web Services over HTTPS. Internet
side: Firewall, DMZ, HTTP, SSL, Secure Line, DSA.
Partner side: Web server and Application Server
exchanging HL-7 over SSL / ACL.
22
Enterprise Layer Infrastructure
(Diagram; only the labels survive.) Interfaces: WSDL,
HL7, HTTPS. Enterprise layer: Security Framework, Web
Services, X12 Transaction, Universal ID Indexer,
Ontology / Code Translator. Below it: Application
Server Layer and Data Source Layer.
23
Business Associate Agreement
  • The HIPAA regulations require that each covered
    entity have a signed Business Associate
    Agreement with every business partner with which
    personal health information is shared. The
    agreement limits what the business partner can
    use the information for.

24
HOSPITAL SYSTEMS AFFECTED BY HIPAA
  • Laboratory
  • Pharmacy
  • Radiology
  • Registration (ADT)
  • Credential Handling
  • Data Warehouse
  • Accounting
  • Materials Management
  • Home Care
  • Nursing home
  • Physician practice
  • Human Resources
  • Medical Records
  • Coding and Abstracting
  • Chart Tracking
  • Document Imaging
  • Electronic Medical Records
  • Clinical Data Repository
  • Demand Management
  • Patient Scheduling
  • Referral Management

25
How can we customize HIPAA for Iran?
  • Security is a Global Problem
  • ISO 17799
  • US HIPAA
  • Europe EC Data Protection Directive, EC 95/46
  • Japan HPB 517
  • DICOM (NEMA, COCIR, JIRA)

26
Iterative Process for HIPAA-like Adoption
(Diagram) A cycle of Technology, Policy/Procedure,
and Legislation.
27
HIPAA Compliancy Strategy
  • Plan
      • Educate
      • Gather Requirements
      • Risk Analysis
      • Plan
  • Implement
      • Data Conversion
      • System Upgrade
      • System Replacement
      • Update Policies and Procedures
  • Certify and Monitor
      • Review and Test
      • Certify
      • Initiate Operations
      • Monitor and Audit
      • Ongoing Feedback

28
Risk Mitigation
The employee termination process illustrates that
HIPAA compliance is a combination of processes and
technology, since no product can provide HIPAA
compliance by itself.
29
References
  • http://www.hhs.gov/ocr/hipaa/guidelines/minimumnecessary.pdf
  • http://aspe.hhs.gov/admnsimp/FINAL/FR03-8334.pdf
  • http://www.iso-17799.com
  • http://www.hipaadvisory.com
  • http://www.cert.org/tech_tips/packet_filtering.html
  • http://www.nema.org/docuploads/54E642D2-B0FD-4508-95095C3F55A36DFA/HIPAA_Education-Feb-14-2001.doc
  • http://medical.nema.org