HIPAA Security Overview Centers for Medicare - PowerPoint PPT Presentation
1
HIPAA Security Overview
Centers for Medicare & Medicaid Services (CMS)
2
Agenda
  • Role of CMS
  • Security Rule Overview
  • CMS HIPAA Security Strategy
  • Providence Resolution Agreement
  • Summary & Conclusion
  • Q&A

3
Role of CMS
  • CMS has delegated authority to enforce the
    non-privacy provisions of the HIPAA regulations:
      • Transactions and Code Sets
      • Identifiers (NPI, EIN)
      • Security
  • CMS is responsible for HIPAA enforcement as well
    as:
      • Regulatory/Policy Interpretation
      • Outreach and Education
      • Guidance and FAQs
      • New Regulations (including other e-health related
        issues, e.g. eRx)

4
Security Rule Overview
  • Applies to Electronic Protected Health
    Information (EPHI) that a covered entity creates,
    receives, maintains, or transmits
  • Scalability/Flexibility
      • Based on organization size, complexity, technical
        capabilities and infrastructure, cost of security
        measures and potential security risks
  • Technologically Neutral
      • Describes what needs to be done vs. how it is
        to be done
  • Standards are required, but the implementation
    specifications may be either required or
    addressable

5
CMS HIPAA Security Strategy
  • CMS takes a three-prong approach to HIPAA
    Security. The three prongs are:
      • Outreach & Education
      • Enforcement
      • Compliance Reviews

6
Outreach and Education Efforts
  • Federal and Non-Federal Collaboration
  • Develop/Disseminate Educational Guidance
    Materials:
      • Security Papers
          • Administrative, Physical and Technical Safeguards
          • Basics of Risk Analysis and Risk Management
          • Implementation for the Small Provider
      • Frequently Asked Questions
      • Security Compliance Review Checklist
      • Remote Use and Access Guidance
  • The materials can be found on the CMS Website at
    http://www.cms.hhs.gov (under the link for
    Regulations and Guidance).

7
Outreach & Education - Remote Use & Access
Guidance Rationale
  • Increased risk to protected health information
      • Associated with increased remote access to EPHI
      • Increase in workforce mobility
      • Increase in use of portable media storage devices
  • Recent security-related incidents
      • Reported loss or theft of devices containing EPHI
      • Reported access to health information by
        unauthorized users

8
Outreach & Education - Highlights of Remote
Access Guidance
  • Published December 28, 2006
  • Reiterates requirements of the HIPAA Security
    Rule
  • Identifies strategies consistent with
    organizational capabilities (Scalable and
    Flexible)
  • Pertains to Access, Storage and Transmission of
    EPHI
  • Three categories of action highlighted:
      • Conducting Security Risk Assessment
      • Developing and Implementing Policies and
        Procedures
      • Implementing Mitigation Strategies

9
HIPAA Security Enforcement - Current Process
  • Review complaint to determine validity and scope
  • Notify Filed Against Entity (FAE) of complaint
  • Request specific documents from the FAE
  • Assess documents to determine if they:
      • Demonstrate compliance
      • Demonstrate the need for a Corrective Action Plan
        (CAP)
  • Monitor CAPs to completion
  • Close complaint upon demonstration of compliance
  • Issue closure correspondence to all parties

10
HIPAA Security Enforcement - Overlapping
Complaints
  • CMS and the Office for Civil Rights (OCR)
    collaborate on cases that overlap the Security
    and Privacy Rules
  • Approximately 70% of the CMS Security cases are
    referrals from OCR
  • Majority of Security complaints: allegation of
    inappropriate access and risk of inappropriate
    disclosure

11
HIPAA Security Enforcement - Complaint Categories
  • Unauthorized access to EPHI
      • Employees or relatives accessing EPHI
  • Loss or theft of devices containing EPHI
      • Small volume of complaints, large volume of
        records
  • Insufficient access controls for systems
    containing EPHI
      • Shared passwords
      • Encryption
  • CMS has received 350 Security Rule complaints
      • 102 cases are open
      • 248 cases have been resolved

12
Onsite HIPAA Security Compliance Reviews
  • Contracted with PricewaterhouseCoopers (PwC)
    for 10 reviews in 2008
  • Reviews place emphasis on remote use and access
    issues
  • CMS publishes de-identified post-review
    information
  • Initial target:
      • Entities against whom a complaint has been filed,
        and
      • Reported risk to security of a large volume of
        records
  • The compliance reviews will be used as a tool to
    achieve voluntary compliance

13
Onsite HIPAA Security Compliance Reviews -
Continued
  • Compliance reviews have revealed several key
    areas of vulnerability, including:
      • Lack of encryption for portable devices and media
      • Lack of verification of role-based access
        privileges
  • Reviews have resulted in CAPs that include:
      • Policies and procedures for remote use/access
      • Designation of internal security audit personnel
  • Compliance review cases are generally closed when
    CMS verifies completion of the CAP

14
OIG Security Audit Initiative
  • Objective is to determine if certain covered
    entities have implemented measures in accordance
    with provisions of the HIPAA Security Rule
  • The recent OIG review of Piedmont Hospital
    highlighted issues related to:
      • Technical safeguard vulnerabilities for wireless
        communications
      • Vulnerabilities involving physical access to
        electronic information systems and the facilities
      • Administrative safeguard vulnerability related to
        business associate contracts

15
Providence Resolution Agreement - What Does it
Mean?
  • Background
      • Case involved 386,000 unencrypted patient records
      • $100,000 resolution amount paid to HHS
      • 3-year corrective action monitoring
  • Significance
      • Landmark case: first resulting in a monetary fine
      • Sets the stage for similar action in similar
        cases
      • Represents the evolution of CMS enforcement
        efforts

16
Summary & Conclusion
  • Security provides opportunity and obligation
  • CMS three-pronged approach:
      • Outreach and Education
      • Enforcement
      • Compliance Review
  • Consequences of non-compliance:
      • Loss of resources
      • Loss of time
      • Loss of TRUST

17
  • Discussion and Questions