There are real life consequences for organizations that do not integrate privacy and security throughout the continuum of HIT adoption, including health information breaches that could result in identity theft, financial loss and even altered records that can impact patient safety. Joy Pritts, Chief Privacy Officer at the Office of the National Coordinator for Health IT, whose office is directly engaged with these issues, will lead an interactive keynote discussion on ways to build a culture of privacy and security in healthcare organizations.

1. Privacy and Security:
Building a Privacy and Security
Culture in Health CareOrganizations
April 25th, 2012
Joy Pritts, JD,
Chief Privacy Officer
Office of the National Coordinator
Health Information Technology

2. HHS Reaches $100,000 Settlement with 5 Physician
Practice over HIPAA Violations
1

3. Why Create a Culture of Privacy and Security?
• Assists Compliance to Law
– New Developments
• HIPAA Privacy and Security Rules
• Enforcement
• Good business
• It’s Just the Right Thing To Do – Patient Trust
2

4. Compliance:
Federal Health Information Privacy Laws
• HIPAA Privacy and Security Rules
– Health Insurance Portability and Accountability
Act of 1996, effective 2003 and 2005, respectively
• Health Information Technology for Economic
and Clinical Health (HITECH) Act of 2009 –
Final Rule submitted to OMB March 24th, 2012
• Others (e.g., 42 CFR part 2)
3

5. Who Must Comply with HIPAA Privacy and Security Rules?
• Covered entities (CEs)
–Health plans
–Health care clearinghouses
–Most health care providers
4

6. Business Associates and HITECH
• Business Associates include:
• EHR Vendors
• Data Analytic Firms
• HITECH Clarifies Business Associates include:
• Health Information Exchanges
• Personal Health Record Vendors
• HITECH Specifies that Business Associates
• Must follow administrative, physical and technical
safeguards of the Security Rule
• Must Follow use and Disclosure Limits of Privacy Rule
• Subject to the same Civil and Criminal Penalties as
Covered Entities 5

7. HIPAA Privacy Rule: Two Sides of One Coin
Protect Privacy: Patients’ Rights:
A CE may not use or
• Right to access
disclose PHI except:
• Right to an
• as the Privacy Rule accounting of
permits or requires disclosures of
(ie. payment, • Right to correct
treatment operations or amend
etc) • Right to notice
of privacy
• as the patient or practices
their representative • Right to file a
authorizes in writing. complaint
6

8. HIPAA Security Rule (CFR 164.306)
• Protects Patient Health Information that is transmitted by or
maintained in any form of electronic media
• Framework of Technical, Administrative, Physical Safeguards
• Ensures workforce training and compliance
Flexible Approach (Addressable):
 Size, complexity and capabilities of Covered Entity
 Security Capabilities of CE hardware and software
 Cost of Security Measures
 Probability and criticality of potential risks to ePHI
7

9. So…
Isn’t this old news?
Then, why Are So Many Organizations
Not In Compliance?
8

10. Major Causes of Breaches of PHI in 2010
Breaches over 500 records:
• Theft and loss were the most common reported
causes of large breaches.
• Among the 207 breaches that affected 500 or more
individuals, 99 incidents involved theft of paper
records or theft of electronic media
• This accounted for records of 2,979,121 individuals.
• Loss of electronic media or paper records affected
approximately 1,156,847 individuals
- OCR Report to Congress on Breaches of
Unsecured Information, 2011 9

11. Risk Assessments
• 25% of healthcare organizations do not conduct security
risk assessments
– HIMSS 2011 Security Study
• 39% of healthcare organizations do not or are not sure if
they perform a risk assessment
– Ponemon Study, 2011
10

12. Business Associates and Breaches
Due to the high volume of records handled, a
breaches from business associates translate
into a disproportionate number of patients
affected:
• Business associates involved in 22% of the
breaches
• But this 22% accounts for 63% of all patients
affected by the breaches
11

13. Security and Mobile Devices
- Ponemon Institute, 2011
12

14. HITECH: It’s a New Day . . .
13

15. HITECH and Privacy and Security
• Established Chief Privacy Officer for the Office
of the National Coordinator
• Increased fines for breaches
• Created mandatory fines for willful neglect
• Created Mandatory Breach Notification Rule
• Established basis for Meaningful Use
14

16. Meaningful Use and Privacy and Security
MU Stage 1 requires eligible providers and hospitals to
• Conduct or review a security risk analysis in
accordance with the requirements under 45 CFR
164.308(a)(1) and implement security updates as
necessary and correct identified security deficiencies
as part of its risk management process.
• No exclusion.
15

17. Enforcement
• OCR has begun systematic audits of 150
organizations
• CMS and Meaningful Use audits for
Incentive funds are set to begin
16

18. Enforcement: Large organizations
• Blue Cross Blue Shield of Tennessee (BCBST)
settled with OCR for $1,500,000 for the theft of
57 hard drives to theft, March 13, 2012
• Hard Drives contained names, social security
numbers, diagnosis codes, DoB and Plan ID #s for
over 1 million individuals
• Caused by failure to implement appropriate
physical access controls
17

19. Small Practice Enforcement
Phoenix Cardiac
Surgery (5 physician
practice) was posting
clinical and surgical
appointments for its
patients on an
Internet-based publicly
accessible calendar
18

20. Phoenix Cardiac Surgery
• July 2007 to February 2009, Practice posted over 1,000
separate entries of ePHI on a publicly accessible,
Internet-based calendar
• September 2005 until November 2009, Practice daily
transmitted ePHI from an Internet-based email account
to workforce members’ personal Internet-based email
accounts
19

21. OCR’s Other Findings
• Failure to implement adequate policies and procedures
to appropriately safeguard patient information
• Failure to document any employee training on its policies
and procedures on the Privacy and Security Rules
• Failure to identify a security official and conduct a risk
analysis
• Failure to obtain business associate agreements with
Internet-based email and calendar services that included
storage of and access to its PHI
20

22. Outcome of Investigation
• $100,000 Settlement
• Corrective Action Plan includes:
– Develop written policies and procedures, submitted to and
approved by OCR and documented training for employees
– “An accurate and thorough” risk assessment of the potential
risks and vulnerabilities to PHI
– Submission of Risk Management Plan to OCR
– Identification of Security Official
– Business Associates Agreements
– Any violation of policies and procedures will be a Reportable
events to OCR
CAP available at:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_
21
agreement.pdf

23. “We hope that health care providers pay careful
attention to this resolution agreement and understand
that the HIPAA Privacy and Security Rules have been in
place for many years, and OCR expects full compliance
no matter the size of a covered entity.”
- Leon Rodriguez
Director of the Office for Civil Rights
April 17th 2012, OCR Press Release
22

24. The Real Loss – Patient Trust
Beyond Compliance and Return on Investment,
Ensuring Patient Privacy is Just the Right Thing to Do
23

25. Good Business: Patient Trust
The ROI for Breach Prevention
Diminished productivity and financial consequences
due to a breach can be severe. Organizations reported:
• The potential result is patient churn; the average
lifetime value of one lost patient is $113,400
• Economic impact
• Loss of time and productivity
• Diminishment of brand or reputation
• LOSS OF PATIENT GOODWILL
- Ponemon, “Second Annual Benchmark Study
24

26. Developing a Privacy and Security Culture
Challenges:
• Providers and Staff may have little understanding
of new technology and privacy and security issues
• Providers and Staff are reticent about asking
questions or for assistance
• Adopting new software and workflow in the fast-
moving healthcare culture is difficult
• Vendors may assume that providers and staff
understand privacy and not adequately train
25

27. Strategies
• Executive Leadership Communicate Essential Value
• Privacy and Security Metrics are included in Employee
Performance Plans/Evaluations
• Considered as part of physical environment, patient care,
and all communications
• Staff are made to feel comfortable in asking questions
and for help, resources are widely and freely available
• Training, is regular and updated and an essential part of
the overall strategic plan
• Continuous Improvement and audits completed and
results communicated to all
26

28. ONC’s Office of the Chief Privacy Officer
Recent and Current Projects
• Personal Health Record Roundtable
• Mobile Device Roundtable
• Small practice Risk Assessment – original and revised
• HIE Privacy and Security Program Information Notice
• Security Training and Video Games
• Research project on security configurations of mobile
devices
• Mobile device good practices videos and materials
• Website redesign: www.healthit.gov
• Data Segmentation Project
• Community College Curriculum Privacy and Security Review
27

29. Training Materials – Series of Security Video Games
Due for Release Summer of 2012
DRAFT 28

30. Sharing Responsibility for Ensuring Patient Privacy
We all have a role to play in keeping health
information private and secure.
• Government establishes P/S policies that are
affordable and workable
• Vendors should create easy-to-use P/S features
and communicate importance
• Providers and staff should understand their role
in protecting patient privacy
• Patients understand their rights and basic
means of securing their PHI 29

31. We Are All In This Together
Office of the National Coordinator for
4/30/2012 30
Health Information Technology

32. Conclusion
Questions?
31

33. HIPAA/HITECH Resources
• Privacy and Security Section of HealthIT.gov: http://healthit.hhs.gov
• Are you a Covered Entity?:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
• OCR HIPAA Privacy Rule Training Materials:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html
• OCR Guidance on Significant Aspects of the HIPAA Privacy Rule:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html
• OCR Settlement with Phoenix Cardiac Surgery:
http://www.hhs.gov/news/press/2012pres/04/20120417a.html
• Fast Facts about the HIPAA Privacy Rule:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/cefastfacts.html
• The HHS Office of Civil Rights, HIPAA FAQs: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
• Guidance materials for Small Providers, Small Health Plans, and other Small Businesses:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/smallbusiness.html
• OCR’s Sample Business Associate Contract Provisions:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
32

34. Other Federal Law Resources
• 42 CFR Pt. 2: http://www.samhsa.gov/healthPrivacy/
• Title X Confidentiality: 42 C.F.R. § 59.11:
http://ecfr.gpoaccess.gov/cgi/t/text/text-
idx?c=ecfr&sid=ce18bb9053f3b026e8983fd8ac27170c&rgn=div8&view=text&nod
e=42:1.0.1.4.43.1.19.11&idno=42
• GINA deferring to HIPAA: 29 C.F.R. §§ 1635.9(c) and 1635.11(d):
http://ecfr.gpoaccess.gov/cgi/t/text/text-
idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&nod
e=29:4.1.4.1.21.0.26.9&idno=29 and http://ecfr.gpoaccess.gov/cgi/t/text/text-
idx?c=ecfr&sid=ecbc0d928c8f11dbab0c20532d0101c9&rgn=div8&view=text&nod
e=29:4.1.4.1.21.0.26.11&idno=29
– GINA: http://www.ornl.gov/sci/techresources/Human_Genome/publicat/GINAMay2008.pdf
• HIPAA deferring to FERPA; exceptions to “protected health information” under
(2)(i) and (2)(ii) in 45 C.F.R. § 160.103: http://ecfr.gpoaccess.gov/cgi/t/text/text-
idx?c=ecfr&sid=35aa826589279b8cff00d53c641a609f&rgn=div8&view=text&node
=45:1.0.1.3.74.1.27.3&idno=45
– FERPA/HIPAA Guidance: http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-
guidance.pdf
4/30/2012 ONC 33

35. Other Resources
• For state privacy laws, see the National Conference of State Legislators (NCSL):
http://www.ncsl.org/?tabid=17173
• For state privacy law information: http://ihcrp.georgetown.edu/privacy/records.html
• National Governor’s Association (NAG) Report on state laws and HIE:
http://www.nga.org/Files/pdf/1103HIECONSENTLAWSREPORT.PDF
• Health Information Security and Privacy Collaboration (HISPC) reports on state laws:
http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__hispc/1240
• The Financial Management of Cyber Risk: “An Implementation Framework for CFOs”
American National Standards Institute, 2010
• Second Annual Benchmark Study on Patient Privacy and Data Security, 2011 Ponemon Institute
• OCR’s Sample Business Associate Contract Provisions:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Office of the National Coordinator for
4/30/2012 34
Health Information Technology