HIPAA defined 18 Protected Health Information (PHI) identifyers. Electronic PHI (ePHI) is the computer version of PHI. What are the risks of not protecting ePHI? And what are the best practices and tips for protecting ePHI.
2. This presentation was originally
delivered at the North Metro
Medical Manager’s Association
(NMMMA) meeting in Kennesaw,
Georgia on October 7, 2014.
2
3. Protecting ePHI - Overview
• Where are we today – Key Dates, ePHI and Enforcement
• Risk Analysis – Covered Entities and Business Associates (BAs)
• Best Practices and Tips
3
4. Key Dates
Health Insurance Portability and Accountability Act (HIPAA) –
signed in to law August 21, 1996. It established new standards
associated with the management of healthcare information.
HIPAA HiTech Act – Feb 17, 2009. Part of the American Recovery
and Reinvestment Act of 2009. It established incentives for
healthcare providers to adopt electronic medical records’
software systems. It also expanded the scope of the HIPAA
privacy and security rules and set forth new rules for breach
notification.
HIPAA Omnibus Final Rule – Sept 23rd, 2013. Business Associates
and Sub-Contractors must adhere to the same guidelines that
Covered Entities do, according to the HIPAA rule/guidelines
4
5. 5
What is (PHI) Protected Health Information?
US Department of Health and Human
Services defines protected health
information (PHI) as individually
identifiable information that falls into
the following 18 types of identifiers:
Here are the 18 PHI identifiers:
1. Name
2. Region (smaller than a state)
3. Date
4. Phone #
5. Fax #
6. Email address
7. Social Security #
8. Medical record #
9. Health insurance beneficiary #
10. Account #
11. Certificate/license #
12. Vehicle identifier/license plate #
13. Device ID & serial #
14. Web URL
15. IP address
16. Finger print
17. Full face photo
18. Any other unique ID # or characteristic
that could reasonably be associated with
the individual
6. What is (ePHI) Electronic Protected
Health Information?
Electronic Protected Health Information (ePHI)
is any protected health information (PHI) that
is created, stored, transmitted, or received
electronically.
Electronic protected health information
includes any medium used to store, transmit,
or receive PHI electronically.
6
7. ePHI (continued)
The following and any future technologies used for accessing,
transmitting, or receiving PHI electronically are covered by the
HIPAA Security Rule.
Media containing data at rest (stored):
• Personal Computers with internal hard drives used at work, home or
traveling
• External portable hard drives, including iPods and similar devices
• Magnetic Tape
• Removable storage devices such as USB memory sticks, CD’s, DVDs and
floppy disks
• PDAs and Smartphones
Data in transit via: wireless, Ethernet, DSL, cable network
connection:
• Email
• File Transfer
7
8. 8
Why all the Fuss?
The core of the HIPAA regulations is to
ensure that ownership of any and all
medical data is retained solely by the
individual. The individual can then
decide to share that information with
providers, family members,
employers, if needed. Only an
individual has the right to grant
access to their medical data.
Simply put: we’re trying to maintain
privacy and avoid bias and
discrimination.
9. 9
Enforcement
Historically, HIPAA fines and
reprimands were triggered after an
event, such as a data breach. That
has changed.
The Office for Civil Rights (OCR, part
of the Department of Health &
Human Resources) is responsible for
enforcing the HIPAA HiTech
regulation.
Leon Rodriguez, OCR Director, takes
his job very seriously. He has created
a permanent HIPAA audit program
that includes BAs.
10. 10
Enforcement (continued)
As he focuses on ramping up the
HIPAA audits of Covered Entities and
Business Associates, Mr. Rodriguez has
powerful allies and one big incentive:
Powerful Allies
• Centers for Medicare & Medicaid Services (CMS)
• Works in conjunction with other Gov’t branches – HHS, FTC, SEC, etc.
• The States’ Attorney Generals
Big Incentive
• The OCR is authorized to keep some of the money paid in fines.
• It was reported that as of January 2014, OCR already had $4.5
million set aside from fines levied from their audits.
The OCR is serious about protecting PHI and they’ve
got the teeth, funds and leadership to back it up.
11. 11
Violations & Penalties
HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know
(and by exercising
reasonable diligence would
not have known) that
he/she violated HIPAA
$100 per violation, with an
annual maximum of $25,000
for repeat violations (Note:
maximum that can be
imposed by State Attorneys
General regardless of the
type of violation)
$50,000 per violation, with
an annual maximum of $1.5
million
HIPAA violation due to
reasonable cause and not
due to willful neglect
$1,000 per violation, with an
annual maximum of
$100,000 for repeat
violations
$50,000 per violation, with
an annual maximum of $1.5
million
HIPAA violation due to
willful neglect but violation
is corrected within the
required time period
$10,000 per violation, with
an annual maximum of
$250,000 for repeat
violations
$50,000 per violation, with
an annual maximum of $1.5
million
HIPAA violation is due to
willful neglect and is not
corrected
$50,000 per violation, with
an annual maximum of $1.5
million
$50,000 per violation, with
an annual maximum of $1.5
million
12. 12
Criminal Liability
U.S. Department of Justice (DOJ) clarified that covered entities
and specified individuals can be held criminally liable under
HIPAA as follows:
• Those who "knowingly" obtain or disclose individually
identifiable health information in violation of the Administrative
Simplification Regulations face a fine of up to $50,000 as well
as imprisonment up to one year.
• Offenses committed under false pretenses allow penalties to
be increased to a $100,000 fine with up to five years in prison.
• Offenses committed with the intent to sell, transfer, or use
individually identifiable health information for commercial
advantage, personal gain or malicious harm permit fines of
$250,000 and imprisonment for up to ten years.
13. 13
Companies & Fines
Examples of fines levied:
Entity Fined Fine Violation
CIGNET $4,300,000 Online database application error.
Alaska Department of Health
and Human Services
$1,700,000
Unencrypted USB hard drive stolen, poor
policies and risk analysis.
WellPoint $1,700,000
Did not have technical safeguards in
place to verify the person/entity seeking
access to PHI in the database. Failed to
conduct a technical evaluation in
response to software upgrade.
Blue Cross Blue Shield of
Tennessee
$1,500,000 57 unencrypted hard drives stolen.
Massachusetts Eye and Ear
Infirmary and Massachusetts
Eye and Ear Associates
$1,500,000
Unencrypted laptop stolen, poor risk
analysis, policies.
Affinity Health Plan $1,215,780
Returned photocopiers without erasing the
hard drives.
South Shore Hospital $750,000
Backup tapes went missing on the way to
contractor.
Idaho State University $400,000 Breach of unsecured ePHI.
14. 14
What do I do now?
Whether you are a Covered
Entity or a Business Associate
(BA) you must perform a risk
analysis.
If you are ever audited by the
OCR – the first thing they are
going to ask to see is your risk
analysis.
15. 15
What is a Risk Analysis?
Process to identify potential
hazards and analyze what
could happen should an
unfavorable event occur.
In healthcare we’re looking at:
• What and where are the
gaps associated with the
protection of ePHI?
• What are the biggest
risks(theft, natural disaster,
hacker attack, etc.)?
16. 16
HHS/OCR Final Guidance for a Risk Analysis
1) Scope of Analysis
All ePHI that an organization creates,
receives, maintains, or transmits must be
included in the risk analysis. (45 C.F.R. §
164.306(a)).
This includes all electronic media, network
security between locations and any
aspects of your HIPAA hosting terms with
a third-party or Business Associate (BA).
17. 17
HHS/OCR Final Guidance for a Risk Analysis
(continued)
2) Data Collection
Where does ePHI live? Locate where data
is being stored, received, maintained or
transmitted. If you’re hosting health
information at a data center, you should
contact your hosting provider to
document where and how your data is
stored. (45 C.F.R. § 164.308(a)(1)(ii)(A)
and 163.316 (b)(1).)
18. 18
HHS/OCR Final Guidance for a Risk Analysis
(continued)
3) Identify and Document Potential
Threats and Vulnerabilities
Identify and document any anticipated
threats to data, and any vulnerabilities
that may lead to leaking of ePHI.
Anticipating potential HIPAA violations
can help your organization quickly and
effectively reach a resolution. (45 C.F.R.
§§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and
164.316 (b)(1)(iii).)
19. 19
HHS/OCR Final Guidance for a Risk Analysis
(continued)
4) Assess Current Security Measures
What kind of security measures are you
taking to protect your data? This might
include any encryption, two-factor
authentication, and other security
methods put in place by you or your
hosting provider. (45 C.F.R. §§
164.306(b)(1), 164.308(a)(1)(ii)(A) and
164.316 (b)(1).)
20. 20
HHS/OCR Final Guidance for a Risk Analysis
(continued)
5) Determine the Likelihood of Threat
Occurrence
The probability and likelihood of potential
risks to ePHI. (45 C.F.R. § 164.306(b)(2)(iv).)
i.e. – laptop theft versus your location gets
hit by a tornado.
21. 21
HHS/OCR Final Guidance for a Risk Analysis
(continued)
6) Determine the Potential Impact of
Threat Occurrence
Consideration of the ‘criticality’ or impact
of potential risks to confidentiality, integrity
and availability of ePHI. (45 C.F.R. §
164.306(b)(2)(iv).)
How many people could be affected
and what extent of data (just medical
records or billing information as well)?
Ex. - Sending someone’s ePHI via
unsecured email versus an unencrypted
laptop that houses 500 patient records.
22. 22
HHS/OCR Final Guidance for a Risk Analysis
(continued)
7) Determine the Level of Risk
This is subjective - HHS’ suggestion is
to evaluate the values assigned to
threat occurrence (#5) and the
resulting impact (#6) to come up
with a level of risk. (45 C.F.R. §§
164.306(a)(2), 164.308(a)(1)(ii)(A),
and 164.316(b)(1).)
Risk levels should be accompanied
by a list of corrective measures to
help mitigate that risk.
23. 23
HHS/OCR Final Guidance for a Risk Analysis
(continued)
8) Finalize Documentation
The Security Rule requires the risk
analysis to be documented(45 C.F.R. §
164.316(b)(1).)
No format is specified – just make sure
you have things written down.
Remember – if you are ever audited –
documentation is what the OCR looks
for first.
24. 24
HHS/OCR Final Guidance for a Risk Analysis
(continued)
9) Periodic Review and Updates to the
Risk Analysis
The Risk Analysis is an ongoing process
(45C.F.R. §§ 164.306(e) and
164.316(b)(2)(iii)).
For Meaningful Use – has to be done
every year.
In general – has to be done whenever
significant changes are made in the
environment. If no changes occur it
should still be done once a year.
25. 25
Risk Analyses, Business Associate Agreements
and Business Associates
There are several ways to do a Risk
Analysis – some right and many wrong.
Checklists won’t hold up to an audit.
OCR will come down on you even if your
vendor recommended a checklist – you
don’t want to be at the discretion of the
OCR.
A proper Risk Analysis is going to adhere
to the National Institute of Standards and
Technology (NIST) guidelines.
26. 26
Risk Analyses, Business Associate Agreements
and Business Associates
Identify who your Business Associates
(BAs) are and make sure you have
executed Business Associate Agreements
(BAAs) in place.
Analyze your BAs and rank them based
on the amount of data they have access
too/perception of how much access too
they have.
Do some due diligence on them – ask for
proof of their risk assessment. Use
common sense.
27. 27
Risk Analyses, Business Associate Agreements
and Business Associates
For high risk BAs – have a meeting – invite
them to come in and be a part of the
process that you are having to go
through.
Covered entities can and will be held
liable for the BAs conduct.
Make sure your BAAs are updated –
anything that has not been updated
since Jan 2013 should be updated.
28. 28
Technology-enabled Best Practices
Firewalls
• Have physical firewalls in place.
• Make sure they are up-to-date.
Anti-Virus Protection
• Have a proven, paid version in
place.
• Make sure it is up-to-date.
Run Up-to-Date Software
• Make sure it’s actively supported
(note: XP is not).
• Make sure it is up-to-date with
patches.
Hardware /
Software
29. 29
Technology-enabled Best Practices
Identify & Document where PHI Lives
• Paper?
• Electronic?
• Verbally communicated?
Minimize what is Seen or Retained
• Don’t need it? Don’t have it!
• Encrypt information where you
can.
PHI within your
Network
30. 30
Technology-enabled Best Practices
Keep PHI Off if Possible where Risk of Theft is High
• Laptops (if you must have PHI: encrypt)
• Tablets
• Smart phones
• Thumb drives
Mobile Device Management (MDM) Policy
• Have one.
• Enforce it.
• Have software and process to remotely wipe
tablets and smartphones if they are lost or stolen.
All Mobile
Devices
31. 31
Technology-enabled Best Practices
Backups of PHI
• Make sure they are encrypted.
• Keep in a safe, secure place re: hardware
and software.
Physical Access
• Limit both on-site and off-site access.
• Enforce it.
Data Backup &
Recovery
32. 32
Technology-enabled Best Practices
Get an Assessment
• Know your baseline.
• Measure your progress.
• Document processes as well as your
rationale for taking action… and not
taking action.
Communicate
• Train and educate personnel.
• Formally and informally.
Document,
Document,
Document.
33. Discussing PHI
• Be aware of where you are and your surroundings when talking about
a case/client that involves PHI (patient information):
o Office telephone: Is your door open?
o Cell phone: Where are you? In public? An elevator? Who’s
around you?
o Conversation with a co-worker: Are you in a high-traffic hallway?
An elevator? A coffee shop? The restroom?
o Remember and keep in mind the 18 identifiers.
• Don’t share information with other staff members unless it is absolutely
necessary for them to perform their job functions.
33
Treat PHI with the same care that you would your own
information: keep it secure and protect the right to privacy.
Workforce Tips
34. Email
• Do not use Gmail/AOL/Hotmail accounts or any other consumer
based email systems to send any PHI. They are not secure.
• Pay close attention to your incoming emails . Example - phishing
attacks:
o Targeted emails sent to a small number of people, typically an executive
team.
o Message will appear to be personal to you: oftentimes information is
pulled from social media sites or online profiles.
o Email can contain links to websites or include compromised attachments.
o Once clicked or opened, key loggers or some other form of malware is
installed that allows remote parties to monitor your activity and steal data.
34
Workforce Tips
35. Mobility
• Don’t download or send ePHI to anything
mobile unless absolutely necessary to
perform your job function.
• This includes laptops, iPhones, iPads,
Androids, thumb drives, etc.
• If you have to have data on a mobile
device, ensure that the data is encrypted.
• Do not send information via text
messaging: this is not secure.
35
Minimizing where ePHI lives is a huge step
in protecting it and maintaining compliance.
Workforce Tips
36. Mobility
• When you work remotely and connect in to your corporate network:
o Keep documents on the office network.
o Guard against copying any information to your workstation
and/or device.
• Do not save passwords in applications such as web browsers or VPN
clients: If your device is ever lost, stolen or compromised, the new
owner could easily connect to the internet and access your sites
without having to guess or crack your password.
36
Workforce Tips
37. Passwords
• Your organization has a password policy for a
reason. Typically it requires you to change your
password periodically and to have certain
requirements to make it a strong password, such as:
o 8-12 characters
o Change quarterly (for example).
o Should include letters, numbers and symbols
37
Workforce Tips
• www.howsecureismypassword.net: a website to measure the strength
of a password (note: do not enter your real passwords into this or any site)
o PW = stgpwb!g 33 minutes to crack with a PC
o PW = stgpWb!g 24 hours to crack with a PC
o PW = s2gpWb!g 72 hours to crack with a PC
• Don’t fight your company’s password policy!
• Do not share your passwords.
• Do not write your passwords on a sticky note and attach to your
computer or monitor.
38. Working with Paper
• Keep areas where PHI is located locked
at all times.
• Have a designated person that can lock
and unlock these areas only. (Privacy
Officer)
• If you are working with paper copies of
documents that contain PHI:
o Maintain control of the copies at all
times.
o Do not leave the copies lying around
for others to see.
• Use fax cover sheets that have privacy
statements on them.
38
Workforce Tips
39. Miscellaneous
• Lock your workstation when you leave your desk.
+
• Position your monitors so people passing by your office, or coming
into your office to talk to you, cannot see the information on your
monitors.
39
Workforce Tips
40. Worry Free IT
Richard Stokes
rstokes@network1consulting.com
Richard joined Network 1 in 2003, as employee #4, and has been an integral part of Network 1’s growth
over the years both in sales and client management. He has been leading Network 1’s focus on
medical practices and healthcare since 2010.
Richard is an active member of the North Fulton Medical Group Management Association (NFMGMA)
and has served on their Board. He is also an active member of the North Metro Medical Manager’s
Association (NMMMA) and serves on their Board. In addition, Richard has been interviewed and quoted
as a healthcare IT consultant in Physicians Practice, American Medical
News andMedicalOfficeToday and has spoken as a HIPAA and ePHI expert at several medical and
legal associations in Atlanta. Richard is also a regular contributor for Network 1’s Tuesday Tips.
40