ACA Marketing Presentation · Those Subject to HIPAA Covered Entities – Health Care Providers,...


Transcript of ACA Marketing Presentation · Those Subject to HIPAA Covered Entities – Health Care Providers,...

Page 1

HIPAA Review

Page 2

HIPAA Legislation

Health Insurance Portability and Accountability Act

2019 © ACA Inc.

• Regulate use and disclosure of PHI
• Established standards for healthcare transactions
• Updated by the HITECH Act and Omnibus Rule
• More updates possible this year

Page 3

Protected Health Information

Information about an individual’s physical or mental health, including provision or payment for services; that can be reasonably used to identify an individual; and is transmitted or maintained in any form or medium.

Identifiers:
• Name
• Address
• Dates (less than year)
• Phone number
• Fax number
• Email address
• Social Security number
• Medical record number
• Health plan number
• Account number
• Certificate/license number
• Vehicle identifier
• Device identifier
• Web URL
• IP address
• Finger or voice print
• Photographic image
• Any unique ID or code

Page 4

Those Subject to HIPAA

• Covered Entities – Health Care Providers, Health Plans or Health Care Clearinghouses
• Business Associates – Any entity providing services to a Covered Entity, or another Business Associate, that creates, receives, maintains or transmits PHI
• Conduit Exception – An entity that transmits PHI, with only temporary storage; access is transient in nature

Page 5

HIPAA Rules

• Privacy Rule – Use and disclosure of PHI and individuals’ rights
• Security Rule – Administrative, Technical and Physical standards for transmission, storage and disposal of ePHI

Page 6

HIPAA Rules

• Transactions and Code Sets Rule – EDI standards for transactions
• Identifiers Rule – National Provider Identifier
• Enforcement Rule – Compliance provisions and penalties for violations
• Breach Notification Rule – Breach definition and requirements for reporting and notification to affected individuals

Page 7

New Federal Initiatives

MyHealthEData
• Seeks to empower people by giving them more control over their health data, and facilitating health data exchange between providers
• Led by the White House Office of American Innovation with participation from HHS, CMS, ONC, NIH and VA

Promoting Interoperability (PI) Program
• Rebranding of the Meaningful Use program
• Emphasizes measures that require exchange of health data between providers and patients
• Incentivizes providers to make it easier for patients to get their records in electronic format

Page 8

HIPAA Improvement RFI

• Foster care coordination and data access, while still protecting privacy
• Use health IT effectively to address opioid use disorder prevention and treatment
• Provide accounting of disclosures for treatment, payment, and health care operations
• Update Notice of Privacy Practices requirements
• Improve patient matching accuracy

Page 9

Proposed Rules

21st Century Cures Act: Interoperability, Information Blocking and the ONC Health IT Certification Program
• Issued by the Office of the National Coordinator (ONC)
• Advance interoperability and support the access, exchange, and use of electronic health information

Interoperability and Patient Access
• Issued by the Centers for Medicare and Medicaid Services (CMS)
• Expand access to health information and improve the seamless exchange of data in healthcare

Page 10

International Data Privacy

• General Data Protection Regulation (GDPR)
• Approved by EU Parliament, effective May 2018
• Affects any company that does business in the EU
• Aligns data protection rules throughout the EU
• Gives people more control over their data – to request it, export it, and withdraw consent to access or use it

Page 11

International Data Privacy

• Privacy advocacy groups have already filed complaints
• Google, Facebook, Instagram and WhatsApp have all been subject to legal action
• Google has been fined 50 million euros for lack of consent for ad personalization
• Facebook is facing fines for a security incident reported in September involving the theft of user access tokens

Page 12

Complying with the Rules

• HIPAA Privacy and Security Officers
• Privacy and Security Policies and Procedures
• Staff sanctions for non-compliance, up to and including termination and prosecution
• Anti-Retaliation policy to protect staff when reporting violations they observe
• Training and Continuing Education
• Security Incident Assessment and Notification
• Risk Management and Mitigation
• Disaster Recovery and Business Continuity Plan
• Business Associate Agreements
• Notice of Privacy Practices

Page 13

Basic Security Measures

Create strong passwords and keep them secure


Do not download apps or install programs yourself

Lock your computer when leaving your desk, and store documents securely

Be mindful when guests are in the office

Be vigilant about phishing scams online and in emails

Contact IT immediately if you notice something wrong with your computer

Page 14

Data Exchange

Paper PHI
• Remove incoming faxes promptly
• Send test faxes to new recipients
• Use secure shredding bins, not regular trash

ePHI
• Storage – ePHI on network drives only
• Helpdesk Logs – use designated folders for data exchange; not the helpdesk application or email
• Use encrypted email – no ePHI in the subject line
• If you receive an unencrypted email containing ePHI:
  o Save ePHI to a network drive if needed
  o Delete message from Inbox and Deleted Items folders
  o Notify HIPAA Officers who will follow up
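As an added example that is not part of the ACA deck, the following Python check applies the "no ePHI in the subject line" rule by scanning an outbound subject for a few of the identifier categories listed on the Protected Health Information slide (SSN, phone/fax number, email address, IP address, URL, medical record number). The regular expressions, the `MRN`-prefixed record-number format and the sample subject lines are constructed assumptions for illustration; a real deployment would tune the patterns to the organisation's own identifier formats and run the same check in the mail gateway rather than in a script.

```python
import re

# Patterns for a subset of the identifier categories on the PHI slide.
# The MRN token format is a constructed assumption; real formats vary.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return the sorted list of identifier categories present in text."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def check_subject_line(subject):
    """Return (allowed, categories) for an outbound subject line.

    allowed is False as soon as any identifier category is found, because a
    subject line is not protected by message-body encryption.
    """
    found = find_identifiers(subject)
    return (len(found) == 0, found)


# Constructed sample subject lines (not taken from the deck).
SAMPLE_SUBJECTS = [
    "Appointment reminder",
    "Re: claim for MRN 00481516, SSN 123-45-6789",
    "Call back 555-867-5309 re: lab results",
]


def audit(subjects):
    """Map each subject line to its (allowed, categories) verdict."""
    return {s: check_subject_line(s) for s in subjects}


if __name__ == "__main__":
    for subject, (ok, reasons) in audit(SAMPLE_SUBJECTS).items():
        status = "OK" if ok else "BLOCK (" + ", ".join(reasons) + ")"
        print(f"{status:28s} {subject}")
```

The check is intentionally conservative: a false positive costs the sender a rewrite of the subject line, while a false negative puts an identifier in a header that every relay and mailbox on the path can read in the clear.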

Page 15

Transport Layer Security (TLS)

• Data exchange over an encrypted channel
• Encryption is at the server level, and must be in place at both sender and receiver
• The data is not encrypted; only the channel
• While not a violation, ACA does not recommend TLS
• Messages inadvertently sent to recipients outside the TLS channel are not secure
• After messages are sent via TLS they may reside on devices that are not completely secure

Page 16

Breach Basics

• A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI
• It’s only a breach if the data is UNSECURED – not encrypted, or otherwise secured and discarded

Page 17

2018 Top Breaches

• AccuDoc – Billing vendor for Atrium Health, a large hospital system in NC, SC and GA, had several databases hacked
• UnityPoint Health – Business email system compromised in a phishing attack. UnityPoint had another breach earlier in 2018 due to phishing, affecting 16,429 patients
• Employees Retirement System of Texas – System flaw allowed users to view each other’s information

Page 18

HIPAA Criminal Offense

• Former UPMC employee wrongfully obtained and purposely disclosed PHI
• Under HIPAA criminal statute, she is facing up to 10 years in prison and fines of $500,000, due to the malicious intent
• UPMC may also face penalties if it is found that user access was not appropriately limited, or audit protocols were missing or insufficient

Page 19

In Case of an Incident

• Notify HIPAA Officers and perform initial mitigation
  o Emails – Try to recall the message; if unsuccessful ask recipient(s) to delete the message
  o Faxes – Ask recipients to destroy the fax
• Investigate and document the incident
• Follow policy and procedure changes to prevent recurrence
• Participate in refresher training if required

Page 20

Phishing Scams Evolve

• Emails with PDFs attached may bypass spam filters
• Seemingly benign attachments link to malicious sites
• Users lured into divulging credentials and PHI
• Common sites mimicked: Google, Apple, Netflix

Pages 21–26

Apple Phishing Scam (six slides with no text content)

Page 27

Cyber Blackmail

• Messages appear to come from your own account
• May include a password you’ve used in the past
• Hackers usually want money (bitcoin) or credentials
• Threats are designed for maximum embarrassment

Pages 28–30

Cyber Blackmail (three slides with no text content)

Page 31

Data Sources for Blackmailers

• Pwned = “owned” by someone
• https://haveibeenpwned.com

Page 32

New Office 365 Attack

• Email includes fake Office 365 non-delivery notification
• Send Again button links to a credentials phishing page
• After entering your credentials on the fake page, you’re returned to the official Office 365 page
• Genuine non-deliverable notifications do not contain a Send Again button

Pages 33–34

Fake Office 365 Message (two slides with no text content)

Page 35

Genuine Office 365 Message (slide with no text content)

Page 36

Look Before You Leap

Don’t assume a message is safe if you know the sender


Be wary of overly urgent or enticing messages

Don’t respond to requests for your credentials

Navigate to websites yourself instead of clicking links

Check messages for grammar and spelling errors

Hover over links to verify their authenticity

Be on the lookout for generic or blank recipient lines

Page 37

Don’t Take the Bait

Decision flowchart (text rendering of the slide’s diagram; the branch structure is reconstructed from the flattened layout):

Message arrives in your inbox → Do you know the sender?

YES (known sender):
• Is the message expected?
• Does the message have attachment(s)? If YES: Can you verify attachment(s) with the sender?
• Does the message contain a link? If YES: Does the link pass the checklist?
• All checks pass → Message should be OK

NO (unknown sender):
• Does the message have attachment(s)?
• Does the message contain a link? If NO → Message may be marketing or junk but is likely OK
• If YES: Does the link pass the checklist?
• Does anything else seem “off” about the message: misspellings, grammar, etc.? If NO → Message may be marketing or junk but is likely OK

A NO at any verification step (or a YES to “anything off”) is the exit the slide title names: don’t take the bait.

Link Checklist
• Hover over the link; is it genuine?
• Is the message overly urgent or enticing?
• Are you asked to disclose credentials?
• Are you offered something of value?
• Does anything else seem off to you?
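As an added example that is not part of the deck, the flowchart encoded as a Python function so the triage logic can be exercised against sample messages and its branches checked one by one. The `Message` fields and the `triage` and `link_checklist` names are assumptions, as is one routing decision the flattened slide does not settle: an unexpected message from a known sender is sent down the stricter unknown-sender path, consistent with “Don’t assume a message is safe if you know the sender” on the previous slide. The sample messages are constructed.

```python
from dataclasses import dataclass


# Answers to the yes/no questions in the flowchart. Field names are assumed
# for this example; the sample values further down are constructed.
@dataclass
class Message:
    sender_known: bool
    expected: bool = False
    has_attachment: bool = False
    attachment_verified: bool = False   # confirmed with the sender out of band
    has_link: bool = False
    link_passes_checklist: bool = False
    anything_off: bool = False          # misspellings, grammar, odd tone, etc.


# Terminal nodes. The two "OK" outcomes are the slide's own wording; the
# failing outcome is the slide title.
BAIT = "Don't take the bait"
OK = "Message should be OK"
LIKELY_OK = "Message may be marketing or junk but is likely OK"


def link_checklist(hover_genuine, overly_urgent, asks_credentials,
                   offers_value, seems_off):
    """Link Checklist from the slide: a link passes only if hovering shows a
    genuine destination and every red-flag question is answered no."""
    return hover_genuine and not (overly_urgent or asks_credentials
                                  or offers_value or seems_off)


def triage(m):
    """Walk the flowchart and return its terminal node for message m."""
    if m.sender_known and m.expected:
        # Known sender, expected message: attachments must be verified with
        # the sender and any link must pass the checklist.
        if m.has_attachment and not m.attachment_verified:
            return BAIT
        if m.has_link and not m.link_passes_checklist:
            return BAIT
        return OK
    # Unknown sender. Assumption: an unexpected message from a known sender
    # is routed here too, since knowing the sender does not make it safe.
    if m.has_attachment:
        return BAIT                      # unsolicited attachment: do not open
    if not m.has_link:
        return LIKELY_OK
    if not m.link_passes_checklist:
        return BAIT
    if m.anything_off:
        return BAIT
    return LIKELY_OK


# Constructed sample messages (not from the deck).
SAMPLES = {
    "colleague sends the agenda you asked for":
        Message(sender_known=True, expected=True, has_attachment=True,
                attachment_verified=True),
    "colleague's account sends an unexpected invoice":
        Message(sender_known=True, expected=False, has_attachment=True),
    "vendor newsletter, no links":
        Message(sender_known=False),
    "unknown sender, link fails the checklist":
        Message(sender_known=False, has_link=True,
                link_passes_checklist=False),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{triage(msg):52s} <- {label}")
```

Writing the chart as code makes its one asymmetry visible: on the known-sender path an attachment can be cleared by verifying it with the sender, while on the unknown-sender path any attachment ends the walk, which is the behaviour the slide wants for unsolicited PDFs.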

Page 38

The Internet of Things

• Smart devices and wearables offer more convenience but also make networks more vulnerable
• NIST recently released a draft document highlighting risks and baseline considerations

Devices can be used to launch cyber attacks

Data stored on the devices can be compromised

Privacy of individuals can be impacted

Page 39

Fiona Update
