ACA Marketing Presentation · Those Subject to HIPAA Covered Entities – Health Care Providers,...
HIPAA Review
HIPAA Legislation
Health Insurance Portability and Accountability Act
2019 © ACA Inc.
Regulates the use and disclosure of PHI
Established standards for healthcare transactions
Updated by the HITECH Act and the Omnibus Rule
More updates possible this year
Protected Health Information
Information about an individual’s physical or mental health, including the provision of or payment for services; that can reasonably be used to identify the individual; and that is transmitted or maintained in any form or medium.
Identifiers that make health information individually identifiable:
Name, address, dates (more specific than year), phone number, fax number, email address, Social Security number, medical record number, health plan number,
account number, certificate/license number, vehicle identifier, device identifier, web URL, IP address, finger or voice print, photographic image, any other unique ID or code
Those Subject to HIPAA
Covered Entities – Health Care Providers, Health Plans or Health Care Clearinghouses
Business Associates – Any entity providing services to a Covered Entity, or to another Business Associate, that creates, receives, maintains or transmits PHI
Conduit Exception – An entity that merely transmits PHI, with only temporary storage; its access is transient in nature
HIPAA Rules
Privacy Rule – Use and disclosure of PHI and individuals’ rights
Security Rule – Administrative, Technical and Physical standards for the transmission, storage and disposal of ePHI
Transactions and Code Sets Rule – EDI standards for transactions
Identifiers Rule – National Provider Identifier
Enforcement Rule – Compliance provisions and penalties for violations
Breach Notification Rule – Breach definition and requirements for reporting and notification to affected individuals
New Federal Initiatives
MyHealthEData – Seeks to empower people by giving them more control over their health data, and facilitating health data exchange between providers
Led by the White House Office of American Innovation with participation from HHS, CMS, ONC, NIH and VA
Promoting Interoperability (PI) Program – Rebranding of the Meaningful Use program
Emphasizes measures that require exchange of health data between providers and patients
Incentivizes providers to make it easier for patients to get their records in electronic format
HIPAA Improvement RFI (Request for Information)
Foster care coordination and data access, while still protecting privacy
Use health IT effectively to address opioid use disorder prevention and treatment
Provide an accounting of disclosures for treatment, payment, and health care operations
Update Notice of Privacy Practices requirements
Improve patient matching accuracy
Proposed Rules
21st Century Cures Act: Interoperability, Information Blocking and the ONC Health IT Certification Program – Issued by the Office of the National Coordinator for Health IT (ONC); advances interoperability and supports the access, exchange, and use of electronic health information
Interoperability and Patient Access – Issued by the Centers for Medicare and Medicaid Services (CMS); expands access to health information and improves the seamless exchange of data in healthcare
International Data Privacy
General Data Protection Regulation (GDPR)
Approved by the EU Parliament in 2016; effective May 25, 2018
Applies to any organization that processes the personal data of people in the EU, wherever the organization itself is based
Aligns data protection rules throughout the EU
Gives people more control over their data: to request it, export it, and withdraw consent to its access or use
Privacy advocacy groups have already filed complaints
Google, Facebook, Instagram and WhatsApp have all been subject to legal action
Google has been fined 50 million euros by the French regulator CNIL (January 2019) for lack of valid consent for ad personalization
Facebook is facing fines for a security incident reported in September 2018 involving the theft of user access tokens
Complying with the Rules
HIPAA Privacy and Security Officers
Privacy and Security Policies and Procedures
Staff sanctions for non-compliance, up to and including termination and prosecution
Anti-Retaliation policy to protect staff when they report violations they observe
Training and Continuing Education
Security Incident Assessment and Notification
Risk Management and Mitigation
Disaster Recovery and Business Continuity Plan
Business Associate Agreements
Notice of Privacy Practices
Basic Security Measures
Create strong passwords and keep them secure
Do not download apps or install programs yourself
Lock your computer when leaving your desk, and store documents securely
Be mindful when guests are in the office
Be vigilant about phishing scams online and in emails
Contact IT immediately if you notice something wrong with your computer
Data Exchange
Paper PHI
Remove incoming faxes promptly
Send test faxes to new recipients
Use secure shredding bins, not regular trash
ePHI
Storage – ePHI on network drives only
Helpdesk Logs – use designated folders for data exchange; not the helpdesk application or email
Use encrypted email – no ePHI in the subject line
If you receive an unencrypted email containing ePHI:
o Save the ePHI to a network drive if needed
o Delete the message from the Inbox and the Deleted Items folders
o Notify the HIPAA Officers, who will follow up
Transport Layer Security (TLS)
Data exchange over an encrypted channel
Encryption is at the server level, and must be in place at both the sending and the receiving mail server
The data itself is not encrypted; only the channel is. TLS protects the message in transit between servers, not at rest, and unless TLS is enforced for the recipient’s domain the sending server may fall back to plaintext when the receiving server does not offer it
While not a violation, ACA does not recommend relying on TLS alone
Messages inadvertently sent to recipients outside the TLS channel are not secure
After messages are sent via TLS they may reside on devices that are not completely secure
Breach Basics
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI
An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised
It is only a breach if the PHI was UNSECURED – not encrypted (per HHS guidance) and not destroyed; PHI that was encrypted or properly destroyed is outside the breach notification requirement
2018 Top Breaches
AccuDoc – Billing vendor for Atrium Health, a large hospital system in NC, SC and GA; several of its databases were hacked
UnityPoint Health – Business email system compromised in a phishing attack. UnityPoint had another breach earlier in 2018, also due to phishing, affecting 16,429 patients
Employees Retirement System of Texas – System flaw allowed users to view each other’s information
HIPAA Criminal Offense
A former UPMC employee wrongfully obtained and purposely disclosed PHI
Under the HIPAA criminal statute, she is facing up to 10 years in prison and fines of $500,000, due to the malicious intent
UPMC may also face penalties if it is found that user access was not appropriately limited, or that audit protocols were missing or insufficient
In Case of an Incident
Notify the HIPAA Officers and perform initial mitigation
Emails – Try to recall the message; if unsuccessful, ask the recipient(s) to delete the message
Faxes – Ask recipients to destroy the fax
Investigate and document the incident
Follow policy and procedure changes to prevent recurrence
Participate in refresher training if required
Phishing Scams Evolve
Emails with PDFs attached may bypass spam filters
Seemingly benign attachments link to malicious sites
Users are lured into divulging credentials and PHI
Commonly mimicked sites: Google, Apple, Netflix
Apple Phishing Scam (screenshot slides)
Cyber Blackmail
Messages appear to come from your own account
May include a password you’ve used in the past
Hackers usually want money (bitcoin) or credentials
Threats are designed for maximum embarrassment
Cyber Blackmail (screenshot slides)
Data Sources for Blackmailers
Pwned = “owned” (hacker slang: your account or its data has been compromised in a breach)
https://haveibeenpwned.com – lets you check whether an email address, or a password, appears in known breach data
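The passwords that show up in these blackmail emails come from old breach dumps, and haveibeenpwned.com exposes the same corpus in a way that lets you check a password without ever sending it. The script below is an added example written for this deck, not ACA code: it follows the published Have I Been Pwned “Pwned Passwords” range API (only the first five hex characters of the password’s SHA-1 are sent; the remaining 35 are matched locally against the returned “SUFFIX:COUNT” lines). The range response, the sample password and the hit count are constructed fixtures so the example runs offline; fetch_range() shows the live call and is not invoked automatically.

```python
"""Check whether a password appears in a breach corpus without sending it (k-anonymity).

Added example, not from the ACA deck. Have I Been Pwned's "Pwned Passwords" range API:
the client hashes the password with SHA-1, sends only the first 5 hex characters to
GET https://api.pwnedpasswords.com/range/<prefix>, and receives every known suffix
(the remaining 35 hex characters) with that prefix as "SUFFIX:COUNT" lines. Matching
is done locally, so the service never learns the password or its full hash.
The range response below is a constructed fixture, not real breach data.
"""
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {SUFFIX: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """Times the password appears in the corpus according to the range response (0 = never seen)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-character prefix leaves the machine."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "hipaa-training-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed fixture (assumption, not real data): a range response in which the sample
# password has been "seen" 1234 times, padded with unrelated suffixes derived from fixed strings.
KNOWN_WEAK_PASSWORD = "Summer2018!"
_PREFIX, _SUFFIX = sha1_prefix_suffix(KNOWN_WEAK_PASSWORD)
CONSTRUCTED_RANGE_BODY = "\r\n".join(
    [_SUFFIX + ":1234"]
    + [hashlib.sha1(("padding-%d" % i).encode()).hexdigest().upper()[5:] + ":%d" % (i + 1)
       for i in range(5)])

if __name__ == "__main__":
    n = pwned_count(KNOWN_WEAK_PASSWORD, CONSTRUCTED_RANGE_BODY)
    print("%r seen %d times in the (constructed) corpus" % (KNOWN_WEAK_PASSWORD, n))
    # Live check against the real service (uncomment to use):
    # prefix, _ = sha1_prefix_suffix("your password here")
    # print(pwned_count("your password here", fetch_range(prefix)))
```

A non-zero count means the password is in the hands of exactly the people who send these blackmail messages; a zero count only means it is not in this corpus, not that it is strong.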
New Office 365 Attack
Email includes a fake Office 365 non-delivery notification
A “Send Again” button links to a credential-phishing page
After entering your credentials on the fake page, you are returned to the official Office 365 page
Genuine non-delivery notifications do not contain a “Send Again” button
Fake Office 365 Message (screenshot slides)
Genuine Office 365 Message (screenshot slide)
Look Before You Leap
Don’t assume a message is safe if you know the sender
Be wary of overly urgent or enticing messages
Don’t respond to requests for your credentials
Navigate to websites yourself instead of clicking links
Check messages for grammar and spelling errors
Hover over links to verify their authenticity
Be on the lookout for generic or blank recipient lines
Don’t Take the Bait
Decision flowchart (slide graphic). Starting from “Message arrives in your inbox”, it asks in turn:
Do you know the sender?
Does the message have attachment(s)?
Is the message expected?
Can you verify the attachment(s) with the sender?
Does the message contain a link?
Does the link pass the checklist?
Does anything else seem “off” about the message: misspellings, grammar, etc.?
Outcomes shown on the chart: “Message should be OK” and “Message may be marketing or junk but is likely OK”; otherwise, don’t take the bait.
Link Checklist
• Hover over the link; is it genuine?
• Is the message overly urgent or enticing?
• Are you asked to disclose credentials?
• Are you offered something of value?
• Does anything else seem off to you?
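“Hover over the link; is it genuine?” can be done by machine as well as by eye. The script below is an added example written for this deck, not ACA code or a product feature. It parses the HTML body of an email, collects every link, and flags the indicators the slides describe: a visible URL whose domain differs from the real href, a brand name (Office 365, Apple, Google, Netflix) inside a domain the brand does not own, a raw IP address as the link host, and lure text such as “Send Again”, which genuine Office 365 non-delivery reports never carry. The brand keyword list, the allowlist of brand-owned domains and the sample message are constructed assumptions for the demonstration, and the two-label domain simplification is noted in the code.

```python
"""Programmatic version of the "hover over the link" check (added example, not ACA code).

Parses an HTML e-mail body, collects every <a href> with its visible text, and flags:
  - a link host that is a raw IP address,
  - visible text that looks like a URL whose domain differs from the real href,
  - a brand keyword in a host whose registrable domain the brand does not own,
  - anchor text the slides call out as a lure ("Send Again" on a fake non-delivery report).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Assumption: brand keywords and the registrable domains that legitimately use them.
BRAND_KEYWORDS = ("office365", "office", "microsoft", "outlook", "apple", "icloud", "google", "netflix")
BRAND_DOMAINS = {"microsoft.com", "office.com", "office365.com", "live.com", "outlook.com",
                 "apple.com", "icloud.com", "google.com", "netflix.com"}
# Button text that genuine Office 365 non-delivery reports do not contain (per the deck).
LURE_TEXT = ("send again", "verify your account", "confirm your password")

URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare domains in anchor text are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Production code should use the Public Suffix
    # List so that hosts like "example.co.uk" are handled correctly.
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html: str) -> list:
    """Return one record per suspicious link: {"href", "text", "reasons"}."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not host:
            continue  # mailto:, fragments and the like are out of scope here
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal host")
        if URL_LIKE.match(text.lower()) and registrable_domain(host_of(text)) != registrable_domain(host):
            reasons.append("visible URL domain differs from real href")
        if any(k in host for k in BRAND_KEYWORDS) and registrable_domain(host) not in BRAND_DOMAINS:
            reasons.append("brand name in a domain the brand does not own")
        if text.lower() in LURE_TEXT:
            reasons.append("lure text: %r" % text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample modelled on the fake Office 365 non-delivery notification (not a real message).
SAMPLE_HTML = """
<p>Delivery to the following recipients failed.</p>
<p><a href="http://office365-mail-recovery.example.net/resend">Send Again</a></p>
<p>Manage your settings at
   <a href="http://203.0.113.7/owa">https://outlook.office.com/settings</a></p>
<p>Help: <a href="https://support.microsoft.com/">https://support.microsoft.com/</a></p>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        print(f["href"], "<-", repr(f["text"]), "::", "; ".join(f["reasons"]))
```

Run against the sample, the “Send Again” button and the IP-hosted “outlook.office.com” link are flagged while the genuine Microsoft support link is not. The checks are heuristics, not proof: a link that passes them can still be malicious, so the remaining items on the checklist (urgency, requests for credentials, offers of value) still apply.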
The Internet of Things
Smart devices and wearables offer more convenience but also make networks more vulnerable
NIST recently released a draft document highlighting risks and baseline considerations
Devices can be used to launch cyber attacks
Data stored on the devices can be compromised
Privacy of individuals can be impacted
Fiona Update