HIPAA in 2017: Hot Topics You Can’t Ignore
Danika Brinda, PhD, RHIA, CHPS, HCISPP
March 16, 2017



Privacy Rule

Breach Notification

State Law


Authorizations

Policies and Procedures


The Truth Is…


Have created confusion and misunderstanding across all healthcare organizations


Common Confusion and Misunderstanding

Let’s Talk…


My organization is compliant because we have our notice of privacy practices created


My organization has great practices when it comes to HIPAA and we don’t have to write them down


My Organization is too small to have to comply with the HIPAA Requirements


My EHR Vendor or Information Technology Vendor Took Care of Everything I Need to Do with Privacy and Security


HIPAA is far too complex and challenging


HIPAA in 2017


I don’t have to comply


What Can the Healthcare Industry Expect?

• Increased HIPAA enforcement, including fines

• Increased number of data breaches

• Continuation of the HIPAA audit program

• Continued focus on patients’ rights under HIPAA

• Issues with cybersecurity attacks

• Continued media focus on healthcare privacy and security


HIPAA Data Breaches


What is a Breach?

• An impermissible use or disclosure of PHI is “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised” (45 CFR 164.402).

• HIPAA Breach Risk Assessment (the four factors that must be documented):

  • Who was the unauthorized person who used the PHI, or to whom was the PHI disclosed?

  • What is the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification?

  • Did the other party actually view or acquire the PHI?

  • Has the risk to the PHI been mitigated, and to what extent?


Examples of Potential Breaches

• An employee inappropriately accesses a co-worker’s chart

• A fax is sent to the incorrect fax number

• A release of information is sent to the incorrect recipient

• An employee blogs about their work day, including a specific patient diagnosis that can be linked to a patient

• Someone has hacked into your EHR and obtained SSNs for multiple patients

• A physician or employee inappropriately accesses the chart of a celebrity

• An e-mail with PHI in the body is sent to the incorrect e-mail recipient


Data Breach Requirements

Investigation

• Who, what, when, where, why

• The four breach risk assessment questions

Documentation

• Breach = YES: documentation that shows all notifications were made, the date of each notification, and the content of each notification

• Breach = NO: documentation from the risk assessment supporting a low probability that the information was compromised, or the exception that was applied and why (unintentional good-faith access by a workforce member, inadvertent disclosure between persons authorized to access PHI, or a good-faith belief that the recipient could not have retained the information)

Notification

• Individuals

• Secretary of Health and Human Services (breaches affecting fewer than 500 individuals are logged and reported annually, within 60 days after the end of the calendar year)

• Media (breaches affecting more than 500 residents of a state or jurisdiction)

• Business associates (a business associate that discovers a breach notifies the covered entity, which makes the notifications above)

• Without unreasonable delay and no later than 60 days from the date of discovery


Unsecured vs. Secured PHI

• Unsecured PHI: PHI that is not secured through the use of a technology or methodology specified by the Department of HHS (potentially breached data)

• Secured PHI: PHI that is rendered unusable, unreadable, or indecipherable to unauthorized individuals

  • Encryption consistent with HHS guidance, with the decryption key stored on a device or at a location separate from the data (an encrypted laptop whose key is recoverable from the same device does not qualify for the safe harbor)

  • Destruction (paper shredded or otherwise destroyed; electronic media cleared, purged, or destroyed consistent with NIST SP 800-88)


Data Breach Update

• Data breaches continue to rise at an alarming rate

• Cybersecurity has created more threats to healthcare organizations

• 1,857 large-scale (> 500 individuals) data breaches since September 2009

• 171,672,894 individuals impacted

Breaches reported by year: 2017 (so far) 55; 2016 329; 2015 269; 2014 295; 2013 274; 2012 208; 2011 196; 2010 198; 2009 18

• Theft and loss are still the leading causes of healthcare data breaches


[Chart: Number of Data Breaches > 500 Individuals by Year, 2009 to 2017 (YTD): 18, 198, 196, 208, 274, 295, 269, 329, 55]


Data Breaches by Covered Entity Type (> 500 Individuals Impacted), September 2009 - March 2017

Healthcare Provider: 69%
Business Associate: 15%
Health Plan: 13%
Unspecified: 3%
Healthcare Clearinghouse: 0%


Business Associate Involvement (Data Breaches > 500 Individuals Impacted), September 2009 - March 2017

Covered Entities: 1,542 (83%)
Business Associates: 315 (17%)


Breach by Type (Data Breaches > 500 Individuals), September 2009 - March 2017

Theft: 42%
Unauthorized Access/Disclosure: 25%
Hacking/IT Incident: 15%
Loss: 8%
Improper Disposal: 4%
Other: 4%
Unknown: 2%


Location of Breach (> 500 Individuals), September 2009 - March 2017

Paper: 23%
Laptop: 18%
Network Server: 14%
Desktop Computer: 12%
Other: 11%
E-Mail: 9%
Other Portable Devices: 8%
Electronic Medical Record: 5%


[Chart: Data Breaches Reported by Year, from the Annual Report to Congress on Breaches of Unsecured Protected Health Information]


2017 HIPAA Audits


Current Status of HIPAA Audits

• Desk audits are currently happening

  • 166 covered entities

  • 45 business associates

• The review covers only specific components of the HIPAA regulations

• On-site HIPAA audits will begin in 2017, after the desk audits are complete

• Intent of the HIPAA audits:

  • Identify best practices

  • Uncover new risks and vulnerabilities

  • Detect areas for technical assistance

  • Encourage consistent attention to compliance

  • Develop tools and guidance for industry self-evaluation and breach prevention

• Intended to be non-punitive


HIPAA Documentation Requirements


“Two aspects of HIPAA that will be extensively audited are enterprise-wide risk assessments and policies and processes…”

Deven McGraw, Deputy Director for Health Information Privacy, Department of Health and Human Services’ Office for Civil Rights


HIPAA Documentation Expectations: Privacy Rule Documentation – 45 CFR 164.530(i)

A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule requirements.


HIPAA Documentation Expectations: Security Rule Documentation – 45 CFR 164.316(b)(1)

(i) Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

164.316(b)(2) adds the implementation specifications auditors check against: retain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later; make it available to the persons responsible for implementing the procedures; and review and update it periodically in response to environmental or operational changes.


Tell Me!



2017 HIPAA Hot Topics


What’s New with HIPAA Enforcement?


HIPAA Fines by the Years = $66,729,700

Year   Number of HIPAA fines with resolution agreements   Total fines collected
2008   1                                                  $100,000
2009   1                                                  $2,500,000
2010   2                                                  $1,035,000
2011   3                                                  $6,165,500
2012   5                                                  $4,850,000
2013   3                                                  $3,065,780
2014   6                                                  $7,940,220
2015   6                                                  $6,193,400
2016   13                                                 $23,504,800
2017   4                                                  $11,375,000


How Can You Fight the Battle with Hacking?

• Conduct a risk analysis/assessment

• Conduct vulnerability assessments and penetration testing

• Encrypt data at rest

• Encrypt data in motion

• Encrypt hardware (full-disk encryption on laptops and portable devices, with the key not recoverable from the device itself)

• Know where data is stored and maintained

• Securely back up your data

• Keep systems up to date with patches

• Use antivirus solutions

• Use intrusion detection software

• Educate workforce members

• Have a security incident response plan ready (and test it)


HIPAA Success Tips

• Make the HIPAA Privacy and Security Officers known within the organization

• Have a clearly defined incident response/breach response process

• Report any concerns to organization leadership immediately

• Don’t share any information learned from work with anyone who doesn’t need to know it

• Educate the workforce

• Use strong passwords and change them

• Conduct information system activity review (audit reviews)

• Follow the policies and procedures established by your organization

• Have automatic logoff turned on for systems with PHI

• Don’t allow others to access systems that you are logged into

• Don’t share passwords or write down passwords

• Respect the security features established by your organization

• Don’t leave computers in your car where they can be seen (especially in an unlocked car)
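The chart-access scenarios listed under Examples of Potential Breaches (an employee opening a co-worker’s chart, a physician opening a celebrity’s chart) and the tip to conduct information system activity review come together in an access-log review. The following is an added example, not code from the original presentation: it runs a treatment-relationship check over a constructed EHR audit log and labels every access that lacks a documented relationship. The log format, the user and MRN identifiers, the care-team roster, the employee-chart mapping and the VIP flag are all assumptions for the example.

```python
"""Information system activity review over constructed EHR audit-log lines.

Added example; not from the original slides or any vendor's EHR.  Field
names, identifiers and the reference tables below are assumptions.
"""
import csv
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class Finding:
    ts: str
    user_id: str
    patient_mrn: str
    rule: str


# Constructed reference data (assumed, not from any real system).
# Charts that belong to workforce members, keyed by MRN -> that employee's user id.
EMPLOYEE_CHARTS = {"MRN-7002": "u1004"}
# Charts the organization has flagged for heightened monitoring (e.g. a celebrity).
VIP_CHARTS = {"MRN-7003"}
# Workforce members with a documented treatment relationship, per chart.
CARE_TEAM = {
    "MRN-7001": {"u1001", "u1003"},
    "MRN-7002": {"u1006"},
    "MRN-7003": {"u1005"},
}

# Constructed sample log: who opened which chart and what they did.
SAMPLE_LOG = """\
ts,user_id,patient_mrn,action
2017-03-01T08:02:11,u1001,MRN-7001,view
2017-03-01T08:05:40,u1002,MRN-7002,view
2017-03-01T08:06:10,u1004,MRN-7002,view
2017-03-01T09:10:02,u1005,MRN-7003,view
2017-03-01T09:12:55,u1002,MRN-7003,view
2017-03-01T10:00:00,u1003,MRN-7001,print
"""


def review_activity(log_text, care_team=CARE_TEAM,
                    employee_charts=EMPLOYEE_CHARTS, vip_charts=VIP_CHARTS):
    """Return one Finding per access with no treatment relationship,
    labelled with the most specific rule that applies."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, mrn = row["user_id"], row["patient_mrn"]
        if user in care_team.get(mrn, set()):
            continue  # documented relationship: routine access, not flagged
        if employee_charts.get(mrn) == user:
            rule = "self_access"          # employee opened their own chart
        elif mrn in employee_charts:
            rule = "coworker_chart"       # chart belongs to another workforce member
        elif mrn in vip_charts:
            rule = "vip_no_relationship"  # monitored chart, no care-team link
        else:
            rule = "no_relationship"      # generic: access without a relationship
        findings.append(Finding(row["ts"], user, mrn, rule))
    return findings


def summarize(findings):
    """Count findings per user so the privacy officer can prioritize follow-up."""
    counts = {}
    for f in findings:
        counts[f.user_id] = counts.get(f.user_id, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_activity(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.user_id} {f.patient_mrn} -> {f.rule}")
    print(summarize(results))
```

On the sample log this flags three accesses: u1002 opening a co-worker’s chart, u1004 opening their own chart, and u1002 opening the monitored chart with no care-team link; the two accesses by care-team members pass. A real review would add the reasons the application records (break-the-glass, billing, release of information) as further exemptions, and would be run on a schedule so that the review itself is documented, as the Security Rule requires.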
