HIPAA in 2017: Hot Topics You Can’t Ignore
Danika Brinda, PhD, RHIA, CHPS, HCISPP
March 16, 2017
Privacy Rule
Breach Notification
State Law
Authorizations
Policies and Procedures
The Truth Is…
Have created confusion and misunderstanding across all healthcare organizations
Common Confusion and Misunderstanding
Let’s Talk…
My organization is compliant because we have our notice of privacy practices created
My organization has great practices when it comes to HIPAA and we don’t have to write them down
My Organization is too small to have to comply with the HIPAA Requirements
My EHR Vendor or Information Technology Vendor Took Care of Everything I Need to Do with Privacy and Security
HIPAA is far too complex and challenging
I don’t have to comply
HIPAA in 2017
What Can the Healthcare Industry Expect
• Increased HIPAA enforcement, including fines
• Increased number of data breaches
• Continuance of the HIPAA Audit Program
• Continued focus on patients' rights under HIPAA
• Issues with cybersecurity attacks
• Continued media focus on healthcare privacy and security
HIPAA Data Breaches
What is a Breach?
• An impermissible use or disclosure of PHI is "presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."
• HIPAA Breach Risk Assessment:
  • Who was the unauthorized person who used the PHI, or to whom was the PHI disclosed?
  • What is the nature and extent of the PHI involved, and the likelihood of re-identification?
  • Did the other party actually view or acquire the PHI?
  • Has the risk to the PHI been mitigated, and to what extent?
Examples of Potential Breaches
An employee inappropriately accesses a co-worker's chart
A fax is sent to the incorrect fax number
A release of information is sent to the incorrect recipient
An employee blogs about their work day, including a specific patient diagnosis that can be linked to a patient
Someone has hacked into your EHR and obtained SSNs for multiple patients
A physician/employee inappropriately accesses the chart of a celebrity
An e-mail with PHI in the content was sent to the incorrect e-mail recipient
Data Breach Requirements
• Documentation
  • Breach = YES
    • Documentation that shows all notifications were made, the date of notification, and the content of the notification
  • Breach = NO
    • Documentation from the risk assessment showing a low probability that the information was compromised
    • Application of any of the exceptions, and why
• Investigation
  • Who, What, When, Where, Why
  • 4 Breach Risk Assessment Questions
• Notification
  • Individuals
  • Secretary of Health and Human Services
  • Media (> 500 individuals)
  • Business Associates
  • 60 days from the date of discovery
  • No unreasonable delay
Unsecured vs. Secured PHI
• Unsecured PHI
  • PHI that is not secured through the use of a technology or methodology specified by the Department of HHS (potentially breached data)
• Secured PHI
  • PHI that is considered unusable, unreadable, or indecipherable to unauthorized individuals
    • Encryption
    • Destruction
Data Breach Update
Data breaches continue to rise at an alarming rate
Cybersecurity has created more threats to healthcare organizations
1,857 large-scale data breaches since September 2009
171,672,894 individuals impacted
Breaches by year: 2009 – 18; 2010 – 198; 2011 – 196; 2012 – 208; 2013 – 274; 2014 – 295; 2015 – 269; 2016 – 329; 2017 (so far) – 55
Theft & Loss are still the leading causes of healthcare data breaches
[Chart: Number of Data Breaches < 500 Individuals by Year, 2009 through 2017 (YTD); yearly counts as listed above]
[Chart: Data Breaches by Covered Entity Type, > 500 Individuals Impacted, September 2009 - March 2017; categories: Business Associate, Health Plan, Healthcare Provider, Healthcare Clearing House, Unspecified]
Business Associate Involvement, Data Breaches > 500 Individuals Impacted, September 2009 - March 2017
• Covered Entities: 1,542 (83%)
• Business Associates: 315 (17%)
[Chart: Breach by Type, Data Breaches > 500 Individuals, September 2009 - March 2017; categories: Hacking/IT Incident, Improper Disposal, Loss, Other, Theft, Unknown, Unauthorized Access/Disclosure]
[Chart: Location of Breach < 500 Individuals, September 2009 - March 2017; categories: Desktop Computer, Electronic Medical Record, Laptop, Network Server, Other, Other Portable Devices, Paper]
[Chart: Data Breaches Reported By Year; source: Annual Report to Congress on Breaches of Unsecured Protected Health Information]
2017 HIPAA Audits
Current Status of HIPAA Audits
• Desk audits are currently happening
  • 166 Covered Entities
  • 45 Business Associates
• The review is only on specific components of the HIPAA regulations
• On-site HIPAA audits will begin in 2017, after desk audits are complete
• Intent of HIPAA Audits:
  • Identify best practices
  • Uncover new risks and vulnerabilities
  • Detect areas for technical assistance
  • Encourage consistent attention to compliance
  • Develop tools and guidance for industry self-evaluation and breach prevention
• Intended to be non-punitive
HIPAA Documentation Requirements
“Two aspects of HIPAA that will be extensively audited are enterprise-wide risk assessments and policies and processes…”
Deven McGraw, Deputy Director for Health Information Privacy, Department of Health and Human Services' Office for Civil Rights
HIPAA Documentation Expectations
Privacy Rule Documentation – 164.530(i)
A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule requirements.
Security Rule Documentation – 164.316(b)(1)
(i) Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Tell Me!
2017 HIPAA Hot Topics
What’s New with HIPAA Enforcement?
HIPAA Fines by the Years = $66,729,700
Year   Number of HIPAA Fines with Resolution Agreements   Total Fines Collected
2008   1                                                  $100,000
2009   1                                                  $2,500,000
2010   2                                                  $1,035,000
2011   3                                                  $6,165,500
2012   5                                                  $4,850,000
2013   3                                                  $3,065,780
2014   6                                                  $7,940,220
2015   6                                                  $6,193,400
2016   13                                                 $23,504,800
2017   4                                                  $11,375,000
How Can You Fight the Battle with Hacking
• Conduct a Risk Analysis/Assessment
• Conduct Vulnerability Assessments and Penetration Testing
• Encrypt data at rest
• Encrypt data in motion
• Encrypt Hardware
• Know where data is stored and maintained
• Securely back up your data
• Keep systems up to date with patches and updates
• Use antivirus solutions
• Use intrusion detection software
• Educate workforce members
• Have a security incident response plan ready (and test it)
HIPAA Success Tips
• Make the HIPAA Privacy and Security Officers known within the organization
• Have a clearly defined incident response/breach response process
• Report any concerns to organization leadership immediately
• Don’t share any information learned at work with anyone who doesn’t need to know it
• Educate the workforce
• Use strong passwords and change them
• Conduct information system activity review (audit log reviews)
• Follow the policies and procedures established by your organization
• Have automatic log-off turned on for systems with PHI
• Don’t allow others to use systems that you are logged into
• Don’t share passwords or write down passwords
• Respect the security features established by your organization
• Don’t leave computers in your car where they can easily be seen (especially in an unlocked car)
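The "information system activity review" tip above is where the chart-snooping examples from the potential-breaches slide (a co-worker's chart, a celebrity's chart) are actually caught. The following is an added illustration, not material from the presentation or from any real EHR product: it runs a simple review over constructed EHR access-audit lines and flags accesses that need a breach risk assessment. The log format, user names, patient ids and the care-team and workforce lookup tables are all constructed assumptions.

```python
# Added example (not from the presentation): a minimal EHR access-audit review.
# Everything below (log format, users, patient ids, lookup tables) is constructed.

AUDIT_LOG = """\
2017-03-01T08:02:11 user=jsmith patient=P1001 dept=cardiology reason=treatment
2017-03-01T09:15:40 user=jsmith patient=P2002 dept=cardiology reason=none
2017-03-01T10:30:05 user=rlee patient=P3003 dept=billing reason=payment
2017-03-01T11:45:59 user=mkhan patient=P4004 dept=oncology reason=none
"""

WORKFORCE_PATIENT_IDS = {"P2002"}                         # patients who are also employees
HIGH_PROFILE_PATIENT_IDS = {"P4004"}                      # charts under elevated review
CARE_TEAM = {"P1001": {"jsmith"}, "P4004": {"drwhite"}}   # documented treatment relationships
PERMITTED_REASONS = {"treatment", "payment", "operations"}  # TPO purposes under the Privacy Rule


def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line (constructed format) into a dict."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = ts
    return event


def review_access(log_text):
    """Return (ts, user, patient, finding) tuples that warrant a breach risk assessment."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        user, patient = e["user"], e["patient"]
        if user in CARE_TEAM.get(patient, set()):
            continue  # access by the treating team is expected
        if patient in WORKFORCE_PATIENT_IDS:
            findings.append((e["ts"], user, patient, "co-worker chart accessed without treatment relationship"))
        elif patient in HIGH_PROFILE_PATIENT_IDS:
            findings.append((e["ts"], user, patient, "high-profile chart accessed outside care team"))
        elif e.get("reason") not in PERMITTED_REASONS:
            findings.append((e["ts"], user, patient, "no documented treatment/payment/operations purpose"))
    return findings


if __name__ == "__main__":
    for ts, user, patient, finding in review_access(AUDIT_LOG):
        print(f"{ts} {user} -> {patient}: {finding}")
```

Each finding is a lead for the four risk-assessment questions, not a breach determination by itself; the documented outcome of that assessment is what the audit expects to see.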