What’s your HIPAA risk? · Certified in healthcare compliance and risk management Experts in...
© 2020 HIPAA One All Rights Reserved. Webinar Sponsors:
What’s your HIPAA risk? Debunking the top 5 myths
Presenters
Bobby Seegmiller, SVP and Founding Partner
PAT, Mascot
Kirk Ising, Senior Account Executive
Today’s Agenda
Top myths about HIPAA compliance
Understanding cybersecurity and what your responsibilities are
Importance of completing an annual risk analysis
Open question & answer
HIPAA One Company Introduction
HIPAA Compliance & Data Security Professionals
• Certified in healthcare compliance and risk management
• Experts in talent, solutions and methodologies
• Dedicated to constant improvement
HIPAA One Risk Analysis Software:
• Over 7,000 sites (CEs and BAs) protecting ePHI
• Automation of all mundane labor-intensive activities
• Includes security and privacy and breach notification
Scalable Software Technology
• Used by single-doc practices to enterprise health plans
• Current with updated state and HIPAA phase 2 audit protocol
Disclaimer: We are not attorneys, but as auditors must understand HIPAA.
Poll Questions
Which segment of the industry are you in?
A. Skilled Nursing
B. Home Health
C. Assisted Living
D. Other
Which option best describes your role?
A. Clinical
B. Administrative
C. IT
True or False: Small organizations are not audited by the OCR
Small organizations are not audited by the OCR
The OCR audits organizations of all sizes.
Cybersecurity is Everyone’s Responsibility
Cybersecurity is important because:
1. Partners and patients rely on you to protect their information
2. Threats are everywhere – a matter of when, not if
3. Breaches are costly
No single security tool can catch:
1. Unlocked laptops
2. Exposed passwords
3. Sophisticated phishing
4. Malicious phone calls
True or False: My EHR vendor is HIPAA compliant, so that covers my organization
My EHR vendor is HIPAA compliant, so that covers my organization
You are responsible for your compliance.
EHR Compliance ≠ Total Compliance
Chain of Trust and Liability
Covered Entity: Healthcare provider, Health Plan
Business Associate: Billing/Coding, IT Services
Business Associate Agreement
ePHI Sharing
True or False: My company provides software to protect me from all malicious attacks
My company provides software to protect me from all malicious attacks
Organizations can implement tools but training and awareness are just as important
IT Incidents in the Healthcare Industry
111 Healthcare IT Incidents reported to HHS in Jan-May 2020 (Providers)
Incidents reported were EMAIL associated: 76
3.6 Million individuals affected by the IT incidents.
*Statistics from the US Department of Health and Human Services Breach Portal Jan - May 2020
Phishing Emails on the Rise
Be suspicious of emails and messages
Think before you click links
Regularly update computer & devices
Never share personal information online
Tools to Aid Compliance
Multi-Factor Authentication
HIPAA Training
Poll Questions
Have you conducted your 2020 HIPAA Security Risk Assessment?
A. Yes
B. No
C. I was not aware we were required to do one
If you were audited tomorrow, are you 100% confident you would pass?
A. Yes
B. No
True or False: Long Term Care/Home Health are not required to perform a Security Risk Analysis
Long Term Care/Home Health are not required to perform a Security Risk Analysis
A Risk Analysis is required annually
Working Towards Compliance
Complete a Security Risk Analysis Annually
Implement tools to protect your office
Train all new and existing employees
Review and update policies and procedures
Security Risk Analysis
• A foundational piece to your cybersecurity and HIPAA initiative
• Identifies risk and vulnerabilities that could lead to a breach
• Creates a roadmap for the year
• Ongoing updates and reviews
Key Steps of a Security Risk Analysis (SRA)
01 Gather information, policies, and procedures
02 Compare current items to the requirements
03 Assess gaps: Security, Privacy, and Breach Audits
04 Response planning and remediation actions
05 Report on findings and outstanding risks
06 Execute updates and begin risk management
A Security Risk Analysis must be completed and reviewed each year
Security Risk Analysis
Progress Overview
Assigning Risk
Remediation Planning
Yearly Import of Security Risk Analysis
Imports last year’s questions and updates.
HIPAA One Time Estimates
Average Time Per Interview*
HR Director: 30 min
EMR/ePHI System Admin: 45 min
IT Network Manager: 30 min
IT Server Manager: 60 min
Facilities Manager: 30 min
HIPAA Security Officer: 90 min
* Add 10 minutes for every 1K employees
True or False: I can only be audited if I have a breach
I can only be audited if I have a breach
You can be audited at any time
Ways to be Audited
• Breach Notice: Phishing, Ransomware, unauthorized disclosure (Omnibus update)
• Eligibility Audit: Office for Civil Rights, Medicaid/Medicare, State Attorney General
• Business Associate: Regardless of who is at fault, the covered entity is responsible
• Patient Complaint/Whistleblower: Privacy (PHI), Security (ePHI) or Breach Notice
No organization is too small to be audited. Everyone is at risk
You need to be HIPAA compliant, just as your EHR vendor is HIPAA compliant
Organizations should implement software as well as provide awareness training
A Security Risk Analysis is required annually
You can be audited anytime: eligibility audit, breach, or patient complaint
Poll Question
What topic would you like to learn more about?
A. Security Risk Analysis
B. Privacy/Breach Risk Analysis
C. HIPAA Training and Awareness
Questions?
Thank You For Joining Us
Follow us on Social:
HIPAA One @HIPAAOne
To Learn More Contact Us:
www.hipaaone.com
Thank You for Joining Us
Webinar and handouts available at: simpleltc.com/hipaa-risk