HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance
1 2017 Annual Conference
HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance
Renee H. Martin, JD, RN, MSN
Dilworth Paxson, LLP, 1500 Market Street, Suite 3500, Philadelphia, PA
Tel: (215) Fax: (215)
2 2016: A very good year for data breaches
- The Identity Theft Resource Center survey showed a record high of 1,093 data breaches across the USA, 377 of them in the health care industry.
- For the 8th consecutive year, hacking, skimming and phishing attacks were the leading causes of data breaches (more than 50% in health care).
- With increased breaches came a new record amount of fines paid by CEs and BAs for breach of unsecured PHI.
- OCR entered into 13 settlements with CEs and BAs, more than twice the number of settlements in
3 Details of breaches not often published
- HIPAA complaint investigations: OCR determines whether a CE or BA has violated the Privacy or Security Rule. If there are findings that the CE or BA committed a significant violation, that a large number of individuals were affected, or if OCR wants to send a message to other CEs or BAs, OCR will issue a press release; OCR then closes the investigation and posts a closure letter on the OCR website.
- ProPublica created an app, its HIPAA Helper tool, that allows determination of repeat offenders. Largest offenders: Dept. of Veterans Affairs and CVS Health. Offenses keep occurring despite technical assistance being provided by OCR.
- Top 5 complaints in 2014: impermissible uses and disclosures of PHI; lack of safeguards of PHI; lack of patient access to their PHI; use or disclosure of more than the minimum necessary PHI; lack of administrative safeguards of electronic protected health information.
4 Complaints Received and Cases Resolved
- Over 150,507 complaints received to date
- Over 24,879 cases resolved with corrective action and/or technical assistance
- Expect to receive 17,000 complaints this year
5 The OCR Enforcement Process
- Right to file a complaint. A person who believes a covered entity or business associate is not complying may file a complaint with the Secretary.
  - Disgruntled employees
  - Patients
- Investigation. The Secretary will investigate any complaint filed when a preliminary review indicates a possible violation due to willful neglect.
- Compliance Reviews. The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying when a preliminary review of the facts indicates a possible violation due to willful neglect, or in any other circumstance.
- Audit Program (discussed later)
- Today's breach report could lead to tomorrow's OCR Compliance Review
6 Complaint Process
7 Enforcement Guidance: How OCR Closes Cases
enforcement/data/index.html
Cases that OCR closes fall into five categories:
- Resolved after intake & review (no investigation)
- Technical Assistance (no investigation)
- No Violation (investigated)
- Corrective Action Obtained (investigated; includes Resolution Agreements)
OCR may decide not to investigate a case further if:
- The case is referred to the Department of Justice for prosecution.
- The case involved a natural disaster.
- The case was pursued, prosecuted, and resolved by state authorities.
- The covered entity or business associate has taken steps to comply with the HIPAA Rules and OCR determines enforcement resources are better/more effectively deployed in other cases.
8 Enforcement Process (continued)
- If the evidence indicates that the Covered Entity was not in compliance, OCR will attempt to resolve the case by obtaining:
  - Voluntary compliance;
  - Corrective action; and/or
  - Resolution Agreement.
- Civil Money Penalties are also possible and always accompany a Resolution Agreement
- Possible referrals to the Department of Justice of criminal violations.
- Pennsylvania enforcement results for compliance reviews as of December 31, 2016:
  - 12% (No Violation)
  - 67% (Resolved after Intake and Review)
  - 21% (Corrective Action)
9 Enforcement by State Attorneys General
- OCR developed HIPAA enforcement training in 2011 to help State Attorneys General use their new authority under the HITECH Act to enforce the HIPAA Privacy and Security Rules. Videos and slides are available on the OCR website.
  - 8 modules, including Module 6: "Investigating and Prosecuting HIPAA Violations."
  - Includes examples of how OCR could impose civil money penalties on a given fact pattern
- State AGs have not made extensive use of their new enforcement power to date.
- No Pennsylvania AG enforcement actions to date.
10 OCR Audit Program
- Audit Purpose: Support Improved Compliance
- Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance
  - Intended to be non-punitive, but OCR can open a compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond)
- Learn from this next phase in structuring a permanent audit program
- Develop tools and guidance for industry self-evaluation and breach prevention
11 Audit Program Status
- Second Audit Phase Underway
- Desk audits: 166 Covered Entities, 43 Business Associates
- Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs
- On-site audits of both CEs and BAs in 2017, after completion of the desk audit process, to evaluate against a comprehensive selection of controls in the protocols
- A desk audit subject may also be subject to an on-site audit
- OCR is beginning distribution of draft findings to audited CEs & BAs
12 Desk Audit Reporting: Process
- After review of submitted documentation, draft findings are shared with the entity
- Entity may respond in writing
- Final audit reports will:
  - Describe how the audit was conducted
  - Present any findings, and
  - Contain any written entity responses to the draft
- OCR Website:
13 Investigative Perspectives of the Parties
14 OCR's Investigative Perspective
- Still conducting complaint investigations
- Can widen a complaint investigation at any time if the complaint investigation signals a potentially larger compliance issue
- Red flag for a CE or BA: when OCR wants to move from paper review to employee interviews
- OCR looks at multiple "small breaches" which evidence a systematic problem, as well as large breaches put on the wall of shame.
- Guaranteed OCR investigation with 500 or more individuals affected
- If the breach involves a security breach or successful incident involving a laptop or another device, OCR will send the laptop to Washington for forensic team analysis to determine the vulnerabilities of the device, and recommendations are made (encryption, log-on and log-off, remote wiping, etc.)
15 OCR's Investigative Perspective
- OCR has been given significant leeway in fine negotiation and resolution actions
- OCR central works with the local office to move the case to a Resolution Agreement; generally OCR wants the Resolution Agreement entered into within one month.
- If there is no Resolution Agreement, the CE or BA can move to an Administrative Hearing: only one case to date, and it was affirmed by the ALJ.
16 OCR's Investigative Perspective
What does OCR expect from the CE or BA during the process?
- Cooperation, Cooperation, Cooperation
- Keep your litigation attorney out of it!
- Timely responses to requests for information
- Evidence from the CE or BA that it is willing to faithfully and seriously change systems, employee behavior, policies and procedures
- Don't wait until the end of the investigation
17 CE or BA Conduct Perspective
- Determine who has the requisite information to respond to the OCR investigation or complaint
- Write all responses clearly and honestly
- If you do not believe there is a valid basis for the complaint, say so and give your rationale
- If you are wrong and you need to conduct corrective action, start the action right away and inform OCR as soon as possible of your corrective action
18 CE or BA Conduct Perspective
- Keep leadership informed: the Board of Directors doesn't like surprises
- Which raises the question of whether information governance exists within your organization's compliance plan
19 What is at Stake?
20 Resolution Agreements
What is a Resolution Agreement?
- A contract between HHS and a CE in which the CE agrees to perform certain obligations (such as staff training) and make reports to HHS, generally for a 3 year period.
- During this period, HHS monitors the CE's compliance with its obligations.
- Typically includes payment of a resolution amount.
- A resolution agreement is used to settle investigations with more serious outcomes.
21 Civil Monetary Penalties
The four categories of CMPs used for the penalty structure are as follows:
- Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by the HIPAA Rules
- Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of the HIPAA Rules)
- Category 3: A violation suffered as a direct result of "willful neglect" of the HIPAA Rules, in cases where an attempt has been made to correct the violation
- Category 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
22 Civil Monetary Penalties
- Category 1: Minimum fine of $100 per violation, up to $50,000
- Category 2: Minimum fine of $1,000 per violation, up to $50,000
- Category 3: Minimum fine of $10,000 per violation, up to $50,000
- Category 4: Minimum fine of $50,000 per violation
23 Recent Enforcement Actions
- 2/16/2017: HIPAA settlement shines light on the importance of audit controls. Memorial Healthcare System pays $5.5 million. MHS is the third largest public health care system in the U.S.
- 2/1/2017: Lack of timely action risks security and costs money. Blackberry lost, unencrypted & not password protected. A consultant had performed a Risk Assessment and found security gaps in the system that the CE did not address. CMP $3,217,000
- 1/18/2017: HIPAA settlement demonstrates the importance of implementing safeguards for ePHI. MAPFRE Life Insurance Company in Puerto Rico (also underwrites group and individual health insurance plans) reported a lost USB device to OCR. No risk assessment, no risk plan. CMP $2.2 million
24 Continuing Enforcement Issue: Affirmative Disclosures Not Permitted
The HIPAA Privacy Rule provides that Covered Entities or Business Associates may not use or disclose PHI except as permitted or required. See 45 C.F.R. (a).
Examples of Potential Violations:
- Covered Entity permits news media to film individuals in its facility prior to obtaining their authorization.
- Covered Entity publishes PHI on its website or on social media without an authorization from the individual(s).
- Covered Entity confirms that an individual is a patient and provides other PHI to reporter(s) without authorization from the individual.
- Covered Entity faxes PHI to an individual's employer without authorization from the individual.
25 Continuing Enforcement Issue: Lack of Business Associate Agreements
HIPAA generally requires that CEs and BAs enter into agreements with their BAs to ensure that the BAs will appropriately safeguard protected health information. See 45 C.F.R. (b).
Examples of Potential Business Associates:
- A collections agency providing debt collection services to a health care provider which involves access to protected health information.
- An independent medical transcriptionist that provides transcription services to a physician.
- A subcontractor providing remote backup services of PHI data for an IT contractor that is a business associate of a health care provider.
26 Continuing Enforcement Issue: Incomplete or Inaccurate Risk Analysis
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]." See 45 C.F.R. (a)(1)(ii)(A).
- Organizations frequently underestimate the proliferation of ePHI within their environments.
- When conducting a risk analysis, an organization must identify all of the ePHI created, maintained, received or transmitted by the organization.
- Examples: applications like EHR and billing systems; documents and spreadsheets; database systems and web servers, fax servers, backup servers, etc.; cloud based servers; medical devices; messaging apps (e-mail, texting, ftp); other media
27 Risk Analysis Guidance
strative/securityrule/rafinalguidance.html
28 Continuing Enforcement Issue: Failure to Manage Identified Risk
The Risk Management Standard requires the "[implementation of] security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]." See 45 C.F.R. (a)(1)(ii)(B).
- Investigations conducted by OCR regarding several breaches uncovered that risks attributable to a reported breach had been previously identified as part of a risk analysis, but the breaching organization failed to act on its risk analysis and implement appropriate security measures.
- In some instances, encryption was included as part of a remediation plan; however, activities to implement encryption were not carried out, or were not implemented within the reasonable timeframe established in the remediation plan.
29 Mobile Device Security
30 Continuing Enforcement Issue: Lack of Transmission Security
When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate. See 45 C.F.R. (e)(2)(ii).
Applications for which encryption should be considered when transmitting ePHI may include:
- E-mail
- Texting
- Application sessions
- File transmissions (e.g., ftp)
- Remote backups
- Remote access and support sessions (e.g., VPN)
31 Continuing Enforcement Issue: Lack of Appropriate Auditing
The HIPAA Rules require the "[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." See 45 C.F.R. (b).
Once audit mechanisms are put into place on appropriate information systems, procedures must be implemented to "regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." See 45 C.F.R. (a)(1)(ii)(D).
Activities which could warrant additional investigation:
- Access to PHI during non-business hours or during time off
- Access to an abnormally high number of records containing PHI
- Access to PHI of persons for which media interest exists
- Access to PHI of employees
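The "regularly review records of information system activity" requirement above is easiest to sustain when the four review criteria are turned into a repeatable triage script rather than a manual read of the log. The following is an added example written for this page, not code from the presentation or from OCR. It assumes a simple comma-separated audit export (timestamp, user, record id, action), and the business hours, time-off calendar, employee-record list, media-interest list, volume threshold and sample log lines are all constructed for illustration; a real EHR export and a real baseline will differ.

```python
"""Audit-log triage for the four review criteria on the slide above.

Added example, not from the presentation. The log format, reference lists,
thresholds and the sample lines are constructed for illustration only.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, time

# Assumed local business hours; anything outside (or on a weekend) is "after hours".
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Distinct records per user per day above which access is "abnormally high".
# Constructed low for the demo; derive it from a per-role baseline in practice.
DAILY_RECORD_THRESHOLD = 5
# Constructed reference data an HR/privacy office would supply.
TIME_OFF = {"asmith": [(date(2017, 2, 15), date(2017, 2, 17))]}   # approved PTO ranges
EMPLOYEE_RECORD_IDS = {"E0042"}                                     # workforce members who are also patients
MEDIA_INTEREST_IDS = {"P9999"}                                      # records flagged for media interest

# Constructed sample export: ISO timestamp, user, record id, action.
SAMPLE_LOG = """\
2017-02-14T09:12:03,jdoe,P1001,VIEW
2017-02-14T09:13:40,jdoe,P1002,VIEW
2017-02-14T23:45:10,jdoe,P1003,VIEW
2017-02-15T10:02:00,asmith,P2001,VIEW
2017-02-15T10:02:30,asmith,P2002,VIEW
2017-02-15T10:03:00,asmith,P2003,VIEW
2017-02-15T10:03:30,asmith,P2004,VIEW
2017-02-15T10:04:00,asmith,P2005,VIEW
2017-02-15T10:04:30,asmith,P2006,VIEW
2017-02-15T11:00:00,rlee,P3001,VIEW
2017-02-15T11:01:00,rlee,E0042,VIEW
2017-02-15T11:02:00,rlee,P9999,PRINT
"""


def parse_log(text):
    """Turn the export into event dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, record, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "record": record, "action": action})
    return events


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def is_on_time_off(user, ts):
    return any(start <= ts.date() <= end for start, end in TIME_OFF.get(user, []))


def triage(events, threshold=DAILY_RECORD_THRESHOLD):
    """Return (rule, user, detail, when) tuples for every event matching a review criterion."""
    findings = []
    records_per_user_day = defaultdict(set)
    for e in events:
        when = e["ts"].isoformat()
        if is_after_hours(e["ts"]):
            findings.append(("after_hours", e["user"], e["record"], when))
        if is_on_time_off(e["user"], e["ts"]):
            findings.append(("time_off", e["user"], e["record"], when))
        if e["record"] in MEDIA_INTEREST_IDS:
            findings.append(("media_interest", e["user"], e["record"], when))
        if e["record"] in EMPLOYEE_RECORD_IDS:
            findings.append(("employee_record", e["user"], e["record"], when))
        records_per_user_day[(e["user"], e["ts"].date())].add(e["record"])
    # Volume is judged per user per day, on distinct records, after the pass above.
    for (user, day), records in sorted(records_per_user_day.items()):
        if len(records) > threshold:
            findings.append(("high_volume", user, f"{len(records)} distinct records", day.isoformat()))
    return findings


def count_by_rule(findings):
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    for rule, user, detail, when in triage(parse_log(SAMPLE_LOG)):
        print(f"{when}  {rule:16} {user:8} {detail}")
    print(count_by_rule(triage(parse_log(SAMPLE_LOG))))
```

Each finding is a lead for the privacy officer, not a conclusion: a clinician on call will legitimately trip the after-hours rule, which is why the output keeps the user, the record and the time so the reviewer can check it against the schedule and document the result, satisfying the "regularly review" expectation with evidence rather than a sign-off.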
32 Continuing Enforcement Issue: Patching of Software
- The use of unpatched or unsupported software on systems which access ePHI could introduce additional risk into an environment.
- Continued use of such systems must be included within an organization's risk analysis, and appropriate mitigation strategies implemented to reduce risk to a reasonable and appropriate level.
- In addition to operating systems, EMR/PM systems, and office productivity software, software which should be monitored for patches and vendor end-of-life for support includes:
  - Router and firewall firmware
  - Anti-virus and anti-malware software
  - Multimedia and runtime environments (e.g., Adobe Flash, Java, etc.)
33 Continuing Enforcement Issue: Insider Threat
- Organizations must "[i]mplement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI... and to prevent those workforce members who do not have access... from obtaining access to ePHI," as part of its Workforce Security plan. See 45 C.F.R. (a)(3).
- Appropriate workforce screening procedures should be included as part of an organization's Workforce Clearance process (e.g., background and OIG LEIE checks). See 45 C.F.R. (a)(3)(ii)(B).
- Termination Procedures should be in place to ensure that access to PHI is revoked as part of an organization's workforce exit or separation process. See 45 C.F.R. (a)(3)(ii)(C).
34 Continuing Enforcement Issue: Disposal of PHI
- When an organization disposes of electronic media which may contain ePHI, it must implement policies and procedures to ensure that proper and secure disposal processes are used. See 45 C.F.R. (d)(2)(i).
- The implemented disposal procedures must ensure that "[e]lectronic media have been cleared, purged, or destroyed consistent with NIST Special Publication, Guidelines for Media Sanitization," such that the PHI cannot be retrieved.
- Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal.
- Organizations must ensure that all electronic devices and media containing PHI are disposed of securely, including non-computer devices such as copier systems and medical devices.
35 Continuing Enforcement Issue: Insufficient Backup and Contingency Planning
- Organizations must ensure that adequate contingency plans (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R. (a)(7).
- Leveraging the resources of cloud vendors may aid an organization with its contingency planning regarding certain applications or computer systems, but may not encompass all that is required for an effective contingency plan.
- As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies. See (a)(7)(ii)(D).
36 What's Next?
37 Long-term Regulatory Agenda
- HITECH provision re: providing individuals harmed by violations of the HIPAA regulations with a percentage of any civil monetary penalties or settlements collected.
- HITECH provisions re: changes to the HIPAA Accounting of Disclosures provisions.
38 Upcoming Guidance/FAQs
- Privacy and Security for the "All of Us" (PMI) research program
- Text messaging
- Social Media
- Use of CEHRT & compliance with the HIPAA Security Rule (with ONC)
- RA/CMP Process
- Update of existing FAQs to account for Omnibus and other recent developments
- Minimum necessary
39 Recent Guidance: Ransomware and Cloud Computing
- Ransomware:
- Cloud Computing:
40 Monthly Guidance: Cybersecurity Newsletters
- February 2016: Ransomware, "Tech Support" Scam, New BBB Scam Tracker
- March 2016: Keeping PHI Safe, Malware and Medical Devices
- April 2016: New Cyber Threats and Attacks on the Healthcare Sector
- May 2016: Is Your Business Associate Prepared for a Security Incident?
- June 2016: What's in Your Third-Party Application Software?
- September 2016: Cyber Threat Information Sharing
- October 2016: Mining More than Gold (FTP)
- November 2016: What Type of Authentication is Right for You?
- December 2016: Understanding DoS and DDoS Attacks
- January 2017: Audit Controls
- February 2017: Reporting and Monitoring Cyber Threats
41 Don't let your program get stale, presuming you have one.
42 What should a Privacy or Security officer be doing now?
Keep up with (watch and listen):
- Current regulations: ongoing check across the enterprise
- Watch/listen for pending changes or challenges in potential regulation
  - NCVHS and HIT Privacy Workgroup
- Breach notices and stories
- NIST releases and sample security measures
- OCR audit information and other notices
- Monitor workforce actions and activities
- Monitor contracts and business associate agreements
43 What should a Privacy or Security officer be doing now?
Keep up with:
- Active participation in enterprise information governance
- Ongoing security auditing and risk analysis (all technology)
Planning:
- Breach strategic planning and workgroup: there will be a breach!
  - Monitoring team
  - Response team: who will do what, when, and how?
  - Back-ups for team
  - Business Associate breach
  - Workforce training
44 What should a Privacy or Security officer be doing now?
Keep up with training and education:
- Workforce orientation
  - New hire / volunteer orientation
  - On-going reminders and annual retraining
  - Security related training
  - Specialty training and awareness
- Patient training related to:
  - Patient portal access and use
  - Other technology
  - Consents and authorizations
45 What should a Privacy or Security officer be doing now?
Keep up with new technology and exchange:
- Home-based technologies
- Entity based technologies
- Enterprise patient portal or sponsored PHR
- HIE within and external to the enterprise
Keeping up with change:
- Physical plant
- Patient areas
- Data and information sites
46 Resources
- Office for Civil Rights (OCR-HHS)
- Office of the National Coordinator for Health Information Technology (ONC)
- Substance Abuse and Mental Health Services Administration
- National Institute of Standards and Technology - Healthcare
- Federal Register
47 Resources
- American Health Information Management Association
- American Records Management Association
- Health Care Compliance Association
- Health Information Management and Systems Society (HIMSS)
48 Resources
- OCR Security Resources
- OCR NIST Cross Walk: urity%20rule%20cross walk% %20finatpdf
- OCR - Right to Access
- ONC - Treatment Exchange: treatment.pdf
49 Resources
e-publications:
- EHR Intelligence
- Government Security Enews
- Healthcare Law Today (Foley & Lardner LLP)
- Health HIT Smart Brief
- Health IT News
50 Resources
e-publications (continued):
- Health Information Security
- HealthIT Security
- Information Management
51 Resources
OCR Audit:
- Audit Protocol
- Audit Pre-Screening Questionnaire
- BA Pre-Screening Questionnaire:
52 Questions?
HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 Breach Notification State Law Privacy Rule Authorizations Polices and Procedures The Truth Is Have created
More informationTechnology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014
Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014 Welcome! Thank you for joining us today. In today s call we ll cover the Security Assessment and next steps. If you want
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, 2016 6/21/2016 1 1 Disclaimer
More informationCore Elements of HIPAA The Privacy Rule establishes individuals privacy rights and addresses the use and disclosure of protected health information ( PHI ) by covered entities and business associates The
More informationCYBERSECURITY IN THE POST ACUTE ARENA AGENDA
CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities
More informationSecurity Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer
Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected
More informationHIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?
HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT? Are You a Covered Entity Or a Business Associate to a Covered
More informationDon t Be the Next Headline! PHI and Cyber Security in Outsourced Services.
Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationThe HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance
The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San
More informationDavid C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017
David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017 Privacy and security of patient information held by health care providers remains a concern of the federal government. More resources
More informationHIPAA Federal Security Rule H I P A A
H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created
More informationSecuring IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates
Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Ruby Raley, Director Healthcare Solutions Axway Agenda Topics: Using risk assessments to improve
More informationDON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY
DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare
More informationHIPAA COMPLIANCE AND DATA PROTECTION Page 1
HIPAA COMPLIANCE AND DATA PROTECTION info@resultstechnology.com 877.435.8877 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and RESULTS Cloud
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Iliana L. Peters, J.D., LL.M. Senior Advisor for HIPAA Compliance and Enforcement OCR RULEMAKING UPDATE What s s Done?
More informationHIPAA Security Rule: Annual Checkup. Matt Sorensen
HIPAA Security Rule: Annual Checkup Matt Sorensen Disclaimer This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationThese rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.
HIPAA Checklist There are 3 main parts to the HIPAA Security Rule. They include technical safeguards, physical safeguards, and administrative safeguards. This document strives to summarize the requirements
More informationThe simplified guide to. HIPAA compliance
The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act
More informationHIPAA Cloud Computing Guidance
HIPAA Cloud Computing Guidance Adam Greene, JD, MPH Partner Rebecca Williams, BSN, JD Partner Nature is a mutable cloud which is always and never the same Ralph Waldo Emerson 2 Agenda A few historical
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationData Backup and Contingency Planning Procedure
HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationHIPAA FOR BROKERS. revised 10/17
HIPAA FOR BROKERS revised 10/17 COURSE PURPOSE The purpose of this information is to help ensure that all Optima Health Brokers are prepared to protect the privacy and security of our members health information.
More informationHIPAA 101: What All Doctors NEED To Know
HIPAA 101: What All Doctors NEED To Know 1 HIPAA Basics HIPAA: Health Insurance and Portability Accountability Act of 1996 Purpose: to protect confidential information through improved security and privacy
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationBreach Notification Remember State Law
Breach Notification HITECH: First federal law mandating breach notification for health care industry Applies to covered entities, business associates, PHR vendors, and PHR service providers FTC regulates
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationInformation Governance, the Next Evolution of Privacy and Security
Information Governance, the Next Evolution of Privacy and Security Katherine Downing, MA, RHIA, CHPS, PMP Sr. Director AHIMA IG Advisors Follow me @HIPAAQueen 2017 2017 Objectives Part Part I IG Topic
More information8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID
Billing & Reimbursement Revenue Cycle Management 8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing and Reimbursement for Physician Offices, Ambulatory Surgery Centers and Hospitals Billings & Reimbursements
More informationSupport for the HIPAA Security Rule
white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe
More informationWhen the Other Brother Steps Up: State Privacy Enforcement Actions
When the Other Brother Steps Up: State Privacy Enforcement Actions Healthcare Enforcement Compliance Conference November 6, 2018 Washington, DC Blaine Kerr, CISA, CHPC Chief Privacy Officer Jackson Health
More informationPrivacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare
Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare Rita Bowen, MA, RHIA, CHPS, SSGB In her role of Vice President of Privacy, HIM Policy and Education, Bowen ensures new and existing
More informationFederal Breach Notification Decision Tree and Tools
Federal Breach Notification and Tools Disclaimer This document is copyright 2009 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers
More informationPrivacy Breach Policy
1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure
More informationHIPAA Security. An Ounce of Prevention is Worth a Pound of Cure
HIPAA Security An Ounce of Prevention is Worth a Pound of Cure Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA Healthicity Senior Compliance Executive Paul R. Hales, Attorney at Law Subject Matter Expert
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationPLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1
PLEASE NOTE This is an interactive panel, and we will be conducting voting throughout. To make voting easy, please register NOW, before the panel starts. To register: - Text the phrase MICHAELBERWA428
More informationHealthcare Privacy and Security:
Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association
More informationWhat is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS
What is HIPPA/PCI? In this digital era, where every bit of information pertaining to individuals has gone digital and is stored in digital form somewhere or the other, there is a need protect the individuals
More informationHIPAA Privacy, Security and Breach Notification 2017
HIPAA Privacy, Security and Breach Notification 2017 An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationHIPAA For Assisted Living WALA iii
Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...
More informationHIPAA Security. 1 Security 101 for Covered Entities. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationHIPAA Privacy and Security Training Program
Note The following HIPAA training is intended for Vendors, Business Associates, Students, Pre Approved Shadowers, and Visitors. The following training module does not provide credit for annual training
More informationAuditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC
Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements
More informationSummary Analysis: The Final HIPAA Security Rule
1 of 6 5/20/2005 5:00 PM HIPAAdvisory > HIPAAregs > Final Security Rule Summary Analysis: The Final HIPAA Security Rule By Tom Grove, Vice President, Phoenix Health Systems February 2003 On February 13,
More informationHIPAA Security & Privacy
HIPAA Security & Privacy New Omnibus Regulations Prepared by Keith Weiner for New York State HIMSS Omnibus Rule Released on January 25, 2013, the final 563 page Omnibus Rule is the largest sweeping change
More informationSecurity and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018
Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations Christopher S. Yoo University of Pennsylvania July 12, 2018 Overview of Research Tort and products liability for CPS Privacy and
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationHIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst
HIPAA Privacy and Security Kate Wakefield, CISSP/MLS/MPA Information Security Analyst Kwakefield@costco.com Presentation Overview HIPAA Legislative history & key dates. Who is affected? Employers too!
More informationIncident Response: Are You Ready?
Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher
More information(c) Apgar & Associates, LLC
Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher
More informationENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?
ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? Jonathan Carroll, MBA, CISSP AVP Enterprise IT Operations Information Security Officer University of Connecticut Why Are We Talking About This? Data breaches
More information