Not Just Another Day of HIPAA

Size: px

Start display at page:

Download "Not Just Another Day of HIPAA"

Jeffry Marshall
5 years ago
Views:

Not Just Another Day of HIPAA Presented by: Patti Klingel, PhD, CPHQ, CRM, CHC Director of Corporate Compliance & Organizational Ethics United Church Homes, Inc.

(UCH) and have provided compliance consult audits for United Church Homes Management.

1 Not Just Another Day of HIPAA Presented by: Patti Klingel, PhD, CPHQ, CRM, CHC Director of Corporate Compliance & Organizational Ethics United Church Homes, Inc. Disclosure I have no vested interest in any company that conducts HIPAA privacy and security audits. I am an employee of United Church Homes, Inc. (UCH) and have provided compliance consult audits for United Church Homes Management. A little about me and my role at United Church Homes Director of Corporate Compliance & Organizational Ethics since 2015 Conduct audits for Affordable Senior Housing and CCRC Communities in 14 states Appointed as the Corporate HIPAA Privacy Officer in

regularly planned internal audit Understand the value of an outside expert

2 Objectives At the end of this session you will: Realize you are NOT alone in your tracking and reporting breaches Be able to describe the value of a regularly planned internal audit Understand the value of an outside expert conducting a HIPAA/Security audit So how did I get here? In a period of 18 months..this happened! 2

3 Three staff members attending the same conference at the same hotel had their laptops stolen from their vehicles. The good: All were password protected Two were carbonite protected (backup/recovery software details available) One was brand new with no data saved on it The not good They were left in plain sight on the seat in their cars The laptops were replaced at a cost to the organization It was reportable to the Office of Civil Rights (OCR) Oops. Two cell phones were reported lost/stolen 3

The good: One phone was password protected One phone was immediately reported stolen/service disconnected/phone wiped The not good: One phone was never found One phone stolen was not password

4 The good: One phone was password protected One phone was immediately reported stolen/service disconnected/phone wiped The not good: One phone was never found One phone stolen was not password protected Took 11 days to be reported lost/stolen before service was turned off/phone wiped It was reportable to OCR The wrong resident information as faxed to the wrong specialist (not a veterinarian ~smile~) The wrong resident information was sent with another resident to a physician s office who politely returned it to the resident s family to take back to the Community. Oops.. The good: We found the fax number was inadvertently changed by mistake We standardized the process of how nurses process records for residents to take on their physician office visits The not good: The incidents were both reportable to OCR 4

CEO emailed a request for all W-2 s of the entire organization to be sent to another company to evaluate our benefit structure.

5 CEO ed a request for all W-2 s of the entire organization to be sent to another company to evaluate our benefit structure. The payroll employee checked with their boss, who checked with their boss, and determined that if that s what the CEO requested, they should follow the request. It turned out to be a Phishing scam. The Good We had cyber insurance that covered the claim We were able to provide fraud protection to all our employees for a year It was not reportable to the OCR The Not Good It affected the unprocessed tax returns of all United Church Homes employees All employees affected had to file an IRS form We had to report to local (police), state (State Attorney General in 14 states) and federal (FBI/IRS) entities 5

Next steps Internal auditing was completed annually as required by National Institute of Standard & Technology (NIST) by VP of IT VP of IT left in 2016 Interim Director of IT appointed (Contracted

6 Next steps Internal auditing was completed annually as required by National Institute of Standard & Technology (NIST) by VP of IT VP of IT left in 2016 Interim Director of IT appointed (Contracted person) Questions about auditing and training Was it enough? Were we looking in the right places? Were we looking at the right things? Were we missing items? Is our education process intact? Compliance Committee Compliance Committee for suggestions/recommendations Another internal audit? Issues identified: Contracted Interim Director had never conducted a NIST security audit Director of Corporate Compliance didn t have necessary security access to conduct some of the required audits The IT team had never been trained in security provisions of the HIPAA regulations. Recommendations: Look at 3 outside vendors for consulting assistance and quotes 6

What we did in the meantime Took immediate steps related to cyber crime into our own hands Contracted with an organization KnowBe4 Provided education/training to staff related to: Phishing

7 What we did in the meantime Took immediate steps related to cyber crime into our own hands Contracted with an organization KnowBe4 Provided education/training to staff related to: Phishing schemes/cyber crime Virus potential via s, etc. Reporting all HIPAA privacy and security issues Started with an internet search What is a HIPPA compliance audit? Definition by OCR: The HIPAA audit program is an important part of Office of Civil Right s (OCR) overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. What we searched for: A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. 7

8 What we found Hundreds of consultants Hundreds of specialty consultants Dental Hospital Healthcare, etc. Hundreds of locations (Canada to Mexico Maine to Hawaii) Hundreds of contact information (phone consults, on site consults, video consults, etc.) Opportunities Searched and spoke with vendors Had the opportunity to view two presentations of the three we targeted Determined the one that could provide the best service Decided to do the HIPAA Privacy as a side but to really focus on HIPAA Security Consultant Process First we uploaded all our P&P s related to HIPAA privacy and security for review Second did an external vulnerability scan of our IP addresses Third did a walkthrough of four sites Two large CCRC s One small SNF Community Corporate Office 8

9 What THEY found! Findings Privacy Good Policies would cover us Many staff were aware of the P&P s Reporting appropriately Privacy liaisons in every buildings Everyone reported to the Corporate Privacy Officer Corporate Privacy Officer reported all breaches to OCR Not Good: Missing elements in several policies No standard formal investigation policy No standard formal investigation documentation process Findings (continued) Security Good We were willing to fix things 9

Findings (continued) Not good Over 3,000 had access to EHR Vulnerability scan revealed a virus Servers were not all secured Documents (paper medical records) were not all secured No tracking

10 Findings (continued) Not good Over 3,000 had access to EHR Vulnerability scan revealed a virus Servers were not all secured Documents (paper medical records) were not all secured No tracking mechanism for hardware No tracking mechanism for Personal Health information data at rest Encryption was not prevalent Staff were using guest network (technically unsecure) Security policies were lacking What we received from the audit Formalized report of the Privacy and Security findings. A letter of authentication of our NIST audit. Recommendations for privacy updates to policies/procedures Recommendations for security policies and procedures A hand holding session on working through the recommendations Ongoing support for security including ongoing scans, updates and policy releases. What we really got out of the audit? 10

11 What we have completed Officially appointed by the Board: HIPAA Privacy Officer HIPAA Security Officer Updated Privacy P&P s Formulated Security P&P s Prioritized our audit findings into Very High, High, or Moderate priorities Thank YOU! Questions? Patti Klingel, PhD, CPHQ, CRM, CHC Director of Corporate Compliance & Organizational Ethics Phone pklingel@uchinc.org 11

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements