HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Size: px

Start display at page:

Download "HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017"

Anissa Hood
6 years ago
Views:

1 HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

2 Breach Notification State Law Privacy Rule

3 Authorizations Polices and Procedures

4 The Truth Is

5 Have created confusion and misunderstanding across all healthcare organizations

6 Let s Talk Common Confusion and Misunderstanding

7 My organization is compliant because we have our notice of privacy practices created

8 My organization has great practices when it comes to HIPAA and we don t have to write them down

9 My Organization is too small to have to comply with the HIPAA Requirements

10 My EHR Vendor or Information Technology Vendor Took Care of Everything I Need to Do with Privacy and Security

11 HIPAA is far too complex and challenging

12 HIPAA in 2017

13 I don t have to comply

14 What Can the HealthCare Industry Expect Increased HIPAA Enforcement, including fines Increased Number of Data Breaches Continuance of the HIPAA Audit Program Continued focus on Patient's Rights under HIPAA Issues with cybersecurity attacks Continue Media Focus in Healthcare Privacy and Security

15 HIPAA Data Breaches

16 What is a Breach? An impermissible use or disclosure of PHI is "presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. HIPAA Breach Risk Assessment: Who was the unauthorized person who used the PHI or to whom was the PHI disclosed to? What is the nature and extent of the PHI involved and the likelihood of reidentification? Did the other party actually view or acquire the PHI? Has the risk to the PHI been mitigated and to what extent?

Examples of Potential Breaches An Employee inappropriately accesses a co-workers chart A fax is sent to the incorrect fax number A release of information is sent to the incorrect recipient An

17 Examples of Potential Breaches An Employee inappropriately accesses a co-workers chart A fax is sent to the incorrect fax number A release of information is sent to the incorrect recipient An employee blogs about their work day which included specific patient diagnosis that can link to a patient Someone has hacked into your EHR and obtained SSN for multiple patients A physician/employee inappropriately access a chart of a celebrity An with PHI in the context was sent to the incorrect recipient

18 Data Breach Requirements Investigation Who What When Where Why 4 Breach Risk Assessment Questions Notification Individuals Secretary of Health and Human Services Media (> 500) Business Associates 60 Days from the Date of Discovery No Unreasonable Delay Documentation Breach = YES Documentation that shows all notification were made, Date of Notification, Content of Notification Breach = NO Documentation from the Risk Assessment, low probability that the information was compromised Application of any of the exceptions and why

19 Unsecured vs. Secured PHI Unsecured PHI PHI that is not secured through the use of a technology or methodology specified by the Department of HHS (Potentially Breached Data) Secured PHI PHI that is considered unusable, unreadable, or indecipherable to unauthorized individuals Encryption Destruction

Data Breach Update Data Breaches continue to rise at an alarming rate Cybersecurity has created more threats to healthcare organizations 1857 Large Scale Data Breaches since September 2009

20 Data Breach Update Data Breaches continue to rise at an alarming rate Cybersecurity has created more threats to healthcare organizations 1857 Large Scale Data Breaches since September ,672,894 Individuals Impacted 2017 (so far) Theft & Loss are still the leading causes of healthcare data breaches

Number of Data Breaches < 500 Individuals by Year 329 295 274 269

21 Number of Data Breaches < 500 Individuals by Year (YTD)

22 Data Breaches by Covered Entity Type > 500 Individuals Impacted September March % 3% 15% 13% Business Associate Health Plan Helathcare Provider Healthcare Clearing House Unspecified 69%

23 Business Associate Involvement Data Breaches > 500 Individuals Impacted September March 2017 Business Associates, 315, 17% Covered Entities, 1542, 83%

24 Breach by Type Data Breaches > 500 Individuals September March % 15% 2% 4% 8% 4% Hacking/IT Incident Improper Disposal Loss Other Theft Unknown Unauthroized Access/Disclosure 42%

25 14% Location of Breach < 500 Individuals September March % 12% 5% Desktop Computer Electronic Medical Record 9% Laptop 8% Network Server 11% 18% Other Other Portable Devices Paper

26 Data Breaches Reported By Year Annual Report to Congress on Breaches of Unsecured Protected Health Information

28 2017 HIPAA Audits

29 Current Status of HIPAA Audits Desk Audits are Current Happening 166 Covered Entities 45 Business Associates The review is only on specific components of the HIPAA regulations On-site HIPAA Audits will begin in 2017, after desk audits are complete Intent of HIPAA Audits: Identify Best Practices Uncover new risks and vulnerabilities Detect areas for technical assistance Encourage consistent attention to compliance Develop tools and guidance for industry self-evaluation and breach prevention Intended to be non-punitive

32 HIPAA Documentation Requirements

33 Deven McGraw Deputy Director for Health Information Privacy Department of Health and Human Services' Office for Civil Rights Two aspects of HIPAA that will be extensively audited are enterprise-wide risk assessments and policies and processes

35 HIPAA Documentation Expectations Privacy Rule Documentation (i) A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule Requirements

HIPAA Documentation Expectations Security Rule Documentation 164.

36 HIPAA Documentation Expectations Security Rule Documentation (b)(1) Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment

37 Tell Me!

38 Tell Me!

39 2017 HIPAA Hot Topics

50 What s New with HIPAA Enforcement?

52 HIPAA Fines by the Years = $66,729,700 Year Total Number of HIPAA Fines with Resolutions Agreements Total Fines Collected $100, $2,500, $1,035, $6,165, $4,850, $3,065, $7,940, $6,193, $23,504, $11,375,000

How Can You Fight the Battle with Hacking Conduct a Risk Analysis/Assessment Conduct Vulnerability Assessments and Penetration Testing Encrypt data at rest Encrypt data in motion Encrypt Hardware

54 How Can You Fight the Battle with Hacking Conduct a Risk Analysis/Assessment Conduct Vulnerability Assessments and Penetration Testing Encrypt data at rest Encrypt data in motion Encrypt Hardware Know where data is stored and maintained Securely back up your data Keep systems up to date with updates Use antivirus solutions Use intrusion detection software Educate workforce members Have a Incident Security Plan ready (and test it)

55 HIPAA Success Tips Make the HIPAA Privacy and Security Officers known within the organization Have a clearly defined incident response/breach response process Report any concerns to organization leadership immediately Don t share any information learned from work to anyone that doesn t need to know it Educate Workforce Use strong passwords and change them Conduct information system activity review (Audit Reviews) Follow policies and procedures established by your organization Have automatic log off turned on for systems with PHI Don t allow others to access systems that you are logged into Don t share passwords or write down passwords Respect the security features established by your organization Don t leave computers in your car easily viewed (especially unlocked)

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,