HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

Size: px

Start display at page:

Download "HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure"

Nigel Bates
5 years ago
Views:

1 HIPAA Security An Ounce of Prevention is Worth a Pound of Cure

2 Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA Healthicity Senior Compliance Executive Paul R. Hales, Attorney at Law Subject Matter Expert and Author Disclaimer: Nothing in this presentation should be construed as legal advice nor relied upon as legal expertise.

3 Prevention in HIPAA Security An ounce of prevention is worth a pound of cure. --Benjamin Franklin

4 Prevention in HIPAA Security Today s Program 1. Recent Examples of HIPAA Enforcement 2. Lessons Learned HHS/OCR Priorities 3. HHS/OCR Priorities 2016 HIPAA Compliance Audits Underway Now

5 Advocate Health Care Network August 4, 2016 $5.55 Million Payment to U.S. HHS/ OCR HHS/OCR Closely Supervised 2 Year Corrective Action Plan Following 36 Month Exhaustive Investigation Privacy, Security & Breach Notification Rule Violations Business Associate involvement

6 Oregon Health & Science University July 28, 2016 $2.7 Million Payment to U.S. HHS/ OCR HHS/OCR Closely Supervised 3 Year Corrective Action Plan Following 41 Month Exhaustive Investigation Widespread Privacy and Security Violations Business Associate involvement

7 Oregon Health & Science University July 28, 2016 From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ephi, said OCR Director Jocelyn Samuels.

8 Oregon Health & Science University July 28, 2016 Director Samuels: This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.

9 Triple-S Management Corporation November 30, 2015 $3.5 Million Payment to U.S. HHS/ OCR HHS/OCR Closely Supervised 3 Year Corrective Action Plan Following 60 Month Exhaustive Investigation Privacy, Security & Breach Notification Rule Violations Business Associate involvement

10 Triple-S Management Corporation November 30, 2015 Background September 2010 Two former employees accessed member information Access rights were never terminated September 2013 and April 2014 Beneficiaries PHI disclosed on mailers No BAA with vendor that did the mailing January 2014 former employee copied member info onto CD and downloaded onto home PC October 2014 third mailer incident envelopes stuffed with wrong member ID cards Breaches greater than 500 records February another mailer incident August 2015 final mailing incident member treatment info sent to all members

11 Triple-S Management Corporation November 30, 2015 Corrective Action Plan Requires Triple S to: 1. Conduct Risk Analysis and Implement Risk Management Plan 2. Review and revise, as necessary, all Policies and Procedures to comply with the Federal standards governing Privacy and Security of individually identifiable health information. 3. Implement such Policies and Procedures within 30 days of HHS approval of revised Policies and Procedures. 4. Conduct mandatory Workforce training covering requirements of the Privacy, Security, and Breach Notification Rules

12 Lessons Learned HHS/OCR Priorities 1. HHS/OCR is Serious about Enforcement 2. Priorities A.HIPAA Risk Analysis Risk Management B.Up-to-Date Privacy, Security and Breach Notification Policies C.Workforce Training

Lessons Learned HHS/OCR Priorities HHS OCR Director Jocelyn Samuels Based on our enforcement experience and the breach reports we ve received, it is critical

13 Lessons Learned HHS/OCR Priorities HHS OCR Director Jocelyn Samuels Based on our enforcement experience and the breach reports we ve received, it is critical that entities take a comprehensive and thorough approach to assessing and addressing the risks to all of the protected health information (PHI) they maintain.

14 HHS/OCR HIPAA Compliance Audits Reflect HHS/OCR Priorities 1. HIPAA Risk Analysis Risk Management 2. Breach Notification Rule A. Timeliness of Notification B. Content of Notification 3. Patient Access to PHI A. Procedures and Allowable Fees 4. Notice of Privacy Practices A. Posting and making available through Web Site B. Content

16 Compliance Manager Total Management Complete Guidance Affordable for Everyone Bonus Resources

17 Compliance Services Leverage an Expert Optimize Revenue Improve Accuracy Save Time

18 Questions and Discussion

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,