Security Lessons Learned from HIPAA Enforcement

Similar documents
Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Hospital Council of Western Pennsylvania. June 21, 2012

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Breach Notification Remember State Law

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.


WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

What s New with HIPAA? Policy and Enforcement Update

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA Cloud Computing Guidance

Audits Accounting of disclosures

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Healthcare Privacy and Security:

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

When the Other Brother Steps Up: State Privacy Enforcement Actions

The ABCs of HIPAA Security

P2. Health Information Privacy and Security Standards

HIPAA Security & Privacy

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Federal Security Rule H I P A A

HIPAA Privacy and Security Training Program

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA & Privacy Compliance Update

Presented by: Jason C. Gavejian Morristown Office

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

A Glimpse Into Privacy and Security: Where Have We Been and Where Are We Going

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Clearwater HIPAA Security Assessment Software. Demonstration

Integrating HIPAA into Your Managed Care Compliance Program

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

The HIPAA Omnibus Rule

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

HIPAA Privacy, Security and Breach Notification

The simplified guide to. HIPAA compliance

Information Privacy and Security Training 2016 for Instructors and Students. Authored by: Office of HIPAA Administration

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

If a HIPAA Breach Happens, Are You Ready?

The Data Breach: How to Stay Defensible Before, During & After the Incident

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

HIPAA Security and Privacy Policies & Procedures

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

Information Privacy and Security Training Authored by: Office of HIPAA Administration

efolder White Paper: HIPAA Compliance

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Putting It All Together:

Latest Legal Threat for Providers Protecting Private Information in Text Messages, s and Other Electronic Transmissions

Speakers. Shellie Zavatsky Director of Internal Audit at Hurley Medical Center. Trent Long Director of Managed Privacy Services at FairWarning, Inc

Managing Cybersecurity Risk

SECURITY STATE OF THE INDUSTRY

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Policy and Procedure: SDM Guidance for HIPAA Business Associates

COMMENTARY. Information JONES DAY

Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare

Understanding the Impact of Data Privacy January 2012

EXHIBIT A. - HIPAA Security Assessment Template -

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

HIPAA Security and Research VALERIE GOLDEN, HIPAA SECURITY OFFICER

HIPAA and the Chiropractic Practice

Security and Privacy Breach Notification

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Data Compromise Notice Procedure Summary and Guide

Outline. Why Healthcare IT? Communication Issues

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

All Aboard the HIPAA Omnibus An Auditor s Perspective

The Law and The Reality Grace Wiechman, CISSP Guidant Corporation

Cyber Security Issues

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

A Security Risk Analysis is More Than Meaningful Use

I HAVE ALL THESE RECORDS. NOW WHAT? Serving Durham, Wake, Cumberland and Johnston Counties

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

Overview of Presentation

Opening and Closing the Door to Medicaid. Program Integrity Joseph Kopsa, MA, JD Section Chief Program Integrity DHH HIPAA Privacy & Security Officer

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Transcription:

Security Lessons Learned from HIPAA Enforcement Presentation to HealthSec 12 August 7, 2012 Adam H. Greene, J.D., M.P.H. Partner, Davis Wright Tremaine

Enforcement of the Security Rule HIPAA Security Rule published in 2003 with compliance date of April 2005. Initially enforced by HHS Centers for Medicare & Medicaid Services (CMS) HHS Office for Civil Rights (OCR) took over enforcement in July 2009 2

Security Rule Closures (April 2005 to December 2011) 3

Top Security Issues (April 2003 to 2009) 1. Lack of information access management 2. Lack of access controls 3. Lack of security awareness and training 4. Lack of security incident response and reporting 5. Lack of device and media controls 4

Top Security Issues (2011) 1. Lack of risk analysis 2. Lack of security incident response and reporting 3. Lack of security awareness and training 4. Lack of access controls 5. Failure to address encryption and decryption (data in storage) 5

Overview of Breach Reports 452 large breaches reported between Sept. 2009 and June 2012 Over 50,000 small breaches reported in same period Over 20 million individuals affected by large breaches 6

Lesson 1: You should be less concerned with: And more concerned with: 7

Causes of Large Breaches (by number of breaches) Sept. 2009 to June 2012 Unknown, 7, 1% Improper Disposal, 24, 5% Hacking/IT Incident, 31, 7% Other, 3, 1% Loss, 59, 13% Theft, 234, 52% Unauthorized Access/Disclosure, 93, 21% 8

Cause of Large Breach (by # of affected individuals) Sept. 2009 to June 2012 Unknown, 350,961, 2% Improper Disposal, 1,230,299, 6% Hacking/IT Incident, 1,565,300, 7% Other, 156,398, 1% Loss, 2,226,160, 11% Theft, 7,924,146, 38% Unauthorized Access/Disclosure, 7,314,610, 35% 9

Lesson 2: The highest number of breaches involve: a) Desktops b) Laptops c) Other portable devices d) Paper 10

Location of Large Breaches (by # of breaches) Sept. 2009 to June 2012 Other (Backup Tapes), 5, 1% Electronic Medical Record, 8, 2% Other (hard drives), 1, 0% Other, 36, 8% Paper, 114, 25% Laptop, 104, 23% E-mail, 11, 3% Network Server, 47, 10% Computer, 61, 14% Other Portable Electronic Device, 65, 14% 11

Location of Large Breach (# of individuals affected) Sept. 2009 to June 2012 E-mail, 267,172, 1% Paper, 643,912, 3% Other Portable Electronic Device, 981,131, 5% Other (hard drives), 1,023,209, 5% Electronic Medical Record, 1,146,335, 6% Laptop, 1,938,235, 9% Other (Backup Tapes), 6,284,483, 30% Computer, 2,290,566, 11% Other, 3,799,900, 18% Network Server, 2,393,017, 12% 12

Lesson 3: It isn t me, it s you Many large breaches are caused by business associates, not covered entities 13

Large Breaches Caused by BAs (by # of breaches) Sept. 2009 to June 2012 Business Associate, 96, 21% Covered Entity, 356, 79% 14

Large Breaches (by # of affected individuals) Sept. 2009 to June 2012 Business Associate, 12,083,409, 58% Covered Entity, 8,684,465, 42% 15

Privacy and Security Audits First substantial HIPAA privacy and security audits First proactive review (rather than incident driven) Audits include site visits and audit reports Includes very limited notice (10-15 business days to produce documents) Site visits of 3-5 persons for 3-10 days 16 16

Who Will Be Audited: First 20 Audits Level 1 > $1B Level 2 $300M - $1B Level 3 $50M - $300M Level 4 <$50M Total Health Plans 2 3 1 2 8 Health care providers Healthcare clearinghouses 2 2 2 4 10 1 1 0 0 2 5 6 3 6 20 17 17

Initial Audit Results Source: 2012 HIPAA Privacy and Security Audits, OCR/NIST Conference, 6/7/12 18

Initial Audit Results Source: 2012 HIPAA Privacy and Security Audits, OCR/NIST Conference, 6/7/12 19

Initial Audit Results Source: 2012 HIPAA Privacy and Security Audits, OCR/NIST Conference, 6/7/12 20

Initial Audit Results Source: 2012 HIPAA Privacy and Security Audits, OCR/NIST Conference, 6/7/12 21

Initial Audit Results Source: 2012 HIPAA Privacy and Security Audits, OCR/NIST Conference, 6/7/12 22

HHS Settlements/Penalties Issues that have led to HHS settlements*: Breaches involving over 350,000 (Providence, BCBS of Tennessee) Breaches involving sensitive information, such as HIV or celebrities (Mass General, UCLA) Improper disposal caught on tape (CVS, Rite Aid) * Settlements represent allegations not formal findings 23

HHS Settlements/Penalties Issues that have led to HHS settlements*: Improper disclosure for marketing (discovered through OIG/DOJ false claims investigation) (MSO Washington) Inappropriate use of online calendar/general lack of compliance, lack of BAs (Phoenix Cardiac Surgeons) Issue that has led to a penalty Refusal to cooperate with OCR investigation (Cignet) * Settlements represent allegations not formal findings 24

State AGs Join the Party HITECH Act (2009) provided State attorneys general authority to enforce HIPAA Four suits have been brought (three settled) (CT, VT, MN, and MA) None have coincided with HHS formal action Issue that has led to AG actions: Large breaches Large breach can lead to multiple AG settlements and other enforcement Average settlement: $260,000 * Settlements represent allegations not formal findings 25 25

HIPAA Criminal Cases Almost 20 criminal convictions Began mostly with financial fraud cases More recent convictions involve snooping Mostly employees Penalties range from probation and community service to over a year imprisonment 26

Lessons Learned HHS and State AGs focus enforcement on breaches and headlines Encrypt, encrypt, encrypt Focus on large data sets, including back-up tapes and spreadsheets Pay close attention to VIPs and sensitive information 27 27

Lessons Learned HHS tends to look for systematic problems Was a breach due to systematic failures? Were there policies? Training? Sanctions? Auditing? HHS has a history of voluntary enforcement, but settlements are increasing (a few a year) 28 28

For more information Adam H. Greene, JD, MPH adamgreene@dwt.com 202.973.4213 29

Questions 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback