HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

Similar documents
What s New with HIPAA? Policy and Enforcement Update

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

P2. Health Information Privacy and Security Standards

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA Security and Privacy Policies & Procedures

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Policy and Procedure: SDM Guidance for HIPAA Business Associates


HIPAA & Privacy Compliance Update

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Highlights and Impact to your Telehealth Program. Wednesday, Sept 27, 2017

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Hospital Council of Western Pennsylvania. June 21, 2012

All Aboard the HIPAA Omnibus An Auditor s Perspective

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

HIPAA Security Checklist

HIPAA Security Checklist

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Data Backup and Contingency Planning Procedure

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Putting It All Together:

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

The ABCs of HIPAA Security

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Security Rule Policy Map

The simplified guide to. HIPAA compliance

HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

The Relationship Between HIPAA Compliance and Business Associates

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA Privacy, Security and Breach Notification

Electronic Communication of Personal Health Information

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

HIPAA Federal Security Rule H I P A A

Information Governance, the Next Evolution of Privacy and Security

HIPAA Cloud Computing Guidance

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Comes of Age: 21 Years of Privacy and Security

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

When the Other Brother Steps Up: State Privacy Enforcement Actions

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

Support for the HIPAA Security Rule

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Healthcare Privacy and Security:

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

The HIPAA Omnibus Rule

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

HIPAA 101: What All Doctors NEED To Know

HIPAA For Assisted Living WALA iii

Security Lessons Learned from HIPAA Enforcement

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

EXHIBIT A. - HIPAA Security Assessment Template -

2015 HFMA What Healthcare Can Learn from the Banking Industry

DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT

HIPAA Security Rule: Annual Checkup. Matt Sorensen

Vendor Security Questionnaire

Healthcare HIPAA and Cybersecurity Update

HIPAA Compliance & Privacy What You Need to Know Now

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Summary Analysis: The Final HIPAA Security Rule

Audits Accounting of disclosures

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare

Disaster Recovery and HIPAA Compliance

HIPAA FOR BROKERS. revised 10/17

HIPAA Enforcement Training for State Attorneys General

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

HCISPP HealthCare Information Security and Privacy Practitioner

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

HIPAA Security Manual

HIPAA Security & Privacy

Incident Response: Are You Ready?

Transcription:

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017 Session 9, February 20, 2017 Deven McGraw, Deputy Director, Health Information Privacy HHS Office for Civil Rights 1

Speaker Introduction Deven McGraw, JD, MPH Deputy Director Health Information Privacy Division HHS Office for Civil Rights 2

Conflict of Interest Deven McGraw, JD, MPH Has no real or apparent conflicts of interest to report. 3

Agenda 2017 Goals and Objectives Phase 2 Audits Compliance and Enforcement Cybersecurity Efforts 4

Learning Objectives Recognize OCR s 2017 Goals and Objectives Discuss OCR s Phase 2 Audit Program Compare OCR s 2016 and 2017 Compliance and Enforcement Actions Illustrate OCR s Cybersecurity Efforts 5

Electronic Secure Data, Enhanced Communication 6

2017 Goals and Objectives Administration transition - new priorities could be set Staff have developed recommendations for additional policy guidance (plus additional responsibilities re: implementation of the 21 st Century Cures Act). Continued execution of audit and enforcement of compliance with HIPAA Rules. 7

21 st Century Cures Act Calls for additional guidance: Accessing and sharing PHI for research purposes, including prep to research w/onc, common legal, governance and security barriers that prevent trusted exchange of health info w/onc, improving individual access to health information, including from BAs Ability to disclose treatment-related information about persons with mental health disorders, such as with close friends and family 8

Long-term Regulatory Agenda HITECH provision re: providing individuals harmed by violations of the HIPAA regulations with a percentage of any civil monetary penalties or settlements collected. HITECH provisions re: changes to HIPAA Accounting of Disclosure provisions. 9

Other guidance/faqs Privacy and Security for All of Us (PMI) research program Text messaging Social Media Use of CEHRT & compliance with HIPAA Security Rule (w/onc) Enforcement process Update of existing FAQs to account for Omnibus and other recent developments Minimum necessary 10

HIPAA COMPLIANCE AUDITS PHASE 2 AHIP 11

Purpose: Support Improved Compliance Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance Intended to be non-punitive, but OCR can open up compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond) Learn from this next phase in structuring permanent audit program Develop tools and guidance for industry self-evaluation and breach prevention 12

Program Status Desk audits underway 166 Covered Entities 45 Business Associates Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs On-site audits of both CEs and BAs in 2017,after completion of the desk audit process, to evaluate against a comprehensive selection of controls in protocols A desk audit subject may be subject to on-site audit 13

OCR Audit Phishing Scam November 2016 14

Desk Audit Reporting: Process After review of submitted documentation Draft findings shared with the entity Entity may respond in writing Final audit reports will Describe how the audit was conducted Present any findings, and Contain any written entity responses to the draft Under OCR s separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit 15

Covered Entity Desk Audit Controls Notice of Privacy Practices & Content Requirements [ 164.520(a)(1) & (b)(1)] Privacy Rule Controls Provision of Notice Electronic Notice [ 164.520(c)(3)] Right to Access [ 164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)] Breach Notification Rule Controls Security Rule Controls Timeliness of Notification [ 164.404(b)] Content of Notification [ 164.404(c)(1)] Security Management Process -- Risk Analysis [ 164.308(a)(1)(ii)(A)] Security Management Process -- Risk Management [ 164.308(a)(1)(ii)(B)] 16

Business Associate Desk Audit Controls Breach Notification Rule Controls Notification by a Business Associate [ 164.410, with reference to Content of Notification 164.404(c)(1)] Security Management Process -- Risk Analysis [ 164.308(a)(1)(ii)(A)] Security Rule Controls Security Management Process -- Risk Management [ 164.308(a)(1)(ii)(B)] 17

Audit Guidance Selected protocol elements with associated document submission requests and related Q&As Slides from audited entity webinar held July 13, 2016 Comprehensive question and answer listing OCR Website: http://www.hhs.gov/hipaa/for-professionals/complianceenforcement/audit/index.html 18

COMPLIANCE, ENFORCEMENT & CYBERSECURITY 19 AHIP 19

Lack of Business Associate Agreements HIPAA generally requires that covered entities and business associates enter into agreements with their business associates to ensure that the business associates will appropriately safeguard protected health information. See 45 C.F.R. 164.308(b). Examples of Potential Business Associates: A collections agency providing debt collection services to a health care provider which involves access to protected health information. An independent medical transcriptionist that provides transcription services to a physician. A subcontractor providing remote backup services of PHI data for an IT contractor-business associate of a health care provider. 20

Incomplete or Inaccurate Risk Analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. See 45 C.F.R. 164.308(a)(1)(ii)(A). Organizations frequently underestimate the proliferation of ephi within their environments. When conducting a risk analysis, an organization must identify all of the ephi created, maintained, received or transmitted by the organization. Examples: Applications like EHR, billing systems; documents and spreadsheets; database systems and web servers; fax servers, backup servers; etc.); Cloud based servers; Medical Devices Messaging Apps (email, texting, ftp); Media 21

Risk Analysis Guidance http://www.hhs.gov/ocr/priva cy/hipaa/administrative/secur ityrule/rafinalguidance.html http://scap.nist.gov/hipaa/ http://www.healthit.gov/provi ders-professionals/securityrisk-assessment 22

Failure to Manage Identified Risk The Risk Management Standard requires the [implementation of] security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]. See 45 C.F.R. 164.308(a)(1)(ii)(B). Investigations conducted by OCR regarding several instances of breaches uncovered that risks attributable to a reported breach had been previously identified as part of a risk analysis, but that the breaching organization failed to act on its risk analysis and implement appropriate security measures. In some instances, encryption was included as part of a remediation plan; however, activities to implement encryption were not carried out or were not implemented within a reasonable timeframe as established in a remediation plan. 23

Mobile Device Security http://www.healthit.gov/mobiledevices 24

Lack of Transmission Security When electronically transmitting ephi, a mechanism to encrypt the ephi must be implemented whenever deemed appropriate. See 45 C.F.R. 164.312(e)(2)(ii). Applications for which encryption should be considered when transmitting ephi may include: o Email o Texting o Application sessions o File transmissions (e.g., ftp) o Remote backups o Remote access and support sessions (e.g., VPN) 25

Lack of Appropriate Auditing The HIPAA Rules require the [implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. See 45 C.F.R. 164.312(b). Once audit mechanisms are put into place on appropriate information systems, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R. 164.308(a)(1)(ii)(D). Activities which could warrant additional investigation: o Access to PHI during non-business hours or during time off o Access to an abnormally high number of records containing PHI o Access to PHI of persons for which media interest exists o Access to PHI of employees 26

No Patching of Software The use of unpatched or unsupported software on systems which access ephi could introduce additional risk into an environment. Continued use of such systems must be included within an organization's risk analysis and appropriate mitigation strategies implemented to reduce risk to a reasonable and appropriate level. In addition to operating systems, EMR/PM systems, and office productivity software, software which should be monitored for patches and vendor end-of-life for support include: o Router and firewall firmware o Anti-virus and anti-malware software o Multimedia and runtime environments (e.g., Adobe Flash, Java, etc.) 27

Insider Threat Organizations must [i]mplement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information, as part of its Workforce Security plan. See 45 C.F.R. 164.308(a)(3). Appropriate workforce screening procedures could be included as part of an organization s Workforce Clearance process (e.g., background and OIG LEIE checks). See 45 C.F.R. 164.308(a)(3)(ii)(B). Termination Procedures should be in place to ensure that access to PHI is revoked as part of an organization s workforce exit or separation process. See 45 C.F.R. 164.308(a)(3)(ii)(C). 28

Disposal When an organization disposes of electronic media which may contain ephi, it must implement policies and procedures to ensure that proper and secure disposal processes are used. See 45 C.F.R. 164.310(d)(2)(i). The implemented disposal procedures must ensure that [e]lectronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800 88: Guidelines for Media Sanitization, such that the PHI cannot be retrieved. Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal. Organizations must ensure that all electronic devices and media containing PHI are disposed of securely; including non-computer devices such as copier systems and medical devices. 29

Insufficient Backup and Contingency Planning Organizations must ensure that adequate contingency plans (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R. 164.308(a)(7). Leveraging the resources of cloud vendors may aid an organization with its contingency planning regarding certain applications or computer systems, but may not encompass all that is required for an effective contingency plan. As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies. See 164.308(a)(7)(ii)(D). 30

2016-2017 Enforcement Actions HIPAA settlement demonstrates importance of implementing safeguards for ephi - January 18, 2017 First HIPAA enforcement action for lack of timely breach notification settles for $475,000 January 9. 2017 UMass settles potential HIPAA violations following malware infection November 22, 2016 $2.14 million HIPAA settlement underscores importance of managing security risk October 17, 2016 HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements September 23, 2016 Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million - August 4, 2016 Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016 Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016 Business Associate s Failure to Safeguard Nursing Home Residents PHI Leads to $650,000 HIPAA Settlement June 29, 2016 Unauthorized Filming for NY Med Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016 $750,000 settlement highlights the need for HIPAA business associate agreements Improper disclosure of research participants protected health information results in $3.9 million HIPAA settlement - March 17, 2016 $1.55 million settlement underscores the importance of executing HIPAA business associate agreements - March 16, 2016 Physical therapy provider settles violations that it impermissibly disclosed patient information - February 16, 2016 Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 - February 3, 2016 31

Cybersecurity OCR recently released guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats. http://www.hhs.gov/hipaa/forprofessionals/security/guidance/index.html 32

Cybersecurity Newsletters February 2016 Ransomware, Tech Support Scam, New BBB Scam Tracker March 2016 Keeping PHI safe, Malware and Medical Devices April 2016 New Cyber Threats and Attacks on the Healthcare Sector May 2016 Is Your Business Associate Prepared for a Security Incident June 2016 What s in Your Third-Party Application Software September 2016 Cyber Threat Information Sharing October 2016 Mining More than Gold (FTP) November 2016 What Type of Authentication is Right for you? December 2016 Understanding DoS and DDoS Attacks January 2017 Audit Controls http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html 33

Electronic Secure Data, Enhanced Communication 34

Questions http://www.hhs.gov/hipaa Join us on Twitter @hhsocr Please complete an online session evaluation 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback