Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Similar documents
Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

HIPAA & Privacy Compliance Update

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

HIPAA-HITECH: Privacy & Security Updates for 2015

What s New with HIPAA? Policy and Enforcement Update

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Cloud Computing Guidance

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017


Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Security Lessons Learned from HIPAA Enforcement

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

The ABCs of HIPAA Security

HIPAA Privacy, Security and Breach Notification

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

HIPAA For Assisted Living WALA iii

The HIPAA Omnibus Rule

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA Security and Privacy Policies & Procedures

efolder White Paper: HIPAA Compliance

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Patient Access & Charging for Medical Records. General Right to Access. Requests for Access. Charging for Copies

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Putting It All Together:

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

All Aboard the HIPAA Omnibus An Auditor s Perspective

HIPAA Comes of Age: 21 Years of Privacy and Security

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Healthcare Privacy and Security:

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

HIPAA FOR BROKERS. revised 10/17

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

University of Wisconsin-Madison Policy and Procedure

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Overview of Presentation

HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Patient Right Access to PHI Understanding Recent OCR Guidance. Sondra Hornsey, CHC, CHPC HIPAA Privacy Officer, Washington University March 31, 2016

Employee Security Awareness Training Program

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA Tips and Advice for Your. Medical Practice

HIPAA Privacy, Security and Breach Notification 2017

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

The Relationship Between HIPAA Compliance and Business Associates

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Introduction CHAPTER 1

HIPAA Security Checklist

HIPAA Security Checklist

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Security and Privacy Breach Notification

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

HIPAA Security Rule: Annual Checkup. Matt Sorensen

Integrating HIPAA into Your Managed Care Compliance Program

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

American Academy of Audiology Responses to Questions from HIPAA Webinar

HIPAA Federal Security Rule H I P A A

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Breach Notification Remember State Law

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

HIPAA Privacy, Security and Breach Notification 2018

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security Manual

If a HIPAA Breach Happens, Are You Ready?

by Robert Hudock and Patricia Wagner April 2009 Introduction

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

01.0 Policy Responsibilities and Oversight

HIPAA Privacy and Security Training Program

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA Compliance and Auditing in the Public Cloud

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

The simplified guide to. HIPAA compliance

Policy. Policy Information. Purpose. Scope. Background

Presented by: Jason C. Gavejian Morristown Office

Transcription:

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Wandah Hardy, RN BSN, MPA Equal Opportunity Specialist/Investigator Office for Civil Rights (OCR) U.S. Department of Health and Human Services DISCLAIMER These power point slides, along with the remarks of Ms. Hardy, are intended to be purely informational and informal in nature. Nothing in the slides or in Ms. Hardy s statements are intended to represent orreflect the official interpretation or position of the United States Department of Health and Human Services, the Office for Civil Rights. 1

Updates Policy Development Breach Notification Enforcement Audit 3 POLICY DEVELOPMENT 4 2

Access Guidance HIPAA Right of Access Guidance Issued in two phases in early 2016 Comprehensive Fact Sheet Series of FAQs Scope Form and Format and Manner of Access Timeliness Fees Directing Copy to a Third Party, and Certain Other Topics 5 Access Guidance Access Scope Designated record set broadlyincludes medical, payment, and other records used to make decisions about the individual Doesn t matter how old the PHI is, where it is kept, or where it originated Includes clinical laboratory test reports and underlying information (including genomic information) 6 3

Access Guidance Access Scope (cont.) Very limited exclusions and grounds for denial E.g., psychotherapy notes, information compiled for litigation, records not used to make decisions about individuals (e.g., certain business records) BUT underlying information remains accessible Covered entity may not require individual to provide rationale for request or deny based on rationale offered No denial for failure to pay for health care services Concerns that individual may not understand or be upset by the PHI not sufficient to deny access 7 Access Guidance Access Requests for Access Covered entity may require written request Can be electronic Reasonable steps to verify identity BUTcannot create barrier to or unreasonably delay access E.g., cannot require individual to make separate trip to office to request access 8 4

Access Guidance Access Form and Format and Manner of Access Individual has right to copy in form and format requested if readily producible If PHI maintained electronically, at least one type of electronic format must be accessible by individual Depends on capabilities, not willingness Includes requested mode of transmission/transfer of copy Right to copy by e-mail (or mail), including unsecure e-mail if requested by individual (plus light warning about security risks) Other modes if within capabilities of entity and mode would not present unacceptable security risks to PHI on entity s systems 9 Access Guidance Access Timeliness and Fees Access must be provided within 30 days (one 30-day extension permitted) BUT expectation that entities can respond much sooner Limited fees may be charged for copy Reasonable, cost-based fee for labor for copying (and creating summary or explanation, if applicable); costs for supplies and postage No search and retrieval or other costs, even if authorized by State law Entities strongly encouraged to provide free copies Must inform individual in advance of approximate fee 10 5

Access: Designated 3 rd Party Third Party Access to an Individual s PHI Individual s right of access includes directing a covered entity to transmit PHI directly to another person, in writing, signed, designating the person and where to send a copy (45 CFR 164.524) Individual may also authorize disclosures to third parties, whereby third parties initiate a request for the PHI on their own behalf if certain conditions are met (45 CFR 164.508) 11 Platform for users to influence guidance http://hipaaqsportal.hhs.gov/ HIT Developer Portal OCR launched platform for mobile health developers in October 2015; purpose is to understand concerns of developers new to health care industry and HIPAA standards Users can submit questions, comment on other submissions, vote on relevancy of topic OCR will consider comments as we develop our priorities for additional guidance and technical assistance Guidance issued in February 2016 about how HIPAA might apply to a range of health app use scenarios FTC/ONC/OCR/FDA Mobile Health Apps Interactive Tool on Which Laws Apply issued in April 2016 12 6

Platform for users to influence guidance http://hipaaqsportal.hhs.gov/ October 2015 Cloud Guidance Cloud Computing Guidance OCR released guidance clarifying that a CSP is a business associate and therefore required to comply with applicable HIPAA regulations when the CSP creates, receives, maintains or transmits identifiable health information (referred to in HIPAA as electronic protected health information or ephi) on behalf of a covered entity or business associate. When a CSP stores and/or processes ephi for a covered entity or business associate, that CSP is a business associate under HIPAA, even if the CSP stores the ephi in encrypted form and does not have the key. CSPs are not likely to be considered conduits, because their services typically involve storage of ephi on more than a temporary basis. http://www.hhs.gov/hipaa/for-professionals/special-topics/cloudcomputing/index.html http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associateof-a-hipaa-covered-entity-block-or-terminate-access/index.html 14 7

New Cybersecurity Guidance page Cyber Security Guidance Material HHS OCR has launched a Cyber Security Guidance Material webpage, including a Cyber Security Checklist and Infographic, which explain the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident. Cyber Security Checklist - PDF Cyber Security Infographic[GIF 802 KB] https://www.hhs.gov/hipaa/forprofessionals/security/guidance/cybersecurity/index.html 15 Cybersecurity Newsletters Cybersecurity Newsletters 15 issues in total 2017 Newsletters January 2017 (Understanding the Importance of Audit Controls) February 2017 (Reporting and Monitoring Cyber Threats) April 2017 (Man-in-the-Middle Attacks and HTTPS Inspection Products ) May 2017 (Plan, Respond, and Report!) http://www.hhs.gov/hipaa/forprofessionals/security/ guidance/index.html OCR Activity Update 16 8

Cybersecurity Ransomware Guidance OCR recently released guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats. http://www.hhs.gov/hipaa/forprofessionals/security/guidance/index.html 17 BREACH HIGHLIGHTS AND RECENT ENFORCEMENT ACTIVITY 18 9

Breach Notification Breach Notification Requirements Covered entity must notify affected individuals, HHS, and in some cases, the media, of breach Business associate must notify covered entity of breach Notification to be provided without unreasonable delay (but no later than 60 calendar days) after discovery of breach Annual reporting to HHS of smaller breaches (affecting less than 500 individuals) permitted OCR posts breaches affecting 500+ individuals on OCR website 19 HIPAA Breach Highlights September 2009 through July 31, 2017 Approximately 2,017 reports involving a breach of PHI affecting 500 or more individuals Theft and Loss are 48% of large breaches Hacking/IT now account for 17% of incidents Laptops and other portable storage devices account for 26% of large breaches Paper records are 21% of large breaches Individuals affected are approximately 174,974,489 Approximately 293,288 reports of breaches of PHI affecting fewer than 500 individuals 20 10

HIPAA Breach Highlights 500+ Breaches by Type of Breach as of July 31, 2017 Improper Disposal 3% Other 5% Unknown 1% Hacking/IT 17% Theft 40% Unauthorized Access/Disclosure 27% Loss 8% 21 HIPAA Breach Highlights 500+ Breaches by Location of Breach as of July 31, 2017 EMR 6% Other 10% Paper Records 21% Email 10% Network Server 17% Laptop 17% Desktop Computer 10% Portable Electronic Device 9% 22 11

What Happens When HHS/OCR Receives a Breach Report OCR posts breaches affecting 500+ individuals on OCR website (after verification of report) Public can search and sort posted breaches OCR opens investigations into breaches affecting 500+ individuals, and into number of smaller breaches Investigations involve looking at: Underlying cause of the breach Actions taken to respond to the breach (including compliance with breach notification requirements) and prevent future incidents Entity s compliance prior to breach 23 General Enforcement Highlights Over 158,293 complaints received to date Over 25,312 cases resolved with corrective action and/or technical assistance Expect to receive 17,000 complaints this year As of 7/31/2017 24 12

General Enforcement Highlights In most cases, entities able to demonstrate satisfactory compliance through voluntary cooperation and corrective action In some cases though, nature or scope of indicated noncompliance warrants additional enforcement action Resolution Agreements/Corrective Action Plans 49 settlement agreements that include detailed corrective action plans and monetary settlement amounts 3 civil money penalties As of July 31, 2017 25 Recent Enforcement Actions 2017 Enforcement Actions St. Luke's-Roosevelt Hospital Center Memorial Hermann Health System CardioNet Center for Children s Digestive Health Metro Community Provider Network Memorial Healthcare System Children s Medical Center of Dallas 26 13

Recurring Compliance Issues Recurring Compliance Issues Business Associate Agreements Risk Analysis Failure to Manage Identified Risk, e.g. Encrypt Lack of Transmission Security Lack of Appropriate Auditing No Patching of Software Insider Threat Improper Disposal Insufficient Data Backup and Contingency Planning 27 Corrective Action Corrective Actions May Include: Updating risk analysis and risk management plans Updating policies and procedures Training of workforce Implementing specific technical or other safeguards Mitigation CAPs may include monitoring 28 14

Good Practices Some Good Practices: Review all vendor and contractor relationships to ensure BAAs are in place as appropriate and address breach/security incident obligations Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned Dispose of PHI on media and paper that has been identified for disposal in a timely manner Incorporate lessons learned from incidents into the overall security management process Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members critical role in protecting privacy and security 29 Audit Program AUDIT 30 15

Audit Program HITECH Audit Program Purpose: Identify best practices; uncover risks and vulnerabilities not identified through other enforcement tools; encourage consistent attention to compliance Intended to be non-punitive, but OCR can open up compliance review (for example, if significant concerns are raised during an audit) Also hope to learn from this next phase in structuring permanent audit program 31 Audit Program History HITECH legislation: HHS (OCR) shall provide for periodic audits to ensure that covered entities and business associates comply with HIPAA regulations. (Section 13411) Pilot phase (2011-2012) comprehensive, on-site audits of 115 covered entities. 2013 issuance of formal evaluation report 2016 Phase 2 (ongoing) between 200-250 onsite and desk audits of covered entities and business OCR Activity Update 32 16

Audit Program Selected Desk Audit Provisions For Covered Entities: Security Rule: risk analysis and risk management; Breach Notification Rule: content and timeliness of notifications; or Privacy Rule: NPP and individual access right For Business Associates: Security Rule: risk analysis and risk management and Breach Notification Rule: reporting to covered entity See protocol on-line for details: http://www.hhs.gov/sites/default/files/2016hipaadeskauditauditeeguidance.pdf OCR Activity Update 33 Audit Program Status 167 Covered entity desk audits underway; desk audits of business associates began in November. On-site audits will begin in 2017. On-site audits will evaluate auditees against comprehensive selection of controls in the audit protocol: http://www.hhs.gov/hipaa/for-professionals/complianceenforcement/audit/protocol/ OCR Activity Update 34 17

More Information http://www.hhs.gov/hipaa Join us on Twitter @hhsocr 35 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback