Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute


Health Law Institute
Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More
Brooke Bennett Aziere, October 18, 2017

Agenda
- Enforcement Trends
- Phase 2 HIPAA Audits
- Upcoming Initiatives

Enforcement
- 2016: record year for resolution agreements and civil monetary penalties: 13 actions, nearly $25M in penalties
- So far in 2017: 8 actions, over $17M in penalties

Enforcement Trends: Timely Notification of Breach
Presence Health Network (January 9, 2017)
- Paper surgery scheduling sheets; loss occurred in 2013
- 836 patients
- 45 days late in notifying patients
- $475,000 settlement; Corrective Action Plan

Enforcement Trends: Loss of Portable Devices
Children's Medical Center of Dallas (February 1, 2017)
- A series of lost BlackBerrys and laptops, stemming from pre-Breach Rule through April 2013
- $3.2M penalty (no voluntary settlement)
- Aware of the risks: Security Gap Analysis (2006/2007); PricewaterhouseCoopers (2008)
- But took no action and issued unencrypted portable devices to staff

Enforcement Trends: OCR requires CEs to act on identified risks
- Children's Medical Center of Dallas
- University of Mississippi Medical Center (discussed at 2016 Health Law Institute)
- Oregon Health and Science University (discussed at 2016 Health Law Institute)

Enforcement Trends: Loss of Portable Devices
CardioNet (April 24, 2017)
- First case involving a wireless healthcare provider
- Stolen laptop
- $2.5M settlement; Corrective Action Plan

Enforcement Trends: Lack of Security Risk Analysis
Metro Community Provider Network (April 12, 2017)
- Federally-qualified health center (FQHC)
- Hacker and phishing emails; 3,200 individuals
- No risk analysis completed until after the incident
- $400,000 settlement; Corrective Action Plan

Enforcement Trends: Access and Audit Controls
Memorial Healthcare System (February 16, 2017)
- Former employee's access not terminated
- Accessed daily without detection for 1 year
- 80,000 patients impacted
- $5.5M settlement; Corrective Action Plan

Enforcement Trends: Impermissible Disclosures
Memorial Hermann Health System (May 10, 2017)
- Patient presented allegedly fraudulent identification card to staff
- Reported to law enforcement -- PERMITTED
- Issued press release
- $2.5M settlement; Corrective Action Plan

Enforcement Trends: Impermissible Disclosures
St. Luke's-Roosevelt Hospital (May 23, 2017)
- Sensitive information faxed to employer: HIV status, sexually transmitted diseases, sexual orientation, mental health
- $387,000 settlement; Corrective Action Plan

Enforcement Trends: Business Associate Agreements
- Continuing enforcement issue
- Raleigh Orthopedic Clinic (discussed at 2016 Health Law Institute)
- Care New England Health System (discussed at 2016 Health Law Institute)
- OCR's message: have them

Enforcement Trends
Centers for Children's Digestive Health (April 20, 2017)
- Lack of BAA; BA stored patient records
- $31,000 settlement; Corrective Action Plan

Additional Trends*: Lack of Transmission Security
- When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate. See 45 C.F.R. 164.312(e)(2)(ii).
- Applications for which encryption should be considered: email; texting; file transmission (e.g., FTP); remote backups; remote access and support sessions (e.g., VPN)

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)

Additional Trends*: Lack of Auditing
- The HIPAA Rules require the [implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. See 45 C.F.R. 164.312(b).
- Regular review of information systems activity is required
- Activities which could require additional investigation:
  - Access to ePHI during non-business hours or during PTO
  - Access to an abnormally high number of records containing ePHI
  - Access to ePHI of high-profile individuals
  - Access to PHI of employees

Additional Trends*: Insufficient Backup/Contingency Planning
- Organizations must ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R. 164.308(a)(7).
- Periodic testing
- Revisions to address deficiencies
- Important note from OCR on use of cloud vendors: cloud services may aid with contingency planning, but may not encompass all that is required for an effective contingency plan

*Identified by OCR at the OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)
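The "regular review of information systems activity" that OCR describes is easier to see as code than as a bullet list. The following Python script is an added example, not part of the presentation or of any OCR material: it parses a constructed ePHI access log and flags exactly the four review triggers listed above (access outside business hours or during PTO, an abnormally high daily record count, access to high-profile patients, and access to PHI of employees). The log format, the user and patient identifiers, the PTO calendar, the high-profile and employee lists, and the 20-records-per-day threshold are all assumptions chosen for illustration; a real program would draw them from the EHR audit trail, the HR system and the organisation's own risk analysis.

```python
"""Review of ePHI access-log activity for the review triggers OCR lists.

Added example, not from the presentation. The log format, user names,
patient identifiers, PTO calendar, high-profile and employee lists and the
volume threshold are all constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <patient_id> <records_accessed>".
# asmith's 25 accesses on 2017-09-05 are generated to model a high-volume day.
SAMPLE_LOG_LINES = [
    "2017-09-05T09:12:00 jdoe   P1001 3",
    "2017-09-05T23:40:00 jdoe   P1002 1",   # outside business hours
    "2017-09-06T10:15:00 jdoe   P1003 2",   # jdoe is on PTO this day (see PTO)
    "2017-09-06T11:00:00 rlee   P9001 2",   # high-profile patient
    "2017-09-06T14:30:00 rlee   P3003 1",   # patient who is also an employee
] + [f"2017-09-05T10:{m:02d}:00 asmith P2{m:03d} 1" for m in range(25)]

# Constructed reference data that an access-review process would maintain.
PTO = {"jdoe": {"2017-09-06"}}            # user -> set of PTO dates (ISO)
HIGH_PROFILE = {"P9001"}                  # patients flagged as high profile
EMPLOYEE_PATIENTS = {"P3003"}             # patients who are workforce members
BUSINESS_HOURS = (8, 18)                  # weekdays, 08:00 <= hour < 18:00
DAILY_RECORD_THRESHOLD = 20               # records per user per day before review


def parse_log(lines):
    """Parse constructed log lines into dicts; blank and '#' lines are skipped."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, records = line.split()
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "records": int(records)})
    return entries


def _finding(reason, entry):
    return {"reason": reason, "user": entry["user"], "patient": entry["patient"],
            "time": entry["time"].isoformat()}


def review_activity(entries, business_hours=BUSINESS_HOURS, pto=PTO,
                    high_profile=HIGH_PROFILE, employee_patients=EMPLOYEE_PATIENTS,
                    daily_record_threshold=DAILY_RECORD_THRESHOLD):
    """Return one finding per event (or per user-day, for volume) that matches a review trigger."""
    findings = []
    per_user_day = defaultdict(int)      # (user, date) -> records accessed that day
    start, end = business_hours
    for e in entries:
        t, day = e["time"], e["time"].date().isoformat()
        if t.weekday() >= 5 or not (start <= t.hour < end):
            findings.append(_finding("after_hours", e))
        if day in pto.get(e["user"], set()):
            findings.append(_finding("during_pto", e))
        if e["patient"] in high_profile:
            findings.append(_finding("high_profile_patient", e))
        if e["patient"] in employee_patients:
            findings.append(_finding("employee_phi", e))
        per_user_day[(e["user"], day)] += e["records"]
    # Volume is judged per user per day, not per event, so it is checked after the pass.
    for (user, day), total in sorted(per_user_day.items()):
        if total > daily_record_threshold:
            findings.append({"reason": "high_volume", "user": user,
                             "patient": None, "time": day, "records": total})
    return findings


def summarize(findings):
    """Count findings by reason, the view a reviewer would triage from."""
    return Counter(f["reason"] for f in findings)


def run_review(lines=SAMPLE_LOG_LINES):
    """Parse and review the constructed log; returns the list of findings."""
    return review_activity(parse_log(lines))


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f)
    print(dict(summarize(results)))
```

Run against the constructed log, the review produces five findings, one per trigger class, with asmith's day flagged for 25 records. Each finding is a starting point for investigation, not a conclusion: the point of the 164.312(b) requirement is that someone looks at these regularly and documents what was done about them.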
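"Periodic testing" of a backup plan means actually restoring and checking the data, not just confirming that a backup job ran. The script below is an added example, not from the presentation or from any OCR guidance: it backs up a constructed directory of sample files into a tar archive with a SHA-256 manifest, restores it, and verifies every file; it then flips one bit of file data inside the archive to show that a tar restore can succeed silently while the hash check still catches the damage. The file names, contents and fault injection are all constructed; in a real drill the "corruption" would be whatever the last restore attempt turned up.

```python
"""Restore drill for an ePHI backup set: back up, restore, verify by hash.

Added example, not from the presentation. File names, contents and the
single-bit corruption are constructed to show how periodic testing turns a
silently damaged backup into a documented deficiency.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_manifest(src_dir):
    """Map each file (relative POSIX path) under src_dir to its SHA-256 digest."""
    src = Path(src_dir)
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write an uncompressed tar of src_dir; return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w") as tar:
        tar.add(str(src_dir), arcname=".")
    return build_manifest(src_dir)


def restore_and_verify(archive_path, manifest, restore_dir):
    """Extract the archive and compare every manifest entry against the restored copy."""
    restore_dir = Path(restore_dir)
    with tarfile.open(archive_path, "r") as tar:
        try:
            # The 'data' filter (Python 3.12+) rejects path-traversal members.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    report = {"ok": [], "corrupt": [], "missing": []}
    for rel, digest in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            report["missing"].append(rel)
        elif sha256_file(restored) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def flip_bit_in_archive(archive_path, marker):
    """Constructed fault injection: flip one bit of file data inside the tar.
    Tar headers carry a checksum but file data does not, so extraction still
    succeeds and only the hash comparison exposes the damage."""
    data = bytearray(Path(archive_path).read_bytes())
    offset = data.find(marker)
    if offset < 0:
        raise ValueError("marker not found in archive")
    data[offset] ^= 0x01
    Path(archive_path).write_bytes(bytes(data))


def run_drill():
    """Full drill; returns (report for intact backup, report for damaged backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ephi_store")
        src.mkdir()
        # Constructed sample files standing in for ePHI records.
        (src / "labs_P1001.txt").write_text("constructed lab record for patient P1001\n")
        (src / "notes_P1002.txt").write_text("constructed visit note for patient P1002\n")
        archive = Path(tmp, "backup.tar")
        manifest = create_backup(src, archive)
        intact = restore_and_verify(archive, manifest, Path(tmp, "restore_1"))
        flip_bit_in_archive(archive, b"constructed lab record")
        damaged = restore_and_verify(archive, manifest, Path(tmp, "restore_2"))
        return intact, damaged


if __name__ == "__main__":
    intact, damaged = run_drill()
    print("intact backup:", intact)
    print("damaged backup:", damaged)
```

The manifest is the piece organisations most often skip: without a digest taken at backup time there is nothing to compare the restored copy against, and a "successful" restore of corrupted data looks identical to a good one. Keeping the drill report (the `corrupt` and `missing` lists) is also the documentation of deficiencies and revisions that the contingency-plan standard expects.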

Phase 2 HIPAA Audit Program
- Selected covered entities received notification in July 2016 by email
- Desk audits complete
- Identification of business associates: selection pool drawn from over 20,000 entities identified by covered entities; desk audits underway
- On-site audits of both covered entities and business associates after completion of desk audits
- Evaluate against a comprehensive selection of controls in protocols

Phase 2 HIPAA Audit Program
Covered Entity Audits (166 total)
- Type: providers 90%; health plans 8.7%; health care clearinghouses 1%
- By region, Midwest (includes Kansas and Missouri): covered entities (38), business associates (15)
- Privacy and Breach (103); Security (63)
Business Associate Audits (41 total)
- Breach and Security

Phase 2 HIPAA Audit Program
- Three-step process: draft findings; issuance of final audit reports; compliance reviews
- BUT OCR has represented that the Audit Program is not intended to be a "gotcha" program or punitive program

Phase 2 HIPAA Audit Program
OCR's Linda Sanchez represented at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security 2017, that the program aims to:
- Support improved compliance
- Identify best practices
- Uncover risks & vulnerabilities
- Detect areas for technical assistance
- Encourage consistent attention to compliance

Phase 2 HIPAA Audit Program
So what did OCR review?
Covered Entity Desk Audit Controls (source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, presenter Linda Sanchez, on Audits of Entity Compliance with the HIPAA Rules)

Phase 2 HIPAA Audit Program: Privacy Rule Controls
Notice of Privacy Practices
- Copies of all NPPs
- URL of NPP posted on website
- Electronic notice policy and procedures
Right to Access
- Access requests
- Extensions
- Access forms
- Access policies and procedures

Phase 2 HIPAA Audit Program: Breach Notification Rule Controls
- Timeliness of notifications
- Content of notifications
- Form letters

Phase 2 HIPAA Audit Program: Security Rule Controls
Risk Analysis
- Current and prior RAs
- Documentation for previous year demonstrating implementation of RA process
- Availability to individuals responsible for process
- Periodic review and updating
- Policies/procedures going back 6 years related to implementation of RA

Phase 2 HIPAA Audit Program: Security Rule Controls
Risk Management
- Documentation supporting implementation of security measures to reduce risks identified in RA
- Documentation for previous year showing efforts to manage risks
- Policies/procedures going back 6 years related to implementation of risk management
- Documentation that current and ongoing risks are reviewed and updated
- Documentation for previous year demonstrating implementation of risk management process
- Availability to individuals responsible for process
- Periodic review and updating

Phase 2 HIPAA Audit Program (chart slide; source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, presenter Linda Sanchez, on Audits of Entity Compliance with the HIPAA Rules)

Phase 2 HIPAA Audit Program (chart slide; source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, presenter Linda Sanchez, on Audits of Entity Compliance with the HIPAA Rules)

Phase 2 HIPAA Audit Program Takeaways: Breach
Timeliness of notification
- Most notifications were timely
- 65% of covered entities received a 1 rating
- 11% did not (no date on letter)
Content
- Only 14% received a 1 rating
- 67% received a 3, 4, or 5 rating
- Not adequately describing: specific types of PHI breached; mitigation

Phase 2 HIPAA Audit Program Takeaways: Privacy
Access: HUGE PROBLEM
- Only 11/103 covered entities received a 1 or 2 rating
- Over half had a 4 or 5 rating
- Communicating access rights to individuals
- Using authorization forms versus access forms
Content
- 48% received a 1 or 2 rating
- Notification of right to direct information to third party
eNotice
- 57% received a 1 rating
- 21% received a 4 or 5 rating
- Difficult to find

Phase 2 HIPAA Audit Program Takeaways: Security
Risk Analysis
- NO 1 ratings; lots of room for improvement
- Not conducting RA
- Not documenting RA
- Not clear RA conducted regularly
- Listing of risks but no ratings
- Incomplete forms
- Not identifying all information systems where ePHI is located
Risk Management
- Majority received 4 or 5 rating; lots of room for growth here
- No documentation of action on results of RA
- No documentation that risk management is addressed regularly

Phase 2 HIPAA Audit Program: Preliminary Findings
- Notice of Privacy Practices
- Right to Access

OCR Audit Protocol
- 180 HIPAA requirements & questions: 89 privacy requirements; 72 security requirements; 19 breach notification requirements
- Audit Protocol, April 2016, HHS, https://www.hhs.gov/hipaa/forprofessionals/complianceenforcement/audit/index.html

Upcoming Initiatives: Accounting of Disclosures
- 2011 Notice of Proposed Rulemaking (NPRM) implementing the accounting of disclosures provisions in the 2009 HITECH Act
- Access reports
- In July 2017, OCR Deputy Director for Health Information Privacy Deven McGraw announced OCR is starting over from scratch
Texting
- Guidance in the works
- For now, OCR refers providers to the Access Guidance

Upcoming Initiatives: More on Cybersecurity
- https://www.hhs.gov/hipaa/forprofessionals/security/guidance/cybersecurity/index.html
- Cybersecurity checklists
- Newsletters
