HIPAA, Privacy, and Security Oh My!


2014 CliftonLarsonAllen LLP
HIPAA, Privacy, and Security Oh My!
Chad D. Kunze, CPA, Health Care Principal, Phoenix, AZ
CLAconnect.com

Learning Objectives
At the end of this learning session, you will be able to:
- Understand the recent changes to the HIPAA and HITECH regulations affecting providers and business associates
- Understand what privacy and security mean under HIPAA
- Identify who is a covered entity, and which of your business associates require a separate agreement
- Know what a breach is and how to protect your organization
- Recognize examples of good business practices, education, and third-party analysis


HIPAA - What is it?
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The four original parts included:
- Electronic transactions and code set standards requirements
- Privacy requirements
- Security requirements
- National identifier requirements
HIPPA or HIPAA? It is HIPAA. We will focus on privacy and security.

HIPAA Requirements Historically - What's old and what's new?

Key Historical Dates
The goal of HIPAA is to make health insurance more portable, ensure the privacy and security of an individual's health and medical information, and create standardization.
- 1996: HIPAA enacted
- 2002: Final modifications to the Privacy Rule published
- 2003: Final Security Rule published
- 2009: HITECH passed as part of the American Recovery and Reinvestment Act (ARRA)
- 9/23/09: Breach notification obligations effective
- 2011: OCR compliance audits began
- 1/17/13: Omnibus Rule released; effective date 3/26/13; compliance date 9/23/13

HITECH Act - 2009
- Extended the reach of HIPAA
- Breach notification requirements on covered entities and business associates
- Limits the use and disclosure of certain PHI
- Increases individuals' rights with respect to their PHI
- Significant enforcement and penalties for violations of the privacy and security of PHI

Protection of Electronic PHI
Examples of ePHI:
- Clinical records, chargemaster, billing, detailed patient records, etc.
- HUD resident files containing medical information
- A/R and billing
- Workers' comp
- Health insurance and other benefits
- Payroll reports
- Revenue documentation
- Other

Protection of PHI - Types of Data
- Written documentation and all paper records
- Spoken and verbal information, including voice mails
- Electronic databases, including research information
- PHI on a phone, USB drive, etc.
- Photographic images
- Audio and video

HITECH Breach Notification
- Must notify individuals whose unsecured PHI has been, or is reasonably believed to have been, breached
- Business associates must notify the covered entity of a breach upon becoming aware of it
- "Unsecured PHI" is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons per HHS guidance (encryption or destruction); HHS updates that guidance annually
- Notification without unreasonable delay, and no more than 60 days after discovery of the breach
- Notification to individuals by first-class mail, unless the individual has agreed to electronic notice

HITECH Breach Notification (continued)
- Substitute notice: if contact information is insufficient or out of date for 10 or more individuals, post a conspicuous notice on the home page of your website or in major print or broadcast media
- Media notice: if more than 500 residents of one State are affected, notify prominent media outlets serving that State
- HHS notice: breaches affecting fewer than 500 individuals are logged and reported to HHS annually; breaches affecting 500 or more individuals are reported to HHS without unreasonable delay, together with the individual notice
- Notice content: a brief description of what happened (including the dates of the breach and of its discovery), the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing to investigate, mitigate harm, and prevent recurrence, and contact information for questions

HITECH Penalties and Enforcement
HITECH requires HHS to formally investigate when a possible violation exists or a breach is reported. The questions that drive the outcome:
- Was willful neglect present?
- Was reasonable diligence exercised?
- Was the violation corrected, or not corrected?
Penalties follow a tiered approach.

HITECH Penalties and Enforcement
Civil monetary penalties (Section 1176(a)(1)):

  Violation category                        Each violation       All such violations of an identical provision in a calendar year
  (A) Did not know                          $100 - $50,000       $1,500,000
  (B) Reasonable cause                      $1,000 - $50,000     $1,500,000
  (C)(i) Willful neglect, corrected         $10,000 - $50,000    $1,500,000
  (C)(ii) Willful neglect, not corrected    $50,000              $1,500,000

HITECH Penalties and Enforcement
- In addition, State attorneys general may bring a HIPAA enforcement action against a covered entity or business associate
- HHS now performs periodic audits of compliance by covered entities and business associates (see the enforcement section below)

New Omnibus Rule Changes - What's old and what's new?

Breach Notification - New Modifications
The 2009 interim final rule defined a breach as the "acquisition, access, use or disclosure of PHI in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the PHI," and "compromises the security or privacy of PHI" was defined as posing a significant risk of financial, reputational, or other harm to the individual (the "risk of harm" threshold).
The Omnibus Final Rule, building on the HITECH definition in Section 13400(1), removes that threshold: an acquisition, access, use, or disclosure of PHI in a manner not permitted is presumed to be a breach, unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised.

Breach Notification Exceptions
There are three exceptions to the breach notification requirement, and they are unchanged:
- Unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of the entity, made in good faith and within the scope of that authority
- Inadvertent disclosure between persons authorized to access PHI at the same entity, where the PHI will not be further used or disclosed in an impermissible manner
- A good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information
If none of the three exceptions applies, the incident is presumed to be a breach UNLESS the PHI was secured, i.e. rendered unusable, unreadable, or indecipherable to unauthorized persons per HHS guidance: ENCRYPTION (or destruction)!

Breach - Risk Assessment
To rebut the presumption, the covered entity AND the business associate must consider:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- Who used the PHI, or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
Then decide: does the event rise to the level of a breach? If it does, the Secretary of HHS must be notified following discovery of a breach of unsecured PHI.
The Omnibus Rule was effective March 26, 2013; compliance was required by September 23, 2013.
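The two HITECH Breach Notification slides and the exception, presumption and risk-assessment flow above describe a decision procedure, so here it is as code. This is an added example written for this page; it is not CLA tooling and not anything published by HHS. The incident fields, the exception labels, the sample incidents and the 90-second-glance output format are this example's own assumptions; the 60-day window and the 500-individual thresholds are the ones the slides state, and the 10-individual substitute-notice trigger and the annual-log deadline (within 60 days after the end of the calendar year of discovery) come from 45 CFR 164.404 and 164.408. The four-factor risk assessment itself is a judgement call; the code only records whether that assessment was documented and concluded low probability.

```python
"""Breach triage: decide whether an incident is a reportable breach of
unsecured PHI and compute the notification deadlines.

Added example for this page, not CLA's or HHS's tooling. Field names,
exception labels and the sample incidents are assumptions of the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# The three unchanged exceptions to the breach definition.
STATUTORY_EXCEPTIONS = {
    "workforce_good_faith",   # unintentional access by a workforce member, in good faith, within scope of authority
    "inadvertent_internal",   # inadvertent disclosure between persons authorized at the same entity
    "not_retained",           # good-faith belief the recipient could not reasonably have retained the PHI
}

NOTICE_WINDOW_DAYS = 60        # individual notice: without unreasonable delay, no later than 60 days after discovery
MEDIA_THRESHOLD = 500          # more than 500 residents of one State -> prominent media outlets in that State
HHS_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals -> HHS notified with the individual notice; fewer -> annual log
SUBSTITUTE_NOTICE_MIN = 10     # insufficient/out-of-date contact info for 10+ individuals -> website or media posting


@dataclass
class Incident:
    discovered: date
    phi_secured: bool                         # encrypted or destroyed per HHS guidance (safe harbor)
    exception: Optional[str] = None           # one of STATUTORY_EXCEPTIONS, or None
    low_probability_documented: bool = False  # four-factor assessment concluded low probability of compromise
    individuals_by_state: Dict[str, int] = field(default_factory=dict)  # affected residents per State code
    stale_contact_count: int = 0              # individuals whose contact information is missing or out of date


def is_reportable_breach(inc: Incident) -> bool:
    """Omnibus presumption: an impermissible use or disclosure of unsecured PHI
    is a breach unless an exception applies or a documented risk assessment
    shows a low probability that the PHI was compromised."""
    if inc.phi_secured:
        return False  # not "unsecured PHI": the notification rules do not apply
    if inc.exception in STATUTORY_EXCEPTIONS:
        return False
    return not inc.low_probability_documented


def notification_plan(inc: Incident) -> dict:
    """Return the notices owed and their outside dates, or {'notify': False}."""
    if not is_reportable_breach(inc):
        return {"notify": False}
    total = sum(inc.individuals_by_state.values())
    by_discovery = inc.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_due = by_discovery
    else:
        # Fewer than 500: log it and report within 60 days after the end of the calendar year of discovery.
        hhs_due = date(inc.discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)
    return {
        "notify": True,
        "total_individuals": total,
        "individual_notice_by": by_discovery,
        "substitute_notice_required": inc.stale_contact_count >= SUBSTITUTE_NOTICE_MIN,
        "media_notice_states": sorted(s for s, n in inc.individuals_by_state.items() if n > MEDIA_THRESHOLD),
        "hhs_notice_by": hhs_due,
    }


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = {
    "stolen_encrypted_laptop": Incident(date(2014, 3, 3), phi_secured=True,
                                        individuals_by_state={"AZ": 1200}),
    "misdirected_fax_internal": Incident(date(2014, 3, 3), phi_secured=False,
                                         exception="inadvertent_internal", individuals_by_state={"AZ": 3}),
    "web_exposure": Incident(date(2014, 3, 3), phi_secured=False,
                             individuals_by_state={"AZ": 612, "NM": 40}, stale_contact_count=25),
    "lost_unencrypted_usb": Incident(date(2014, 3, 3), phi_secured=False,
                                     individuals_by_state={"ID": 30}),
}

if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        print(name, notification_plan(inc))
```

The encrypted-laptop case shows why the slides say "encrypt, encrypt, encrypt": the same 1,200 records produce no notification at all when the device was encrypted per HHS guidance, while the unencrypted web exposure of 652 records triggers individual, media (Arizona only, since New Mexico stays under 500) and immediate HHS notice, all due 60 days from discovery.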

Willful Neglect and Penalties
"Willful neglect" appears over 70 times in the final rule. It is defined in 45 CFR 160.401 as the "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated."

Action Plan for Covered Entities
- Encrypt, encrypt, encrypt, and implement a BYOD ("bring your own device") policy
- Review and update business associate agreements (affects an estimated 250,000 to 500,000 business associates around the country and beyond)
- Review and revise your breach notification policies (affects an estimated 19,000 covered entities)
- Review and update privacy policies (affects an estimated 700,000 covered entities)
- Provide updated education for your workforce
(The approximate numbers of affected entities are taken from the 2013 HIPAA Omnibus Rule.)

Covered Entities and Business Associate Agreements

HIPAA - What Is It?
- Privacy: governs the use and disclosure of individually identifiable health information, or protected health information ("PHI")
- Security: the administrative, physical, and technical safeguards required to prevent unauthorized access to electronic PHI (ePHI)

HIPAA - Covered Entities
Covered entities (directly affected):
- Health care providers
- Health plans
- Health care clearinghouses
Health care providers are persons or organizations who furnish, bill, or are paid for health care in the normal course of business. They are covered ONLY if they transmit health information electronically, directly or through a business associate, in connection with a transaction covered by the HIPAA transaction rules.

How to Comply - Security Rule
- Appoint a security officer
- Perform an internal or third-party risk analysis: the likelihood and impact of risks to ePHI
- Implement security measures to address the identified risks
- Document the security measures
- Maintain the protections (continuously and reasonably)
- Develop and implement a risk management plan
- Education and training is a MUST

HIPAA - Who Are Business Associates?
A business associate is:
- A person who performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information
- Not a member of the covered entity's workforce
A covered entity can also be a business associate.

HIPAA - Who Are Business Associates? (cont'd)
Vendors providing these services are not covered entities, but they are business associates, and so are indirectly subject to the HIPAA privacy and security provisions:
- Legal
- Accounting
- Consulting
- Information technology
- Financial support
- Claims processing and billing
- Data destruction/shredding
They are required to sign a business associate agreement (BAA): a covered entity that contracts for business associate services or activities must obtain protection through a BAA, in which the business associate agrees by contract to maintain the privacy and security of PHI.

Business Associate Agreements
What is in a BAA? It is a contract between the covered entity and the business associate that includes:
- Responsibilities identified
- Understanding and acknowledgement of those responsibilities
- Identification of what constitutes a breach
- Breach notification requirements
- Communication requirements
- Termination clauses
- Subcontractor clauses
- Signatures of both parties

HIPAA - How Does It Affect You?
Does your organization have business associate agreements in place for all the required vendors or partners you work with? Action is necessary by both the covered entity and the business associate to ensure they live up to the requirements:
- Protections added
- Indemnification
- Reporting
- Policies in place
- Hardware and software
- Learning and training

Example - How Does It Affect CLA?
CLA's approach in the past: comply as if we were a covered entity, with a highest-common-denominator approach to ePHI.
- Protect ALL data at the level required for ePHI
- Education: annual education, and orientation for new employees
- Understand the requirements and responsibility (not just principal or partner responsibility)
- Identification of a breach, and how to notify and/or report it
- Business associate agreements: CLA MUST HAVE a BAA in place for all clients where ePHI is directly used or indirectly obtained

Enforcement - Covered Entities and Business Associates

Stepped Up HIPAA Related Enforcement
In 2012 HHS began periodic audits to ensure that covered entities and business associates are complying with the HIPAA privacy and security rules and the breach notification standards. For Phase 1, the Office for Civil Rights (OCR) conducted 115 audits, of which 20 were completed in 2012. Entities were stratified into four levels:
- Level 1: Large providers/health plans; extensive use of IT, complicated IT/business work streams; revenues or assets > $1 billion
- Level 2: Large regional hospital systems (3-10 hospitals/region) and regional insurance companies; paper and HIT-enabled workflows; revenues and/or assets between $300 million and $1 billion
- Level 3: Community hospitals/outpatient surgery, regional pharmacies, and all self-insured companies that don't adjudicate their own claims; some but not extensive use of HIT, mostly paper-based workflows; revenues between $50 million and $300 million
- Level 4: Small providers (10 to 50 provider practices, community or rural pharmacies); little to no use of HIT, almost exclusively paper-based workflows; revenues less than $50 million
Source: U.S. Dept. of HHS presentation, "2012 HIPAA Privacy and Security Audits," by Linda Sanches, OCR Senior Advisor, Health Information Privacy; Lead, HIPAA Compliance Audits

Stepped Up HIPAA Related Enforcement (cont'd)
[Two chart slides; source: U.S. Dept. of HHS presentation, "2012 HIPAA Privacy and Security Audits," by Linda Sanches, OCR Senior Advisor, Health Information Privacy; Lead, HIPAA Compliance Audits]

Security Rule Findings - 65% of audit findings
Security Rule provisions most often cited (45 CFR Part 164):
- 164.312 (technical safeguards): user activity monitoring; authentication/integrity
- 164.310 (physical safeguards): media reuse and destruction
- 164.308 (administrative safeguards): contingency planning; risk assessment
Ask yourself:
- Access review: are you periodically reviewing established users to determine whether they are still current, authorized, and holding the correct access rights?
- Risk assessment: how frequently are you examining the information system for vulnerabilities?
- Monitoring of controls: how are you verifying that the controls are designed to mitigate unacceptable risks?
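The first "ask yourself" question above, the periodic user access review, is the one most often answered "we mean to", so here is what a minimal one looks like as code. This is an added example written for this page, not a CLA or OCR tool. The account records, the HR roster, the role names and the 90-day dormancy threshold are all constructed assumptions of the example; in practice the two inputs would be an export from the directory or application and a feed from HR.

```python
"""Periodic user access review: reconcile system accounts against the HR
roster and flag accounts that should not exist, should be disabled, are
dormant, or hold more roles than the person is entitled to.

Added example for this page, not CLA's tooling. The account and roster
records and the 90-day dormancy threshold are assumptions of the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

DORMANT_DAYS = 90  # assumed policy threshold for an enabled but unused account


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]   # None: never logged in
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Person:
    user: str
    active: bool                 # still employed or engaged, per HR
    entitled_roles: FrozenSet[str]


def review_access(accounts: List[Account], roster: List[Person], as_of: date) -> List[dict]:
    """Return one finding per problem: orphan_account, terminated_still_enabled, dormant, excess_roles."""
    by_user = {p.user: p for p in roster}
    findings = []
    for acct in accounts:
        person = by_user.get(acct.user)
        if person is None:
            findings.append({"user": acct.user, "issue": "orphan_account", "detail": "not on HR roster"})
            continue
        if not person.active:
            if acct.enabled:
                findings.append({"user": acct.user, "issue": "terminated_still_enabled", "detail": "disable and revoke"})
            continue  # entitlement and dormancy checks are moot once the person is gone
        if acct.enabled and (acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS):
            detail = "never logged in" if acct.last_login is None else f"last login {(as_of - acct.last_login).days} days ago"
            findings.append({"user": acct.user, "issue": "dormant", "detail": detail})
        excess = acct.roles - person.entitled_roles
        if excess:
            findings.append({"user": acct.user, "issue": "excess_roles", "detail": ",".join(sorted(excess))})
    return findings


def run_review() -> List[dict]:
    """Run the review over constructed sample data (no real accounts)."""
    as_of = date(2014, 9, 1)
    accounts = [
        Account("jdoe", True, date(2014, 8, 20), frozenset({"clinician"})),
        Account("msmith", True, date(2014, 2, 1), frozenset({"billing"})),
        Account("rbrown", True, date(2014, 8, 30), frozenset({"billing", "ephi_export"})),
        Account("tlee", True, date(2014, 7, 15), frozenset({"clinician"})),
        Account("kwong", False, date(2013, 11, 2), frozenset({"clinician"})),
        Account("svc_legacy", True, None, frozenset({"admin"})),
    ]
    roster = [
        Person("jdoe", True, frozenset({"clinician"})),
        Person("msmith", True, frozenset({"billing"})),
        Person("rbrown", True, frozenset({"billing"})),
        Person("tlee", False, frozenset()),
        Person("kwong", False, frozenset()),
    ]
    return review_access(accounts, roster, as_of)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['issue']:26} {f['user']:12} {f['detail']}")
```

Each finding maps onto a corrective action (disable, remove a role, re-certify the owner) and the list itself is the evidence an auditor asks for: when the review ran, what it covered, and what was done about each hit.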

Privacy Rule Findings - 26%; Breach Notification Findings - 9%
Provisions most often cited:
- Uses and disclosures involving deceased individuals and personal representatives (45 CFR 164.502); verification of the identity of those requesting PHI
- Business associate contracts (45 CFR 164.504(e), and 164.308(b) on the security side)
- Breach notification process (45 CFR 164.400 - 164.414)
Ask yourself:
- What steps do you take to verify the identity of those requesting PHI?
- How do you identify business associates? How often are your contracts reviewed?
- Does your staff know what to do if a breach occurs?
- What steps do you take to document the occurrence of a breach and the results of the investigation?

Phase 2 of OCR Audits
- 550-800 entities will be contacted for a pre-survey
- OCR will use the survey data to select a projected 350 covered entities to audit
- Audits to begin in the fall of 2014
- Covered entities will identify their business associates, and a selection from those provided will be subject to audit in 2015
- Desk audits for selected areas, and comprehensive on-site audits as resources allow
Focus areas for the 2014-2015 audits:
- Security risk analysis and risk management
- Breach content and timeliness of notifications
- Privacy notice and access

Fines and Penalties
- WellPoint paid $1.7 million for leaving ePHI accessible over the internet. The issues related to its implementation of changes in its IT systems. WellPoint provided a breach report: 612,402 individuals' ePHI was unsecured and unprotected.
- Massachusetts Eye and Ear Infirmary (MEEI), a Harvard Medical School affiliate, and the Alaska Department of Health and Social Services agreed to pay HHS $1.5 million and $1.7 million, respectively, to settle potential violations.
- Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, agreed to pay HHS a $100,000 settlement, the first small practice to be penalized over HIPAA violations.
- Hospice of North Idaho agreed to pay HHS a $50,000 settlement for potential violations, the first settlement related to a breach of unprotected ePHI that affected fewer than 500 individuals.

Additional Thoughts and Stats
- After EHR implementations, providers have seen a surge in data breaches
- The average breach cost was approximately $2.5 million
- Most were preventable
- 40% of breaches in 2013 involved a business associate
- Reputation costs are hard to quantify but are significant

Encryption - Why It Is Important
Lack of encryption is now the #1 factor behind penalties. Where ePHI (electronic protected health information) most often goes unencrypted:
- Emails containing ePHI
- Data published on an internet site
- Mobile devices such as laptops, smart phones, or tablets
- Remote access sessions

Six Steps to Breach Prevention or Mitigation
1. Lock down end users and infrastructure: know where your data resides
2. User identification
3. Single point of control
4. Anti-malware
5. Encryption
6. e-Discovery

Best Practices - They are in place to protect us all!

HIPAA Safeguards: Administrative, Physical, and Technical
- Administrative safeguards (the management of): risk; employees and training; continuity; evaluation; business associates
- Physical safeguards (securing and accounting for): facilities; workstations; media disposal
- Technical safeguards (logical access): system logging and review; password requirements; user accounts and access

Safeguarding Computers
- Secure laptops and desktops at all times
- Do not loan your laptop to others
- Do not allow others to use your computer unattended
- Do not leave your laptop or equipment unattended; if you must step away for any reason, lock the office space you are using, or lock the screen so that a password is required to resume
- Use privacy screens if available
- Know your surroundings

Messages That Contain Sensitive or Protected Information
Personnel should NOT be permitted to send emails that contain sensitive PHI unless the message is encrypted.
PHI is information about an individual's:
- Health status
- Provision of health care
- Payment for health care
PHI linked to any of the following identifiers must be treated with care: names; phone/fax numbers; addresses; email addresses; dates (related to care, admission, discharge, etc.); SSNs; medical record numbers; health plan information; photos; device identifiers; etc.
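The rule on this slide, no unencrypted email containing PHI, is only enforceable if something checks each outbound message. The following is an added example written for this page of what that check looks like; it is not CLA's mail tooling. It treats a message as PHI when one of the slide's identifiers appears together with health, care or payment context, or when an SSN or medical record number appears at all, and blocks it unless the message is flagged as encrypted. The regular expressions, the context-word list, the `encrypted` flag and the sample messages are assumptions of the example; a production gate would also scan attachments and sit behind a real DLP engine.

```python
"""Outbound mail gate: refuse to send an unencrypted message whose subject
or body carries PHI.

Added example for this page, not CLA's tooling. The patterns, the context
words and the sample messages are assumptions of the example.
"""
import re
from dataclasses import dataclass
from typing import List

# Identifiers from the slide that a regex can catch in free text.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "date": re.compile(r"\b(0?[1-9]|1[0-2])/(0?[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}
STRONG_IDENTIFIERS = {"ssn", "mrn"}  # point at a person's health record by themselves

# Health-status, care-delivery and payment context words (illustrative list).
HEALTH_CONTEXT = re.compile(
    r"\b(patient|diagnos\w*|admit\w*|discharg\w*|prescri\w*|treatment|procedure|"
    r"lab results?|claims?|medicaid|medicare|resident)\b", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool  # assumed flag set by the mail client or gateway when the message is encrypted


def classify(msg: Message) -> dict:
    """Decide allow / allow_encrypted / block and report what was matched."""
    text = f"{msg.subject}\n{msg.body}"
    found = sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))
    context = HEALTH_CONTEXT.search(text) is not None
    is_phi = bool(STRONG_IDENTIFIERS & set(found)) or (bool(found) and context)
    if not is_phi:
        action = "allow"
    elif msg.encrypted:
        action = "allow_encrypted"
    else:
        action = "block"
    return {"action": action, "identifiers": found, "health_context": context}


def gate(messages: List[Message]) -> List[str]:
    """Apply the policy to a batch and return one action per message."""
    return [classify(m)["action"] for m in messages]


# Constructed sample messages (no real people or record numbers).
SAMPLE_MESSAGES = [
    Message("nurse@example.org", ["dr@example.org"], "Discharge summary",
            "Patient John Q. Public, MRN 00482913, admitted 03/14/2014. Summary attached.", encrypted=False),
    Message("nurse@example.org", ["dr@example.org"], "Discharge summary",
            "Patient John Q. Public, MRN 00482913, admitted 03/14/2014. Summary attached.", encrypted=True),
    Message("ops@example.org", ["all@example.org"], "Lunch Friday",
            "Lunch at noon on Friday? Call 602-555-0143 if you are in.", encrypted=False),
    Message("fin@example.org", ["cfo@example.org"], "Q2 volumes",
            "Quarterly claims volume report: 4,812 claims processed in Q2.", encrypted=False),
]

if __name__ == "__main__":
    for m, action in zip(SAMPLE_MESSAGES, gate(SAMPLE_MESSAGES)):
        print(f"{action:16} {m.subject}")
```

The two-part test (identifier plus context) is what keeps the lunch invitation with a phone number from being blocked while the same discharge summary is blocked unencrypted and allowed encrypted; the aggregate claims report carries context but no identifier, so it passes too.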

Example of CLA IT Security That Is in Place Due to Being a Business Associate

  Administrative safeguards   Technical safeguards        Physical safeguards
  Risk management             Passwords                   Office physical security
  IT policies                 Change control              Laptop policy
  Security leadership         Anti-virus/spam             Equipment disposal
  Access management           Firewall                    Data backup and storage
  Awareness                   Workstation control (CSA)
  Incident response           Web filtering
  Inquiry response            Remote access
  Auditing                    FTP
                              Encryption
                              Portable media control
                              Event correlation

Don't We Already Have Enough Security?
Can you and your employees answer YES to all of these?
- If I follow my organization's policies, I believe that we are covered
- Am I following my organization's policies?
- Do I understand what constitutes a potential or actual breach?
- Do I protect data as if it were my own?

What Can You Do Today?
- Clean your offices
- Move any resident data off your hard drive
- Don't store PHI or resident data in emails
- Use the network or other approved solutions to store data
- Don't request, receive, or send ePHI to or from anyone unless it is encrypted and absolutely needed
- Return ePHI or private data when the work is complete, or delete it immediately

Other Protections
- Protect discussions: in public places, elevators, client locations, airplanes, etc., and with friends, spouse, family, etc.
- If you are in public places or traveling on planes, use privacy screens on computers
- Provide data with privacy and security in mind (FTP site, data encrypted, data scrubbed, etc.)
- Don't leave sensitive information lying around at any time
- Err on the side of being overprotective of your computer
- Limit the data on your hard drive and follow your organization's policy

Recap - What We Have Learned Today
- HIPAA, privacy, and security are just good common sense
- Understand what HIPAA requires: we are all responsible to know and understand it
- Know when a breach may have occurred (whether you are a covered entity or a business associate)
- Is our business associate HIPAA compliant? Can we help?
- Organization policy is in place to HELP, not to HINDER, our resident service and productivity
- More to come: breaches and fines are starting to ramp up
- Risk is out there. Do your part and promote the privacy and security of PHI, and remember that it is really good business sense

Chad D. Kunze, CPA, Principal
Chad.Kunze@CLAconnect.com
602-604-3534 Office
314-42-6512 Cell
CLAconnect.com | twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen