HEALTHCON 2016
HIPAA Privacy and Security Breaches: 10 Things To Know
Orlando, April 11, 2016
Presented by Paul R. Hales, J.D.

Lost medical records complicate Joplin hospital's tornado recovery

10 Things To Know
1. What is a Breach?
2. Locations and Types of PHI Major Breaches
3. Penalties
4. Breach Prevention
5. Cyber Crime
6. Intentional Human Threats
7. Unintentional Human Threats
8. Contingency Planning
9. Workforce Training
10. HIPAA Compliance Program

1. What is a Breach?
Breach means (45 CFR 164.402) the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the Privacy Rule which compromises the security or privacy of the protected health information.

When does an impermissible use or disclosure "compromise the security or privacy" of the PHI? Under 45 CFR 164.402, an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised, based on a risk assessment of at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. The burden of proof is on the entity: if the assessment is not done or not documented, the event is a breach and must be notified.
2. Locations and Types of PHI Major Breaches

Breach Highlights, September 2009 through August 28, 2015 (source: OCR/NIST 2015)
Approximately 1,310 reports involving a breach of PHI affecting 500 or more individuals
Theft and loss are 57% of large breaches
Laptops and other portable storage devices account for 30% of large breaches
Paper records are 22% of large breaches
Approximately 179,000+ reports of breaches of PHI affecting fewer than 500 individuals

500+ Breaches by Location as of 8/28/2015 (OCR/NIST 2015)
  Paper Records                22%
  Laptop                       20%
  Network Server               13%
  Desktop Computer             12%
  Other                        11%
  Portable Electronic Device   10%
  Email                         8%
  EMR                           4%

500+ Breaches by Type of Breach as of 8/28/2015 (OCR/NIST 2015)
  Theft                            48%
  Unauthorized Access/Disclosure   21%
  Hacking/IT                       10%
  Loss                              9%
  Other                             8%
  Improper Disposal                 4%
  Unknown                           1%
Breach Portal ("Wall of Shame") entry, March 13, 2015: 78,800,000 individuals affected

3. Penalties
Civil
Criminal
4. Breach Prevention
Lessons Learned:
HHS/OCR Enforcement Activities
HHS/OCR Resolution Agreements
HHS/OCR Guidance

HHS HIPAA Pilot Audits, 2012: 80% of audited providers failed to do a risk analysis.
"We found deficiencies among a wide variety of entities in risk analysis, one of the most fundamental privacy and security elements: conduct a thorough and complete risk analysis, and take action based on the findings of that risk analysis."

Why have so many failed to do a Risk Analysis?

From the HHS/OCR guidance on risk analysis: "We note that some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST). NIST, a federal agency, publishes freely available material in the public domain, including guidelines.[4]"
Footnote 4: "The 800 Series of Special Publications (SP) are available on the Office for Civil Rights website; specifically, SP 800-30 - Risk Management Guide for Information Technology Systems."

Special Publications (800 Series)
Special Publications in the 800 series (established in 1990) are of general interest to the computer security community.
5. Cyber Criminals

7. Unintentional Human Threats
Patient Attraction
Patient Engagement
Jocelyn Samuels, Director, Office for Civil Rights: "All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual's authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form."

"Baby Pictures at the Doctor's? Cute, Sure, but Illegal"
Why illegal? No valid HIPAA authorization.
8. Contingency Planning

9. Workforce Training

10. HIPAA Compliance Program
Culture of Compliance
Quality of Care

"I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know."
Physician-Patient Privilege (Law of Evidence)

Discussion and Questions