ARE YOU HIP WITH HIPAA?


Scott C. Thompson, 214.651.5075, scott.thompson@haynesboone.com
February 11, 2016

HIPAA SECURITY: WHY SHOULD I CARE?
- Health plan fined $1.2 million for HIPAA breach.
- Health plan fined $1.7 million after USB drive containing ePHI stolen.
- Covered entity fined $150,000 for using outdated, unsupported security software.

AGENDA
- HIPAA Security Rule
- Breaches Trigger Investigations and Other Ways HIPAA is Enforced
- HHS Investigation Examples
- Employer Responses
- Controlling Risk Under HIPAA

HIPAA SECURITY RULE: It's Not Just Privacy (slide 4)

GENERAL RULE (slide 5)
- Ensure confidentiality, integrity, and availability of ePHI created, received, maintained, or transmitted
- Protect against reasonably anticipated:
  - Threats to ePHI security and integrity
  - Improper use or disclosure of ePHI
- Ensure workforce compliance

WHAT SECURITY MEASURES TO USE (slide 6)
- Use security measures that reasonably and appropriately implement security standards
- In deciding what security measures to use, consider:
  - Size, complexity, and capabilities of the covered entity
  - Technical infrastructure, hardware, and software security capabilities
  - Costs of security measures
  - Probability and criticality of potential risks to ePHI

SECURITY STANDARDS: REQUIRED / ADDRESSABLE (slide 7)
- Some security standards are required
- Some security standards are addressable:
  - Assess whether the safeguard is reasonable and appropriate, including its likely contribution to protecting ePHI
  - If reasonable and appropriate, implement it
  - If not, document why and implement an equivalent alternative, if it is reasonable and appropriate
- Review and modify security measures as needed to provide reasonable and appropriate protection of ePHI
- Maintain / update documentation of security measures

ADMINISTRATIVE SAFEGUARDS (slide 8)
- Security Management Process
  - Risk analysis: assess potential risks and vulnerabilities
  - Risk management: implement security measures to reduce risks and vulnerabilities
  - Sanction policy: sanction employees who fail to comply with security policies
  - System activity review: regularly review records of information system activity
- Security Official
  - Develop and implement security policies and procedures

ADMINISTRATIVE SAFEGUARDS (slide 9)
- Workforce Security
  - Ensure appropriate access to ePHI and prevent unauthorized access
  - Authorization or supervision of employees who work with ePHI or in locations where it may be accessed (Addressable)
  - Workforce clearance procedure to access ePHI (Addressable)
  - Procedures for terminating access to ePHI (Addressable)
- Information Access Management
  - Access authorization (Addressable)
  - Granting and modifying access (Addressable)

ADMINISTRATIVE SAFEGUARDS (slide 10)
- Security Awareness and Training
  - Security awareness and training program for all employees, including management
  - Security reminders (Addressable)
  - Protection from malicious software (Addressable)
  - Log-in monitoring (Addressable)
  - Password management (Addressable)
- Security Incident Procedures
  - Identify and respond to suspected incidents
  - Mitigate harmful effects
  - Document incident and outcome
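The system activity review on slide 8 and the log-in monitoring item on slide 10 only count for anything if someone actually examines the activity records. As an added example (not code from the presentation or its author), the Python script below parses a constructed ePHI access log and surfaces three patterns a reviewer would want flagged: a burst of failed logins on one account, a user viewing more distinct patient records than expected, and record access outside business hours. The log format, user names, patient identifiers, thresholds, and function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real data). One event per line:
# <ISO-8601 timestamp> <user> <event> <key=value ...>
SAMPLE_LOG = """\
2016-02-10T08:02:11 jsmith LOGIN_OK workstation=ws-12
2016-02-10T08:05:40 jsmith RECORD_VIEW patient=P1001
2016-02-10T08:07:02 jsmith RECORD_VIEW patient=P1002
2016-02-10T09:15:33 mlee LOGIN_FAIL workstation=ws-30
2016-02-10T09:15:41 mlee LOGIN_FAIL workstation=ws-30
2016-02-10T09:15:50 mlee LOGIN_FAIL workstation=ws-30
2016-02-10T09:16:02 mlee LOGIN_FAIL workstation=ws-30
2016-02-10T09:16:15 mlee LOGIN_FAIL workstation=ws-30
2016-02-10T14:30:00 mlee LOGIN_FAIL workstation=ws-30
2016-02-10T23:40:05 rpatel LOGIN_OK workstation=ws-07
""" + "".join(
    # constructed: rpatel views twelve different patient records in one late-night minute
    f"2016-02-10T23:41:{sec:02d} rpatel RECORD_VIEW patient=P{2001 + sec}\n"
    for sec in range(12)
)


def parse_log(text):
    """Parse the whitespace-separated log format above into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "event": event, **fields})
    return entries


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` LOGIN_FAIL events inside any `window` span.
    Returns {user: largest count seen in one window}."""
    by_user = defaultdict(list)
    for e in entries:
        if e["event"] == "LOGIN_FAIL":
            by_user[e["user"]].append(e["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def high_volume_record_access(entries, max_records=10):
    """Users who viewed more distinct patient records than `max_records`."""
    seen = defaultdict(set)
    for e in entries:
        if e["event"] == "RECORD_VIEW":
            seen[e["user"]].add(e["patient"])
    return {u: len(p) for u, p in seen.items() if len(p) > max_records}


def after_hours_access(entries, start_hour=7, end_hour=19):
    """Count of RECORD_VIEW events per user outside [start_hour, end_hour)."""
    counts = defaultdict(int)
    for e in entries:
        if e["event"] == "RECORD_VIEW" and not (start_hour <= e["time"].hour < end_hour):
            counts[e["user"]] += 1
    return dict(counts)


def review(text=SAMPLE_LOG):
    """Run all three checks and return the findings keyed by check name."""
    entries = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(entries),
        "high_volume_record_access": high_volume_record_access(entries),
        "after_hours_access": after_hours_access(entries),
    }


if __name__ == "__main__":
    for finding, detail in review().items():
        print(f"{finding}: {detail or 'none'}")
```

On the constructed log this reports mlee for five failed logins within ten minutes, and rpatel both for viewing twelve distinct records and for doing so after hours. The thresholds are deliberately parameters: the point of a documented review process is that the values chosen, and why, are written down and revisited, which is also what an auditor asks to see.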

ADMINISTRATIVE SAFEGUARDS (slide 11)
- Contingency Plan
  - Policies for emergency situations that damage systems containing ePHI
  - Data backup plan
  - Disaster recovery plan
  - Protection of ePHI during emergency mode
  - Testing and revision of contingency plans (Addressable)
  - Applications and data criticality analysis (Addressable)
- Periodic Security Evaluations
  - Periodic evaluation of compliance with the Security Rule

PHYSICAL SAFEGUARDS (slide 12)
- Facility Access Controls
  - Limit physical access to ePHI systems
  - Contingency operations (Addressable)
  - Facility security plan (Addressable): safeguard from unauthorized physical access, tampering, theft
  - Access control / validation procedures (Addressable): control and validate a person's access based on their role
  - Maintenance records (Addressable)
- Workstation Use and Security
  - Policies regarding use of workstations that can access ePHI
  - Physical safeguards for such workstations

PHYSICAL SAFEGUARDS (slide 13)
- Device and Media Controls
  - Disposal of ePHI and hardware or media containing ePHI
  - Removal of ePHI before reusing hardware or electronic media
  - Tracking movements and possession of hardware and electronic media (Addressable)
  - Data backup and storage before moving equipment (Addressable)

TECHNICAL SAFEGUARDS (slide 14)
- Access Control
  - Unique user IDs
  - Emergency access procedures
  - Automatic logoff (Addressable)
  - Encryption / decryption (Addressable)
- Audit Controls
  - Record / examine activity on systems containing ePHI
- Integrity of ePHI
  - Protect from improper alteration or destruction
  - Authentication of ePHI (Addressable)
- Authentication
  - Verify the person / entity attempting to access ePHI
- Transmission Security
  - Integrity controls (Addressable)
  - Encryption (Addressable)
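The audit-control and integrity standards on slide 14 come down to being able to show, after the fact, who did what to ePHI and that the record of it has not itself been altered or destroyed. As an added example (not code from the presentation or its author), the Python code below chains each audit record to the previous one with an HMAC, so that rewriting or deleting a stored record is caught when the chain is verified. The key, the record fields, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real deployment keeps this in a
# key-management system, never in source code or next to the log it protects.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64  # chain anchor used for the very first record


def _tag(prev_tag, record, key):
    """HMAC-SHA256 over the previous tag plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_record(log, record, key=AUDIT_KEY):
    """Append an audit record, binding it to whatever record came before it."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    log.append({"record": record, "prev": prev_tag, "tag": _tag(prev_tag, record, key)})
    return log


def verify_chain(log, key=AUDIT_KEY):
    """Return (True, None) if every record is intact and in its original order,
    otherwise (False, index) for the first record that fails verification."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _tag(prev_tag, entry["record"], key)
        if entry["prev"] != prev_tag or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_sample_log():
    """Three constructed access events (not real ePHI)."""
    log = []
    for rec in (
        {"ts": "2016-02-10T08:05:40", "user": "jsmith", "action": "RECORD_VIEW", "patient": "P1001"},
        {"ts": "2016-02-10T08:09:12", "user": "jsmith", "action": "RECORD_UPDATE", "patient": "P1001"},
        {"ts": "2016-02-10T09:20:01", "user": "mlee", "action": "RECORD_VIEW", "patient": "P1002"},
    ):
        append_record(log, rec)
    return log


def alteration_demo():
    """Rewriting a stored record (here, who performed the update) is detected."""
    log = build_sample_log()
    log[1]["record"]["user"] = "someone_else"
    return verify_chain(log)


def deletion_demo():
    """Removing a record from the middle breaks the link held by its successor."""
    log = build_sample_log()
    del log[1]
    return verify_chain(log)


if __name__ == "__main__":
    print("intact log:", verify_chain(build_sample_log()))
    print("altered record:", alteration_demo())
    print("deleted record:", deletion_demo())
```

Two limits worth knowing when relying on a scheme like this: the chain cannot notice records cut off the end unless the latest tag (or record count) is also stored somewhere the log writer cannot reach, and anyone holding the key can rebuild a consistent chain, so the key must not be available to the accounts whose activity the log records.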

BREACHES TRIGGER INVESTIGATIONS (and Other Ways HIPAA Is Enforced) (slide 15)

ENFORCEMENT OF HIPAA (slide 16)
- Employer reports breach affecting over 500 individuals: HHS investigates
- Employee complains to HHS: HHS investigates
- HHS conducts random audit
- State attorney general files civil action on behalf of state residents
- Criminal penalties for knowing violations

HHS INVESTIGATION (slide 17)
- HHS notified:
  - within 60 days of any breach affecting 500 or more individuals in a state or jurisdiction, and
  - annually of breaches affecting fewer individuals
- HHS investigation triggered by:
  - breach notifications
  - employee complaints to HHS
- If investigation shows HIPAA compliance efforts are lacking, HHS may require a resolution agreement to resolve the violations
  - Over 20 resolution agreements (which are public) with covered entities
  - Resolution agreements include: payment of a settlement amount; compliance with a corrective action plan

CIVIL PENALTIES (slide 18)

  Knowledge or intent of violation                                    | Amount per violation
  --------------------------------------------------------------------|---------------------
  Did not know, and by exercising reasonable diligence would not have | $100 - $50,000
  known, that it violated HIPAA                                       |
  Due to reasonable cause and not willful neglect                     | $1,000 - $50,000
  Due to willful neglect, corrected within 30 days                    | $10,000 - $50,000
  Due to willful neglect, not corrected within 30 days                | $50,000

- Up to $1,500,000 for identical violations in a calendar year
- For continuing violations, a separate violation occurs each day the health plan is in violation of the provision
- No penalty if the violation was not due to willful neglect and was corrected within 30 days, or to the extent the penalty would be excessive relative to the violation
- HHS has 6 years to assess a penalty
- HHS can settle for a reduced penalty through a resolution agreement

HHS CORRECTIVE ACTION PLAN (slide 19)
- Risk Assessment and Risk Management Program
- Policies and Procedures
  - Submit P&P to HHS for approval
  - Make changes to P&P requested by HHS
  - Distribute HHS-approved P&P to employees who will have access to PHI
  - Obtain employee certifications that they received, understand, and will abide by the P&P
  - Ensure employee cannot access PHI until certification received
  - Update P&P at least annually
- Training
  - Train all employees with access to PHI on HHS-approved P&P
  - Obtain employee certifications that they received the training
  - Ensure employee cannot access PHI until certification received
  - Update training at least annually
  - May also require annual refresher training

HHS CORRECTIVE ACTION PLAN (slide 20)
- Ongoing Monitoring of HIPAA Compliance
  - Privacy Officer or independent monitor
  - Quarterly / semi-annual review may include:
    - Assessment of compliance with the corrective action plan
    - Random sampling of employees to assess familiarity and compliance with HIPAA P&P
    - Audit of persons having access to ePHI
    - Audit of how ePHI on portable devices is secured
- Additional Reporting to HHS
  - Must report to HHS within 30 days any time an employee violates any HIPAA policy or procedure
  - Annual / biannual report:
    - Copies of all training materials
    - Schedule of training topics covered and length of each session
    - Attestation by Privacy Officer that all employee certifications have been obtained

HHS AUDITS (slide 21)
- HITECH requires HHS to perform periodic audits of compliance with the HIPAA Privacy, Security, and Breach Notification Rules
- Pilot Audit Program
  - In 2011 and 2012, 115 covered entities (47 health plans) audited under the pilot audit program
- Types of Violations
  - Only 11% had no violations
  - Smallest covered entities struggled with all three HIPAA components
  - 60% of all violations were security related
    - 2/3: incomplete or inaccurate risk assessment
  - Privacy Rule violations
    - 44%: uses and disclosures
    - 20%: notice of privacy practices
  - Only 10% of violations were breach related

HHS AUDITS (slide 22)
- Causes of Violations
  - Unaware of requirement
    - Privacy Rule (35%): notice of privacy practices; access of individuals; minimum necessary; authorizations
    - Security Rule (27%): risk analysis; media movement and disposal; audit controls and monitoring
    - Breach Notification (12%)
  - Insufficient resources
  - Incomplete implementation

HHS AUDITS (slide 23)
- Second Round of Audits Beginning in 2016
- Focus on:
  - risk analysis and risk management (the Security Rule)
  - content and timeliness of breach notifications (the Breach Notification Rule)
  - notice of privacy practices and access rights (the Privacy Rule)
- Comprehensive audit protocol available: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
- Documents and information submitted may be subject to FOIA requests
  - Label "Confidential", redact, on-site review of highly sensitive documents

ATTORNEY GENERAL SUITS / CRIMINAL PENALTIES (slide 24)
- Lawsuits
  - HITECH gave State Attorneys General the authority to bring civil actions and obtain damages on behalf of state residents for HIPAA violations
  - Connecticut, Vermont, Massachusetts, Minnesota
  - Damages = $100 per violation
- Criminal Penalties
  - Criminal actions can be brought against any individual who wrongfully discloses PHI
  - $50,000 fine and one year in prison for a knowing violation
  - Up to a $250,000 fine and 10 years in prison if the violation was committed for personal gain or maliciously

HHS INVESTIGATION EXAMPLES (slide 25)

HHS INVESTIGATION EXAMPLES: Leased Copy Machine (slide 26)
- Affinity Health Plan, a not-for-profit managed care plan, impermissibly disclosed PHI when it returned copy machines to a leasing company without erasing the data contained on the copiers' hard drives. Up to 344,579 individuals may have been affected.
- Affinity also failed to include the leased copy machines in its HIPAA security risk assessment and failed to implement policies and procedures when returning the copiers to the leasing company.
- Settlement: $1,215,780 and a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

HHS INVESTIGATION EXAMPLES: Stolen Unencrypted Laptop (slide 27)
- Concentra reported an unencrypted laptop containing ePHI was stolen.
- Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets, and other devices containing ePHI was a critical risk.
- Although steps were taken to begin encryption, HHS found Concentra's efforts were incomplete and inconsistent over time, leaving patient ePHI vulnerable throughout the organization.
- HHS further found Concentra had insufficient security management processes in place to safeguard patient information.
- Settlement: $1,725,220 and a corrective action plan.

HHS INVESTIGATION EXAMPLES: Unpatched Software (slide 28)
- Anchorage Community Mental Health Services (ACMHS) reported a breach affecting 2,743 individuals due to malware.
- ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed.
- HHS found the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.
- "Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
- Settlement: $150,000 and a corrective action plan that requires ACMHS to report on the state of its compliance to HHS for a two-year period.

EMPLOYER RESPONSES (slide 29)

FULLY-INSURED PLANS (slide 30)
- HIPAA
  - Employer's group health plan (i.e., as an entity separate from the insurance policy issuer) is also a covered entity subject to HIPAA breach notification requirements
  - Plan could be liable if notifications are not made by the insurer
  - Written confirmation from insurer that it will comply with any HIPAA breach notification requirements in accordance with HIPAA
  - Evidence from insurer that all required notifications were properly made
  - Document the incident in accordance with HIPAA breach policies and procedures
- State Law
  - Receive written confirmation from the insurer that it will:
    - analyze what state law notification requirements apply to the employer
    - send all notifications required under state law in accordance with state law on the employer's behalf
  - Request evidence from the insurer that all required notifications were properly made

SELF-FUNDED PLANS (slide 31)
- HIPAA
  - Review HIPAA business associate agreements (BAAs) to determine if the plan has delegated responsibility to:
    - Determine whether a breach under HIPAA occurred
    - Make any and all required notifications under HIPAA in accordance with HIPAA
  - Request documentation of the risk assessment, copies of notifications, and evidence that required notifications were made
  - Document the incident in accordance with HIPAA breach policies and procedures
- State Law
  - Receive written confirmation from the business associate that it will:
    - analyze what state law notification requirements apply to the employer
    - send all notifications required under state law in accordance with state law on the employer's behalf
  - Request evidence from the insurer that all required notifications were properly made

CONTROLLING RISK UNDER HIPAA: HIPAA Policies Aren't Just Ugly Paper-Weights (slide 32)

CONTROLLING RISK (slide 33)
- Controlling Risk = reducing the likelihood of:
  - Data breach
  - Penalties during HHS audit or investigation
- HIPAA Policies and Procedures
  - For privacy and security
  - Compliant and up-to-date (final omnibus HIPAA regulations)
- Notice of Privacy Practices
  - Up-to-date
  - Accurately reflects how the health plan uses and discloses PHI
  - Distributed in the time and manner required by HIPAA
- Business Associate Agreements
  - Revised for the final omnibus HIPAA regulations
  - Adequate indemnification provisions (or in the services agreement)
  - Reflect employer's intentions regarding delegation of breach notification responsibilities. BAAs are not boilerplate documents

CONTROLLING RISK (slide 34)
- Risk Assessment and Risk Management Plan
  - Perform a security risk assessment
  - Coordinate with IT department
  - Implement risk management plan
  - Federal government risk assessment tool: http://www.healthit.gov/providers-professionals/security-risk-assessment
- Training
  - All members of the workforce who may have access to PHI
  - How to handle PHI, especially minimum necessary and portable devices
- Insurance Coverage
  - Adequate insurance coverage to cover losses from cyber-attacks and HIPAA violations

QUESTIONS?