Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes

Transcription

1 Watch the Replay Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes FairWarning Executive Webinar Series May 20, 2014 #AnytimeAudit

2 Today s Panel Laura E. Rosas, JD, MPH Senior Advisor Office of the Chief Privacy Officer, Office of the National Coordinator for HIT United States Dept. of Health and Human Services Kurt Long FairWarning Founder and CEO Office: (727) Kurt@FairWarning.com

3 Agenda ONC Goal: Inspire Confidence and Trust Health Information Breaches Enforcement Highlights Privacy and Security Tools and Resources Escalating Threat Levels in Healthcare OCR HIPAA Audit Findings Building Trust into Healthcare s Future

4 Laura Rosas, JD, MPH Senior Adviser Office of the Chief Privacy Officer Privacy and Security Tools and Resources

5 Privacy and Security: A Shared Responsibility 5

6 HITPC s Privacy & Security Tiger Team Advises ONC

7 Privacy & Security Tiger Team Recommendations to Date

8 ONC Goal: Inspire Confidence and Trust

9 Our Challenge: Breaches of Health Information by Type of Breach Top Types of Breaches 51% - Theft 21% - Unauthorized Access / Disclosure 13% - Loss Source: HHS Office of Civil Rights: October 2012

10 Our Challenge: Breaches of Health Information by Location of Breach Top Locations of Breaches 23% - Laptops 23% - Paper Records 15% - Desktop Computers 14% - Portable Electronic Devices Source: HHS Office of Civil Rights: October 2012

11 Enforcement Highlights Continued focus on Security Rule compliance Affinity Health Plan over $1.2 million ephi left on photocopier drives Wellpoint - $1.7 million Faulty testing of programming updates left information accessible on web portal Idaho State University -- $400,000 Privacy Disabled firewall exposed ephi to breach Shasta Regional Medical Center -- $275,000 Patient medical records shared with media

12 Mobile Devices: Tips to Protect and Secure Health Information Use a password or other user authentication. Keep security software up to date. Install and enable encryption. Install and activate wiping and/or remote disabling. Disable and do not install file- sharing applications. Install and enable a firewall. Install and enable security software. Research mobile applications (apps) before downloading. Maintain physical control of your mobile device. Use adequate security to send or receive health information over public Wi-Fi networks. Delete all stored health information before discarding or reusing the mobile device.

13 OCR s YouTube Videos Your New Rights Under HIPAA 264,157 Views Your Health Information, Your Rights 113,307 Views The Right to Access Your Health Information 84,421 Views EHRs: Privacy and Security 5,300 Views Explaining the Notice of Privacy Practices 124,705 Views The HIPAA Omnibus Rule 269,989 Views Su Informacion de Salud, Sus Derechos 503,831 Views Treatment, Payment and Health Care Operations 77,811 Views Communicating with Friends And Family 97,247 Views HIPAA Security Rule 290,615 Views

14 Protecting Patients Rights: New OCR Resource Center at Medscape.org Video Programs module imbedded into page for dynamic interest OCR Educational Links, Including Mobile Device Content HIPAA/OCR Poll Question Updated Quarterly

15 Cybersecure: Contingency Planning The latest training game focuses on disaster planning, data backup and recovery and other elements of contingency planning.

16 Models of Notice of Privacy Practices The Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) collaborated to develop model NPPs for covered entities to use: One set for health plans One set for health care providers

17 Types of Notices Available Booklet Presents the material in booklet form with design elements Layered Notice Presents a summary of the information on the first page, followed by the full content on the following pages 3. Full Page Has the design elements found in the booklet, but is formatted for full page presentation 4. Text Only Provides a text-only version of the notice

18 Meaningful Consent Website Geared toward providers, health information exchange organizations (HIEs), and other health IT implementers Gives background on meaningful consent and ONC s econsent Trial Project Provides customizable tools and resources to help you enable patients to make meaningful consent decisions

19 Security Risk Assessment Tool Downloadable Risk Assessment Tool designed to guide providers through the Risk Assessment process. The tool includes resources to understand the context of the question, examples of potential impacts to PHI if requirements aren't met, and includes actual safeguard language from the HIPAA Security Rule

20 Security Risk Assessment Tool

21 We re All In This Together

22 Download the Full Infographic Today!

23 Kurt Long FairWarning Founder and CEO Office of the National Coordinator for Health Information Technology

24 Excerpt from Oath of Hippocrates, 4th Century, B.C.E. All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal. Hippocratic Oath

25 Source: ID Theft Center Escalating Threat Levels in Healthcare

26 Healthcare Fraud and Organized Crime HHS OIG Fraud Fugitive List, Estimated $ 100 B of Fraud / Year 25% use Identity Theft of Patient, Physicians in Fraud Operations OIG Fugitive Profiles at hhs.oig.gov, Stolen Identity with insurance info $20; credit card info $1-2 (Dell SecureWorks), IRS Tax Fraud Identity Theft #1 of Dirty Dozen Dirty Dozen Tax Scams, irs.gov, Healthcare Specific Alerts, irs.gov,

27 Scaling a Criminal Enterprise International Crime Ring: over $100 MM in Fraudulent Claims Read the DOJ Indictment

28 Responding to Escalating Threats IRS Tax Fraud Sale of Patient and Physician Information to Crime Rings Medical & Financial ID Theft Lost laptops, media, paper records Snooping 1 Patient Complaints

29 OCR HIPAA Audit Findings: Security Area 58 of 59 providers had at least one Security finding or observation No complete & accurate risk assessment in two thirds of entities 47 of 59 providers (80%), 20 out of 35 health plans and 2 out of 7 clearinghouses Security addressable implementation specifications: Almost every entity without a finding or observation met by fully implementing the addressable specification. Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis, Presentation to IAPP Global Privacy Summit March 7, 2013,

30 OCR HIPAA Audit Findings: Security Area Total Audit Findings and Observations by Area of Focus and Entity Type Contingency Planning & Backups Audit Controls & Monitoring Access Management Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis, Presentation to IAPP Global Privacy Summit March 7, 2013,

31 Escalating Expertise Required Pre-2009 (HITECH) Global Investigations Partial FTE Expertise Gap -Removal of Harm Standard -New Reporting & Notification Requirements 2013/2014 (Post-HIPAA Omnibus) Security Incident Management Advanced Analytics, Filtering Proactive Alerts Global Investigations Security, Forensics & Compliance Expertise OCR Audit Experience Clinical Data & Workflow Expertise Investigations & Security Skills

32 Audit Preparation Resources Survey Results of Privacy & Compliance Teams, May 2014

33 Upcoming OCR HIPAA Audits: An opportunity to improve information security risk posture Risk assessment Build a plan to address deficiencies Gain executive support through business-case driven justification Raise awareness of increasing threat levels & regulatory consequences using public anecdotes & statistics Staffing, training & contingency plans for expertise shortcomings

34 Collaboration for Patients Sake FairWarning and our customers envision a healthcare industry in which patients confidently share their sensitive medical details to receive the best care possible without regard to privacy concerns.

35 Next Steps ONC Security Risk Assessment Tool For more information, please HIPAA Audits: Round 2 Details Revealed (referenced during Q&A session) A pdf copy of this presentation and the embedded links will be distributed after the event

36 Questions? Laura E. Rosas, JD, MPH Senior Advisor Office of the Chief Privacy Officer, Office of the National Coordinator for HIT United States Dept. of Health and Human Services Kurt Long FairWarning Founder and CEO Office: (727)

37 Questions/Answers Questions Answers If an OCR audit asks to see a list of our BA's, can the tool not provide this info? Other than what s listed in the notes section. The tool allows you to list all of your Business Associates, their address and the contact person in your organization for that BA. All of this information will be printed out in the report, which the organization can then provide to an auditor. Are there more reports we can get from the security risk assessment? i.e. summary reports; detailed as to who the responsible party is for completion of the remediation? You can provide as much detail as you need to in the Tool For example, you can put down the remediation activity, and the tool include that in the report. Also, as the report can be exported into an Excel format, you can add columns if needed. We have received some requests for more columns in the reporting feature. We encourage users to add these requests to so that we can compile and prioritize.

38 Questions/Answers Questions Will OCR be providing guidance on patient privacy monitoring strategies? Where does the OCR stand right now on the accounting of disclosures report? Ms. Rosas mentioned that the security risk assessment tool she reviewed with the participants was primarily for smaller practices. Is there any reason why a hospital could not use the tool as well? Answers The tool was designed for practices with 1-10 providers (not including support staff etc), community health centers and similar organizations. There is a NIST SCAP tool that was designed by OCR and NIST for larger organizations that was developed for larger organizations and is also free from their website, please see You may want to look at both tools and perform an analysis as to which best fits your organization. Also, as more hospital systems are integrating practices into their organization either financially or electronically or both, these smaller organizations are often least prepared for data sharing and HIE, especially when considering ACOs and other payment models. Encouraging or requiring these organizations that are being vertically or horizontally integrated to perform an indepth risk assessment is a critical step in avoiding breaches, and the SRA tool can be an effective means of moving those practices to develop the policies, procedures, practices and habits that can secure the ecosystem s data.

39 Questions/Answers Questions Are there any only privacy risk assessment tools that can allow entities to evaluate their compliance under HIPAA Privacy? So who is the keeper of the information gleaned from the risk assessment and how is it used? Answers There are vendors that have developed Privacy Risk Assessments, we have also received requests to incorporate privacy into the current Tool. If this is a priority for users, please provide comments in the comments section as and we will consider adding a privacy risk assessment piece. The tool is available in two versions, a windows version from our website or an ipad version from the App Store. Once it is downloaded in either format, the user is responsible for saving it locally to either a device or server. None of the information is received, transmitted or stored at healthit.gov, or the US Dept. of Health and Human Services or any other governmental agency. This does mean that the user bears the risk for safeguarding the information, backing it up etc.