Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Size: px
Start display at page:

Download "Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits"

Transcription

1 HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE) and Business Associate (BA) CE includes Health care providers who conduct certain standard administrative and financial transactions in electronic form, including doctors, clinics, hospitals, nursing home and pharmacies. Health plans. Health care clearinghouses 1

2 Who Must Comply with HIPAA Rules? Continued BA includes A person or entity, other than a workforce member, who performs certain functions or activities on your behalf, or provides certain services to or for you, when the services involve the access to, or the use or disclosure of, PHI. What constitutes PHI? HIPAA provides a list of 18 identifiers that constitute PHI. Any one of these identifiers in a dataset that could reasonably be used to identify an individual is considered PHI. You must= What is a Breach? Final rule defines breach to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. 2

3 New - Breach Risk Assessment An acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least four factors Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mitigated Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mitigated Was PHI unsecured? Was PHI more than the minimum? Does the breach pose significant risk of compromise? Did improper use/disclosure only include name? 3

4 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mitigated To whom was the information disclosed (or made accessible)? Who misused the information? What information was it? And how much PHI was involved? Was the access or disclosure intentional for self-serving, malicious, or harmful reasons? Did the violation involve: Covered entity Another patient Non-covered entity/business Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mitigated For example: If a laptop was stolen and later recovered and a forensic analysis shows that the PHI on the computer was never compromised, then probability of low risk In contrast, if envelopes were improperly labeled and PHI was mailed out to the wrong recipients then we can assume that the likelihood of it being viewed is high Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mitigated What was done to mitigate the potential harm? Were immediate steps taken to mitigate the risk? Not further used or disclosed Immediately destroyed Immediately returned 4

5 Exclusions to Breach Unintentional disclosure- Applies to workforce members and BAs acting under CE Made in good faith and under the scope of authority No further disclosures made Inadvertent disclosure- Authorized individuals at CE or BA to another Person or entity covered by the BA No further disclosures made Good Faith Belief- that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. Real Life Examples Employee leaves USB flash drive in their car Dermatology Office Thief breaks into vehicle and takes the flash drive It was never recovered. 5

6 Dermatology Office OCR investigated to find Practice had not completed a thorough security risk analysis ~2,200 individual records on the flash drive No policies and procedures surrounding breach notification Along with a corrective action plan this practice settled with OCR on a $150,000 CMP Office for Civil Rights Radiation Oncology Practice Employee laptop was stolen from car PHI on the laptop was unencrypted 55,000 individual records in all Radiation Oncology Practice OCR investigated to find Practice had not completed a thorough security risk analysis Policies and procedures did not exist for taking hardware and disks containing PHI out of the office Along with a corrective action plan this practice settled with OCR on a $750,000 CMP Office for Civil Rights 6

7 Managed Care Organization Uses a technology company to lease business equipment Return a leased copy machine CBS Evening News was doing a report on data left on copiers Managed Care Organization OCR investigated to find Practice had not completed a thorough security risk analysis No policies and procedures surrounding leased equipment Individual at 344,579 Along with a corrective action plan this MCO settled with OCR on a $1,215,780 CMP Office for Civil Rights Used an internet-based document sharing application to store PHI PHI was unsecured Along with a stolen laptop and USB flash drive the following year Devices contained unencrypted PHI Medical Center 7

8 Managed Care Organization OCR investigated to find Did not complete a risk analysis for storing data on a cloud source Disclosed 1,093 individuals PHI Failed to timely respond to the security incident Along with a corrective action plan this Medical Center settled with OCR on a $218,400 CMP Office for Civil Rights Breach Breakdown Breach Breakdown How do you avoid this list? 8

9 Security Risk Analysis Meaningful Use Objective Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of risk management process What is a Risk Analysis? Systematic and ongoing process of: Identifying and examining potential threats and vulnerability to PHI Implementing changes to make PHI more secure, then monitoring results Process should provide detailed understanding of risk to: confidentiality, integrity, and availability of ephi 9

10 Why Conduct a Risk Analysis? Required component of Meaningful Use & HIPAA Identify non-compliance of HIPAA and other rules and regulations Identify threats and vulnerabilities Identify weaknesses that could result in unauthorized disclosures or breaches Improve processes when handling PHI Step 1: System Characterization Risk Analysis Steps Step 2: Threat Identification Step 3: Vulnerability Identification Step 4: Control Analysis Step 5: Likelihood Determination Step 6: Impact Analysis Step 7: Risk Determination Step 8: Control Recommendations Step 9: Results Documentation Step 1: System Characterization Identifies which information assets need protection based on criticality to the business and/or because ephi is processed, transmitted, or stored on the system 10

11 Step 2: Threat Identification Threat = Any potential event that can adversely impact organizational operations and assets involving protected health information Maintain, Transmit, Process, Access Consider realistic, probable human, environmental, and natural incidents that can have a negative impact on an organizations ability to protect ephi Step 3: Vulnerability Identification Vulnerability = Flaws or weaknesses in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. Develop a list of vulnerabilities Focus on areas where ephi can be disclosed without proper authorization, improperly modified, or made unavailable when needed. Step 4: Control Analysis Determine if the implemented or planned security controls will minimize or eliminate risks to ephi 11

12 Step 5: Likelihood Determination Evaluate the likelihood/probability of a threat occurring that can cause or trigger an adverse event Step 6: Impact Analysis Evaluate the impact/effect that an adverse event would have on an organization if a vulnerability were exploited Step 7: Risk Determination Risk = The potential impact that a given threat will exploit the vulnerabilities of assets (such as an information system) and thereby cause harm to an organization. Assess level of risk to the organization Risk is based off of values assigned to the likelihood and impact of a threat occurrence 12

13 Step 8: Control Recommendations For identified vulnerabilities, evaluate what needs to be done to reduce the level of risk to the IT system and its data to an acceptable level Step 9: Results Documentation Results Documentation is critical in proving that the risk analysis was performed. The HIPAA Security Rule does not specify the type of documentation required. HIPAA requires documentation of the risk analysis to be retained for six years. OCR HIPAA Audits 13

14 OCR Audits In addition to Meaningful Use Audits, you may also be audited by the Office of Civil Rights (OCR) for HIPAA compliance HITECH Act requires HHS to conduct periodic audits to ensure covered entities and business associates are meeting HIPAA compliance requirements Office for Civil Rights Pilot audit program completed Dec initial audits OCR Audits Audits concentrate on adherence to three rules: HIPAA Privacy Rule Security Rule Breach Notification Rule Office for Civil Rights Why Care About OCR Audit? Federal mandate Federal penalties (up to $1.5 million) State fines Reputation risk Business risk Legal costs Notification costs Increased number of breaches/attacks Loss of contracts Criminal and civil investigation 14

15 OCR Audit Protocol 169 total audit procedures 81 privacy audit procedures 78 security audit procedures 10 breach notification procedures Auditee Selection Criteria Covered entities of all sizes and types: Healthcare Providers Healthcare Plans Healthcare Clearinghouses Business Associates (subject to audits as of 2013) Random selection based on multiple factors: Public vs. Private Size (level of revenues/assets, # of patients/employees, use of HIT) Affiliation with other healthcare organizations Geography Type of entity and relationship to patient care Types of Entities Level 1 Level 2 Level 3 Level 4 Large provider/payer Use of HIT: extensive Revenues and/or assets greater than $1 billion Large regional hospital systems Paper and HIT enabled work flows Revenues/assets between $300 and $1 billion Community hospitals, outpatient surgery, regional pharmacy Use of HIT: mostly paper-based Revenues between $50 and $300 million Small providers: provider practices, community/rural pharmacy Use of HIT: little or none Revenues < $50 million 15

16 Pilot Program: Entity Size & Type Level 1 Level 2 Level 3 Level 4 Total Health Plans Healthcare Providers Healthcare Clearinghouses Total Pilot Program: Findings HIPAA Rule Most Cited in Findings Pilot Program: Findings Types of Security Rule Findings 16

17 Pilot Program: Findings Breach Notification: 500+ Breaches by Type Civil Monetary Penalties (CMPs) Violation Category Each Violation All Identical Violations per Calendar Year Did Not Know $100-$50,000 $1,500,000 Reasonable Cause $1,000-$50,000 $1,500,000 Willful Neglect- Corrected $10,000-$50,000 $1,500,000 Willful Neglect- Not Corrected $50,000 $1,500,000 HIPAA Compliance/Enforcement *As of May 2015 Audit fines could result in $50,000 per violation and up to $1.5 million per violation of an identical provision in a single calendar year. 1 in 3 HIPAA complaints were investigated by the Office of Civil Rights (OCR). 1 in 5 breaches were due to unauthorized access and theft or loss of encrypted devices million patient health records have been compromised in HIPAA data breaches since

18 What Now?? In 2013, OIG criticized OCR s enforcement of the HIPAA Security Rule as mandated by HITECH Business Associates will be subject to audits OCR received permission to use collected CMPs to increase enforcement efforts 2015 Audits Common Audit Mistakes Failure to keep up with regulatory requirements No documented security program A reactive approach to audit Assumptions regarding business associates agreements A checkbox approach to compliance Are You Prepared? Deven McGraw, OCR Director Expects complaints to increase 90% in 2015 New Complaint Portal When asked about common mistakes by CEs: failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis (OCR) will leverage more civil penalties in

19 Kentucky REC Can Help! Kentucky REC offers the following services performed by AHIMA Certified HIPAA Privacy & Security professionals: Security Risk Analysis addressing HITECH requirements for Meaningful Use Review of Administrative, Technical & Physical safeguards Remediation plan and timeline to eliminate or mitigate identified gaps HIPAA compliant sample policies Breach Notification 19

HIPAA Breaches, Security Risk Analysis, and Audits

HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC What cons?tutes PHI? HIPAA provides a list of 18 iden?fiers that cons?tute PHI. Any one of these iden?fiers

More information

2012 HIPAA Privacy and Security Audits

2012 HIPAA Privacy and Security Audits Office of the Secretary Office for Civil Rights (OCR) 2012 HIPAA Privacy and Security Audits Linda Sanches OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits OCR 1 Agenda Background

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15 Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension

More information

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

OCR Reports on the Enforcement. Learning Objectives

OCR Reports on the Enforcement. Learning Objectives OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

OCR Update. HIPAA Summit West September 20, Michael F. Kruley and Michael Leoz HHS Office for Civil Rights

OCR Update. HIPAA Summit West September 20, Michael F. Kruley and Michael Leoz HHS Office for Civil Rights Office of the Secretary Office for Civil Rights () Update HIPAA Summit West September 20, 2011 Michael F. Kruley and Michael Leoz HHS Office for Civil Rights REGULATORY STATUS Status of Regulatory Activities

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013 Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Update Focus on Breach Prevention

HIPAA Update Focus on Breach Prevention HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process

More information

What do you need to know?

What do you need to know? What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

OCR Reports on the Enforcement

OCR Reports on the Enforcement OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq. HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations Health Care Litigation Webinar Series March 22, 2012 Spence Pryor Paula Stannard Jason Popp 1 HIPAA/HITECH

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

INTRODUCTION TO HIPAA COMPLIANCE UNDERSTAND YOUR PATHWAY TO HIPAA COMPLIANCE

INTRODUCTION TO HIPAA COMPLIANCE UNDERSTAND YOUR PATHWAY TO HIPAA COMPLIANCE INTRODUCTION TO HIPAA COMPLIANCE UNDERSTAND YOUR PATHWAY TO HIPAA COMPLIANCE INTRODUCTION TO HIPAA COMPLIANCE 2 ABOUT HIPAA COMPLIANCE Health Insurance Portability and Accountability Act (HIPAA) compliance

More information

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014 HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014 Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

5/17/ HIPAA Privacy and Security OCR Audits

5/17/ HIPAA Privacy and Security OCR Audits 2012 HIPAA Privacy and Security OCR Audits Michael D. Ebert Partner, KPMG National HIPAA Services Leader Jaime S. Pego Curcio Manager, KPMG National HIPAA Services Privacy Lead Linda Sanches OCR Senior

More information

Dissecting New HIPAA Rules and What Compliance Means For You

Dissecting New HIPAA Rules and What Compliance Means For You Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the

More information

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done? Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514

More information

11/5/2014 PRESENTER HIPAA OBJECTIVES PROTECTED HEALTH INFORMATION BREACH DEFINITION

11/5/2014 PRESENTER HIPAA OBJECTIVES PROTECTED HEALTH INFORMATION BREACH DEFINITION PRESENTER HIPAA BREACH: It s not a Matter of If, but WHEN Chrisann Lemery, MSE, RHIA, CHPS, FAHIMA Senior Health Solutions Consultant & Privacy Officer clemery@avastonetech.com Telephone: 608 449 7207

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015 This page left blank intentionally. Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved

More information

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared; Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

What You Need to Know About the New HIPAA Breach Notification Rule 1

What You Need to Know About the New HIPAA Breach Notification Rule 1 What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16 NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

More information

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists

Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists ONCE MORE UNTO THE BREACH, DEAR FRIENDS, ONCE MORE Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third Avenue, 16th Floor, New York,

More information

HIPAA WEBINAR HANDOUT

HIPAA WEBINAR HANDOUT HIPAA WEBINAR HANDOUT OCR Enforcement Tools Voluntary corrective action Resolution Agreement and Payment CMPs Referral to DOJ for criminal investigation Resolution Agreements Contract signed by HHS and

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire

More information

2013 HIPAA Updates and Required Changes. Session Objectives HIPAA HISTORY 9/5/2013

2013 HIPAA Updates and Required Changes. Session Objectives HIPAA HISTORY 9/5/2013 Recorded 2013 HIPAA Updates and Required Changes Presented to: American Academy of Audiology Tuesday, Page 0 Session Objectives At the end of this session, participant will be able to: Discuss the history

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C. HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

Responding to HIPAA Breaches

Responding to HIPAA Breaches Responding to HIPAA Breaches 11/06/2015 by Kim Stanger HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and

More information

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security

More information

HITECH Omnibus Overview of the Rule

HITECH Omnibus Overview of the Rule HITECH Omnibus Overview of the Rule June 14, 2013 OCR Representative: Rachel Seeger WEDI Representatives: Mark Cone and David Ginsberg WEDI SNIP Privacy & Security Workgroup 1 Overview of the Omnibus Final

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

HIPAA Privacy Summary Kelly McLendon, RHIA

HIPAA Privacy Summary Kelly McLendon, RHIA HIPAA Privacy Summary Kelly McLendon, RHIA This document is intended to summarize the latest HIPAA Privacy Rules in a format that is understandable by record managers and all of the stakeholders of protected

More information

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement

Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement Office of the Secretary Office for Civil Rights () Current Developments in Privacy and Security Rule Enforcement Michigan Medical Billers Association Andrew C. Kruley, J.D. Equal Opportunity Specialist

More information

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

Meaningful Use Security Risk Analysis: Do It Right and Retain Your Incentive

Meaningful Use Security Risk Analysis: Do It Right and Retain Your Incentive Meaningful Use Security Risk Analysis: Do It Right and Retain Your Incentive Introduction Adam Kehler, CISSP Privacy and Security Specialist PA REACH East & West akehler@wvmi.org Goals 1. Understand what

More information

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation WHY YOU NEED TO COMPLY. HIPAA UPDATE 2014: WHY AND HOW YOU MUS T C OMPL Y 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its longawaited Omnibus Rule 2 implementing regulations

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

B. For example, a health system could own a hospital, medical groups and DME supplier and designate them as an ACE.

B. For example, a health system could own a hospital, medical groups and DME supplier and designate them as an ACE. Kimberly Short Kirk and Brad Rostolsky I. HIPAA Implications of Physician-Hospital Integration As physicians and hospitals become increasing integrated, regulatory compliance is a key consideration. The

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

The HITECH Act: Protect Patients and Your Reputation

The HITECH Act: Protect Patients and Your Reputation The HITECH Act: Protect Patients and Your Reputation By: Donna Maassen Director of Compliance, and Privacy & Security Officer Extendicare Health Services, Inc. Table of Contents Executive Summary...3 The

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information OCTOBER 2013 PART 1 Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information Part 1: How HIPAA affects electronic transfer of protected health information It is difficult

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

Section 2: HIPAA and the HITECH Act

Section 2: HIPAA and the HITECH Act Section 2: HIPAA and the HITECH Act 1 Introduction to HIPAA and the HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics

More information

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

HIPAA Training for Providers

HIPAA Training for Providers HIPAA Training for Providers [Organization] [Date] What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, which became law on August 21, 1996. HIPAA is implemented

More information

HIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act

HIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act HIPAA Health Insurance Portability & Accountability Act This presentation and materials provided are for informational purposes only. Please seek legal advisor assistance when dealing with privacy and

More information