HIPAA Enforcement is Here

Transcription

1 HIPAA Enforcement is Here Risks and rewards for MSPs Cam Roberson Director, Reseller Channel Beachhead Solutions

2 THIS JUST IN History of HIPAA Security 1996 Congress Passes Health Insurance Portability and Accountability Act 2003 US Department of Health and Human Services (HHS) adopted HIPAA Privacy Rule, Security Rule and Enforcement Rules 2009 HITECH ACT and Interim Final Rule 2013 Omnibus Final Rule 2013 Office of Civil Rights owns enforcement of HIPAA 2015 HHS Inspector General Report OCR should strengthen oversight of CE s OCR is primarily reactive OCR must fully implement audit program 2015 OCR awards FCiFederal Audit Contract OCR Announces Phase 2 Audit Program

3 Enforcement of HIPAA Is Going To Heat Up General frustration with continued data breaches There is a revenue motivation Many agencies/firms are enabled & motivated to enforce HIPAA Health and Human Services (HHS) Office of Civil Rights (OCR) State Attorney s General Federal Trade Commission Private/contract auditors for Meaningful Use Incentive Payments Anyone can lodge a complaint Whistle blow Disgruntled employee Unhappy patient

4 Health Information, PHI and ephi? Health Information Any information created or received by health care provider, employer, life insurance company, school or university or health care clearinghouse and relates to a: person s past, present of future physical or mental health or condition Treatment provided to a person Payments made for healthcare Protected Health Information (PHI) Information that specifies or can be used to identify person Electronic Protected Health Information (ephi) That which is electronically stored & transmitted

5 HIPAA Covered Entity (CE) and Business Associate (BA) Defined The HIPAA CE includes: Healthplans, Healthcare Clearinghouses and Healthcare Providers who creates, handles and process ephi. The Business Associate (BA): Creates, receives, maintains, or transmits protected health information (ephi) on behalf of a covered entity or another business associate. no differentiation between Having Access To and Actually Accessing ephi MSPs are in most cases, BAs

6 Penalties for violations are significant HIPAA CE s and Business Associates can be fined Violations can result from audits, complaints (incl. breach)

7 HIPAA Breach Definition An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: 1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2. The unauthorized person who used the protected health information or to whom the disclosure was made; 3. Whether the protected health information was actually acquired or viewed; and 4. The extent to which the risk to the protected health information has been mitigated.

8 HIPAA Breach Notification Rule CE must provide written notification to affected individuals, the HHS and in some circumstances to the media CE must include toll-free number for 90 days When affecting >500 must provide notice to prominent media outlets in that jurisdiction (within 60 days) >500 will be recognized on HHS Wall of Shame

9 HHS Wall of Shame (3/31/16)

10 Required under HIPAA Security Rule HIPAA CEs Must Understand and Assess Security Risk with a Security Risk Assessment Collect, understand and document the risk to ephi Identify and document Threats: Vulnerabilities: Assess Current Security Measures Determine Likelihood of Potential Threats Document a List of Corrective Actions Review and Update (at least) Annually

11 Get Smart About HIPAA Gain HIPAA expertise yourself Beginning with yourself Self-service tools Hire or Resell HIPAA expertise HIPAA Secure Now, Clearwater Compliance,

12 HIPAA CEs Must Engage in a Business Associate Agreement (BAA) with their Business Associates HIPAA Requires that a covered entity obtain satisfactory assurances from its Business Associate that the BA will appropriately safeguard the protected Health Information it receives or creates on behalf of the CE. The satisfactory assurances must be in writing.

13 The MSP Paradox The HIPAA CE client or prospective client may be: Unaware of the HIPAA requirements Reluctant to implement HIPAA requirements Price sensitive, unwilling to spend the dough The MSP is: The technical advisor/consultant to the HIPAA CE A Business Associate subject to the same criteria as the HIPAA CE including: Making their client enforce a BAA with themselves

14 North Memorial Hospital (HIPAA CE) and Accretive Healthcare (BA) Accretive Medical Billing and Revenue Management Services Violation 2011, settlement & lawsuits continue Unencrypted laptop stolen from Accretive employee BAA was delayed 7 months OCR fines North Memorial $1.55 Accretive Heath FTC enforces audited IT Security Plan (independent party) Minn. State Attorney General files Fed lawsuit & fined $2.5M Precluded from doing business in the state for 2 years Was fired also by North Memorial

15 Private audits under CMS generate fines and revenue opportunities MSPs Client is HIPAA CE Received Meaningful use incentives payments from Medicare & Medicaid for EMR systems Under audit by private accountancy fined $19,800 for failure to have HIPAA Security Risk Assessment in place Our MSP provided this as part of their service

16 Even small CEs subject to stiff fines Hospice of North Idaho (Hayden Idaho) Annual sales between $500K - $1M 150 patients Unencrypted laptop stolen 441 records exposed Fine leveled by HHS; $50K 5-10% of annual revenue

17 Is Your Solution HIPAA-Compliant? There is no technology or vendor approval process The burden is on the HIPAA CE and BA NIST documents provide technical guidance NIST publication , Guide to Storage Encryption The appropriate encryption solution depends upon type of storage, amount of information, the environments where data is located and threats to be mitigated. Publications describes three types of encryption including full disk encryption, volume and virtual disk encryption and file/folder encryption. NIST publication Guidelines on Firewalls NIST publication Guidelines for Media Sanitation

18 HIPAA CEs can be a profitable opportunity Run, don t walk if HIPAA CE Prospect unwilling to comply or pay However Consider using FUD when talking to prospects An enlightened CE prospect will be profitable Comprehensive relationship Regular engagements More products and services As BA you ll also be HIPAA compliant and highly secure Your skills here will translate into industries with evertightening data security regulations There are tons of resources and you re in the most cooperative & helpful industry around