HIPAA Security Overview of the Regulations

Transcription

1 HIPAA Security Overview of the Regulations

2 Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since Prior to HRM Services, Ms. Drachenberg held management positions at PacifiCare Senior Horizons, a Medicare insurance company; Apex Learning, an online education company; Microsoft and the Food and Drug Administration. Ms. Drachenberg has over fifteen years experience in software development, online training, healthcare and regulatory affairs.

3 HIPAA Risk Management Based in Fayetteville, AR with offices in Texas, Utah and California Healthcare regulatory consulting since 2008; rebranded to focus exclusively on HIPAA Security in 2013 Assisted over 100 covered entities with HIPAA Security including: Sole providers Multi-specialty clinics Multi-location specialties Hospitals Pharmacies Team of experts in IT Security and HIPAA Security including staff credentialed in Systems Security Certified Practitioner (SSCP), Certified Ethical Hacker (CEH), and EC-Council Certified Security Analyst (ECSA)

4 Data Security Doing Business in 2014

5 Electronic Health Record Breach

6 Employee Theft: Accessing Electronic Health Record

7 Stolen Laptop

8 Viruses and Hackers

9 Data Security is a Concern for Everyone

10 40 Million Credit/Debit Cards & PINs

11 Importance of HIPAA Security Stolen Credit Card = 50 Medical Identity = $50 Provider Identity = $$$$ A stolen medical identity can be used to bill tens of thousands in fraudulent claims before anyone notices. Stolen provider identities can be used to file millions of fraudulent insurance claims.

12 HIPAA Privacy vs. Security Privacy Conversations Files in plain view Release of Info Security Electronic Data Accidental Loss Malicious Theft

13 HIPAA Omnibus Rule Background

14 2009 HITECH Act & 2010 Interim Rule In 2009 the HITECH Act was passed to encourage all healthcare providers to adopt Electronic Health Records (EHRs) through the EHR Incentive Program. To address concerns regarding privacy and security of switching to electronic records and sharing data electronically, Congress increased the enforcement and penalties for failing to protect electronic health information HIPAA Penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million. Violations can be assessed per patient record breached.

15 Final Rule Timeline 2013 HIPAA Omnibus Final Rule : Pilot audit program and breach investigations January 2013: Final Rule Published 180 Days to Comply: September 23, 2013 A few of the security changes in the HIPAA Omnibus Final Rule include: Business Associates can be held directly liable for breaches And a stricter definition of a breach and requirements for reporting breaches to OCR, patients and the media The Resource Guide includes a link to the HIPAA Omnibus Final Rule. This presentation focuses on the HIPAA Security Rule portion of the HIPAA Omnibus Final Rule

16 It s Not Too Late You need to start TODAY! Covered entities must be in compliance with the HIPAA Omnibus Final Rule by September 23, 2013, but just because you missed the date, doesn t mean it s too late to get into compliance. Remember: HIPAA Compliance Program takes time to implement Daily penalties can be applied Failure to start can lead to willful neglect penalties Ignoring it won t make it go away

17 Penalties, Breach Reporting & Enforcement

18 Up to $1.5 Million HIPAA Penalties Violation Minimum Penalty Maximum Penalty Individual did not know Reasonable cause Willful neglect (corrected) Willful neglect (not corrected) $100 per violation (Annual maximum $25,000 for repeat violations) $1,000 per violation (Annual maximum of $100,000 for repeat violations) $10,000 per violation (Annual maximum of $250,000 for repeat violations) $50,000 per violation (Annual maximum of $1.5 million) $50,000 per violation $1.5 million annual maximum $50,000 per violation $1.5 million annual maximum $50,000 per violation $1.5 million annual maximum $50,000 per violation $1.5 million annual maximum Maximum penalties are reserved for cases of willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply

19 Breach Examples Stolen Laptop: $1.5 Million Massachusetts Eye & Ear Associates ~3,000 records Stolen Laptop: $50k Idaho Hospice Less than 500 records Firewall: $400k Idaho State University No firewall for 10+ months

20 Breach Notification & Reporting Notification to Patients and Media Some states (such as Texas) have state-level reporting requirements and regulations. Notification must include: o What happened o Information breached o What individuals should do to protect themselves o Steps covered entity is doing to investigate Notified in writing, by first-class mail as soon as possible If over 500 individuals affected, notice must also be sent to the Media Notification to Secretary of HHS If more than 500 individuals affected, within 60 days If less than 500 individuals, reported at the end of the year

21 HHS Breach Report Website As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

22 Sample Patient Notification our office was the victim of an internet hacker complimentary one-year membership of Experian s ProtectMyID Alert

23 Audits Start FY 2014 HIPAA Compliance Audits What HHS/OCR Will Look For in HIPAA Compliance Audits Red Flags: Deficiency in Risk Analysis Data Encryption We will have a robust program focused on high-risk areas and one thing they can absolutely count on is the risk analysis ~ Leon Rodriguez Director, OCR

24 The [HITECH Act] gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules OCR developed HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules -HHS Press Release Other Investigations Breach Report Patient Complaint Enforcement Program You can watch the training videos here:

25 Complying with the HIPAA Security Rule

26 Reasonable Cause The amended definition of Reasonable Cause includes violations due to circumstances that: the covered entity should have known of the violation based on the exercise of ordinary business care and diligence the covered entity knows of a violation and lacks the conscious intent of willful neglect In order to demonstrate ordinary business care and diligence a covered entity must implement the current industry standards for the data security safeguards defined in the HIPAA Security Rule

27 Safeguards Safeguards are divided into 3 categories: Administrative, Technical & Physical. Below are a few of the 40+ safeguard sections. Administrative Risk Analysis Policies & Procedures Risk Management Plan User Training Technical Network/Firewall Passwords & Access Encryption Malware Protection Physical Locks Security System/Cameras Restricted Access The regulation (CFR) tells you what safeguards are needed. The National Institute of Standards and Technology (NIST) define the current standards for those safeguards.

28 Required v. Addressable If the specification is required it must be implemented. The concept of addressable implementation standard was developed to provide covered entities additional flexibility. Must do one of the following: Implement the addressable Security implementation standard Implement one or more alternative security measures to accomplish the same purpose Resources Not implement either addressable or alternative Must document decision based on risk analysis, risk mitigation strategy, what security measures are already in place and the cost of the implementation.

29 Have you: Review Your Compliance Assigned HIPAA Security Officer? Performed HIPAA Security Risk Analysis? Implemented Technical and Physical Safeguards? Implemented Administrative Safeguards? Policies & Procedures Contingency & Disaster Recovery Plan Incident Response Plan Staff Training Vetted Business Associates & Signed Agreements? Implemented Risk Management Plan?

30 Assessment Identify all of your systems and people that create, access, store and transmit Electronic Protected Health Information (EPHI). Computers o Servers o Workstations o Laptops o Tablets/mobile devices Storage/Media o External hard-drives o USB (thumb) drives o CD/DVD o Backups Printers/Faxes Software Network/Internet People Employees Contractors Business Associates

31 Risk Analysis Analyze Compliance Review all 40+ Safeguards Does it meet the NIST Standard? Is it required or addressable? Analyze Risk How likely is it to occur? Impact if it does occur? Level of Risk

32 Choose Safeguards Even Required safeguards my have several options for implementation that can affect cost and effort. Required o Administrative o Technical o Physical Addressable o Cost to implement standard o Other options for mitigation o Plan to manage risk if no safeguard is implemented

33 Implement Safeguards Administrative Policies and Procedures Workforce documentation and training Business Associates Physical Alarm system Metal keys/replace locks Technical Encryption Hardware and software Network configuration Document, document, document!

34 Risk Management Event Scheduled New Employee Terminate Employee Decommission Equipment Verify OS Updates Verify Anti-virus Scans Review network and application logs Document that you are staying in compliance with a comprehensive Risk Management Plan

35