Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Transcription

1 Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

2 Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA Secure Now!

3 Presented by:

4 Agenda A look at the current Healthcare IT Landscape 2015 HIPAA Audits HIPAA Security Rule Requirements HIPAA Omnibus Changes Major Breaches Categories Cost of Breaches How to protect patient information HIPAA Secure Now! Services

5 Healthcare IT Landscape Meaningful Use Incentives Technology Advances Increased HIPAA Enforcement Regulation Enforcement EHR / Technology Implementations Government Incentives 100+ Million Patient Records Breached

6 2015 HIPAA Audits Delayed Covered Entities (CE) Contacted 350 Covered Entities Selected 50 Business Associates (BA) Phase 2 Utilize HHS / OCR Portal to Upload Information Letters Will Be Sent to CEs 2 Weeks to Respond / Upload Information Size, Location, Services, Other Information, BA Information Desk Audits and Onsite Audits Unlike Previous Audits, Fines are Expected to be Handed Out

7 2015 HIPAA Audits Details Are Not Clear 350 CE Audits May Include: ~150 Security Rule Security Risk Assessment Business Associate Agreements Employee Training ~100 Breach Notification Rule Policy Content and Timeliness ~100 Privacy Rule - NPP / Access 50 BAs Security Risk Assessment Breach Reporting to CEs

8 HIPAA Enforcement HIPAA Regulations are enforced by HHS-OCR Enforcement Activities 2015 Random Audit Program Breach Investigations Covered entities Business Associates Complaint Investigations Dissatisfied patients Disgruntled employees

9 Meaningful Use Audits Meaningful Use Audits Are Occurring Audits targeted at up to 20% (1 in 5) of eligible providers Organizations can be audited either pre or post payment of incentive funds Save all documentation used for attestation! Failure to perform a Security Risk Assessment is a frequent reason for failing Meaningful Use Audits Required to show Security Risk Assessment AND Work plan Failed audits may require an organization to repay a full year of incentive payments Incentive fund repayments average ~$10,000 per eligible provider Failed audit for 1 year could trigger an audit in another year Incentive payments must be repaid within 30 days of MU audit failure notice OIG Audits coming!

10 What is the Law? HIPAA Regulations Consist of 2 Major Rules: Privacy Rule and the Security Rule The Privacy Rule focuses on the right of an individual to control the use of his or her personal information. Protected health information (PHI) should not be divulged or used by others against their wishes. The Security Rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ephi). Protection of ephi data from unauthorized access, whether external or internal, stored or in transit, is covered by the security rule.

11 HIPAA Security Rule Prepare for 2015 HIPAA Audits Perform a Risk Assessment NIST SP Methodology Develop Policies and Procedures Administrative, Physical and Technical Safeguards Train Employees Periodic Reminders Have an Incident Response Plan Maintain Business Associate Agreements

12 HIPAA Omnibus Rule Dates: Enforced September 23, 2013 Changes Notice of Privacy Practices (NPP) Business Associates Business Associate Agreements need to be revised Business Associates directly regulated by HIPAA Risk Assessment Policies and Procedures Employee Training Security Incident Response Plan Business Associate Agreements with Downstream Contractors Cloud Providers are Business Associates (Even if data is encrypted) AOL, Yahoo, Dropbox will not sign BAAs Microsoft Office 365 will sign BAA Google Paid Google Apps

13 HIPAA Omnibus Rule Key Changes New Data Breach Rule Guilty until proven innocent Presumed to require notification unless low probability of PHI compromised Nature & extent of PHI involved Who received or accessed PHI Potential the PHI was acquired / viewed Extent that risk to the PHI mitigated Increased Penalties Up to $1.5 million

14 Cost of Breaches Ponemon 2013 Cost of Data Breach Study: Estimate $233 per record # of records Cost 1 $ $2, $23, $233, $2,330,000

15 Cost of Breaches Ponemon 2013 Cost of Data Breach Study: Estimate $233 per record (Does not include HIPAA fines) Damage to Reputation Indirect Costs 1. Turnover of existing customers - Loss of customers / patients 2. Diminished customer acquisition - customers / patients not using a practice

16 Cost of Breaches

17 Cost of Breaches HHS Wall of Shame

18 Cost of Breaches Ponemon 2013 Cost of Data Breach Study: Indirect Costs Estimate $233 per record 1. Turnover of existing customers - Loss of customers / patients 2. Diminished customer acquisition - customers / patients not using a practice (Reputation is damaged) Direct Costs 1. Detection and escalation costs -forensics investigative activities, crisis management activities 2. Notification costs - IT activities to create contact database, determination of regulatory requirements, postage, etc. 3. Post data breach costs - help desk activities, inbound communications from customers, identity protection services, etc.

19 Breaches Categories Largest Breaches / Categories of HIPAA Breaches 1. Laptops and portable media 40% of all breaches 2. Inappropriate access to patient information - 30% of all breaches 3. Sending PHI unencrypted - 10% of all breaches 4. Hacking 10% of all breaches 5. Loss of backup tapes - 10% of all breaches

20 How to protect patient information Laptops and Portable media Laptops 1. Smartphones 2. USB Drives 3. CD/DVD We don t have patient information on our laptops or smartphones Use of encryption 1. Safe Harbor / Get out of jail free 2. Inexpensive 3. Easy to implement

21 How to protect patient information Inappropriate access to patient information What is inappropriate access? Snooping (movie star / ex-spouse) Stealing (gang member s girlfriends) Modifying / Deleting (disgruntled employees)

22 How to protect patient information Inappropriate access to patient information Ways to detect and prevent Auditing of Access Turn on and review logs If you don t look you have no idea what is going on in your EHR Employee education regarding Auditing May deter improper access

23 How to protect patient information Hacking High Profile Examples 1. Anthem - 80 million records!! 2. Community Health Systems (CHS) 4.5 million records 3. Cryptolocker- Ransom

24 How to protect patient information Hacking Protecting against hackers 1. Passwords 2. Anti-virus 3. System patching 4. Vulnerability scans <- OCR requests this whenever a breach occurs!

25 How to protect patient information Lost Backup Tapes Protecting backups 1. Holds all your data for as long as you have been using an EMR 2. Use offsite backup 3. Disaster Recovery A backup tape and ordering a new server is not a DR plan!

26 Our Services Features: Security Risk Assessment (1 hour)* Security Risk Assessment Work Plan* HIPAA Security & Privacy Policies and Procedures HIPAA Security Training for All Employees / New Employees Business Associate Agreements and Tracking Updated Notice of Privacy Practices Security Incident Response / Breach Notification * Satisfies MU and HIPAA Requirements

27 Questions?