6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013



Similar documents
HIPAA Security Rule Compliance

COMPLIANCE ALERT 10-12

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

New HIPAA regulations require action. Are you in compliance?

HIPAA Compliance: Are you prepared for the new regulatory changes?

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

Business Associates and HIPAA

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

Legislative & Regulatory Information

University Healthcare Physicians Compliance and Privacy Policy

HIPAA Compliance Guide

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

HIPAA and HITECH Compliance for Cloud Applications

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

The Impact of HIPAA and HITECH

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

OCR UPDATE Breach Notification Rule & Business Associates (BA)

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA Compliance Guide

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

Overview of the HIPAA Security Rule

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA and Mental Health Privacy:

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

Bridging the HIPAA/HITECH Compliance Gap

Data Breach, Electronic Health Records and Healthcare Reform

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Secure Endpoint Management. Presented by Kinette Crain and Brad Lewis

Best Practices for DLP Implementation in Healthcare Organizations

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA in an Omnibus World. Presented by

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

Datto Compliance 101 1

HIPAA Compliance and the Protection of Patient Health Information

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

HIPAA Violations Incur Multi-Million Dollar Penalties

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

BUSINESS ASSOCIATE AGREEMENT

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT

SECURITY RISK ASSESSMENT SUMMARY

BUSINESS ASSOCIATE AGREEMENT TERMS

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

Please print the attached document, sign and return to or contact Erica Van Treese, Account Manager, Provider Relations &

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Transcription:

Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought. 2 PRESENTED BY: Lori Laubach Health Care Partner Troy Hawes, CISM, CISA, CISSP, MCSA, MCSE, PCI ASV, PCIP, PCI QSA Manager 3 1

OBJECTIVES Overview of HIPAA Privacy Rule Review the 2013 HIPAA Privacy Rule changes under HITECH Consider how to update privacy practices Trends in security technologies Review methods to meet the security requirement under HIPAA Understand threats and attacks in health care IT security 4 EMERGING TRENDS Software as a Service (SaaS) Tablets Mobility BYOD Big Data Security and privacy Green technology/sustainability Data, information, and knowledge management 5 HIPAA BACKGROUND 6 2

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) Make sending transaction information for patient bills and other information easier. Protect patient privacy and security of a patient s electronic health information o Aug. 26, 1996 HIPAA became law. o Apr. 14, 2003 Privacy Rule Compliance Date o Apr. 14, 2004 Small Health Plan Compliance Date o Apr. 20, 2005 Security Rule Compliance Date 7 ARRA S IMPACT American Recovery and Reinvestment Act of 2009 (ARRA) now requires Business Associates to meet the obligations like a covered entity for the following: o Administrative Safeguards (164.308), o Physical Safeguards (164.310), o Technical Safeguards (164.312) and o Procedure and Documentation requirements (164.316) Compliance Due Date for Business Associates: February 17, 2010 8 HITECH ACT Health Information Technology for Economic and Clinical Health Act (HITECH Act) Title XIII of Division A of ARRA Key privacy and security elements in the HITECH Act Applies most HIPAA Security Rules directly to business associates (BAs) Applies some HIPAA Privacy regulations to BAs Imposes mandatory breach notification requirements on covered entities, business associates, and vendors who handle PHI Creates new HIPAA privacy requirements Establishes new civil and criminal penalties for noncompliance Expands enforcement authority to the states 9 3

WHAT S NEW? HITECH Privacy and Security Requirements Direct regulation of business associates (BA) New patient privacy rights New restrictions on use/disclosure of protected health information (PHI) Breach reporting requirement Increased enforcement and penalties Note: Requirements become effective one year after enactment February 17, 2010. In many cases new regulations must be issued. 10 HITECH CHANGES TO SECURITY AND PRIVACY RULES Security Rules: BAs must comply with administrative, physical, and technical safeguards and with documentation and policy requirements BAs must comply with new breach reporting rules (compliance date 9/23/09; enforcement deferred until 2/22/10) Privacy Rules: BAs must comply with the provisions required in a BA contract BAs must comply with the new privacy requirements (as of 2/18/10, or later depending on the specific requirement) 11 OMNIBUS - OVERVIEW FINALIZATION OF HIPAA Changes to the HIPAA compliance obligations comprise four rules wrapped into one: o Modifications to HIPAA privacy, security, and enforcement rules mandated by HITECH Act. o Increased and tiered civil money penalty structure o A final rule on breach notification for unsecured PHI o GINA requirements 12 4

HIPAA OMNIBUS RULE HIGHLIGHTS Omnibus Rule released January 17, 2013 increased privacy and security provisions Effective date of March 26, 2013 with compliance for both Covered Entities Expansion of Privacy and Security Rules for Business Associates Increase in penalties for non compliance New standard for determining whether a PHI breach requires notification 13 HIPAA PRIVACY 14 BUSINESS ASSOCIATES HITECH Comply with administrative, physical and technical Comply with Breach Rules New agreements Omnibus Direct Liability Subcontractors Transitional Relief 15 5

NOTICE OF PRIVACY PRACTICES HITECH Access to PHI in Electronic Format Accounting for Disclosures of PHI Minimum Necessary Fundraising/Marketing Omnibus Required Notice Items Distribution of New Notice 16 BREACH NOTIFICATION HITECH Notify the affected 60 days Burden of Proof Omnibus Breach Determination Notification Requirements for Business Associates Notification to Affected Individual and the Media Notification to the Secretary 17 PATIENT RIGHTS HITECH Access to PHI in Electronic Format Accounting for Disclosures of PHI Minimum Necessary Fundraising/Marketing Omnibus Providing PHI directly to a third party Distribution of PHI via e mail Timing requirement 18 6

THE FINAL RULE (CONT.) Individual Access to PHI Providing PHI directly to a third party Distribution of PHI via e mail Timing requirement Imposition of Fees HHS clarified that labor costs can include compiling, extracting, scanning, and burning PHI to media, skilled technical staff time spent to create and copy the electronic file, and distributing the media. 19 THE FINAL RULE (CONT.) Protected Health Information Deceased individuals Genetic information Proof of immunizations Restriction on Disclosure of PHI HHS has clarified under the final rule that this requirement applies only to covered entities that are covered health care providers 20 FINAL RULE (CONTINUED) Marketing Face to face communications; Promotional gifts of nominal value; Communications promoting health in general and not promoting a product or service from a particular provider; Communications about government and government sponsored programs; and Communications about a drug or biologic currently being prescribed and drug refill reminders. 21 7

THE FINAL RULE (CONTINUED) Sale of PHI Exceptions to required authorization Future disclosure of remuneration 22 INCREASED CIVIL PENALTIES Violation Category Did Not Know and by Exercising Reasonable Diligence, Would Not Have Known of the HIPAA Violation Penalty for Each Violation Penalty for All Violations of the Identical HIPAA Provision Occurring With the Same Year $100 $50,000 $1,500,000 Due to Reasonable Cause $1,000 $50,000 $1,500,000 Due to Willful Neglect but Corrected Due to Willful Neglect and is Not Corrected $10,000 $50,000 $1,500,000 $50,000 $1,500,000 23 MITIGATE YOUR RISK Prepare now by tightening up your rule required oversight areas before September 23, 2013: Update Policies and Procedures Privacy Notice o Patient s new right to restrict certain disclosures of PHI o Electronic copy of medical record o Response time E mailed Records o Encryption requirement 24 8

MITIGATE YOUR RISK Know The New Breach Definition o Proof of Harm Not Required Liability Insurance o Verify Coverage in Current Plan Insulate Business Associate Agreements o Keep a List o Keep a Safe Distance o Prepare for Pushback 25 HIPAA SECURITY 26 HIPAA SECURITY RULE Legislation designed to protect the confidentiality, integrity, and availability of ephi Comprised of three main categories of standards pertaining to the administrative, physical, and technical aspects of ephi Applies to the security and integrity of electronically created, stored, transmitted, received, or manipulated personal health information 27 9

DATA BREACHES - BY THE NUMBERS 538 breaches of protected health information (PHI) since 2009 21,408,505 patient health records affected since 2009 21.5% increase in # of large breaches in 2012 over 2011 but a 77% decrease in # of patient records impacted 67% of all breaches have been the result of theft or loss 57% of all patient records breached involved a business associate Historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity 28 BY THE NUMBERS (CONTINUED) 38% of incidents in 2012 were as a result of an unencrypted laptop or other portable electronic device 63.9% percent of total records breached in 2012 resulted from the 5 largest incidents 780,000: number of records breached in the single largest incident of 2012 29 BIGGEST BREACHES FOR 2012 Utah Department of Health 780,000 records Emory Healthcare 315,000 records S.C. Dept. of Health and Human Services 228,435 records Alere Home Monitoring, Inc. 116,506 records Memorial Healthcare System, Fla. 102,153 records Howard University Hospital 66,601 records Apria Healthcare 65,700 records University of Miami 64,846 records Safe Ride Services 42,000 records Medical Integration Services, Puerto Rico 36,609 records 30 10

SECURITY RISKS Going Mobile In 2011 39% of breaches occurred on laptop or other portable device. In 2012 that number was 37.7% BYOD is biggest concern Device Type 2009 2011 2012 Laptop and other 39.2% portable device 151 55 37.7% Paper 92 23.9% 31 21.2% Computer 56 14.5% 20 13.7% Server 38 9.9% 15 10.3% Other 18 4.7% 18 12.3% Email 7 2.0% 4 2.7% Electronic Health Record 6 1.6% 2 1.4% X Ray 5 1.3% 0 0.0% Backup Tapes 4 1.0% 1 0.6% Hard Drives 3 0.8% 0 0.0% Mail, Postcards 3 0.8% 0 0.0% CD / DVD 2 0.5% 0 0.0% 385 146 Total 31 SECURITY RISKS Unauthorized Access ephi o 3rd largest breach in 2012 due to employee e mailing himself 228,000 patient records Hackers or Employees o Most breaches occur due to our employees, whether malicious or not, not hackers 32 SECURITY RISKS Physical Access o Where is data stored? Servers, workstations, laptops, smartphones, backup tapes o Who has physical access to these storage locations? Workstation Left Unattended o Is workstation in a public area? o Are there controls to lock the workstation after a certain amount of inactivity? Mobile Computing and BYOD o Adds a whole new level of complexity to protecting ephi o Are smart phones and tablets considered workstations under HIPAA? 33 11

SECURITY RISKS Business Associates (BA) o Partners who have access to your ephi o How many records and what types of ephi does each BA have access to? o Are all of your BAs compliant? o How do you perform your due diligence? 34 PROTECT YOURSELF Conduct a HIPAA Security Risk Analysis Perform regular vulnerability scanning and remediation Encrypt data on ALL devices that store or have access to ephi Perform due diligence on business associates Perform regular security awareness training for all employees and vendors 35 SECURITY RULE RECOMMENDATIONS Identify and be cognizant of how ephi is being used Apply a risk based approach toward protecting ephi and conduct a risk assessment Follow a best practice standard for information security Review and revise contracts/agreements with BAs Put monitoring controls in place to identify and respond to security breaches If taking the BYOD plunge, use a combination of MDM, MAM, policy, and training (Note: See NIST Special Publication 800 66 for guidance, including a framework for managing risk.) 36 12

CLOSING Review the HIPAA Privacy Rule changes under HITECH Consider how to improve a patient s privacy practices Review methods to meet the security requirement under HIPAA Understand threats and attacks in health care IT security Examine how organizations are changing their approaches to IT security, especially those who are in the cloud Review how to monitor and manage compliance with cloud computing best practices 37 QUESTIONS? Lori Laubach Health Care Partner (253) 284 5256 lori.laubach@mossadams.com Troy Hawes, CISM, CISA, CISSP, MCSA, MCSE, PCI ASV, PCIP, PCI QSA Manager (206) 302 6529 troy.hawes@mossadams.com 38 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information