Anatomy of an OCR Breach Investigation

Similar documents
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA Security Rule Compliance

Security Is Everyone s Concern:

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

HIPAA and Mental Health Privacy:

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

Overview of the HIPAA Security Rule

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR Court Reporters and HIPAA

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Why Lawyers? Why Now?

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

HIPAA Compliance: Are you prepared for the new regulatory changes?

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Can Your Diocese Afford to Fail a HIPAA Audit?

What do you need to know?

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Audits Are Here!

HIPAA WEBINAR HANDOUT

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

HIPAA and HITECH Compliance for Cloud Applications

Am I a Business Associate?

OCR UPDATE Breach Notification Rule & Business Associates (BA)

HIPAA Privacy Rule Policies

Nine Network Considerations in the New HIPAA Landscape

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

HIPAA for Business Associates

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Health Information Privacy Refresher Training. March 2013

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

COMPLIANCE ALERT 10-12

Sustainable Compliance: A System for Ongoing Audit Readiness

Intelligent Vendor Risk Management

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA Audits For Covered Entities and Business Associates

HIPAA Privacy and Security

HIPAA Security Risk Analysis for Meaningful Use

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Texas House Bill 300 & HIPAA. A MainNerve Whitepaper

TJ RAI, M.D. THERAPY MEDICATION WELLNESS PRIVACY POLICY STATEMENT

HIPAA Security Alert

HIPAA Compliance Guide

HIPAA PRIVACY AND SECURITY AWARENESS

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida Telephone (904) Facsimile (904)

What s New with HIPAA? Policy and Enforcement Update

Houston, We ve Had a Problem: Addressing Data Breaches with an Incident Response Team

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano

HIPAA Audit Risk Assessment - Risk Factors

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue

HIPAA Compliance Guide

Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar

Preparing for the HIPAA Security Rule

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

what your business needs to do about the new HIPAA rules

What Are The Odds Of a HIPAA Audit?

HIPAA Information Security Overview

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July Tex Med. 2012;108(7):33-37.

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

OCR SHOULD STRENGTHEN ITS OVERSIGHT OF COVERED ENTITIES COMPLIANCE WITH THE HIPAA PRIVACY STANDARDS

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities :

HIPAA Security Training Manual

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

HIPAA Compliance Review Analysis and Summary of Results

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates

HIPAA 101. March 18, 2015 Webinar

HIPAA COMPLIANCE PLAN FOR 2013

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Data Breach and Senior Living Communities May 29, 2015

Patient Privacy and HIPAA/HITECH

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Policy Title: HIPAA Security Awareness and Training

HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

HIPAA Security Matrix

Transcription:

Anatomy of an OCR Breach Investigation HCCA 18 th Annual Compliance Institute San Diego, CA April 1, 2014 Objectives Learn key steps involved in responding to an incident Understand timeframes and review key documentation requirements Learn best practices to enhance oversight 2 1

Breach Scenario Contractor from Temp Agency Abuses weak security access controls Downloads and takes screen prints of member information Names were used to file credit card applications and false 2012 tax returns; both listed addresses other than the member s residence. Most of the elderly members were no longer filing tax returns for the 2013 Tax Season and were unaware of the fraud. Information emailed to personal account Could this happen at your organization? What would you do? 4 2

The OCR Investigation 5 Timeframe Breach CE Notification OCR Investigation CE Response OCR Finding OCR Settlement 60 Days Months 20 Days Months Many Months OCR Investigation and multiple responses may be required over many months Case cleared or moved to settlement proceedings 6 3

Immediate Next Steps 1. Assess situation to stem further disclosure 2. Complete an Incident Report 3. Determine if incident is a breach 4. Gather documentation Try to obtain signed attestation from employee/temp Ensure file is deleted, if possible 5. Mobilize incident response team Privacy Office, Information Security, Human Resources, Member Services/Customer Service, Security, Breach Response specialist 7 Stakeholders Department Involved and contingency agencies Customer Service Finance IT Human Resources Consultants Legal Counsel Credit Monitoring Services Corporate Communications / PR Team 8 4

Notification Process 1. Notify impacted members, patients 2. Place ad in local paper 3. Notify OCR, CMS, if applicable and State Attorney General (depending on your State law requirements) 4. Train customer service, develop FAQ 5. Contact Business Associates, vendors if involved 9 The waiting begins. Gather documentation to build your case file training materials, Privacy & Security policies and procedures, disciplinary action policies Further assess risks Consider whether you have adequate resources to do risk analysis or hire consultant with expertise in HIPAA Privacy & Security Finalize risk assessment, if needed Consult with HIPAA counsel 10 5

Case Study OCR Request Within 4 months, OCR responded to the online breach notification with a request for the following items: Press Release List of complaints received from members and resolution of complaints List of staff participating in training in response to the breach Risk Assessment as a result of the breach P&Ps Response due within 20 days 11 Additional Requests & additional details Follow-up requests may not be directly related to incident Requests may extend back many years Every response requires corresponding documentation Example of requests: Incident Report internal documentation or tracking of what occurred Evidence of regular system activity and audit log reviews Risk Analysis Vulnerability scan results Corrective action plans Disciplinary Action Safeguards for the transmission of ephi Privacy & Security Awareness Reminders 12 6

System activity and log review Evidence of regular system activity and audit log reviews Must be able to demonstrate that logs are captured and reviewed Configuration and log samples for the systems Procedure documents for monitoring logs and following up on incidents Signed document by administrators that logs are reviewed 13 Risk Analysis Risk Analysis Included a detailed review of Security process including P&Ps End Point Security Mobile Media and Device Security Wireless Security Malware Protection Configuration Management Vulnerability Management Secure Disposal External Breach Protection PHI Transmission Protection Password and Account Management Access Control & Management Remote Access & Authentication Training and Awareness Incident and Breach Response Third Party Security Management and hosted systems Business Continuity Management Risk Management Physical Security 14 7

Corrective Action Plan OCR may request prior risk assessments to better understand unresolved issues over the years A corrective action plan associated with findings from a risk assessment must be documented Building a corrective action on short notice is costly and may commit you to security strategies and timelines that are onerous and not completely necessary 15 Security Rule Policies &Procedures (P&Ps) Must be approved and dated and include the following: Sanctions Termination Procedures Contingency Plan Facility Security Plan Password Management Data Backup Device & Media Controls Authorization & Supervision 16 8

Other Safeguards Disciplinary Action demonstrate that immediate action was taken to sanction the employee/contractor Ensure safeguards for the transmission of ephi Privacy & Security Awareness Reminders offered to workforce members including contingent workers regarding the protection of ephi and industry best practices Conduct regular site audits 17 What s Next? OCR accepts evidence and documentation as a Corrective Action Plan (CAP) and closes breach investigation or OCR moves the investigation over to the settlement phase: Possibly more data requests to solidify the government s case Offer to settle through resolution agreement and corrective action plan (possibly through meeting) May indicate potential civil monetary penalties (CMP) that may be exposed, which may be tens of millions due to multiple alleged violations over multiple years May be some room for negotiation, but high potential CMPs may limit health care provider s leverage 18 9

Settlement Recent settlements have had less stringent corrective action plans (e.g., shorter and no independent monitoring) If you do not agree to resolution agreement: Letter of opportunity providing 30 days to provide affirmative defenses and mitigating factors Notice of proposed determination indicating proposed CMP and providing 90 days to appeal to administrative law judge (ALJ) If appeal to ALJ judge, can appeal ALJ decision to HHS Departmental Appeals Board, and can appeal DAB decision to U.S. Court of Appeals If no appeal, HHS imposes the CMPs 19 How Much Does A Breach Cost? Steps Approx. Cost Internal discovery a. $5,000 10,000 b. $10k 15,000 c. $15k 20, 000 Breach Notification & Response a. $10k 20,000 b. $20k 30,000 c. $40k 50,000 OCR LETTER RECEIVED OCR Response #1 and #2 a. $10k 20,000 b. $20k 30,000 c. $40k 50,000 OCR negotiates a settlement a. $50k 100,000 b. $100k 250,000 c. $250k 1 Million OCR requires Org to perform annual audits a. $5k $25,000 b. $25 $50,000 c. $50k $100,000 Approx. Total? a. $80k - $165,000 b. $165k - $356,000 c. $395k - $1.2Million 20 10

Costs add up 21 Steps Internal discovery Breach Notification & Response OCR Response #1 and #2 OCR negotiates a settlement for Company OCR requires Company to perform annual audits TOTAL Approx. Cost $10-15k $20-30k $40-50k $250k- 1 million c. $50-100k $370,000-1.2 million How May a Breach Affect You? 1. Patient Loyalty 2. Financial loss o o Average cost of a breach is $194/ record OCR can fine an organization up to $1.5 million per incident 3. Reputational damage 4. System downtime 5. Litigation Table: Categories of HIPAA Violations & Penalty Amounts Violation category Each violation Violations of an identical provision (in a calendar year) Did Not Know $100-25,000 $1.5 million Reasonable Cause Willful Neglect Corrected Willful Neglect Not Corrected $1,000-100,000 $1.5 million $10,000-250,000 $1.5 million $50,000-1.5M $1.5 million 22 11

Lessons Learned Established HIPAA Governance Committee confirm that CAP and risk analyses are current Created a watch list of employees who could send ephi externally HIPAA Security & Training for contingent workers Limited temp access to certain websites and personal email Ongoing Risk Analyses and evaluation of HIPAA Privacy and Security program effectiveness. Stronger communication with and oversight of temp agencies; regularly evaluate contract terms. 23 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information