HIPAA WEBINAR HANDOUT

OCR Enforcement Tools

- Voluntary corrective action
- Resolution Agreement and payment
- Civil monetary penalties (CMPs)
- Referral to DOJ for criminal investigation

Resolution Agreements

- Contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS
- Generally for 3 years
- Generally involves a resolution payment
- Corrective Action Plan (CAP) typically includes:
  - Internal or external monitor appointment and work plan
  - Revision and OCR approval of policies and procedures
  - Detailed training requirements (OCR approved)
  - Extensive reporting duties to OCR
- OCR may seek to impose CMPs for an uncured breach of the CAP

Enforcement Highlights

First Civil Monetary Penalties Case (2011): Cignet Health of Prince George's County, MD - $4.3 million CMP
- Violated 41 patients' rights by denying them access to their medical records when requested ($1.3 million in CMPs)
- Failed to cooperate with OCR's investigations on a continuing daily basis for over 1 year due to willful neglect ($3 million in CMPs)

Mass General Hospital Resolution Agreement: $1 million resolution payment and 3-year CAP
- Employee left documents containing PHI of 192 infectious disease patients, including HIV/AIDS information, on the subway
- CAP likely to be more expensive and burdensome than the RA payment
- Required implementation of policies and procedures regarding physical removal and transportation of PHI off premises, laptop encryption and USB drive encryption

BCBS Tennessee: $1.5 million resolution payment and 450-day CAP
- OCR investigation stemmed from a self-reported HITECH breach
- Theft of 57 unencrypted computer hard drives containing PHI of over 1 million members from a leased facility
- BCBST had relocated its staff from this site and surrendered the property except a network data closet, and had turned security services over to the local property manager. The network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock
- BCBST incurred more than $17 million in direct expenses relating to its investigation and remediation of the incident
- Lessons:
  - Keeping unencrypted disk drives or other sensitive data behind locked doors isn't enough: encrypt it
  - OCR was not sympathetic to the fact that this was the result of a theft
  - Re-examine physical access contracts

University of California at Los Angeles Health System (UCLAHS): $865,500 resolution payment and CAP
- UCLAHS employees repeatedly and without permissible reason looked at the electronic PHI of 2 celebrity patients
- From 2005-2008, unauthorized employees repeatedly looked at the electronic health records of numerous other UCLAHS patients
- OCR investigation indicated:
  - Failure to reasonably restrict access to patient information to only those employees with a valid reason to view the information
  - Failure to train on privacy and security
  - Failure to sanction employees for accessing ePHI without a proper purpose
- A covered entity will be held accountable for employees who access PHI to satisfy their own personal curiosity
- A separate DOJ criminal investigation led to a guilty plea by a UCLAHS employee to one count of obtaining PHI for commercial advantage

Phoenix Cardiac Surgery, P.C.: $100,000 resolution payment and CAP
- Investigation indicated multi-year failures:
  - Posted clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible (1,000 patients)
  - Daily transmitted ePHI from an Internet-based email account to workforce members' personal Internet-based email accounts
  - Did not have a security officer
  - Did not conduct a security risk assessment
  - Did not train or document training
  - Did not have BAAs with the Internet-based email and calendar services responsible for storing and accessing ePHI
- Small covered entities do not get a pass for failing to comply with the Security Rule

Post-HITECH Enforcement Highlights

Alaska DHSS: $1.7 million settlement and 3-year CAP
- Breach report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of an Alaska DHSS employee
- OCR investigation indicated:
  - Inadequate policies and procedures in place to safeguard ePHI
  - No risk analysis
  - Lack of security training for Alaska DHSS workforce members
  - Lack of device and media controls
  - Failure to address device and media encryption
- State agencies are not immune from OCR enforcement action
- Encrypt and track portable electronic devices containing ePHI; have procedures for disposal and re-use of these devices to make sure ePHI is not improperly disposed of or disclosed

The Rise of State AG HIPAA Enforcement

- HITECH provided State AGs with enforcement authority for HIPAA violations
- State AGs may bring action under HIPAA and/or state law
- State AGs may seek injunctive relief and CMPs up to a maximum of $25,000 for all identical HIPAA violations per calendar year
- May file under potentially more expansive or vague state laws. Specific laws may have additional requirements either as to security or as to breach notification content/timing
- State AG settlements may impose burdensome and costly corrective action requirements, similar to OCR CAPs
- OCR now offers training to State AGs on how to enforce HIPAA (see http://www.hhshipaasagtraining.com/)

Examples

CT/VT AGs - Health Net: $250,000 settlement and detailed corrective action plan
- CT AG sued insurance provider Health Net Inc. for HIPAA and state law violations in connection with a missing disk drive that contained unencrypted PHI, Social Security numbers and bank account information for nearly half a million Connecticut enrollees
- Health Net waited 6 months to send notification
- VT AG also sued Health Net ($55,000 settlement and CAP) relating to some 500 VT residents

MA AG - South Shore Hospital: $750,000 settlement and extensive corrective action imposed, including required third-party auditing with reports to the MA AG
- Lost 2 of 3 boxes of unencrypted backup tapes containing PHI of over 800,000 individuals
- Tapes were being shipped to a contractor, Archive Data, to be erased/resold
- Failure to adequately safeguard patient health information under HIPAA and state law
- Did not inform Archive Data that the tapes contained PHI or put in place a BAA
- Did not properly train its staff with respect to appropriate health data privacy protocol
- None of the data was encrypted