Top HIPAA Hazards and How to Avoid Them




June 2014

HIPAA penalties are getting bigger and bigger, and are almost always issued for inadvertent mistakes. MPA monitors the Office of Civil Rights (OCR) HIPAA enforcements on a daily basis, and breaks down the top HIPAA hazards and how you can stay out of hot water.

Snooping

The Hazard. It is a common misconception that all employees of a provider have access to any PHI held by that provider. HIPAA's minimum necessary rule requires providers to restrict PHI access to those who have a legitimate need under HIPAA's Privacy Rule. If your computer and network systems allow all employees equal access to all patient PHI, you have a potential HIPAA violation on your hands.

The Example. A health system learned the hard way, after employees repeatedly looked up the ePHI of celebrity patients for no legitimate reason. Commonly known as snooping, this practice cost the health system $865,500 in settlement, and one snooping employee four months in jail.

What You Can Do. Establish access levels for your employees based on their job functions, and ask your IT support how to set up access controls, so snooping isn't possible. If a receptionist is dying to know what his neighbor named her baby, HIPAA snooping can be avoided if that receptionist is not able to access patient records. Employee training is equally important. Make sure employees receive regular training about the HIPAA minimum necessary rule, and know that snooping is not permitted.

Unencrypted Laptops and Flash Drives

The Hazard. Health care employees increasingly rely on laptops and flash drives as remote access, working from home, and travel are more and more common. These devices are a handy way to travel with work information. They are also easy to lose, which carries big risks under HIPAA. If a laptop or flash drive contains ePHI and is unencrypted, it poses a HIPAA Security risk.

The Example. A dermatology practice entered a $150,000 settlement after an unencrypted thumb drive containing the PHI of 2,200 patients was stolen from an employee's car. A hospice paid $50,000 due to a stolen unencrypted laptop. A health services company paid $1,725,220 in settlement arising out of a stolen unencrypted laptop. In each of these cases, the stolen device led to an OCR investigation, which identified additional HIPAA violations. Another health care provider entered a $1.5 Million HIPAA settlement after an unencrypted personal laptop containing ePHI was stolen.

What You Can Do. Address laptops and portable devices in your HIPAA Security risk assessment, and update the assessment whenever you introduce new forms of electronic media. Consider prohibiting the use of PHI on laptops and portable devices, unless they are encrypted. Establish a policy for whether and when laptops and portable devices can be used even if they are encrypted, and certainly remind employees never to leave PHI in their cars.

Don't Forget the Boss

The Hazard. Most providers routinely train employees on HIPAA, but many forget the boss. Individuals in a leadership position are even more likely to be asked about patients by the media. And yet many providers skip training at the executive level because they don't want to be a bother. It is in everyone's best interests, including the boss's, to make HIPAA training a bother.

The Example. A medical center entered a $275,000 HIPAA settlement after two senior level executives discussed a patient's medical care with the media on at least three occasions, without the patient's authorization. In addition, senior management shared information about the patient's condition, diagnosis and treatment with the entire workforce by email.

What You Can Do.
Include all employees, including management, leaders and executives, in HIPAA training. These individuals help set the tone of your organization, and can lead employees to HIPAA compliance if they know what to do.

Rethink Working From Home

The Hazard. Well-meaning employees take work home to meet deadlines, or exceed performance expectations. When this involves PHI, employees with good intentions can create a very bad problem. How do you protect the privacy and security of PHI when it leaves your facility?

The Example. A hospital entered a $1,000,000 HIPAA settlement after an employee left documents containing PHI on the subway, including PHI for patients with HIV/AIDS. The documents were never recovered, which means no one knows if they were improperly used.

What You Can Do. Decide if you want to allow employees to bring work home. If so, clearly define how this can be done. It is a good idea for paper PHI to stay in your facility. Also evaluate protections for ePHI. If employees are allowed to work from home, can they access ePHI? If so, how do you know their access is secure? How do you know your provider's ePHI is safe from the view of others in the employee's home?

Copiers Count

The Hazard. Modern photocopiers store ePHI, just like a computer. And yet many providers have not addressed photocopiers in their HIPAA Security risk assessments or policies and procedures.

The Example. CBS purchased a photocopier that had previously been leased by a health plan, and found that the copier's hard drive contained ePHI for 344,579 patients. One CBS Evening News exposé and one $1,215,780 HIPAA settlement later, the health plan learned the hard way that copier hard drives must be cleared of ePHI before sending the copier back to the leasing company.

What You Can Do. Identify all equipment that stores ePHI, considering copiers and faxes. Include this equipment in your HIPAA Security risk assessment and policies and procedures. Make sure employees responsible for purchasing, selling, destroying or leasing this equipment understand these procedures. Consider posting warnings on each device containing ePHI with an alert that service, sale or disposal of the device should be cleared through the security officer.

We're Working On It

The Hazard.
Many organizations seek comfort in the fact that they are working on HIPAA Privacy and/or Security policies and procedures, and are hopeful that if they are audited or have a complaint, the government will go easy on them. To the contrary, the government has recently come down hard on providers whose HIPAA compliance efforts were in progress.

The Example. A health services company was investigated after an unencrypted laptop was stolen. The OCR found that the company had conducted security risk assessments and identified that lack of encryption was a risk. The company had started to encrypt, but had not yet finished. The OCR imposed a $1,725,220 penalty. Likewise, a health plan was investigated after an unencrypted laptop was stolen. The company encrypted their devices after the breach, but it was too late. The OCR found a pattern of HIPAA noncompliance going back to 2005. In other words, "we're working on it" or even "we just did that" are not effective defenses.

What You Can Do. Make HIPAA risk assessments, policies, procedures, and training an immediate priority. Everyone working in health care is busy, but the government does not see that as an excuse. Consider sharing penalty examples with leadership, in order to motivate your organization to stick to a quick timeline for addressing HIPAA.

Social Media Snafus

The Hazard. 75% of employees check personal social media at least once a day while at work. Almost half of employees use social media to connect with co-workers and customers.[1] This means that prohibiting use of cell phones and social media is no longer an option: social media is here to stay. Without guidance, a minefield of HIPAA violations awaits your employees.

The Example. Examples of social media HIPAA snares run the gamut from innocent, to inadvertent, to ill-intentioned:

- A NYC EMT posted a photo of a murder victim on his Facebook page.
- A paramedic posted information on his MySpace page about a rape victim he transported. Without using a name, he posted enough detail for the media to locate the victim (who sued the EMT and his employer).
- A nurse posted a Facebook rant about an alleged cop killer she treated. The media identified the individual and where he was being treated.
- Nurses posted PHI related to shift changes on Facebook for all to see.
It is common for employees to post pictures of patients on Facebook. These posts can be malicious or friendly. Either way, they violate HIPAA.

What You Can Do. Implement a social media policy with Do's and Don'ts for social media use. Remind employees that information sent over social media is often unencrypted and unsecured, and owned by the social media site. Train your employees to understand how innocent postings can violate the law. Explain that omitting a patient's name does not guarantee the patient can't be identified. Use your newsletter, paycheck stuffers, shift changes, or other methods to advance employee understanding of privacy issues and proper social media use.

[1] Social Media & Workplace Collaboration, SilkRoad, available at: http://pages.silkroad.com/rs/silkroad/images/social-media-workplace-collaboration-silkroad-talenttalk-Report.pdf

Rusty, Dusty Risk Assessments

The Hazard. A provider conducts a HIPAA security risk assessment, but fails to update the assessment. Every time the Security Rule is updated, or that provider adds or upgrades its technology, a risk assessment must be done. The failure to update the risk assessment is itself a HIPAA violation. Plus, without a current risk assessment, the provider does not know the extent of its HIPAA risks, and has likely not mitigated them.

The Example. A university entered a $400,000 HIPAA settlement after ePHI for 17,500 patients was left unsecured for 10 months. The university's firewall protections were disabled and its risk assessments were incomplete and did not identify potential risks. The university did not have policies for routine review of its information security, which is why it failed to identify the disabled firewall. Similarly, a managed care company entered a $1.7 Million HIPAA settlement after an unsecured online application database left the PHI of 612,402 patients accessible to unauthorized individuals. The company failed to perform a risk assessment in response to a software upgrade. This is another reminder that new technology can bring value and efficiency to an organization, but it can also bring new HIPAA security vulnerabilities.

What You Can Do. Conduct HIPAA Security risk assessments at least annually. Also conduct assessments when the HIPAA Security Rule is updated or if HIPAA Security guidance is issued, and when you introduce new technology or otherwise update your IT environment.

Treasure the Paper Trail

The Hazard.
By now it should be clear that failing to comply with HIPAA has high stakes. So does failing to document that you comply with HIPAA.

The Example. A surgical practice entered a $100,000 HIPAA settlement after it posted patient appointments on a publicly accessible Internet calendar. The OCR investigated, and found a litany of HIPAA violations, such as lack of policies and procedures, lack of documentation of employee training, lack of a security risk assessment, and lack of business associate agreements.

What You Can Do. Give yourself credit for compliance. Do you have informal policies? Write them down. Do you train employees on HIPAA? Have them sign in, and keep the curriculum. Did you conduct a risk assessment? Make sure it is documented, along with any updates. Do your business associates agree to safeguard your PHI? Make sure you have updated, signed business associate agreements in place.

The Bottom Line: The Gloves Are Off

In a recent record-breaking HIPAA settlement, two companies entered a combined $4.8 Million HIPAA settlement, which is the largest we have seen under HIPAA enforcement. A physician who developed applications for both entities attempted to deactivate a personally-owned computer server on a shared network that contained ePHI. Because adequate technical safeguards were not in place, this ePHI became accessible on the internet and showed up in Google searches. Upon investigation, the OCR found that the providers' HIPAA security programs were lacking. The OCR sent a warning to providers who, like the providers in this settlement, are behind on HIPAA security: "The message here is to get your house in order. The gloves are off."[2]

If you need to get your HIPAA house in order, visit MPA's web page for HIPAA resources, and to take a Free HIPAA Assessment: http://www.healthcareperformance.com

Margaret Scavotto, JD
Director of Compliance Services
Management Performance Associates
314-343-4227 ext. 24
MCS@healthcareperformance.com

2014 Management Performance Associates. Because MPA is a consulting company and not a law firm, neither MPA nor any of its employees provide legal advice or legal services. Nothing contained in this article constitutes legal advice. It is strongly recommended that all providers consult with competent legal counsel versed in HIPAA as they address HIPAA compliance.

[2] HealthcareIT News, May 8, 2014.
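The Snooping section above recommends job-function access levels plus training, and the celebrity-lookup case shows why a record of who looked at what matters. As an added example (not MPA's code or tooling), this Python sketch enforces the minimum-necessary rule in two layers and then reviews its own audit log for lookups of patients the user is not treating; the roles, field names and the `care_team` relationship are assumptions for illustration.

```python
"""Minimum-necessary access control with an audit log that surfaces snooping.

Constructed example: patients, staff, roles and access attempts are invented
to illustrate the control; none of it comes from a real system.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Role-based policy: the PHI fields each job function may read at all.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "receptionist": {"name", "appointment"},
    "nurse": {"name", "appointment", "diagnosis", "medications"},
    "physician": {"name", "appointment", "diagnosis", "medications", "notes"},
}
# Clinical fields additionally require a treatment relationship with the patient.
CLINICAL_FIELDS = {"diagnosis", "medications", "notes"}


@dataclass
class AccessEvent:
    user: str
    role: str
    patient_id: str
    field_name: str
    allowed: bool
    reason: str


@dataclass
class Ehr:
    records: Dict[str, Dict[str, str]]
    care_team: Dict[str, Set[str]]  # patient_id -> users currently treating that patient
    audit_log: List[AccessEvent] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str, field_name: str) -> Optional[str]:
        """Return the field if policy allows it, else None. Every attempt is logged."""
        if field_name not in ROLE_FIELDS.get(role, set()):
            allowed, reason = False, "field not permitted for role"
        elif field_name in CLINICAL_FIELDS and user not in self.care_team.get(patient_id, set()):
            allowed, reason = False, "no treatment relationship"
        else:
            allowed, reason = True, "minimum necessary satisfied"
        self.audit_log.append(AccessEvent(user, role, patient_id, field_name, allowed, reason))
        return self.records[patient_id][field_name] if allowed else None


def snooping_review(log: List[AccessEvent]) -> Dict[str, List[str]]:
    """Users who tried to read clinical data of patients they are not treating."""
    suspects: Dict[str, Set[str]] = defaultdict(set)
    for ev in log:
        if ev.reason == "no treatment relationship":
            suspects[ev.user].add(ev.patient_id)
    return {user: sorted(pids) for user, pids in suspects.items()}


def who_viewed(log: List[AccessEvent], patient_id: str) -> Set[str]:
    """Users who successfully read any field of one patient (for VIP-record reviews)."""
    return {ev.user for ev in log if ev.allowed and ev.patient_id == patient_id}


def demo() -> Ehr:
    """Run a constructed sequence of accesses and return the system with its log."""
    rec = {"name": "constructed", "appointment": "2014-06-03", "diagnosis": "constructed",
           "medications": "constructed", "notes": "constructed"}
    ehr = Ehr(records={"P100": dict(rec), "P200": dict(rec)},
              care_team={"P100": {"dr_lee"}, "P200": {"dr_lee", "nurse_kim"}})
    ehr.read("dr_lee", "physician", "P100", "notes")               # legitimate
    ehr.read("nurse_kim", "nurse", "P200", "medications")          # legitimate
    ehr.read("front_desk", "receptionist", "P100", "appointment")  # legitimate
    ehr.read("front_desk", "receptionist", "P100", "diagnosis")    # denied: role
    ehr.read("nurse_kim", "nurse", "P100", "diagnosis")            # denied: not treating P100
    ehr.read("nurse_kim", "nurse", "P100", "medications")          # denied: repeat attempt
    return ehr


if __name__ == "__main__":
    log = demo().audit_log
    print(snooping_review(log))      # {'nurse_kim': ['P100']}
    print(who_viewed(log, "P100"))   # {'dr_lee', 'front_desk'}
```

The denied attempts are the review signal: a real deployment would run `snooping_review` over exported audit logs on a schedule and route repeat offenders to the privacy officer, and `who_viewed` covers the periodic check of high-profile patient records.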

Do-It-Yourself Compliance Tools

HIPAA Tool Kit

The Office of Civil Rights (OCR) is launching a new series of HIPAA Privacy, Security and Breach Notification audits in Fall 2014. Are you ready to respond to an audit? OCR audits typically involve a review of policies and procedures, plus employee interviews. Prepare yourself for a HIPAA audit with MPA's HIPAA Tool Kit:

- HIPAA Privacy Policy and Procedure Manual Form (includes Breach Notification)
- HIPAA Social Media Policy
- HIPAA Auditing Workbook with Dashboards (Privacy, Security and Breach Notification)
- HIPAA Security Threat Analysis Spreadsheet Tool

MPA's privacy and breach notification policies and procedures, threat analysis and auditing workbook, combined with the Security Risk Assessment Tool provided by the OCR (http://www.healthit.gov/providers-professionals/security-risk-assessment-tool), provide the tools you need to promote HIPAA compliance and defend a HIPAA audit.

Price: $750

MPA's Compliance Subscription Service includes:

- Compliance Program Policy Forms
  o Compliance Program Policy
  o Board Resolution adopting Compliance Program
  o Code of Conduct
  o Employee Acknowledgments of Compliance Program and Code of Conduct
  o Compliance Officer & Committee Policy
  o Training and Education Policy

- Compliance Risk Area Policy Forms*
  o Resident Rights
  o Employee Screening
  o Billing and Claims Submission
  o Cost Reporting
  o Kickbacks, Inducements and Self-Referrals
  o Compliance Records
  o Anti-Supplementation
  o Medicare Part D Plan Selection
  o Quality Assurance Handbook and Tools
- Auditing and Monitoring Handbook*
  o Resident Rights
  o Employee Screening
  o Billing and Claims Submission
  o Cost Reporting
  o Kickbacks, Inducements and Self-Referrals
  o Compliance Records
  o Anti-Supplementation
  o Medicare Part D Plan Selection
  o Quality Assurance Handbook and Tools
  o Annual Review
- Updates to the above Forms and Tools
- 10% discount on MPA's Executive Training Workshop
- 2 hours of consulting per year

* HIPAA sold separately

Fee: $3295 First Year; $495 Renewal Fee

MPA's Compliance Subscription Service Plus includes:

- Everything included with the Compliance Subscription Service, plus
- 1 hour per month of consulting (an $1,800 value)
- 15% discount on MPA's Executive Training Workshop

Fee: $4595 First Year; $1495 Renewal Fee

Compliance Internal Marketing/Training Campaign

A compliance program is only as strong as its employees. Do your employees know how to recognize non-compliance, and how to report it internally? Do your employees understand when a perk or gift is an illegal kickback? When the use of social media violates HIPAA? When the way they speak to a resident violates resident rights? Compliance is a lot to keep up with. Annual training is not enough to keep compliance top-of-mind. Invest in a compliance campaign that educates your employees on an ongoing basis, helping them do their jobs and helping you stay compliant.

- Annual/New Hire Compliance PowerPoint
- Monthly Compliance Moments for your organization to share with its employees. Monthly Compliance Moments will address one or more compliance topics a month (e.g. reporting non-compliance, HIPAA, resident rights, quality, kickbacks, documentation accuracy).
- Suggestions for dissemination of the Monthly Compliance Moments in unique ways
- Compliance Week Handbook with suggested events, trivia and content to use during your own Compliance Week.

Annual Fee: $500

Compliance News Service

Keep your compliance program effective with monthly compliance news. MPA prepares a monthly newsletter with the latest OIG and OCR enforcements and guidance, with tips for how you can incorporate them into your compliance program.

Annual Fee: $350

For more information, contact:

Margaret Scavotto, JD
Director of Compliance Services
Management Performance Associates
314-343-4227 ext. 24
mcs@healthcareperformance.com