How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross, President & CEO, HIPAA Secure Now!

Speakers
- Phillip Long, CEO at Business Information Solutions
- Art Gross, President & CEO of HIPAA Secure Now!

Agenda
- A look at the current Healthcare IT Landscape
- 2015 HIPAA Audits
- HIPAA Security Rule Requirements
- HIPAA Omnibus Changes
- Major Breach Categories
- Cost of Breaches
- How to protect patient information
- HIPAA Secure Now! Services

Healthcare IT Landscape
- Meaningful Use Incentives
- Technology Advances
- Increased HIPAA Enforcement
- Regulation Enforcement
- EHR / Technology Implementations
- Government Incentives
- 100+ Million Patient Records Breached

2015 HIPAA Audits
- Delayed
- 550-800 Covered Entities (CE) Contacted
- 350 Covered Entities Selected
- 50 Business Associates (BA)
- Phase 2
  - Utilize HHS / OCR Portal to Upload Information
  - Letters Will Be Sent to CEs
  - 2 Weeks to Respond / Upload Information: Size, Location, Services, Other Information, BA Information
  - Desk Audits and Onsite Audits
- Unlike Previous Audits, Fines are Expected to be Handed Out

2015 HIPAA Audits
- Details Are Not Clear
- 350 CE Audits May Include:
  - ~150 Security Rule: Security Risk Assessment, Business Associate Agreements, Employee Training
  - ~100 Breach Notification Rule: Policy Content and Timeliness
  - ~100 Privacy Rule: NPP / Access
- 50 BAs: Security Risk Assessment, Breach Reporting to CEs

HIPAA Enforcement
- HIPAA Regulations are enforced by HHS-OCR
- Enforcement Activities
  - 2015 Random Audit Program
  - Breach Investigations (Covered Entities, Business Associates)
  - Complaint Investigations (Dissatisfied patients, Disgruntled employees)

Meaningful Use Audits
- Meaningful Use Audits Are Occurring
- Audits targeted at up to 20% (1 in 5) of eligible providers
- Organizations can be audited either pre or post payment of incentive funds
- Save all documentation used for attestation!
- Failure to perform a Security Risk Assessment is a frequent reason for failing Meaningful Use Audits
  - Required to show Security Risk Assessment AND Work Plan
- Failed audits may require an organization to repay a full year of incentive payments
  - Incentive fund repayments average ~$10,000 per eligible provider
- Failed audit for 1 year could trigger an audit in another year
- Incentive payments must be repaid within 30 days of MU audit failure notice
- OIG Audits coming!

What is the Law?
HIPAA Regulations consist of 2 major rules: the Privacy Rule and the Security Rule. The Privacy Rule focuses on the right of an individual to control the use of his or her personal information: protected health information (PHI) should not be divulged or used by others against the individual's wishes. The Security Rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI). Protection of ePHI from unauthorized access, whether external or internal, stored or in transit, is covered by the Security Rule.

HIPAA Security Rule: Prepare for 2015 HIPAA Audits
- Perform a Risk Assessment (NIST SP 800-30 Methodology)
- Develop Policies and Procedures (Administrative, Physical and Technical Safeguards)
- Train Employees (Periodic Reminders)
- Have an Incident Response Plan
- Maintain Business Associate Agreements

HIPAA Omnibus Rule
- Dates: Enforced September 23, 2013
- Changes
  - Notice of Privacy Practices (NPP)
  - Business Associates
    - Business Associate Agreements need to be revised
    - Business Associates directly regulated by HIPAA: Risk Assessment, Policies and Procedures, Employee Training, Security Incident Response Plan, Business Associate Agreements with Downstream Contractors
  - Cloud Providers are Business Associates (even if data is encrypted)
    - AOL, Yahoo, Dropbox will not sign BAAs
    - Microsoft Office 365 will sign a BAA
    - Google: Paid Google Apps

HIPAA Omnibus Rule: Key Changes
- New Data Breach Rule: "Guilty until proven innocent"
  - Presumed to require notification unless there is a low probability that PHI was compromised, based on:
    - Nature & extent of PHI involved
    - Who received or accessed the PHI
    - Potential that the PHI was acquired / viewed
    - Extent to which the risk to the PHI was mitigated
- Increased Penalties: Up to $1.5 million

Cost of Breaches
Ponemon 2013 Cost of Data Breach Study: Estimate $233 per record (does not include HIPAA fines)

  # of records    Cost
  1               $233
  10              $2,330
  100             $23,300
  1,000           $233,000
  10,000          $2,330,000

Cost of Breaches: HHS Wall of Shame

Cost of Breaches
Ponemon 2013 Cost of Data Breach Study: Estimate $233 per record
- Indirect Costs (damage to reputation)
  1. Turnover of existing customers - loss of customers / patients
  2. Diminished customer acquisition - customers / patients not using a practice (reputation is damaged)
- Direct Costs
  1. Detection and escalation costs - forensics investigative activities, crisis management activities
  2. Notification costs - IT activities to create a contact database, determination of regulatory requirements, postage, etc.
  3. Post data breach costs - help desk activities, inbound communications from customers, identity protection services, etc.

Breach Categories
Largest breaches / categories of HIPAA breaches:
1. Laptops and portable media - 40% of all breaches
2. Inappropriate access to patient information - 30% of all breaches
3. Email: sending PHI unencrypted - 10% of all breaches
4. Hacking - 10% of all breaches
5. Loss of backup tapes - 10% of all breaches

How to protect patient information: Laptops and Portable Media
- Laptops
- Portable media:
  1. Smartphones
  2. USB Drives
  3. CD/DVD
- "We don't have patient information on our laptops or smartphones"
- Use of encryption:
  1. Safe Harbor / "Get out of jail free"
  2. Inexpensive
  3. Easy to implement

How to protect patient information: Inappropriate Access to Patient Information
- What is inappropriate access?
  - Snooping (movie star / ex-spouse)
  - Stealing (gang member's girlfriends)
  - Modifying / Deleting (disgruntled employees)

How to protect patient information: Inappropriate Access to Patient Information
- Ways to detect and prevent
  - Auditing of Access: turn on and review logs
    - If you don't look, you have no idea what is going on in your EHR
  - Employee education regarding auditing: may deter improper access
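As an added illustration of what "review the logs" means in practice (example code written for this page, not part of the presentation or of any HIPAA Secure Now! product), the script below runs three checks over a constructed EHR audit export: access with no treatment relationship (the snooping case, with a VIP flag for the movie-star scenario), a staff surname matching the patient's (the ex-spouse / family case), and records modified or deleted by a non-clinical role. The CSV layout, the CARE_TEAM roster and all names are assumptions.

```python
"""Review EHR access logs for snooping and improper changes (added example)."""
import csv
import io

# Constructed roster (assumption): users with a treatment relationship per chart.
CARE_TEAM = {
    "P1001": {"dr.patel", "nurse.kim"},
    "P1002": {"dr.patel"},
    "P1003": {"dr.lee", "nurse.kim"},
}
STAFF_LAST_NAME = {"dr.patel": "Patel", "nurse.kim": "Kim", "dr.lee": "Lee",
                   "billing.ross": "Ross", "nurse.garcia": "Garcia"}
VIP_PATIENTS = {"P1003"}          # e.g. a public figure's chart (movie star case)
CHANGE_ACTIONS = {"MODIFY", "DELETE"}
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed EHR audit export: time,user,role,patient,patient_last_name,action
SAMPLE_LOG = """\
2015-03-02T09:15:00,dr.patel,physician,P1001,Gomez,VIEW
2015-03-02T09:20:00,nurse.kim,nurse,P1003,Stone,VIEW
2015-03-02T12:41:00,billing.ross,billing,P1003,Stone,VIEW
2015-03-02T13:05:00,nurse.garcia,nurse,P1002,Garcia,VIEW
2015-03-02T17:30:00,billing.ross,billing,P1001,Gomez,DELETE
"""

def review_access_log(log_text):
    """Return one finding per suspicious access; an empty list means clean."""
    fields = ["time", "user", "role", "patient", "patient_last", "action"]
    findings = []
    for r in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        reasons = []
        # Snooping: access without a documented treatment relationship
        if r["user"] not in CARE_TEAM.get(r["patient"], set()):
            reasons.append("no treatment relationship")
            if r["patient"] in VIP_PATIENTS:
                reasons.append("VIP chart")
        # Family / ex-spouse snooping heuristic: staff surname equals patient's
        if STAFF_LAST_NAME.get(r["user"], "").lower() == r["patient_last"].lower():
            reasons.append("surname matches staff member")
        # Record changed by a non-clinical role (disgruntled-employee scenario)
        if r["action"] in CHANGE_ACTIONS and r["role"] not in CLINICAL_ROLES:
            reasons.append(f"{r['action']} by {r['role']} role")
        if reasons:
            findings.append({"time": r["time"], "user": r["user"],
                             "patient": r["patient"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f["time"], f["user"], f["patient"], "; ".join(f["reasons"]))
```

The surname check is a heuristic and will raise false positives with common names; it is meant to queue charts for a human reviewer, not to decide on its own.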

How to protect patient information: Hacking
- High Profile Examples
  1. Anthem - 80 million records!!
  2. Community Health Systems (CHS) - 4.5 million records
  3. CryptoLocker - ransom

How to protect patient information: Hacking
- Protecting against hackers
  1. Passwords
  2. Anti-virus
  3. System patching
  4. Vulnerability scans <- OCR requests this whenever a breach occurs!

How to protect patient information: Lost Backup Tapes
- Protecting backups
  1. A backup holds all your data for as long as you have been using an EMR
  2. Use offsite backup
  3. Disaster Recovery
     - A backup tape and ordering a new server is not a DR plan!

Our Services
Features:
- Security Risk Assessment (1 hour)*
- Security Risk Assessment Work Plan*
- HIPAA Security & Privacy Policies and Procedures
- HIPAA Security Training for All Employees / New Employees
- Business Associate Agreements and Tracking
- Updated Notice of Privacy Practices
- Security Incident Response / Breach Notification
* Satisfies MU and HIPAA Requirements

Questions?