HIPAA is the Real Deal - AFMC · 2019. 9. 12. · The HIPAA Security Information Series is a group of educational papers that are designed to give HIPAA-covered entities insight into

HIPAA is the Real DealMollie McCammon, RHIA, CHPJune 26, 2019

Copyright © 2019, AFMC, Inc.

Today’s Presenter

Mollie McCammon, RHIA, CHPAFMC – HIPAA Privacy and Security Policy Analyst


Topics

■ Patient privacy complaints■ OCR audits■ RFI-HIPAA changes coming?■ Hot HIPAA security topics ■ Business associate access■ HIPAA policies and procedures■ How to stay out of HIPAA trouble■ What to do for HIPAA this year■ Security risk analysis■ HIPAA resources


Happy Birthday, HIPAA!■ HIPAA turned 16 years old in 2019■ Health Insurance Portability and Accountability Act

US Department of Health and Human

Services (HHS)

Office for Civil Rights (OCR)

Makes the rules Enforces the rulesHIPAA


Since the compliance date of the Privacy Rule in April 2003, OCR has received more than 206,522 HIPAA complaints and has initiated more than 966 compliance reviews. Ninety-eight percent of these cases have been resolved (202,516).


Number of Cases Resolution Status as of April 30, 201926,851 Required changes in privacy practices and corrective action plans11,761 No violation had occurred35,166 OCR provided technical assistance without need for an investigation

128,738 The complaint did not present an eligible case for enforcement727 Referred to Department of Justice (DOJ) for criminal investigation

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Patient Privacy Complaints

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Most Investigated Compliance ComplaintsFrom the compliance date to the present, the compliance issues investigated and compiled in order of frequency:• Impermissible uses and disclosures of protected health

information• Lack of safeguards of protected health information• Lack of patient access to their protected health information• Lack of administrative safeguards of electronic protected health

information• Use or disclosure of more than the minimum necessary

protected health information


OCR AuditsOCR Breach Portal or HIPAA Wall of Shamehttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

2019 2018 2017

Breaches submitted by covered entity

82 261 93

Individuals affected 3,034,986 11,922,201 1,811,879

Cases currently under investigation


https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

OCR Audits

Resolution Agreements and Civil Money Penalties

Year HIPAA Fines

2018 $28,683,400

2017 $20,393,200

2016 $23,504,800

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html


https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

9/12/19 Copyright © 2019 AFMC, Inc. All Rights Reserved. 9

Recently Reported Incidents (From the OCR Website)

§ Computer Theft§ Hackers

Resolution AgreementsCompany: Filefax, (Northbrook, Ill.) provided for the storage, maintenance and delivery of medical records for covered entities.

Breach: On Feb. 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell.

Investigation results: OCR’s investigation indicated that between Jan. 28 and Feb. 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefaxfacility.


Company: The Center for Children’s Digestive Health (CCDH) is a small, for-profit health care provider with a pediatric subspecialty practice with seven clinic locations in Illinois.

Breach and Investigation: In August 2015, OCR initiated a compliance review of the CCDH following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing PHI for CCDH. While CCDH began disclosing PHI to Filefaxin 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015.

Resolution Agreements


Company: MAPFRE Life Insurance Company of Puerto Rico is a subsidiary company of a global multinational insurance company in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.

Breach: On Sept. 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device containing ePHI was stolen from its IT department where it was left overnight.

Investigation: OCR’s investigation revealed noncompliance; specifically, a failure to conduct its risk analysis and implement risk management plans and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until Sept. 1, 2014.

Resolution Agreements


OCR HIPAA Investigations■ Practice is notified by email■ Desk versus on-site audits■ Practice required to send

supporting documentation■ Short time frame to respond


HHS/OCR issued a request for information (RFI) asking for input on the following areas:■ Encouraging information-sharing for treatment and care coordination■ Facilitating parental involvement in care■ Addressing the opioid crisis and serious mental illness■ Accounting for disclosures of PHI for treatment, payment, and health care

operations as required by the HITECH Act■ Changing the current requirement for certain providers to make a good faith

effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices■ Comments were due February 2019

HIPAA Changes Coming?


■ Cyber attacks ■ Ransomware■ Social engineering hacks■ Texting and emailing■ BYOD – bring your own device■ Encryption

Hot HIPAA Security Topics


§ Must have business associate agreement (BAA) in place before giving vendors access to your patient information

§ There are times when BAA not needed; consider using a confidentiality agreement

§ BAA content was updated in 2013 so make sure you have the latest version• Sample available: HHS website https://www.hhs.gov/hipaa/for-

professionals/covered-entities/sample-business-associate-agreement-

provisions/index.html

§ Be specific with giving access

§ Ensure BAs are working to follow HIPAA

Business Associate Access


https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

■ Policy: statement of intent■ Procedure: the process to do it■ Includes specific steps for your

organization■ Go for quality, not the bare

minimum

HIPAA Policies and Procedures


How do I Stay out of HIPAA Trouble?■ HIPAA is common sense■ Although it’s not cut-and-dried, if you will make

an effort and be proactive, it will help you in the long run

■ To be able to prove your efforts, you must document

■ An ounce of prevention is worth a pound of cure

■ Risk analysis and annual security risk analysis


What do I Need to do for HIPAA This Year?■ Review list of BAs and agreements■ HIPAA policies and procedures review,

update or implement

■ HIPAA training for staff■ Investigate and report breaches■ Security risk analysis


Security Risk Analysis

The security risk analysis is both a legal and regulatory requirement established by HIPAA and the HITECH Act,

and is designed to ensure the privacy and security of patients’ protected health information (PHI)


■ The security risk analysis (SRA) is a very important component of the HIPAA Security Rule (enacted in 2003)

■ The rule specifies security safeguards to ensure the confidentiality, integrity and availability of ePHI

■ Any covered entity that creates, stores, transmits or receives ePHI is required to conduct (or review) a SRA at least annually

• Covered entities include (but are not limited to) providers, health plans, clearinghouses• Questions about who is a covered entity? Excellent decision tool is available from CMS – select

your questions and the guide will display the answer

• https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf



https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf

■ SRA must be performed annually■ Reporting requirement for state and

federal programs■ Critical step to protect patient data■ May be performed internally or

outsourced to a third party■ Required by HIPAA Security Rule, no

one is exempt



Security Risk Analysis■ HIPAA does not specify the exact elements of an SRA■ Must cover three key elements: administrative, physical and technical

safeguards■ Any identified vulnerabilities or risks need to be documented and

addressed with a corrective action plan and/or mitigation process■ SRA is not a once-and-done requirement, it is an ongoing■ Trusted resources are available to guide you

• ONC/OCR downloadable tool https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

• Third party vendors• Professional associations


https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

■ Organizations with SRA expertise can save time and money• Develop custom privacy and security policies and procedures• Align your policies and procedures with HIPAA standards• Identify and document potential threats, vulnerabilities and possible impact to

your operations• Provide guidance on documenting corrective actions needed to mitigate

identified risks• Deliver report findings and supporting documentation• Consult, educate and guide your staff on HIPAA best practices• Reduce your clinical staff burden


SRA Services: Benefits For Your Practice

§ Nearly 10 years of experience successfully completing more than 1,600 SRAs, covering more than 4,000 health care professionals

§ Expertise and in-depth knowledge of HIPAA compliance standards

§ Proprietary tools and processes that address the key SRA components: administrative, technical and physical safeguards

§ Flexible and scalable service options§ Basic SRA service to an on-site, in person assessment§ New – Virtual Assessment

§ Personalized assistance§ Consult, educate and guide staff on HIPAA best practices

§ Trusted advisor and provider advocate

Why AFMC



HIPAA requirements keeping you up at night? Contact us for more information

Web: afmc.org/SRAEmail: [email protected]: 501-906-7511

mailto:[email protected]

HIPAA ResourcesKeep these handy


OCR Privacy and Security Listserv

https://www.hhs.gov/hipaa/for-professionals/list-serve/index.htmlCopyright © 2019, AFMC, Inc.

https://www.hhs.gov/hipaa/for-professionals/list-serve/index.html

HHS OCR Listserv


Cyber Security Guidance Material■ Cyber security checklist■ Ransomware guidance■ NIST cybersecurity framework■ OCR cyber awareness newsletters■ Online training resources available

https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html


https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

Security Rule Educational Paper SeriesThe HIPAA Security Information Series is a group of educational papers that are designed to give HIPAA-covered entities insight into the Security Rule and assistance with implementation of the security standards:■ Security 101 for Covered Entities■ Administrative Safeguards■ Physical Safeguards■ Technical Safeguards■ Organizational, Policies and Procedures and Documentation Requirements■ Basics of Risk Analysis and Risk Management■ Security Standards: Implementation for the Small Providerhttps://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html


https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Additional Resources■ https://www.hhs.gov/hipaa/for-professionals/security/laws-

regulations/index.html■ https://www.hhs.gov/ocr/newsroom/index.html■ https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-

associates/index.html■ https://www.hhs.gov/hipaa/for-professionals/compliance-

enforcement/audit/protocol/index.html■ https://www.hhs.gov/hipaa/for-

professionals/security/guidance/index.html


https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.htmlhttps://www.hhs.gov/ocr/newsroom/index.htmlhttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.htmlhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.htmlhttps://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Questions?


[email protected]

https://afmc.org/SRA

mailto:[email protected]://afmc.org/SRA

Documents

HIPAA is the Real Deal - AFMC · 2019. 9. 12. · The HIPAA Security Information Series is a group of educational papers that are designed to give HIPAA-covered entities insight into