HIPAA is the Real Deal
Mollie McCammon, RHIA, CHP
June 26, 2019
Copyright © 2019, AFMC, Inc.
Today’s Presenter
Mollie McCammon, RHIA, CHP
AFMC – HIPAA Privacy and Security Policy Analyst
Topics
■ Patient privacy complaints
■ OCR audits
■ RFI – HIPAA changes coming?
■ Hot HIPAA security topics
■ Business associate access
■ HIPAA policies and procedures
■ How to stay out of HIPAA trouble
■ What to do for HIPAA this year
■ Security risk analysis
■ HIPAA resources
Happy Birthday, HIPAA!
■ Health Insurance Portability and Accountability Act
■ The Privacy Rule compliance date was April 2003, so 2019 marks 16 years of enforceable HIPAA privacy requirements (the Act itself was signed into law in 1996)
■ US Department of Health and Human Services (HHS) makes the rules
■ Office for Civil Rights (OCR) enforces the rules
Since the compliance date of the Privacy Rule in April 2003, OCR has received more than 206,522 HIPAA complaints and has initiated more than 966 compliance reviews. Ninety-eight percent of these cases have been resolved (202,516).
Patient Privacy Complaints

Resolution status as of April 30, 2019:

| Number of cases | Resolution status                                                      |
|-----------------|------------------------------------------------------------------------|
| 26,851          | Required changes in privacy practices and corrective action plans      |
| 11,761          | No violation had occurred                                              |
| 35,166          | OCR provided technical assistance without need for an investigation    |
| 128,738         | The complaint did not present an eligible case for enforcement         |
| 727             | Referred to the Department of Justice (DOJ) for criminal investigation |

The first four rows sum to 202,516, the resolved-case figure above.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
Most Investigated Compliance Complaints
From the compliance date to the present, the compliance issues investigated, in order of frequency:
• Impermissible uses and disclosures of protected health information
• Lack of safeguards of protected health information
• Lack of patient access to their protected health information
• Lack of administrative safeguards of electronic protected health information
• Use or disclosure of more than the minimum necessary protected health information
OCR Audits
OCR Breach Portal (the “HIPAA Wall of Shame”)
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Cases currently under investigation (breaches submitted by covered entities):

| Year | Breaches submitted | Individuals affected |
|------|--------------------|----------------------|
| 2019 | 82                 | 3,034,986            |
| 2018 | 261                | 11,922,201           |
| 2017 | 93                 | 1,811,879            |
OCR Audits
Resolution Agreements and Civil Money Penalties

| Year | HIPAA fines  |
|------|--------------|
| 2018 | $28,683,400  |
| 2017 | $20,393,200  |
| 2016 | $23,504,800  |

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
Recently Reported Incidents (from the OCR website)
§ Computer theft
§ Hackers
Resolution Agreements
Company: Filefax (Northbrook, Ill.) provided storage, maintenance and delivery of medical records for covered entities.
Breach: On Feb. 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell.
Investigation results: OCR’s investigation indicated that between Jan. 28 and Feb. 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, by granting permission to an unauthorized person to remove the PHI from Filefax, and by leaving the PHI unsecured outside the Filefax facility.
Resolution Agreements
Company: The Center for Children’s Digestive Health (CCDH) is a small, for-profit health care provider with a pediatric subspecialty practice and seven clinic locations in Illinois.
Breach and investigation: In August 2015, OCR initiated a compliance review of CCDH following the investigation of its business associate, Filefax, Inc., which stored records containing PHI for CCDH. Although CCDH began disclosing PHI to Filefax in 2003, neither party could produce a Business Associate Agreement (BAA) signed before Oct. 12, 2015.
Resolution Agreements
Company: MAPFRE Life Insurance Company of Puerto Rico is a subsidiary of a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.
Breach: On Sept. 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device containing ePHI had been stolen from its IT department, where it was left overnight.
Investigation: OCR’s investigation revealed noncompliance; specifically, a failure to conduct a risk analysis and implement risk management plans, and a failure to deploy encryption (or an equivalent alternative measure) on its laptops and removable storage media until Sept. 1, 2014.
OCR HIPAA Investigations
■ Practice is notified by email
■ Desk audits versus on-site audits
■ Practice is required to send supporting documentation
■ Short time frame to respond
HIPAA Changes Coming?
HHS/OCR issued a request for information (RFI) asking for input on the following areas:
■ Encouraging information-sharing for treatment and care coordination
■ Facilitating parental involvement in care
■ Addressing the opioid crisis and serious mental illness
■ Accounting for disclosures of PHI for treatment, payment and health care operations, as required by the HITECH Act
■ Changing the current requirement for certain providers to make a good-faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices
■ Comments were due February 2019
Hot HIPAA Security Topics
■ Cyber attacks
■ Ransomware
■ Social engineering hacks
■ Texting and emailing
■ BYOD – bring your own device
■ Encryption
Business Associate Access
§ Must have a business associate agreement (BAA) in place before giving vendors access to your patient information
§ There are times when a BAA is not needed; consider using a confidentiality agreement
§ BAA content requirements were updated in 2013, so make sure you have the latest version
• Sample available on the HHS website: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
§ Be specific when giving access
§ Ensure BAs are working to follow HIPAA
HIPAA Policies and Procedures
■ Policy: statement of intent
■ Procedure: the process to carry it out
■ Includes specific steps for your organization
■ Go for quality, not the bare minimum
How do I Stay out of HIPAA Trouble?
■ HIPAA is common sense
■ Although it is not cut-and-dried, making an effort and being proactive will help you in the long run
■ To be able to prove your efforts, you must document them
■ An ounce of prevention is worth a pound of cure
■ Risk analysis and an annual security risk analysis
What do I Need to do for HIPAA This Year?
■ Review list of BAs and agreements
■ Review, update or implement HIPAA policies and procedures
■ HIPAA training for staff
■ Investigate and report breaches
■ Security risk analysis
Security Risk Analysis
The security risk analysis is both a legal and a regulatory requirement established by HIPAA and the HITECH Act, and is designed to ensure the privacy and security of patients’ protected health information (PHI).
Security Risk Analysis
■ The security risk analysis (SRA) is a very important component of the HIPAA Security Rule (published in 2003)
■ The rule specifies security safeguards to ensure the confidentiality, integrity and availability of ePHI
■ Any covered entity that creates, stores, transmits or receives ePHI is required to conduct an SRA and review it periodically; conducting or reviewing it at least annually is the practical minimum, and federal incentive programs require it each year
• Covered entities are health care providers that conduct standard electronic transactions, health plans and health care clearinghouses; business associates must also comply with the Security Rule
• Questions about who is a covered entity? An excellent decision tool is available from CMS – select your questions and the guide will display the answer
• https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf
Security Risk Analysis
■ SRA must be performed annually
■ Reporting requirement for state and federal programs
■ Critical step to protect patient data
■ May be performed internally or outsourced to a third party
■ Required by the HIPAA Security Rule; no one is exempt
Security Risk Analysis
■ HIPAA does not specify the exact elements of an SRA
■ Must cover three key elements: administrative, physical and technical safeguards
■ Any identified vulnerabilities or risks need to be documented and addressed with a corrective action plan and/or mitigation process
■ The SRA is not a once-and-done requirement; it is an ongoing process
■ Trusted resources are available to guide you
• ONC/OCR downloadable tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
• Third-party vendors
• Professional associations
SRA Services: Benefits for Your Practice
■ Organizations with SRA expertise can save time and money
• Develop custom privacy and security policies and procedures
• Align your policies and procedures with HIPAA standards
• Identify and document potential threats, vulnerabilities and possible impact to your operations
• Provide guidance on documenting corrective actions needed to mitigate identified risks
• Deliver report findings and supporting documentation
• Consult, educate and guide your staff on HIPAA best practices
• Reduce your clinical staff burden
Why AFMC
§ Nearly 10 years of experience successfully completing more than 1,600 SRAs, covering more than 4,000 health care professionals
§ Expertise and in-depth knowledge of HIPAA compliance standards
§ Proprietary tools and processes that address the key SRA components: administrative, technical and physical safeguards
§ Flexible and scalable service options, from a basic SRA service to an on-site, in-person assessment
§ New – virtual assessment
§ Personalized assistance: consult, educate and guide staff on HIPAA best practices
§ Trusted advisor and provider advocate
HIPAA requirements keeping you up at night? Contact us for more information.
Web: afmc.org/SRA
Email: [email protected]
Phone: 501-906-7511
HIPAA Resources
Keep these handy

HHS OCR Privacy and Security Listserv
https://www.hhs.gov/hipaa/for-professionals/list-serve/index.html
Cyber Security Guidance Material
■ Cyber security checklist
■ Ransomware guidance
■ NIST Cybersecurity Framework
■ OCR cyber awareness newsletters
■ Online training resources available
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
Security Rule Educational Paper Series
The HIPAA Security Information Series is a group of educational papers designed to give HIPAA-covered entities insight into the Security Rule and assistance with implementing the security standards:
■ Security 101 for Covered Entities
■ Administrative Safeguards
■ Physical Safeguards
■ Technical Safeguards
■ Organizational, Policies and Procedures and Documentation Requirements
■ Basics of Risk Analysis and Risk Management
■ Security Standards: Implementation for the Small Provider
https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
Additional Resources
■ https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
■ https://www.hhs.gov/ocr/newsroom/index.html
■ https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
■ https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
■ https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
Questions?
https://afmc.org/SRA