HIPAA is the Real Deal
Mollie McCammon, RHIA, CHP
June 26, 2019
Copyright © 2019, AFMC, Inc.


  • Today’s Presenter

    Mollie McCammon, RHIA, CHP
    AFMC – HIPAA Privacy and Security Policy Analyst


  • Topics

    ■ Patient privacy complaints
    ■ OCR audits
    ■ RFI – HIPAA changes coming?
    ■ Hot HIPAA security topics
    ■ Business associate access
    ■ HIPAA policies and procedures
    ■ How to stay out of HIPAA trouble
    ■ What to do for HIPAA this year
    ■ Security risk analysis
    ■ HIPAA resources


  • Happy Birthday, HIPAA!

    ■ HIPAA turned 16 years old in 2019
    ■ Health Insurance Portability and Accountability Act
    ■ US Department of Health and Human Services (HHS) makes the rules
    ■ Office for Civil Rights (OCR) enforces the rules


  • Patient Privacy Complaints

    Since the compliance date of the Privacy Rule in April 2003, OCR has received more than 206,522 HIPAA complaints and has initiated more than 966 compliance reviews. Ninety-eight percent of these cases have been resolved (202,516).

    Resolution status as of April 30, 2019:

    Number of cases   Resolution status
    26,851            Required changes in privacy practices and corrective action plans
    11,761            No violation had occurred
    35,166            OCR provided technical assistance without need for an investigation
    128,738           The complaint did not present an eligible case for enforcement
    727               Referred to Department of Justice (DOJ) for criminal investigation

    https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html


  • Most Investigated Compliance Complaints

    From the compliance date to the present, the compliance issues investigated, compiled in order of frequency:

    • Impermissible uses and disclosures of protected health information
    • Lack of safeguards of protected health information
    • Lack of patient access to their protected health information
    • Lack of administrative safeguards of electronic protected health information
    • Use or disclosure of more than the minimum necessary protected health information


  • OCR Audits

    OCR Breach Portal, or the HIPAA "Wall of Shame": https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

    Cases currently under investigation:

                                             2019        2018        2017
    Breaches submitted by covered entity       82         261          93
    Individuals affected                3,034,986  11,922,201   1,811,879


  • OCR Audits

    Resolution Agreements and Civil Money Penalties

    Year   HIPAA fines
    2018   $28,683,400
    2017   $20,393,200
    2016   $23,504,800

    https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html


  • Recently Reported Incidents (From the OCR Website)

    § Computer Theft
    § Hackers

  • Resolution Agreements

    Company: Filefax (Northbrook, Ill.) provided for the storage, maintenance and delivery of medical records for covered entities.

    Breach: On Feb. 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell.

    Investigation results: OCR’s investigation indicated that between Jan. 28 and Feb. 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.


  • Resolution Agreements

    Company: The Center for Children’s Digestive Health (CCDH) is a small, for-profit health care provider with a pediatric subspecialty practice with seven clinic locations in Illinois.

    Breach and Investigation: In August 2015, OCR initiated a compliance review of CCDH following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing PHI for CCDH. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015.


  • Resolution Agreements

    Company: MAPFRE Life Insurance Company of Puerto Rico is a subsidiary company of a global multinational insurance company in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.

    Breach: On Sept. 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device containing ePHI was stolen from its IT department where it was left overnight.

    Investigation: OCR’s investigation revealed noncompliance; specifically, a failure to conduct its risk analysis and implement risk management plans and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until Sept. 1, 2014.


  • OCR HIPAA Investigations

    ■ Practice is notified by email
    ■ Desk versus on-site audits
    ■ Practice required to send supporting documentation
    ■ Short time frame to respond


  • HIPAA Changes Coming?

    HHS/OCR issued a request for information (RFI) asking for input on the following areas:

    ■ Encouraging information-sharing for treatment and care coordination
    ■ Facilitating parental involvement in care
    ■ Addressing the opioid crisis and serious mental illness
    ■ Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
    ■ Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices
    ■ Comments were due February 2019


  • Hot HIPAA Security Topics

    ■ Cyber attacks
    ■ Ransomware
    ■ Social engineering hacks
    ■ Texting and emailing
    ■ BYOD – bring your own device
    ■ Encryption


  • Business Associate Access

    § Must have a business associate agreement (BAA) in place before giving vendors access to your patient information
    § There are times when a BAA is not needed; consider using a confidentiality agreement
    § BAA content was updated in 2013, so make sure you have the latest version
      • Sample available on the HHS website: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
    § Be specific when giving access
    § Ensure BAs are working to follow HIPAA


  • HIPAA Policies and Procedures

    ■ Policy: statement of intent
    ■ Procedure: the process to do it
    ■ Includes specific steps for your organization
    ■ Go for quality, not the bare minimum


  • How do I Stay out of HIPAA Trouble?

    ■ HIPAA is common sense
    ■ Although it’s not cut-and-dried, if you will make an effort and be proactive, it will help you in the long run
    ■ To be able to prove your efforts, you must document
    ■ An ounce of prevention is worth a pound of cure
    ■ Risk analysis and annual security risk analysis


  • What do I Need to do for HIPAA This Year?

    ■ Review list of BAs and agreements
    ■ HIPAA policies and procedures: review, update or implement
    ■ HIPAA training for staff
    ■ Investigate and report breaches
    ■ Security risk analysis


  • Security Risk Analysis

    The security risk analysis is both a legal and regulatory requirement established by HIPAA and the HITECH Act, and is designed to ensure the privacy and security of patients’ protected health information (PHI).


  • Security Risk Analysis

    ■ The security risk analysis (SRA) is a very important component of the HIPAA Security Rule (enacted in 2003)
    ■ The rule specifies security safeguards to ensure the confidentiality, integrity and availability of ePHI
    ■ Any covered entity that creates, stores, transmits or receives ePHI is required to conduct (or review) an SRA at least annually
      • Covered entities include (but are not limited to) providers, health plans, clearinghouses
      • Questions about who is a covered entity? An excellent decision tool is available from CMS – select your questions and the guide will display the answer
      • https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf


  • Security Risk Analysis

    ■ SRA must be performed annually
    ■ Reporting requirement for state and federal programs
    ■ Critical step to protect patient data
    ■ May be performed internally or outsourced to a third party
    ■ Required by HIPAA Security Rule; no one is exempt

  • Security Risk Analysis

    ■ HIPAA does not specify the exact elements of an SRA
    ■ Must cover three key elements: administrative, physical and technical safeguards
    ■ Any identified vulnerabilities or risks need to be documented and addressed with a corrective action plan and/or mitigation process
    ■ SRA is not a once-and-done requirement; it is an ongoing process
    ■ Trusted resources are available to guide you
      • ONC/OCR downloadable tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
      • Third party vendors
      • Professional associations


  • SRA Services: Benefits For Your Practice

    ■ Organizations with SRA expertise can save time and money
      • Develop custom privacy and security policies and procedures
      • Align your policies and procedures with HIPAA standards
      • Identify and document potential threats, vulnerabilities and possible impact to your operations
      • Provide guidance on documenting corrective actions needed to mitigate identified risks
      • Deliver report findings and supporting documentation
      • Consult, educate and guide your staff on HIPAA best practices
      • Reduce your clinical staff burden

  • Why AFMC

    § Nearly 10 years of experience successfully completing more than 1,600 SRAs, covering more than 4,000 health care professionals
    § Expertise and in-depth knowledge of HIPAA compliance standards
    § Proprietary tools and processes that address the key SRA components: administrative, technical and physical safeguards
    § Flexible and scalable service options
    § Basic SRA service to an on-site, in-person assessment
    § New – Virtual Assessment
    § Personalized assistance
    § Consult, educate and guide staff on HIPAA best practices
    § Trusted advisor and provider advocate


  • HIPAA requirements keeping you up at night? Contact us for more information

    Web: afmc.org/SRA
    Email: [email protected]
    Phone: 501-906-7511

  • HIPAA Resources

    Keep these handy


  • OCR Privacy and Security Listserv

    https://www.hhs.gov/hipaa/for-professionals/list-serve/index.html

  • HHS OCR Listserv

  • Cyber Security Guidance Material

    ■ Cyber security checklist
    ■ Ransomware guidance
    ■ NIST cybersecurity framework
    ■ OCR cyber awareness newsletters
    ■ Online training resources available

    https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html


  • Security Rule Educational Paper Series

    The HIPAA Security Information Series is a group of educational papers that are designed to give HIPAA-covered entities insight into the Security Rule and assistance with implementation of the security standards:

    ■ Security 101 for Covered Entities
    ■ Administrative Safeguards
    ■ Physical Safeguards
    ■ Technical Safeguards
    ■ Organizational, Policies and Procedures and Documentation Requirements
    ■ Basics of Risk Analysis and Risk Management
    ■ Security Standards: Implementation for the Small Provider

    https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html


  • Additional Resources

    ■ https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
    ■ https://www.hhs.gov/ocr/newsroom/index.html
    ■ https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
    ■ https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
    ■ https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html


  • Questions?


  • [email protected]

    https://afmc.org/SRA
