HIPAA Compliance and Security in a Mobile World

© Clearwater Compliance | All Rights Reserved


Page 2

WHY HIPAA?

“Healthcare organizations are the most vulnerable for breaches. I would rather have my identity stolen than my medical records. You can get a new social security number, but your health information is so personal and uniquely yours.”

Robert Herjavec, founder of a leading cyber security firm; investor, author and television personality (Shark Tank)

Page 3

Top 5 HIPAA breach fines since 2009:

① New York Presbyterian Hospital & Columbia University: $4.8M
② Cignet Health Center: $4.3M
③ Triple S Management: $3.5M
④ CVS Pharmacy: $2.3M
⑤ Concentra Health Services: $1.7M

Healthcare requires HIPAA-compliant messaging

HIPAA violations are on the rise

The Office for Civil Rights (OCR) has imposed more than $26 million in fines for HIPAA privacy, security and breach notification violations to date, and plans to collect $5 million in penalties in Q1’16.

OCR receives more than 30,000 reports of HIPAA privacy violations each year.

Source: hhs.gov, HealthcareITnews.com, healthcareinfosecurity.com

Page 4

HIPAA expertise is required

• The OCR rules and fines are complicated, requiring a deep understanding of the procedures and audits.

• This is especially true with the increasing number of mobile devices proliferating in the workforce.

• Security is a hot button issue inside and outside the industry.

Page 5

Lua secures messaging for all types of healthcare organizations

Page 6

Your Presenter

Michelle Caswell, Senior Director Legal & Compliance | JD

• More than 15 years healthcare experience
• Extensive experience in HIPAA Privacy, Security and Breach Notification Rules
• Experienced Principal Healthcare Privacy/Security Consultant, conducting compliance audits and risk assessments; drafting policies and procedures; training staff and assisting with remediation efforts
• Former HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights
• Licensed attorney in Georgia and Tennessee
• Frequent national speaker on healthcare compliance and security

Page 7

1. HIPAA Condensed (Really, Really Condensed)

Page 8

Bottom Line Up Front

Before HITECH/Omnibus:
• “Paper Tiger”
• Healthcare industry largely ignored it
• Business Associates didn’t know or care, or both!
• Information Security was woefully inadequate

After HITECH/Omnibus:
• “Game-changer”
• Healthcare industry woefully unprepared
• Largest and most consequential expansion of Federal privacy rules
• Significant new burden on business associates
• Substantially increases the magnitude of HIPAA risk and liability

Today: Help you mitigate your newly created risks and liabilities as a CE and BA (includes Subcontractors)

Think HITECH = Hey It’s Time to End your Compliance Holiday

Page 9

HIPAA-HITECH Entities

Covered Entity
• Health care providers (that conduct e-transactions), health plans, health care clearinghouses

Business Associate
• Entity that uses or discloses PHI on behalf of a CE
• Creates, receives, maintains or transmits PHI on behalf of a CE

Subcontractor (or Agent?) / Sub Business Associate
• A person or entity to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA.

Page 10

Protected Health Information (PHI)

• Protected Health Information (PHI)
– Information about past, present or future mental or physical health, or billing related thereto
– Can be connected to an individual by one of 18 identifiers
– All forms: oral, written, electronic, etc.
– Excludes employment records and education records

Page 11

So What?

“I KEEP six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who…”
- Rudyard Kipling

+ Must be handling the What…
+ Must be one of the Who…

Page 12

2. The Real Problem We’re Trying to Solve

Page 13

Who’s to Blame?

Case Examples
• Access
• Authorizations
• Confidential Communications
• Disclosures to Avert a Serious Threat to Health or Safety
• Impermissible Uses and Disclosures
• Minimum Necessary
• Safeguards

Common Causes
• Theft of laptops, servers, backup tapes, mobile devices
• Loss of laptops, servers, backup tapes, mobile devices
• Improper disposal
• Misdirected communications
• Posting to public websites
• Missing firewalls
• Successful phishing

 

Page 14

Do Risk Analysis And Risk Management!

• "We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems.”

• “These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”

• “When the OCR investigates a breach, we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by ... timely risk management practices is the cornerstone of any good compliance program."

Jocelyn Samuels, Director, HHS Office for Civil Rights -- OCR/NIST Conference | September 23, 2014

Page 15

New Audit Protocol Coming in April

• OCR will release its proposed new protocol in April 2016 for public feedback before finalizing it
• Updated to reflect changes included in the HIPAA Omnibus Rule
• 200 remote desk audits
• 10-25 ‘full scale’ onsite audits
• CEs to identify their BAs to create a ‘larger pool of BAs from whom to select auditees.’

Deven McGraw, OCR's Deputy Director of Health Information Privacy - HIMSS 2016 Conference in Las Vegas

"We are planning to revise the entire protocol even though for the desk audits we are only going to be auditing for selected provisions," McGraw says.

http://www.healthcareinfosecurity.com/interviews/hipaa-audits-progress-report-i-3097

Page 16

3. One Area of Risk - Texting

Page 17

Providers Won’t Give Up Texting

• Nothing prohibits you from texting with patients, not even HIPAA
• However, consider some liabilities of texting between your organization and patients, or between health providers

Security Risks
• Unauthorized access to ePHI
• Lost/stolen device
• Unencrypted texts

Page 18

Texting Cont’d

Legal Risks
• If PHI is included in texts between provider/patient, provider/provider, or insurance/member, the messages may be subject to HIPAA
• Could become part of the patient’s designated record set and/or legal health record
• As such, the provider may need to save texts for the legally required time, allowing the patient to access and amend the text messages
• If a provider deletes these messages for security purposes, that may violate retention requirements

 

Page 19

Texting Cont’d

If, after weighing the associated risks, you determine texting is right for you, here are some suggestions for policies and procedures:

• Have patients sign a consent form allowing for communication between provider and patient. Keep the consent form in the patient chart
• Include only non-urgent information (e.g. appointment reminders, prescription refills)
• If you have a patient portal, send a text “you have a message from Dr. Smith. Please log in to your account to see the message”
• Ensure the phone number being used is the right number
• If related to patient treatment, incorporate into the medical record

Page 20

Texting Cont’d

• Have a mobile device management plan
• Encryption of mobile devices
• Password protected
• Whether it’s BYOD or a company-provided mobile device
• Text messages can be audited/monitored
• Utilize secure mobile messaging, like Lua
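The texting policies on the two preceding slides (a signed consent on file, only non-urgent templated content, the right destination number, messages that can be audited) can be enforced at the point where an outbound text leaves the organization rather than left to each provider's judgement. The Python below is an added example written for this page, not code from Clearwater Compliance or Lua. The consent records, the approved templates and the handful of identifier patterns are constructed for illustration; the patterns stand in for, and do not enumerate, the 18 HIPAA identifiers.

```python
"""Outbound text-message policy gate (added example; assumptions are labelled).

It enforces three of the slide's policies before a text is released:
  1. the patient has a signed texting consent on file and the destination
     number matches the number on that consent;
  2. only pre-approved, non-urgent templates may be sent, and the values
     filled into them must not look like identifiers (SSN, MRN, phone, email);
  3. every decision, allowed or not, is written to an audit log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data (hypothetical): the phone number written on each
# patient's signed texting consent form, keyed by an internal patient id.
CONSENT_ON_FILE: Dict[str, str] = {
    "P-1001": "(615) 555-0101",
    "P-1002": "615-555-0102",
}

# Pre-approved, non-urgent templates (hypothetical). The portal template is the
# slide's own wording; none of the slots is meant to carry clinical content.
TEMPLATES: Dict[str, str] = {
    "portal_message": "You have a message from {provider}. "
                      "Please log in to your account to see the message.",
    "appt_reminder": "Reminder: your appointment with {provider} is on {when}.",
    "rx_ready": "Your prescription refill is ready for pickup at {location}.",
}

# A few identifier-like patterns. This is an illustrative subset, not the full
# list of HIPAA identifiers, and a regex cannot catch free-text clinical detail;
# that is why only template slots, not free text, are accepted at all.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{4,}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.\w+"),
}

# Audit trail. Design choice for this example: record who/what/why, never the
# message body or destination number, so the log itself does not hold PHI.
AUDIT_LOG: List[dict] = []


@dataclass
class Decision:
    allowed: bool
    message: str = ""                 # rendered text, empty when blocked
    reasons: List[str] = field(default_factory=list)


def normalize_phone(number: str) -> str:
    """Keep digits only and compare on the last ten (US numbers assumed)."""
    return re.sub(r"\D", "", number)[-10:]


def find_identifiers(text: str) -> List[str]:
    """Names of the identifier patterns that match anywhere in text."""
    return [name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)]


def gate_outbound_text(patient_id: str, to_number: str,
                       template_id: str, **slots: str) -> Decision:
    reasons: List[str] = []

    consent_number = CONSENT_ON_FILE.get(patient_id)
    if consent_number is None:
        reasons.append("no signed texting consent on file")
    elif normalize_phone(consent_number) != normalize_phone(to_number):
        reasons.append("destination number does not match the number on the consent form")

    message = ""
    template = TEMPLATES.get(template_id)
    if template is None:
        reasons.append(f"template {template_id!r} is not on the approved list")
    else:
        leaked = find_identifiers(" ".join(str(v) for v in slots.values()))
        if leaked:
            reasons.append("slot values contain identifier-like data: " + ", ".join(leaked))
        try:
            message = template.format(**slots)
        except KeyError as missing:
            reasons.append(f"template slot {missing.args[0]!r} not supplied")

    allowed = not reasons
    AUDIT_LOG.append({"patient_id": patient_id, "template_id": template_id,
                      "allowed": allowed, "reasons": list(reasons)})
    return Decision(allowed, message if allowed else "", reasons)


if __name__ == "__main__":
    print(gate_outbound_text("P-1001", "+1 615 555 0101", "portal_message",
                             provider="Dr. Smith"))
    print(gate_outbound_text("P-1001", "615-555-0199", "portal_message",
                             provider="Dr. Smith"))
    print(gate_outbound_text("P-1002", "6155550102", "appt_reminder",
                             provider="Dr. Smith", when="MRN 88231 follow-up, Monday 2:30"))
```

The gate fails closed: a wrong number, a missing consent, an unapproved template, an unfilled slot, or an identifier-looking value in a slot each blocks the send and is recorded. The pattern list is deliberately short; the real control is that free text is never accepted, so the deck's "notification only" rule holds even when a scanner would miss something.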

Page 21

Balanced Compliance Program

Clearwater Compliance Compass™: Policy | Procedures | People | Safeguards

Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.

Procedures or processes, documented, provide the actions required to deliver on the organization’s values.

People must include talented privacy, security and technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.

Safeguards include the various families of administrative, physical or technical security controls (e.g. encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.)

Page 22

Questions and Answers
• Feel free to submit questions into the box on your right.

Page 23

THANK  YOU  

getlua.com [email protected]

clearwatercompliance.com [email protected]