© Clearwater Compliance | All Rights Reserved
WHY HIPAA?
“Healthcare organizations are the most vulnerable for breaches. I would rather have my identity stolen than my medical records. You can get a new social security number, but your health information is so personal and uniquely yours.”
Robert Herjavec, founder of a leading cyber security firm; investor, author and television personality (Shark Tank)
Top 5 HIPAA breach fines since 2009:
① New York Presbyterian Hospital & Columbia University: $4.8M
② Cignet Health Center: $4.3M
③ Triple S Management: $3.5M
④ CVS Pharmacy: $2.3M
⑤ Concentra Health Services: $1.7M
Healthcare requires HIPAA-compliant messaging
HIPAA violations are on the rise
Office for Civil Rights (OCR) has imposed more than $26 million in fines for HIPAA privacy, security and breach notification violations to date.
And plans to collect $5 million in penalties in Q1’16.
OCR receives more than 30,000 reports about HIPAA privacy violations each year.
Source: hhs.gov, HealthcareITnews.com, healthcareinfosecurity.com
HIPAA expertise is required
• The OCR rules and fines are complicated, requiring a deep understanding of the procedures and audits.
• This is especially true with the increasing number of mobile devices proliferating across the workforce.
• Security is a hot-button issue inside and outside the industry.
Lua secures messaging for all types of healthcare organizations
Your Presenter
Michelle Caswell, Senior Director Legal & Compliance | JD
• More than 15 years healthcare experience
• Extensive experience in HIPAA Privacy, Security and Breach Notification Rules
• Experienced Principal Healthcare Privacy/Security Consultant, conducting compliance audits and risk assessments; drafting policies and procedures; training staff and assisting with remediation efforts
• Former HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights
• Licensed attorney in Georgia and Tennessee
• Frequent national speaker on healthcare compliance and security
1. HIPAA Condensed (Really, Really Condensed)
Bottom Line Up Front
Before HITECH/Omnibus:
• “Paper Tiger”
• Healthcare industry largely ignored
• Business Associates didn’t know or care or both!
• Information Security was woefully inadequate
After HITECH/Omnibus:
• “Game-changer”
• Healthcare industry woefully unprepared
• Largest and most consequential expansion of Federal Privacy rules
• Significant new burden on business associates
• Substantially increases the magnitude of HIPAA risk and liability
Today: Help you mitigate your newly created risks and liabilities as a CE and BA (includes Subcontractors)
Think HITECH = Hey It’s Time to End your Compliance Holiday
HIPAA-HITECH Entities
Covered Entity
• Health care providers (that conduct e-transactions), health plans, health care clearinghouses
Business Associate
• Entity that uses or discloses PHI on behalf of a CE
• Create, receive, maintain or transmit PHI on behalf of a CE
Subcontractor (or Agent?) / Sub Business Associate
• A person or entity to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA.
Protected Health Information (PHI)
• Protected Health Information (PHI) – Past, Present, Future Mental or Physical Health, or billing related thereto
– Can be connected to an individual by one of 18 identifiers
– All forms: Oral, written, electronic, etc.
– Excludes employment records and education records
So What?
“I KEEP six honest serving-men (They taught me all I knew);
Their names are What and Why and When And How and Where and Who…”
– Rudyard Kipling
+ Must be handling the What…
+ Must be one of the Who…
2. The Real Problem We’re Trying to Solve
Who’s to Blame?
Case Examples
• Access
• Authorizations
• Confidential Communications
• Disclosures to Avert a Serious Threat to Health or Safety
• Impermissible Uses and Disclosures
• Minimum Necessary
• Safeguards
Common Causes
• Theft of Laptop, Servers, Backup Tapes, Mobile Devices
• Loss of Laptop, Servers, Backup Tapes, Mobile Devices
• Improper Disposal
• Misdirected Communications
• Post to Public Websites
• Missing Firewalls
• Successful Phishing
Do Risk Analysis And Risk Management!
• “We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems.”
• “These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”
• “When the OCR investigates a breach, we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by ... timely risk management practices is the cornerstone of any good compliance program.”
Jocelyn Samuels, Director, HHS Office for Civil Rights
– OCR/NIST Conference | September 23, 2014
New Audit Protocol Coming in April
• OCR will release its proposed new protocol in April 2016 for public feedback before finalizing it
• Updated to reflect changes included in the HIPAA Omnibus Rule
• 200 remote desk audits
• 10-25 ‘full scale’ onsite audits
• CEs to identify their BAs to create a ‘larger pool of BAs from whom to select auditees.’
Deven McGraw, OCR's Deputy Director of Health Information Privacy – HIMSS 2016 Conference in Las Vegas
"We are planning to revise the entire protocol even though for the desk audits we are only going to be auditing for selected provisions," McGraw says.
http://www.healthcareinfosecurity.com/interviews/hipaa-audits-progress-report-i-3097
3. One Area of Risk - Texting
Providers Won’t Give Up Texting
• Nothing prohibits you from texting with patients, not even HIPAA
• However, consider some liabilities with texting between your organization and patients or texting between health providers
• Security Risks
– Unauthorized access to ePHI
– Lost/stolen device
– Unencrypted texts
Texting Cont’d
• Legal Risks
– If PHI is included in texts between provider/patient, provider/provider or insurance/member, the messages may be subject to HIPAA
– Could become part of the patient’s designated record set and/or legal health record
– As such, the provider may need to save texts for the legally required time, allowing the patient to access and amend the text messages
– If the provider deletes these messages for security purposes, there may be a violation of law regarding retention requirements
Texting Cont’d
If, after weighing the associated risks, you determine texting is right for you, here are some suggestions for policies and procedures:
• Have patients sign a consent form allowing for communication between provider and patient. Keep the consent form in the patient chart
• Include only non-urgent information (e.g. appointment reminders, prescription refills)
• If you have a patient portal, send a text “you have a message from Dr. Smith. Please log in to your account to see the message”
• Ensure the phone number being used is the right number
• If related to patient treatment, incorporate into the medical record
Texting Cont’d
• Have a mobile device management plan
• Encryption of mobile devices
• Password protected
• Whether it’s BYOD or company-provided mobile device
• Text messages can be audited/monitored
• Utilize secure mobile messaging, like Lua
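The texting suggestions on the two slides above (a signed consent on file, notifications that carry no PHI and point the patient to the portal, a verified destination number, and messages that can be audited) can be enforced at the point where a notification is sent. The following is an added example written for this page; it is not code from the presentation, from Clearwater Compliance or from Lua. The template set, the provider directory, the patient record and the phone numbers are constructed for illustration, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Fixed, PHI-free templates: they point the patient to the portal or carry only
# non-urgent logistics, never a diagnosis, a result or a medication.
TEMPLATES: Dict[str, str] = {
    "portal_message": (
        "You have a message from Dr. {provider}. "
        "Please log in to your patient portal account to see the message."
    ),
    "appointment_reminder": (
        "Reminder: you have an appointment with Dr. {provider} on {date}. "
        "Please call the office if you need to reschedule."
    ),
}

# Constructed provider directory (hypothetical names). Every template slot is
# filled from an allowlist or a strict format, so free text (and with it PHI)
# cannot be smuggled into a slot by a caller.
PROVIDER_DIRECTORY = {"Smith", "Lee", "Okafor"}


def _is_known_provider(value: str) -> bool:
    return value in PROVIDER_DIRECTORY


def _is_iso_date(value: str) -> bool:
    try:
        datetime.strptime(value, "%Y-%m-%d")
        return True
    except ValueError:
        return False


PARAM_RULES: Dict[str, Callable[[str], bool]] = {
    "provider": _is_known_provider,
    "date": _is_iso_date,
}

E164 = re.compile(r"^\+[1-9]\d{7,14}$")  # international phone number format


class PolicyViolation(Exception):
    """Raised when a send would break the texting policy."""


@dataclass
class PatientContact:
    patient_id: str                   # internal id; never placed in the text body
    consented_number: Optional[str]   # number written on the signed consent form
    consent_on_file: bool             # has the patient signed the texting consent?


@dataclass
class AuditEntry:
    timestamp: str
    patient_id: str
    template_id: str
    destination: str
    body: str


AUDIT_LOG: List[AuditEntry] = []   # constructed in-memory stand-in for an audit store


def render(template_id: str, params: Dict[str, str]) -> str:
    """Fill a known template; reject unknown templates and unvalidated slot values."""
    if template_id not in TEMPLATES:
        raise PolicyViolation(f"unknown template {template_id!r}; free-text messages are not allowed")
    template = TEMPLATES[template_id]
    required = set(re.findall(r"\{(\w+)\}", template))
    if set(params) != required:
        raise PolicyViolation(f"template {template_id!r} expects parameters {sorted(required)}")
    for name, value in params.items():
        if not PARAM_RULES[name](value):
            raise PolicyViolation(f"parameter {name!r} failed validation")
    return template.format(**params)


def send_notification(contact: PatientContact, destination: str,
                      template_id: str, **params: str) -> AuditEntry:
    """Apply the policy gate, record the text (no real send here) and return the audit entry."""
    if not contact.consent_on_file:
        raise PolicyViolation("no signed texting consent on file")
    if not E164.match(destination):
        raise PolicyViolation("destination is not a valid E.164 number")
    if destination != contact.consented_number:
        raise PolicyViolation("destination does not match the number on the consent form")
    body = render(template_id, params)
    entry = AuditEntry(
        timestamp=datetime.now(timezone.utc).isoformat(),
        patient_id=contact.patient_id,
        template_id=template_id,
        destination=destination,
        body=body,
    )
    AUDIT_LOG.append(entry)   # who was texted, what, when: reviewable later
    return entry


if __name__ == "__main__":
    alice = PatientContact("pt-0001", "+15555550123", True)   # constructed sample
    print(send_notification(alice, "+15555550123", "portal_message", provider="Smith").body)
    try:
        send_notification(alice, "+15555550123", "portal_message",
                          provider="Smith, your biopsy was positive")
    except PolicyViolation as exc:
        print("blocked:", exc)
```

The gate deliberately relies on allowlists rather than on trying to detect PHI in free text: a message can only be one of the approved templates, and each slot can only hold a directory entry or a well-formed date, so the "minimum necessary" property holds by construction. The consent and number-match checks cover the consent-form and right-number suggestions, and the audit entry gives the organization the record it needs when a text becomes part of the designated record set.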
Balanced Compliance Program – Clearwater Compliance Compass™: Policy, Procedures, People, Safeguards
Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.
People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.
Procedures or processes – documented – provide the actions required to deliver on an organization’s values.
Safeguards include the various families of administrative, physical or technical security controls (e.g. encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.)
Questions and Answers
• Feel free to submit questions into the box on your right.
THANK YOU
getlua.com [email protected]
clearwatercompliance.com [email protected]