Hidden HIPAA Weaknesses: How to Tackle Them and Prevent a Breach

Presentation transcript:

Hidden HIPAA Weaknesses: How to Tackle Them and Prevent a Breach Montez Fitzpatrick Keystone IT Margaret Scavotto, JD, CHC Management Performance Associates LeadingAge Missouri Annual Meeting September 13, 2016

The Lay of the Land
2016: 10 settlements (so far). Total: $20,825,000. Average: $2,082,500.
…and now the OCR will investigate small breaches too.
2015: 5 settlements. Total: $5,443,400. Average: $1,088,680.

Game #1: Is it PHI? “Sad day at work today”

Game #1: Is it PHI? “Sad day at work treating a resident in the dementia unit today”

Game #1: Is it PHI? “Sad day at work treating someone so young in the dementia unit today ”

Game #1: Is it PHI? “Sad day at work treating my third grade teacher in the dementia unit today”

Game #2: Should I? Think of your organization’s newest, or youngest, CNA. For the purpose of this game, put yourself in this person’s shoes. Hand down if you think the CNA would take the picture using SnapChat.

Game #3: Find the Workaround You work in the business office at Maple Hill Nursing Home. You have to get a project done today, using a spreadsheet with patient information, but you also have to leave at 4 for a doctor’s appointment and will need to work on it tonight. Maple Hill does not allow PHI on flash drives, laptops, or smartphones. What do you do?

Problem #1: A health care provider backed up all of its ePHI on a cloud-based server. The provider did NOT have a Business Associate Agreement (BAA) with the cloud provider. The provider did NOT conduct a comprehensive HIPAA Security risk assessment.

How do we remove the workaround?

How do we help employees get it right?

Problem #2: A clinic gave X-Rays to a media company. The media company put the X-Rays onto electronic media in exchange for harvesting the silver. The clinic did NOT have a BAA with the media company.

How do we remove the workaround?

How do we help employees get it right?

Problem #3: A PT company posted patient testimonials with names and pictures to its website. The PT company did NOT get HIPAA authorizations from the patients.

How do we remove the workaround?

How do we help employees get it right?

Problem #4: A laptop was stolen from an unlocked treatment room overnight. The laptop was not encrypted.

How do we remove the workaround?

How do we help employees get it right?

Problem #5: A password-protected laptop was stolen, likely by a visitor who had inquired about borrowing a laptop. ePHI on the network drive was accessible by a generic username and password.

How do we remove the workaround?

How do we help employees get it right?

Problem #6: A hospital allowed a TV film crew to film two patients without a HIPAA authorization. One patient was in distress; the other was dying. The footage aired on television.

How do we remove the workaround?

How do we help employees get it right?

Problem #7: An employee clicked on and downloaded an email attachment with malware. The malware infected the employee’s computer and compromised the ePHI of 90,000 individuals.

How do we remove the workaround?

How do we help employees get it right?

Problem #8: Two hospital employees leaked a medical record to ESPN, which posted the record on Twitter.

How do we remove the workaround?

How do we help employees get it right?

Problem #9: Two paramedics engaged in a selfie war by text. They competed to take the most shocking pictures of themselves with patients. They were arrested and now face criminal charges.

How do we remove the workaround?

How do we help employees get it right?

Questions? Margaret Scavotto, JD, CHC Director of Compliance Services Management Performance Associates 314.434.4227 ext. 24 mcs@healthcareperformance.com © 2016 Management Performance Associates. Because MPA is a consulting company and not a law firm, neither MPA nor any of its employees provide legal advice or legal services. Nothing contained in this PowerPoint constitutes legal advice. It is strongly recommended that all providers consult with competent legal counsel versed in HIPAA as they address HIPAA compliance and develop and implement HIPAA and social media policies and procedures.

Montez Fitzpatrick Director of Information Security and Compliance Keystone Technologies 314-621-9500 mfitzpatrick@keystone-it.com