Rational HIPAA Woes for the CFO and Business Leaders

Presentation transcript:

Rational HIPAA Woes for the CFO and Business Leaders Kirsten Ruzic Wild Wild Consulting, Inc. May 2017

What is the real risk?
Cost of a regulatory (OCR) investigation: internal resources, $$$$
Cost of a breach: regulatory fines and penalties, negative community perception

Risk Mitigation

What gets you investigated by OCR?
1. Patient-complaint driven process
2. Breach compliance reviews
3. Reports by other individuals
4. Audits and reviews

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html?language=es

Complaint Investigations (2013-2015)
Year | Investigated: no violation | Resolved after intake and review | Investigated: corrective action obtained | Technical assistance | Total resolutions
2013 | 994 (7%) | 7,068 (49%) | 3,470 (24%) | 2,754 (19%) | 14,286
2014 | 668 (4%) | 10,653 (60%) | 1,288 | 5,128 (29%) | 17,737
2015 | 359 (2%) | 12,785 (72%) | 730 | 3,820 (22%) | 17,694
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html?language=es

Complaint Investigations (2010-2012)
Year | Investigated: no violation | Resolved after intake and review | Investigated: corrective action obtained | Total resolutions
2010 | 1,529 (17%) | 4,951 (54%) | 2,709 (29%) | 9,189
2011 | 1,302 (16%) | 4,465 (53%) | 2,595 (31%) | 8,362
2012 | 980 (10%) | 5,060 | 3,361 (36%) | 9,401
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html?language=es

Enforcement Results by State
State | Investigated: no violation | Resolved after intake and review | Investigated: corrective action
Wisconsin | 10% | 71% | 18%
Michigan | 9% | 73% | 18%

Top Five Issues in Investigated Cases
Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5
2015 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Technical Safeguards
2014, 2013: Minimum Necessary
2012, 2011: Notice to Individuals

What do you do to mitigate this risk?
Patient complaints are not your greatest risk; you know about most patient complaints.
Understand your process for managing complaints: patient safety/quality reporting by employees, grievances and complaints from patients, hotline, etc.
Ask for a report from your Safety Reporting System.
You should be able to mitigate this risk.
Never give the government a reason to walk through the door.

Resolution Agreements
Impermissible uses and disclosures: your own staff
Robust education, scenarios, dialogue
Sign a Confidentiality Statement to protect the organization
Employees should ask
Safeguards: protect ePHI

Resolution Agreements
Administrative safeguards: risk assessment, employee access rights, training, P&P, etc.
Access: patient access to their own medical record
Minimum necessary: robust education, scenarios, dialogue

2. Breach Reports and Reviews
Self-reporting: you know about these too
Wall of Shame: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Largest number of records: 7,880,000 to 63,000
Since October 2009: 1,900 breach reports of 500 or more individuals
2016 = 328; 2015 = 269; 2014 = 312

2. Breach Reports and Reviews
In breach reports of 500 or more individuals:
2013: ~257 resulted in an investigation; 152 breach investigations were closed; 80% (121) required corrective action
2014: ~285 resulted in an investigation; 239 breach investigations were closed; 90% (216) required corrective action

Top 100 reports, sorted by largest number of individuals affected
Location of data breached: 12 desktop; 6 EMR; 7 email; 12 laptop; 36 server; 8 paper/film; 20 other
Type of breach: 34 hacking; 3 improper disposal; 5 loss; 45 theft of portable device; 26 unauthorized access/disclosure; 5 other

Bottom 100 reports, sorted by smallest number of individuals affected
Type of breach: 11 hacking; 4 improper disposal; 9 loss; 35 theft of portable device; 15 unauthorized access/disclosure; 7 other
Location of data breached: 15 desktop; 7 EMR; 6 email; 22 laptop; 10 server; 30 paper/film; 10 other

Type of Entity Reporting Breach
Largest breaches: 25 Business Associates; 21 Health Plans; 54 Providers (the largest numbers of providers are private practices, general hospitals, outpatient facilities, and pharmacies)
Smallest breaches over 500: 15 Business Associates; 11 Health Plans; 74 Providers
Lost ePHI that is encrypted is not a breach!

What do you do to mitigate your risk of a Breach Review?
You should be receiving an Annual Breach Report (due by March 1st of each year; 500 or more individuals)
Easier not to report
Breach analysis process: ask questions
Be sure the risks are identified and mitigated:
Conduct a risk analysis (this should be an investigation)
Policies and procedures reviewed
Re-educate employees
Take necessary disciplinary action, timely

3. Reports by Other Individuals
Non-patient reports; not really a complaint
You usually know about these too

4. Audits and Reviews
HITECH/ARRA of 2009 required audits and provided funding
Prospectively assess for compliance
Ensure patient rights are respected
Covered entities (CE) and business associates (BA)

4. Audits and Reviews
2011-2012: Phase 1 pilot audit established an audit protocol (115 CE)
2013: evaluated the pilot program
2014: revised the program and readied for Phase 2
July 2016: Phase 2 desk audits launched (166 CE and 43 BA), with enhanced protocols, to test the efficacy of desk audits in evaluating compliance efforts; compliance improvement activity

4. Audits and Reviews
Phishing email disguised as official OCR audit communication (November 28, 2016)
Pre-audit questionnaire: must identify BAs!
May initiate a compliance review
No results until at least September 2017
Then on-site audits of CE and BA

4. Audits and Reviews
Samples requested and inquiries of management: Privacy Rule, Security Rule, Breach Notification
There will be on-site audits of both CE and BA after completion of the desk audits

4. Audits and Reviews: Privacy Audits
Documentation requested: 48 areas of inquiry
P&P and examples/samples: personal representatives, use and disclosure for public health, decedents, minimum necessary, notice of privacy practices, amendment requests, sanctions, right to access, etc.

4. Audits and Reviews: Privacy Audits
Inquiry of management: 18 inquiries
Example: "Inquire of management how the entity recognizes personal representatives for an individual for compliance with HIPAA Rule requirements"

4. Audits and Reviews: Business Associate Contracts
Obtain and review a sample of BAAs and evaluate whether the agreements are consistent with the performance criteria the entity has established and with its P&P.
Inquire of management whether any business associate arrangements involved onward transfers of PHI to additional business associates and subcontractors; provide a sample.

4. Audits and Reviews: Breach Notification
Samples requested and inquiries of management: 12 areas of inquiry
Complaints to the CE, sanctions of workforce members, risk assessments resulting in a low probability of compromise, PHI that was not secured, breach notification sent to individuals, breaches over 500, etc.

4. Audits and Reviews: Breach Notification
Obtain a list of risk assessments in which the CE determined that there was a low probability of compromise (so not reported on the Wall of Shame); sampling methodology
Inquiry of management: administrative requirements, timeliness of notifications, content of notification, method of notification, etc.

4. Audits and Reviews: HIPAA Security
Obtain security documentation to demonstrate 100 areas of inquiry
Latest written risk analysis (2 most recent), sanctions, access requests, termination of access, security awareness and training (malicious software, passwords), disaster recovery, contingency plans, etc.

Address the Rational Woes
Ensure your organization has a good patient complaint and resolution process
Summary report of open and closed cases, and timeframes
Understand the process
Scenario-based education; internalized dialogue

Mitigate the Rational Woes
Get a Breach Report, at least annually
Understand your breach reporting process
All portable devices MUST be encrypted. Period. BYOD or organization-owned.

Mitigate the Rational Woes
Support the Business Associate Agreement (BAA) function
Contract management! If no one is responsible, no one is responsible.
Be sure you have the BAAs you should
Be sure you know what they say
Hold BAs accountable; audit them?

Mitigate the Rational Woes
Support resources for HIPAA Security
Document, document, document
IT: deep, unnatural aversion to documentation
Trust but verify

Mitigate the Rational Woes
Risk assessment, risk assessment, risk assessment, risk assessment
Continual process, never done
Need to catch vulnerabilities and threats
Regular working meetings
Document discussions and decisions in meeting minutes

Mitigate the Rational Woes
Cyber insurance: manage the investigation and forensics
Organizational culture: blame? lip service?
Collaboration between PO and SO
Premiere organization, premiere compliance
Proper oversight

Use shouldn’t be sleeping
Physician office with MDs using their personal portable devices for work

Kirsten Wild, RN, BSN, MBA, CHC
Wild Consulting, Inc., Cedarburg, WI
262-993-4747
kirsten.wild@att.net