Privacy and Security Risks to Rural Hospitals John Hoyt, Partner December 6, 2013.


Protecting Personal Health Information
- HIPAA Privacy (and Security) Rule – 45 CFR 164
- Meaningful Use – tied to the HIPAA Security Rule and requires a security risk assessment
- Minimal enforcement so far, BUT increasing audits in 2014

“Data security and patient privacy are not compliance issues, they are patient care responsibilities.”

“Trust is critical to building a secure electronic health infrastructure. Now more than ever consumer confidence in the privacy and security of health information is paramount as we undergo this transformation in the way in which we do the business of healthcare.”
– Leon Rodriguez, JD, Director of the HHS Office for Civil Rights

HIPAA Audit Findings
- Initial HIPAA Privacy and Security audits returned findings or observations on 89% of entities
- HHS/OCR has enforced 20,359 corrections upon covered entities since 2003
- Over $15 million in civil penalties (since 2008)
- Forced implementation of new policies and practices
- Last year’s investigations led to corrective action 77% of the time, a 10% increase from the previous year
- The new Omnibus Final Rule adopts higher standards, increased CMP (civil money penalty) amounts and tiered levels of culpability
- All business associates and subcontractors must comply with the HITECH rules and are liable for violations

Major Areas of Concern

Security Rule
- Security accounted for 60% of findings in the initial audits
- 58 of 59 providers had at least one security finding or observation
- No complete and accurate risk assessment in two thirds of entities

Privacy Rule
- Improper uses and disclosures of PHI – nearly half of the Privacy findings
- Updates to privacy protection of PHI require significant changes to EHR systems
- An outdated Notice of Privacy Practices does not comply with the new rule requirements

Breach Notification Rule
- Over 64,500 reports since Sept – theft, unauthorized access/disclosure, loss
- Theft accounted for over half of major security breaches (over 500 individuals affected)
- No incident response plan implemented to contain/minimize a breach of PHI
- Transition to an “automatic presumption” of information breach – greater burden on CEs (covered entities)

Arizona Rural Providers

Observations:
- HIPAA is complex and there is a lot to know
- Understanding the roles and responsibilities of Privacy and Security Officers
- Business Agreements – risk of breach
- Documentation – or a lack of….
- PHI is still out there in work areas – beware of paper!
- Beware of data on devices! Monitors/screens, PDAs, laptops, faxes/copiers

Actions:
- HIPAA “team”
- HIPAA education and training
- Business Agreements (new) for everyone
- HIPAA documentation – policies and procedures are a must
- Implement a “clean desk policy”
- Implement a shredding process
- ENCRYPT data on all devices

Risk Analysis Guidance
Performed in accordance with the methodology described in the National Institute of Standards and Technology (NIST) Guidelines SP and should include the following steps:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
The complexity of the facility and the number of systems implemented will influence the amount of time required to complete the analysis.
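As an added illustration (not part of the presentation), the nine steps above are carried through in Python for a constructed rural-facility risk register. It assumes the slide means the NIST SP 800-30 (2002) qualitative likelihood/impact matrix, since the SP number is not given on the slide, and every system, threat, rating and recommendation in the sample register is made up for the example.

```python
from dataclasses import dataclass

# NIST SP 800-30 (2002) matrix weights; likelihood 0.1/0.5/1.0 is scaled to
# 10/50/100 so that scores stay exact. Assumption: this is the SP the slide means.
LIKELIHOOD = {"Low": 10, "Medium": 50, "High": 100}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

@dataclass
class RiskItem:
    system: str           # step 1: system characterization
    threat: str           # step 2: threat identification
    vulnerability: str    # step 3: vulnerability identification
    controls: tuple       # step 4: control analysis (what is already in place)
    likelihood: str       # step 5: likelihood determination
    impact: str           # step 6: impact analysis (effect on PHI confidentiality)
    recommendation: str   # step 8: control recommendation

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood x impact on the 1..100 SP 800-30 scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact] / 100

def risk_level(score: float) -> str:
    """SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def document_results(items):
    """Step 9: results documentation as plain records, highest risk first."""
    rows = []
    for it in items:
        score = risk_score(it.likelihood, it.impact)
        rows.append({"system": it.system, "threat": it.threat,
                     "vulnerability": it.vulnerability, "score": score,
                     "level": risk_level(score), "action": it.recommendation})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample register for a small rural facility (not from the slides).
SAMPLE_REGISTER = [
    RiskItem("Clinician laptop", "Theft of device", "PHI stored without disk encryption",
             ("password login",), "High", "High", "Encrypt all devices; enable remote wipe"),
    RiskItem("Nurses' station fax", "Misdirected fax", "No number confirmation step",
             ("fax log",), "Medium", "Medium", "Pre-programmed numbers; callback check"),
    RiskItem("EHR database server", "Unauthorized access", "Shared admin account",
             ("firewall", "encrypted backups"), "Low", "High", "Individual admin accounts + audit log"),
]
```

Calling document_results(SAMPLE_REGISTER) ranks the unencrypted laptop (High, 100) above the fax (Medium, 25) and the server with compensating controls (Low, 10), which is the ordering the slides' "ENCRYPT data on all devices" advice reflects.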

Security Risk Assessment

Summary
- Understand HIPAA scope and breadth – educate, train, and share responsibility
- HIPAA Security Rule – 45 CFR (a)(1)
- Perform a Security Risk Assessment – know your challenges!
- Document, Document, Document, ….
- Encryption!!!!!!
- Recognize that patient privacy and data security are compliance oriented – BUT focus on HIPAA as a patient care and customer service strategy

Discussion – Questions
Thank you!! Questions?
John Hoyt, Partner, InTech Health Ventures