Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hidden HIPAA Weaknesses: How to Tackle Them and Prevent a Breach

Published bySharlene Tate Modified over 7 years ago

Similar presentations

Presentation on theme: "Hidden HIPAA Weaknesses: How to Tackle Them and Prevent a Breach"— Presentation transcript:

1 Hidden HIPAA Weaknesses: How to Tackle Them and Prevent a Breach
Montez Fitzpatrick Keystone IT Margaret Scavotto, JD, CHC Management Performance Associates LeadingAge Missouri Annual Meeting September 13, 2016

2 The Lay of the Land 2016 10 settlements (so far) Total: $20,825,000
Average: $2,082,500 …and now the OCR will investigate small breaches too. settlements Total: $5,443,400 Average: $1,088,680

3 “Sad day at work today ”
Game #1: Is it PHI? “Sad day at work today ”

4 “Sad day at work treating a resident in the dementia unit today ”
Game #1: Is it PHI? “Sad day at work treating a resident in the dementia unit today ”

5 Game #1: Is it PHI? “Sad day at work treating someone so young in the dementia unit today ”

6 “Sad day at work treating my third grade teacher in the dementia unit today  vY”
Game #1: Is it PHI?

7 Think of your organization’s newest, or youngest CNA
Think of your organization’s newest, or youngest CNA. For the purpose of this game, put yourself in this person’s shoes. Game #2: Should I? hand down if you think the CNA would take the picture using SnapChat.

8 Game #3: Find the Workaround
You work in the business office at Maple Hill Nursing Home. You have to get a project done today, using a spreadsheet with patient information, but you also have to leave at 4 for a doctor’s appointment and will need to work on it tonight. Maple Hill does not allow PHI on flash drives, laptops, or smartphones. What do you do?

9 Problem #1: A health care provider backed up all of its e-PHI on a cloud-based server. The provider did NOT have a Business Associate Agreement (BAA) with the cloud. The provider did NOT conduct a comprehensive HIPAA Security risk assessment.

10 How do we remove the workaround?

11 How do we help employees get it right?

12 Problem #2: A clinic gave X-Rays to a media company. The media company put the X-Rays onto electronic media in exchange for harvesting the silver. The clinic did NOT have a BAA with the media company.

13 How do we remove the workaround?

14 How do we help employees get it right?

15 Problem #3: A PT company posted patient testimonials with names and pictures to its website. The PT company did NOT get HIPAA authorizations from the patients.

16 How do we remove the workaround?

17 How do we help employees get it right?

18 Problem #4: A laptop was stolen from an unlocked treatment room overnight. The laptop was not encrypted.

19 How do we remove the workaround?

20 How do we help employees get it right?

21 Problem #5: A password-protected laptop was stolen, likely by a visitor who had inquired about borrowing a laptop. ePHI on the network drive was accessible by a generic username and password.

22 How do we remove the workaround?

23 How do we help employees get it right?

24 Problem #6: A hospital allowed a TV film crew to film two patients without a HIPAA authorization. One patient was in distress; the other was dying. The footage aired on television.

25 How do we remove the workaround?

26 How do we help employees get it right?

27 Problem #7: An employee clicked on and downloaded an attachment with malware. The malware infected the employee’s computer and compromised the ePHI of 90,000 individuals.

28 How do we remove the workaround?

29 How do we help employees get it right?

30 Problem #8: Two hospital employees leaked a medical record to ESPN, who put the record on twitter.

31 How do we remove the workaround?

32 How do we help employees get it right?

33 Problem #9: Two paramedics engaged in a selfie war by text. They competed to take the most shocking pictures of themselves with patients. They were arrested and now face criminal charges.

34 How do we remove the workaround?

35 How do we help employees get it right?

36 Questions? Margaret Scavotto, JD, CHC Director of Compliance Services Management Performance Associates ext. 24 © 2016 Management Performance Associates. Because MPA is a consulting company and not a law firm, neither MPA nor any of its employees provide legal advice or legal services. Nothing contained in this PowerPoint constitutes legal advice. It is strongly recommended that all providers consult with competent legal counsel versed in HIPAA as they address HIPAA compliance and develop and implement HIPAA and social media policies and procedures.

37 Montez Fitzpatrick Director of Information Security and Compliance Keystone Technologies

Download ppt "Hidden HIPAA Weaknesses: How to Tackle Them and Prevent a Breach"

Similar presentations

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Steps to Compliance: Managing Business Associates PRESENTED BY.

Steps to Compliance: Managing Business Associates PRESENTED BY.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA and Professionalism In an age of electronic mediums.

HIPAA and Professionalism In an age of electronic mediums.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
Forming Your HIPAA Compliance Plan PRESENTED BY. Daniel B. Brown, Esq. Healthcare Attorney Taylor English Duma LLP Jason Karn Director Training and IT.

Forming Your HIPAA Compliance Plan PRESENTED BY. Daniel B. Brown, Esq. Healthcare Attorney Taylor English Duma LLP Jason Karn Director Training and IT.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
CCHAP Practice Manager’s Meeting HIPAA Guidelines and Updates for Primary Care Practices Thursday October 24 th 2013 Noon – 1:00PM Instructions to join.

CCHAP Practice Manager’s Meeting HIPAA Guidelines and Updates for Primary Care Practices Thursday October 24 th 2013 Noon – 1:00PM Instructions to join.
Steps to Compliance: Bring Your Own Device PRESENTED BY.

Steps to Compliance: Bring Your Own Device PRESENTED BY.

Similar presentations

Ads by Google