Slide 1: Lewis Creek Systems, LLC

E-mail, Texting, & Mobile Device Hazards: Protecting the Organization from HIPAA Breaches and Ransomware Attacks

Jim Sheldon-Dean, Director of Compliance Services, Lewis Creek Systems, LLC
December 27, 2016

© Copyright 2016 Lewis Creek Systems, LLC All Rights Reserved
Slide 2: HIPAA Privacy, Security, and Breach Rules

Privacy Rule
- Establishes rights of individuals, including confidentiality and access
- Controls on uses and disclosures, including protecting the confidentiality of Protected Health Information (PHI)

Security Rule
- Works with the Privacy Rule to protect electronic PHI
- Requires a Risk Analysis to identify risks and plan their mitigation

Breach Notification Rule
- Breaches must be reported to the US Department of Health and Human Services and to the affected individuals
- An improper use of insecure e-mail or texting may be a breach

Speaker notes:

The focus of the discussion today is on the HIPAA Privacy, Security and Breach Notification Rules, which are the foundation of the most visible part of HIPAA: the controls on how information is to be used, disclosed, and protected.

The Privacy Rule has been enforceable since 2003 and establishes the framework of the relationship between individuals about whom there is some health information and the organizations that hold that information. It says what the individual’s rights are for things such as getting copies of records or asking for corrections in the records, as well as what the organizations’ responsibilities are to manage the uses and disclosures of that information appropriately. That means there are several policies in place for managing that relationship and its rights and obligations.

The Security Rule has been enforceable since 2005 and works with the Privacy Rule to establish the appropriate safeguards to put in place to protect electronic health information. The rule is very flexible and requires that the organization conduct a Risk Analysis to identify and mitigate any areas of significant risk to the confidentiality, integrity, and availability of health information.

The HIPAA Breach Notification Rule has been enforceable since February of 2010 and requires that reportable breaches of information be reported to the individuals affected as well as to the US Department of Health and Human Services (HHS), and sometimes to the press.

It can be very expensive, damaging, and painful to suffer a breach and its reporting, so it is essential not to improperly use or disclose any health information, or it could be a reportable breach. There are examples of what NOT to do on the HHS Web site, where they post all the breaches that affect 500 or more individuals – the so-called “Wall of Shame.” These breaches clearly show that the number one cause of a large breach, by number of incidents, is loss or theft of laptops and portable electronic devices. The data makes it clear that this is the single most likely security incident that can happen, so it is especially important to be vigilant when it comes to these devices.
Slide 3: E-mail, Texting, and Security

- E-mail and texts are inherently insecure
- The HIPAA Security Rule requires consideration of encryption of stored and transmitted PHI
- Risk Analysis indicates that professional communications with PHI must be encrypted over the Internet and at rest on portable devices
- Consumer-grade, plain Yahoo mail, Gmail, texting, etc., are all insecure means of communication, and their use may be considered a breach when used professionally with PHI
- Technologies for securing communications are readily available today; use encrypted attachments or secure e-mail services
- HHS Guidance says plain e-mail with patients is fine
  - Patients have Privacy Rule rights to choose the communications method
  - Evaluate the risks, discuss with the individual, and document
- The Guidance says nothing about texting; the same logic may be applied to texting
Slide 4: Three Issues with Texting

It’s a Privacy thing:
- Patients may not appreciate the risks of loss of privacy
- HIPAA requires you to try to meet patient preferences for communication method
- It’s a new technology and people will not understand it fully for quite some time
- Professional communications with PHI MUST be protected per risk analysis

It’s a Medical Records thing:
- Documentation is key to health care
- Regular texting doesn’t provide a paper trail of conversations and contacts
- If it’s part of patient care, it must be documented properly

It’s a Patient Safety thing:
- Triage of incoming messages is essential
- Regular texting doesn’t automatically route to the most appropriate individual
- Texts may arrive at all hours, 24/7, and may include a variety of information and situations, including emergencies
- Texting with patients must be managed to protect patients and provide appropriate service
Slide 5: Four Kinds of Communications

- Personal uses, with no PHI
- Business purposes, with no PHI
  - May use unencrypted communications, plain texting, e-mail
- Business or professional purposes, with PHI
  - Don’t include a patient’s name or other identifiable PHI in an e-mail message to someone outside of the organization unless it is secured
  - Must use secure communications & storage; for example, for texting:
    - WhatsApp is now secure, end-to-end, with no persistent storage
    - WickrMe, a free secure texting app for iOS and Android
- Communications with patients
  - May use insecure communications with patients if they request it
  - Must use an integrated communications strategy, more than simply plain e-mail or plain texting; for example:
    - OhMD
    - Pingmd
Slide 6: Laptops, Portable Devices, and Texting

- Physically secure devices when they’re not in use
- Don’t share use of your device with others
- Don’t mix personal and business or patient information
- Laptops and mobile devices must be password protected and encrypted if they provide access to PHI or if PHI is retained on the device
- Do not include any PHI in any regular text or e-mail messages for professional purposes
- Do not take patient photos on personal mobile devices
- If working in a public place, the screen must face away from onlookers
- Follow guidelines when working remotely

Speaker notes:

If you need to use a laptop or other portable device, such as an iPad or tablet, or even a smart phone, there are a few things to remember: Make sure it is not easily stolen when not in use. Keep it hidden if you can, locked up if you can. Whatever you use as a portable device, don’t share it with others if it has PHI on it, and keep your personal information separated from any patient information. You don’t want to accidentally show a picture of a patient when you’re showing off your vacation pictures.

Laptops and devices should be password protected no matter what, and encrypted if there is any PHI retained on the device or if the device provides access to patient information systems. Do not include PHI in any text messages and do not take any patient photos with mobile devices. Make sure to follow guidelines when working remotely, and make sure you remember all the rules. Especially today, if you work in a public area, you should expect that your screen will be photographed and harvested by passers-by. Watch your back.
Slide 7: Preventing Ransomware Attacks

- Malware designed to deny access to your systems and PHI
- Encrypts data & systems; a ransom (in Bitcoin) is demanded for release
- Most ransomware attacks are initiated by opening attachments, visiting infected Web sites, or clicking links that launch an attack
- YOU are the first line of defense for privacy and security
- You MUST be suspicious of ANY attachments or links in messages
  - Verify the sending address and the usual message format from the sender
  - Is the message (and its attachments or links) expected?
  - If you are not sure, PICK UP THE PHONE BEFORE you go on
- Be suspicious and alert! Attackers may make the message look legitimate
- If you see any suspicious system activity, speak up!
- If you have questions, speak with your manager, Compliance, or IT
Slide 8: Lewis Creek Systems, LLC

Thank you! Any questions?

Be sure to check with your compliance and IT managers to implement all your required policies and procedures for e-mail, texting, and portable devices.

For additional training resources and a schedule of upcoming seminars and Webinars, please visit

For additional information, or if you would like to have customized training resources developed and delivered for your organization, please contact:

Jim Sheldon-Dean
Lewis Creek Systems, LLC