Using HIPAA Privacy and Security Standards to Protect Your Whole Agency
Jason Karn, Chief Compliance Officer, www.TotalHIPAA.com
Housekeeping: This program is educational and does not constitute, and may not be construed as, legal advice to, or as creating an attorney-client relationship with, any person or entity. The materials referenced here are subject to change, so frequent review of the source material is recommended.
HIPAA Overview: Health Insurance Portability and Accountability Act
HIPAA's Security Rule aligns closely with the National Institute of Standards and Technology Risk Management Framework (NIST RMF); NIST's SP 800-66 guide maps the Rule's standards onto NIST's own controls. The goal is to protect your clients' information, but the same controls can be used to protect your whole business.
HIPAA Compliance Is Required If You Sell:
Medical, Medicare Supplement, Drug Coverage, Dental, Vision, or Long-Term Care Insurance. Neither the size of your agency nor selling only a small amount of these lines exempts you!
Key HIPAA Groups
Covered Entity: healthcare providers, healthcare clearinghouses and health plans (health insurance carriers and employer-sponsored group health plans)
Business Associate: a person, group or organization that handles PHI on behalf of a Covered Entity (for example, health insurance agents and brokers)
Subcontractor: a person, group or organization that handles PHI on behalf of a Business Associate (and is itself treated as a Business Associate under the rule)
It is WAR! In medieval times, each village had a strategy to protect itself: walls, moats, bridges, towers and soldiers. For the walled city, the enemies were bandits and other cities; for a company, the enemy could be a hacker. HIPAA's answer is three mandatory categories of safeguards: administrative, physical and technical.
What You're Up Against: hackers, malware, ransomware, employee mistakes and malicious employees.
Step 1 - How Do You Prepare?
Conduct a Risk Assessment covering the three safeguard categories:
Administrative (who is in charge, and which policies govern PHI)
Physical (what physical protections will be in place)
Technical (how you will stop the enemy from crossing your wall: the controls on your networks, devices and data)
Step 2 - Create a Compliance Plan
Convert the information gathered in the Risk Assessment into a document (the plan) that everyone can follow. Complete both parts of your plan: Privacy and Security. Back in the day, this meant building a bigger, thicker wall, having more long-range weapons, and having serfs to throw at the problem. Today you need to know your best strategic options, since you don't have the benefit of serfs.
Step 3 - Reinforce Your "Walls"
Network Security: firewalls, anti-malware software, offsite backups
Electronic Device Security: desktops, laptops, tablets, smartphones
Facility Security: fire suppression, security alarm
Step 4 - Communication: encrypted email, HIPAA-compliant faxing, texting, chat, file sharing and video conferencing. Every channel that carries PHI must be covered by your plan.
Step 5 - Train Your Army. Your plan is only as good as each soldier's preparation. Staff need to be trained on the law, on your agency's specific policies and procedures, and on recognizing social engineering.
Step 6 - Secure Your Assets
Encrypt the information you hold so that it stays protected even if a device is lost or stolen. Backup, backup, backup!
How much does a Breach Cost?
What is the average global cost of a data breach per lost or stolen record?*
Across all industries: $141 per record
In the healthcare industry: $380 per record
Direct expenses include engaging forensic experts, outsourcing hotline support, and providing free credit-monitoring subscriptions and discounts on future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.
* Ponemon Institute, "2017 Cost of Data Breach Study" (2017).
Best Ways to Protect Yourself
The key to keeping the cost down, and to protecting yourself in a breach, is to have a plan, protect your assets and train your staff.*
* Ponemon Institute, "2017 Cost of Data Breach Study" (2017).
Examples of Data Breaches
Anthem hack: $115 million class-action settlement, the largest civil settlement for a consumer data breach at the time.
Sony hack: estimated $15 million settlement; 435,000 employees were part of the class-action suit, with a maximum of $10,000 paid per individual (most plaintiffs received $1-$3,000).
Triple-S Management: $3.5 million HHS OCR settlement. Investigations indicated widespread non-compliance throughout the corporation and its subsidiaries.
St. Joseph Health: $2.14 million HHS OCR settlement. Files containing ePHI were publicly accessible through internet search engines.
Advocate Health Care: $5.55 million HHS OCR settlement. Three combined breaches affected the ePHI of approximately 4 million individuals.

Triple-S Management (November 2015):
- Impermissible disclosure of its beneficiaries' PHI to an outside vendor with which it did not have an appropriate business associate agreement
- Use or disclosure of more PHI than was necessary to carry out mailings
- Failure to implement appropriate administrative, physical and technical safeguards to protect the privacy of its beneficiaries' PHI

St. Joseph Health (October 2016):
- Files were publicly accessible on the internet from February 1, 2011 until February 13, 2012, via Google and possibly other search engines.
- The server SJH purchased to store the files included a file-sharing application whose default settings allowed anyone with an internet connection to access them. SJH did not examine or modify those settings when it deployed the server and the application.
- As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals.

Advocate Health Care Network (August 2016):
- Did not conduct a risk assessment
- Did not implement policies and procedures and facility access controls to limit physical access
- Had no appropriate BAA with a business associate
- Failed to reasonably safeguard an unencrypted laptop left in an unlocked vehicle overnight
14 Steps to Protect Your Agency
1. Appoint a HIPAA Privacy and Security Officer
2. Create an incident response team
3. Turn on encryption and password protection for all digital devices
4. Turn on Auto-Lock on all digital devices
5. Sign up for an encryption program
6. Sign up for encrypted file sharing
7. Update software on all devices
8. Turn on the software firewall
As a team member, I'm here to walk you through this.
9. Make a list of all Subcontractors you use and all third parties that have access to your agency, and require them to sign a Business Associate Subcontractor Agreement (BASA)
10. Make a list of all places you have PHI stored in your agency, physical and electronic
11. Change all weak passwords to strong ones
12. Turn on 2-Factor Authentication on all programs
13. Start using a password management program
14. Train all employees on HIPAA (and review the manual's guidance on changing passwords)
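As an added example (not part of the original presentation, and not Total HIPAA's tooling), the PowerShell script below audits a Windows workstation against the technical items on the list above: device encryption, password protection, auto-lock, the software firewall, anti-malware and patching. It assumes Windows 10/11 with the built-in BitLocker, LocalAccounts, NetSecurity and Defender modules, run from an elevated prompt; the thresholds it uses (15-minute lock, 30-day patch age, 7-day signature age) are assumptions chosen for illustration, not HIPAA-mandated values.

```powershell
# Added example: audit a Windows 10/11 PC against the technical items in the
# "14 Steps" list. Not part of the original presentation. Run elevated.
# Thresholds below are assumptions for illustration, not HIPAA requirements.

$MaxLockSeconds  = 900   # assumption: auto-lock after at most 15 idle minutes
$MaxPatchAgeDays = 30    # assumption: an update installed within the last 30 days
$MaxSigAgeDays   = 7     # assumption: anti-malware signatures at most 7 days old

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Step 3 "encryption for all digital devices": every BitLocker volume protected.
try {
    $vols = @(Get-BitLockerVolume -ErrorAction Stop)
    $off  = @($vols | Where-Object { $_.ProtectionStatus -ne 'On' })
    $detail = if ($off.Count) { 'Unprotected: ' + ($off.MountPoint -join ', ') }
              else { "$($vols.Count) volume(s) protected" }
    Add-Result 'Device encryption (BitLocker)' ($off.Count -eq 0) $detail
} catch {
    Add-Result 'Device encryption (BitLocker)' $false "BitLocker status unavailable: $($_.Exception.Message)"
}

# Step 3 "password protection": no enabled local account may allow a blank password.
try {
    $noPw = @(Get-LocalUser -ErrorAction Stop | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
    $detail = if ($noPw.Count) { 'No password required: ' + ($noPw.Name -join ', ') }
              else { 'all enabled local accounts require a password' }
    Add-Result 'Local accounts require a password' ($noPw.Count -eq 0) $detail
} catch {
    Add-Result 'Local accounts require a password' $false $_.Exception.Message
}

# Step 4 "Auto-Lock": pass if the machine-wide inactivity policy or the user's
# password-protected screen saver locks within $MaxLockSeconds.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$ss  = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$policyLock = $pol.InactivityTimeoutSecs -gt 0 -and $pol.InactivityTimeoutSecs -le $MaxLockSeconds
$saverLock  = $ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and
              [int]$ss.ScreenSaveTimeOut -gt 0 -and [int]$ss.ScreenSaveTimeOut -le $MaxLockSeconds
Add-Result 'Auto-lock on inactivity' ($policyLock -or $saverLock) `
    "policy=$($pol.InactivityTimeoutSecs)s screensaver=$($ss.ScreenSaveTimeOut)s secure=$($ss.ScreenSaverIsSecure)"

# Step 8 "software firewall": all three Windows Firewall profiles enabled.
try {
    $dis = @(Get-NetFirewallProfile -ErrorAction Stop | Where-Object { $_.Enabled.ToString() -ne 'True' })
    $detail = if ($dis.Count) { 'Disabled profiles: ' + ($dis.Name -join ', ') } else { 'Domain, Private and Public enabled' }
    Add-Result 'Windows Firewall enabled (all profiles)' ($dis.Count -eq 0) $detail
} catch {
    Add-Result 'Windows Firewall enabled (all profiles)' $false $_.Exception.Message
}

# Step 3 "anti-malware software": Defender on, real-time protection on, signatures
# current. A third-party product needs its own check.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
    $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $sigAge -le $MaxSigAgeDays
    Add-Result 'Anti-malware active and current' $ok "realtime=$($mp.RealTimeProtectionEnabled) signatures=$([int]$sigAge)d old"
} catch {
    Add-Result 'Anti-malware active and current' $false "Defender status unavailable: $($_.Exception.Message)"
}

# Step 7 "update software": most recent installed servicing update is recent.
# Get-HotFix does not cover feature updates or third-party software.
$latest  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { 9999 }
$detail  = if ($latest) { "$($latest.HotFixID) installed $ageDays day(s) ago" } else { 'no installed updates found' }
Add-Result 'Recent Windows update installed' ($ageDays -le $MaxPatchAgeDays) $detail

$results | Format-Table Control, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed control(s) failed on $env:COMPUTERNAME; keep this output as evidence for the risk assessment."
if ($failed) { exit 1 }
```

Run it on each device and file the output with your Risk Assessment (Step 1): it documents whether the endpoint controls in items 3, 4, 7 and 8 are actually in place rather than just written into the plan. The organizational items (the officer, the incident response team, BASAs, 2-Factor Authentication on cloud programs, the password manager) cannot be checked from the endpoint and need their own evidence, such as signed agreements and screenshots of each program's 2FA settings.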
Questions?