
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know

Date post: 28-Nov-2014
Upload: network-1-consulting
Description:
HIPAA HiTech regulations have had real teeth for Business Associates (BAs) since the HIPAA Omnibus Rule took effect in 2013. If your company comes into contact with Protected Health Information (PHI) in the course of running your business, you must comply with these regulations. Many law firms and consulting firms are BAs. You need to know and adhere to the HIPAA HiTech regulations, or be subject to potentially heavy fines.
Transcript
  • 1. Worry Free IT: HIPAA HiTech Regulations: What Non-Medical Companies Need to Know (May 15, 2014)
  • 2. Three points: 1. Some examples of non-medical companies that could be impacted: law firms, CPA firms, medical consulting firms. 2. Network 1 has been providing IT support to law firms and medical practices since 1998. 3. This presentation is adapted from a session Network 1 helped deliver to the Atlanta ALA chapter's Technology Section in March 2014, entitled "HIPAA HiTech: Requirements for Law Firms".
  • 3. What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act, passed in 1996. It established new standards for the management of healthcare information. In its simplest form it is built around two key pillars: the Privacy Rule and the Security Rule.
  • 4. What is the HIPAA HiTech Act? It is part of the American Recovery and Reinvestment Act of 2009. It established incentives for healthcare providers to adopt electronic medical records systems, and it expanded the scope and enforcement of the HIPAA privacy and security rules.
  • 5. HIPAA HiTech in a Nutshell. HIPAA HiTech really did three things: 1. Increased enforcement. 2. Increased penalties. 3. Cast a wider net of who is covered under the regulation.
  • 6. HIPAA HiTech Casts a Wider Net. In addition to Covered Entities (health plans, healthcare clearinghouses and healthcare providers), HIPAA HiTech also reaches Business Associates, and subcontractors or agents of Business Associates. Business Associates and their subcontractors are not themselves Covered Entities, but they are now directly liable for compliance with the Security Rule and the applicable provisions of the Privacy Rule, and can be fined directly.
  • 7. What is a Business Associate? Business Associate, or BA, is the overarching name for any non-medical company that conducts business with one of the aforementioned Covered Entities and, in doing so, creates, receives, maintains or transmits protected health information (PHI) on its behalf. Under the HIPAA HiTech Act, a BA is legally obligated to comply with the same security rules and standards that apply to a Covered Entity (healthcare company), and the Covered Entity must have a Business Associate Agreement in place with it.
  • 8. What is Protected Health Information? PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. Under the Privacy Rule's Safe Harbor de-identification standard, these are the 18 identifiers that must be removed before data stops being PHI:
    1. Names
    2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
    3. All elements of dates (except year) directly related to an individual: birth date, admission and discharge dates, date of death, and any age over 89
    4. Phone numbers
    5. Fax numbers
    6. Email addresses
    7. Social Security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web URLs
    15. IP addresses
    16. Biometric identifiers, including finger and voice prints
    17. Full-face photographs and comparable images
    18. Any other unique identifying number, characteristic, or code that could reasonably be associated with the individual
  • 9. Enforcement. Historically, HIPAA fines and reprimands were triggered after an event, such as a data breach. That has changed. The Office for Civil Rights (OCR), part of the Department of Health & Human Services, is responsible for enforcing the HIPAA HiTech regulation. Leon Rodriguez, OCR Director, takes his job very seriously: he has created a permanent HIPAA audit program that includes BAs.
  • 10. Enforcement (continued). As he focuses on ramping up HIPAA audits of Business Associates, Mr. Rodriguez has two powerful allies and one big incentive. Powerful allies: the Centers for Medicare & Medicaid Services (CMS) and the State Attorneys General. Big incentive: OCR is authorized to keep some of the money paid in fines, and it was reported that as of January 2014 OCR already had $4.5 million set aside from fines levied after its audits. OCR is serious about protecting PHI, and it has the teeth, funds and leadership to back it up.
  • 11. Violations & Penalties (civil money penalties; each tier has a minimum and a maximum per violation, with an annual cap for repeat violations of the same provision):
    Did not know (and by exercising reasonable diligence would not have known) of the violation: minimum $100 per violation, annual maximum $25,000 for repeat violations (note: $25,000 is also the most a State Attorney General can impose in a year, regardless of the type of violation); maximum $50,000 per violation, annual maximum $1.5 million.
    Reasonable cause, not willful neglect: minimum $1,000 per violation, annual maximum $100,000 for repeat violations; maximum $50,000 per violation, annual maximum $1.5 million.
    Willful neglect, but corrected within the required time period: minimum $10,000 per violation, annual maximum $250,000 for repeat violations; maximum $50,000 per violation, annual maximum $1.5 million.
    Willful neglect, not corrected: $50,000 per violation, annual maximum $1.5 million (minimum and maximum are the same).
  • 12. Criminal Liability. The U.S. Department of Justice (DOJ) has clarified that covered entities and specified individuals can be held criminally liable under HIPAA as follows: those who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000 and imprisonment of up to one year. Offenses committed under false pretenses raise the penalties to a $100,000 fine and up to five years in prison. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of up to $250,000 and imprisonment of up to ten years.
  • 13. Companies & Fines. Examples of fines levied (entity, fine, violation):
    Cignet Health: $4,300,000. Denied patients access to their medical records and failed to cooperate with OCR's investigation (the first civil money penalty imposed under HIPAA).
    Alaska Department of Health and Social Services: $1,700,000. Unencrypted USB hard drive stolen; inadequate policies and risk analysis.
    WellPoint: $1,700,000. No technical safeguards to verify the identity of persons or entities seeking access to PHI in an online application database; failed to perform a technical evaluation in response to a software upgrade.
    Blue Cross Blue Shield of Tennessee: $1,500,000. 57 unencrypted hard drives stolen.
    Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates: $1,500,000. Unencrypted laptop stolen; inadequate risk analysis and policies.
    Affinity Health Plan: $1,215,780. Returned leased photocopiers without erasing their hard drives.
    South Shore Hospital: $750,000. Backup tapes went missing in transit to a contractor.
    Idaho State University: $400,000. Breach of unsecured ePHI after firewall protection on a server was disabled and the gap went undetected for months.
    Note the pattern: most of these cases involve unencrypted devices or media leaving the premises, plus a missing or stale risk analysis.
  • 14. HIPAA HiTech is Not a Technology Issue. It is a business risk management issue. Don't be fooled by the HiTech moniker; the regulation names no specific technology requirements or types of technology. Granted, technology can definitely enable compliance, but at the end of the day it comes down to what you can reasonably and appropriately implement in your organization. With that said, let's look at some technology-enabled best practices.
  • 15. Technology-enabled Best Practices: Hardware / Software
    Firewalls: have physical firewalls in place and keep their firmware up to date.
    Anti-Virus Protection: have a proven, paid product in place and keep it up to date.
    Run Up-to-Date Software: make sure it is actively supported by its vendor (Windows XP, for example, left support in April 2014) and current on patches.
  • 16. Technology-enabled Best Practices: PHI within your Network
    Identify & document where PHI lives: on paper? electronic? verbally communicated?
    Minimize what is seen or retained: don't need it? don't have it! Encrypt information wherever you can (a password alone is not encryption: only encryption meeting HHS guidance makes ePHI "secured" for breach-notification purposes).
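The inventory step above ("identify where PHI lives") is easier with a scanner for the identifiers that have a recognizable shape. The following is an added example, not part of the original presentation or Network 1's tooling: a Python script using only the standard library that flags the pattern-shaped Safe Harbor identifiers from slide 8 (SSN, phone/fax, email, dates, record and account numbers, URLs, IP addresses) in text, and can redact them. The sample intake note and every value in it are constructed for the example; names, photographs and biometrics are not detectable this way and still need a manual inventory.

```python
"""Find and redact the pattern-shaped HIPAA Safe Harbor identifiers in text.

Added example (not from the presentation). Only identifiers with a recognizable
shape are covered; names, photos and biometrics need a manual inventory.
"""
import re
from collections import Counter

# One regex per identifier category, named after the Safe Harbor item it approximates.
# These are heuristics: expect false positives (version strings look like IPs) and
# false negatives (record numbers without a label are indistinguishable from numbers).
PHI_PATTERNS = {
    # 3-2-4 digits, excluding area numbers that are never issued (000, 666, 900-999)
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US phone/fax: optional +1, optional parentheses, 3-3-4 digits with ., - or space
    "phone_or_fax": re.compile(r"(?<![\w.])(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # MM/DD/YYYY or ISO dates (any date element other than a bare year is an identifier)
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # record, account and plan numbers are only recognizable by their label
    "record_number": re.compile(
        r"\b(?:MRN|medical record|acct|account|member id|policy)[ #:]*\d{5,}\b", re.I),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}

# Constructed sample data for the example: fictional person, reserved 555-01xx
# phone range, example.com addresses and a TEST-NET-3 IP address.
SAMPLE_NOTE = """\
Client intake note (constructed sample data, not a real record)
Patient: Jane Doe, DOB 03/14/1975, SSN 123-45-6789
Contact: (404) 555-0123, j.doe@example.com
MRN 10293847, admitted 2014-05-15 via https://portal.example.com/patient/10293847
Portal access from 203.0.113.7
Billing question about invoice layout; no identifiers here.
"""


def scan_for_phi(text):
    """Return (line_number, category, matched_text) for every pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PHI_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, category, match.group(0)))
    return findings


def summarize(findings):
    """Count hits per category; the per-file inventory a risk analysis asks for."""
    return Counter(category for _, category, _ in findings)


def redact(text):
    """Replace every hit with a [CATEGORY] token (the 'don't need it, don't have it' step)."""
    for category, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


if __name__ == "__main__":
    hits = scan_for_phi(SAMPLE_NOTE)
    for lineno, category, value in hits:
        print(f"line {lineno}: {category:14s} {value}")
    print(dict(summarize(hits)))
    print(redact(SAMPLE_NOTE))
```

Run it over a directory of exported documents (or an email archive) and the summary tells you which stores actually hold PHI and which categories; those are the stores that need encryption, access limits and a retention decision.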
  • 17. Technology-enabled Best Practices: All Mobile Devices
    Keep PHI off devices where the risk of theft is high: laptops (if you must keep PHI on one, encrypt it), tablets, smartphones, thumb drives.
    Mobile Device Management (MDM) policy: have one and enforce it. Have the software and process in place to remotely wipe tablets and smartphones that are lost or stolen.
  • 18. Technology-enabled Best Practices: Data Backup & Recovery
    Backups of PHI: make sure they are encrypted, and keep them in a safe, secure place, together with the hardware and software needed to restore them.
    Physical access: limit both on-site and off-site access, and enforce it.
  • 19. Technology-enabled Best Practices: Get an Assessment
    Know your baseline and measure your progress. Document your processes as well as your rationale for taking action and for not taking action.
    Communicate: train and educate personnel, formally and informally. Document, document, document.
  • 20. Workforce Tips: Discussing PHI
    Be aware of where you are and your surroundings when talking about a case/client that involves PHI (patient information):
      o Office telephone: is your door open?
      o Cell phone: where are you? In public? In an elevator? Who is around you?
      o Conversation with a co-worker: are you in a high-traffic hallway? An elevator? A coffee shop? The restroom?
      o Remember and keep in mind the 18 identifiers.
    Don't share information with other staff members unless it is absolutely necessary for them to perform their job functions. Treat PHI with the same care that you would your own information: keep it secure and protect the right to privacy.
  • 21. Workforce Tips: Email
    Do not use Gmail/AOL/Hotmail accounts or any other consumer email service to send PHI: they sit outside your organization's safeguards and agreements, so you cannot show they are secure.
    Pay close attention to your incoming email. Example: spear-phishing attacks:
      o Targeted emails sent to a small number of people, typically an executive team.
      o The message appears personal to you; the details are often pulled from social media sites or online profiles.
      o The email can contain links to malicious websites or carry malicious attachments.
      o Once a link is clicked or an attachment opened, a keylogger or other malware is installed that lets a remote party monitor your activity and steal data.
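The phishing indicators listed above (a link whose visible text does not match its destination, an attachment masquerading as a document, replies routed to a different domain) can be checked mechanically before anyone clicks. The following is an added example, not part of the original presentation: a Python script using only the standard library that parses a raw message and reports those three indicators. The message, and every address, host and filename in it, is constructed for the example.

```python
"""Flag common spear-phishing indicators in a raw email message.

Added example (not from the presentation), standard library only. Checks:
  1. Reply-To domain differs from the From domain.
  2. A link's visible text names one host while its href points elsewhere.
  3. An attachment whose real extension is executable (e.g. name.pdf.exe).
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1", ".jar", ".lnk"}

# Constructed sample message: fictional people, example.com / example-mail.net
# domains, a TEST-NET-2 IP address, and a harmless base64 payload ("hello").
SAMPLE_EMAIL = """\
From: "Pat Morgan, Managing Partner" <pat.morgan@example.com>
Reply-To: pat.morgan@example-mail.net
To: associate@example.com
Subject: Urgent: client medical records for the Smith matter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I saw your talk at the ALA chapter meeting. Please review the records here:
<a href="http://198.51.100.23/login">https://portal.example.com/records</a>
and sign in before 5pm.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Smith_records.pdf.exe"
Content-Disposition: attachment; filename="Smith_records.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or bare domain; '' if there is none."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def domain_of(header):
    """Domain of the first mailbox in an address header; '' if the header is absent."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def analyze_message(raw):
    """Return a list of human-readable warnings for the message in `raw`."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To goes to {reply_domain}, not the sender's {from_domain}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                warnings.append(f"Attachment {filename!r} has executable extension {ext}")
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                if "." in text and " " not in text:  # the visible text itself names a site
                    shown, actual = host_of(text), host_of(href)
                    if shown != actual:
                        warnings.append(f"Link shows {shown} but points to {actual}")
    return warnings


if __name__ == "__main__":
    for warning in analyze_message(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

The three checks are cheap enough to run at the mail gateway or in a user-reported-phish triage script; they do not replace sender authentication (SPF/DKIM/DMARC) on the receiving mail server, which catches the case where the From address itself is forged.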
  • 22. Workforce Tips: Mobility
    Don't download or send ePHI to anything mobile unless it is absolutely necessary to perform your job function. This includes laptops, iPhones, iPads, Android devices, thumb drives, etc. If you must have data on a mobile device, ensure the data is encrypted. Do not send information via text messaging: it is not secure. Minimizing where ePHI lives is a huge step in protecting it and maintaining compliance.
  • 23. Workforce Tips: Mobility (continued)
    When you work remotely and connect to your corporate network:
      o Keep documents on the office network.
      o Guard against copying any information to your workstation and/or device.
    Do not save passwords in applications such as web browsers or VPN clients: if your device is ever lost, stolen or compromised, the new owner could simply connect to the internet and access your sites without having to guess or crack your password.
  • 24. Workforce Tips: Passwords
    Your organization has a password policy for a reason. Typically it requires you to change your password periodically and to meet certain requirements that make it a strong password, such as:
      o 8-12 characters
      o Change quarterly (for example)
      o Include letters, numbers and symbols
    www.howsecureismypassword.net is a website that estimates the strength of a password (note: do not enter your real passwords into this or any site). Its estimates for three similar passwords:
      o PW = stgpwb!g: 33 minutes to crack with a PC
      o PW = stgpWb!g: 24 hours to crack with a PC
      o PW = s2gpWb!g: 72 hours to crack with a PC
    Note that only the third example actually meets the letters-numbers-symbols rule above; the first two contain no digit.
    Don't fight your company's password policy! Do not share your passwords. Do not write your passwords on a sticky note and attach it to your computer or monitor.
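To show why the three example passwords above rank the way they do, here is an added example, not part of the original presentation: a Python check for the policy the slide quotes (8-12 characters; letters, numbers and symbols), plus the brute-force keyspace each password implies. The guess rate is an assumed figure and the calculation does not reproduce the howsecureismypassword.net numbers; it shows that each added character class grows the search space multiplicatively, and that only the third example satisfies the quoted policy.

```python
"""Check passwords against the quoted policy and size their brute-force keyspace.

Added example (not from the presentation). The 8-12 length bound and the
letters/numbers/symbols rule are taken from the slide; the guess rate is assumed.
"""
import math
import string

MIN_LEN, MAX_LEN = 8, 12                 # bounds quoted on the slide
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000  # assumption for the "one PC" figure

CHARSETS = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "symbols": set(string.punctuation),         # 32
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}


def check_policy(password):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} outside {MIN_LEN}-{MAX_LEN}")
    used = classes_used(password)
    if not used & {"lowercase", "uppercase"}:
        problems.append("no letters")
    if "digits" not in used:
        problems.append("no numbers")
    if "symbols" not in used:
        problems.append("no symbols")
    return problems


def keyspace_bits(password):
    """log2 of the search space an attacker must cover if they know which classes are used.

    Real crackers try dictionary words and common patterns first, so this is an
    upper bound on strength, not a guarantee.
    """
    alphabet = sum(len(CHARSETS[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def crack_time_seconds(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("stgpwb!g", "stgpWb!g", "s2gpWb!g"):
        verdict = check_policy(pw) or ["compliant"]
        hours = crack_time_seconds(pw) / 3600
        print(f"{pw}: {keyspace_bits(pw):5.1f} bits, ~{hours:8.1f} h at 1e9 guesses/s, {verdict}")
```

Going from lowercase+symbols (58 characters) to adding uppercase (84) and then digits (94) multiplies the eight-character search space by about 19x and then 2.5x; the site's figures follow the same direction even though its model is different.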
  • 25. Workforce Tips: Working with Paper
    Keep areas where PHI is located locked at all times, with a designated person (the Privacy Officer) as the only one who can lock and unlock them. If you are working with paper copies of documents that contain PHI:
      o Maintain control of the copies at all times.
      o Do not leave the copies lying around for others to see.
    Use fax cover sheets that carry a privacy statement.
  • 26. Workforce Tips: Miscellaneous
    Lock your workstation when you leave your desk. Position your monitors so people passing by your office, or coming in to talk to you, cannot see the information on your screens.
  • 27. Worry Free IT. Richard Stokes, [email protected]
