HIPAA HiTech regulations, since October 2013, have real teeth for Business Associates (BAs). If your company comes into contact with Personal Health Information (PHI) in the course of running your business then you must comply with these regulations. Many law firms and consulting firms are BAs You need to know and adhere to the HIPAA HiTECH regulations; or be subject to potentially heavy fines.
27
Worry Free IT HIPAA HiTech Regulations What Non-Medical Companies Need to Know May 15, 2014
Transcript
1. Worry Free IT HIPAA HiTech Regulations What Non-Medical
Companies Need to Know May 15, 2014
2. 3 Points: 1. Some examples of non-medical companies that
could be impacted: law firms, CPA firms, medical consulting firms.
2. Network 1 has been providing IT support to law firms &
medical practices since 1998 3. Presentation adapted from a session
Network 1 helped deliver to the Atlanta ALA chapters Technology
Section in March 2014 entitled HIPAA HiTech: Requirements for Law
Firms. 2
3. 3 What is HIPAA? HIPAA stands for the Health Insurance
Portability and Accountability Act that was passed in 1996. It
established new standards associated with the management of
healthcare information. In its simplest form it is built around two
key pillars:
4. 4 What is the HIPAA HiTech Act? Its part of the American
Recovery and Reinvestment Act of 2009. It established incentives
for healthcare providers to adopt electronic medical records
software systems. It also expanded the scope of the HIPAA privacy
and security rules.
5. 5 HIPAA HiTech in a Nutshell HIPAA HiTech really did three
things: 1. Increased enforcement 2. Increased penalties 3. Cast a
wider net of who is covered under the regulation
6. 6 HIPAA HiTech Casts a Wider Net In addition to Covered
Entities (Healthcare plans, healthcare clearing houses and
healthcare providers), HIPAA HiTech also covers: Business
Associates Sub-contractors or agents of business associates Now,
all of the above are referred to as Covered Entities.
7. 7 What is a Business Associate? Business Associate, or BA,
is the over- arching name given to any non- medical company that
conducts business with any of the aforementioned Covered Entities
and, in doing so, transmits, creates, maintains or receives
protected health information (PHI). Under the HIPAA HiTech Act, a
BA is legally obligated to comply with the same rules and standards
that apply to a Covered Entity (healthcare company).
8. 8 What is Protected Health Information? PHI is any
information about health status, provision of health care, or
payment for health care that can be linked to a specific
individual. Here are the 18 PHI identifiers: 1. Name 2. Region
(smaller than a state) 3. Date 4. Phone # 5. Fax # 6. Email address
7. Social Security # 8. Medical record # 9. Health insurance
beneficiary # 10. Account # 11. Certificate/license # 12. Vehicle
identifier/license plate # 13. Device ID & serial # 14. Web URL
15. IP address 16. Finger print 17. Full face photo 18. Any other
unique ID # or characteristic that could reasonably be associated
to the individual
9. 9 Enforcement Historically, HIPAA fines and reprimands were
triggered after an event, such as a data breach. That has changed.
The Office for Civil Rights (OCR; part of the Department of Health
& Human Resources) is responsible for enforcing the HIPAA
HiTech regulation. Leon Rodriguez, OCR Director, takes his job very
seriously. He has created a permanent HIPAA audit program that
includes BAs.
10. 10 Enforcement (continued) As he focuses on ramping up the
HIPAA audits of Business Associates, Mr. Rodriguez has two powerful
allies and one big incentive: Powerful Allies Centers for Medicare
& Medicaid Services (CMS) The States Attorney Generals Big
Incentive The OCR is authorized to keep some of the money paid in
fines. It was reported that as of January 2014, OCR already had
$4.5 million set aside from fines levied from their audits. The OCR
is serious about protecting PHI and theyve got the teeth, funds and
leadership to back it up.
11. 11 Violations & Penalties HIPAA Violation Minimum
Penalty Maximum Penalty Individual did not know (and by exercising
reasonable diligence would not have known) that he/she violated
HIPAA $100 per violation, with an annual maximum of $25,000 for
repeat violations (Note: maximum that can be imposed by State
Attorneys General regardless of the type of violation) $50,000 per
violation, with an annual maximum of $1.5 million HIPAA violation
due to reasonable cause and not due to willful neglect $1,000 per
violation, with an annual maximum of $100,000 for repeat violations
$50,000 per violation, with an annual maximum of $1.5 million HIPAA
violation due to willful neglect but violation is corrected within
the required time period $10,000 per violation, with an annual
maximum of $250,000 for repeat violations $50,000 per violation,
with an annual maximum of $1.5 million HIPAA violation is due to
willful neglect and is not corrected $50,000 per violation, with an
annual maximum of $1.5 million $50,000 per violation, with an
annual maximum of $1.5 million
12. 12 Criminal Liability U.S. Department of Justice (DOJ)
clarified that covered entities and specified individuals can be
held criminally liable under HIPAA as follows: Those who
"knowingly" obtain or disclose individually identifiable health
information in violation of the Administrative Simplification
Regulations face a fine of up to $50,000 as well as imprisonment up
to one year. Offenses committed under false pretenses allow
penalties to be increased to a $100,000 fine with up to five years
in prison. Offenses committed with the intent to sell, transfer, or
use individually identifiable health information for commercial
advantage, personal gain or malicious harm permit fines of $250,000
and imprisonment for up to ten years.
13. 13 Companies & Fines Examples of fines levied: Entity
Fined Fine Violation CIGNET $4,300,000 Online database application
error. Alaska Department of Health and Human Services $1,700,000
Unencrypted USB hard drive stolen, poor policies and risk analysis.
WellPoint $1,700,000 Did not have technical safeguards in place to
verify the person/entity seeking access to PHI in the database.
Failed to conduct a technical evaluation in response to software
upgrade. Blue Cross Blue Shield of Tennessee $1,500,000 57
unencrypted hard drives stolen. Massachusetts Eye and Ear Infirmary
and Massachusetts Eye and Ear Associates $1,500,000 Unencrypted
laptop stolen, poor risk analysis, policies. Affinity Health Plan
$1,215,780 Returned photocopiers without erasing the hard drives.
South Shore Hospital $750,000 Backup tapes went missing on the way
to contractor. Idaho State University $400,000 Breach of unsecured
ePHI.
14. 14 HIPAA HiTech is Not a Technology Issue Its a business
risk management issue. Dont be fooled by the HiTech moniker; in
fact, there are no specific technology requirements or types of
technologies identified in the regulation. Granted, technology can
definitely enable compliance. However, at the end of the day it
comes down to what you can reasonably and appropriately implement
in your organization. With that being said, lets look at some
technology-enabled best practices.
15. 15 Technology-enabled Best Practices Firewalls Have
physical firewalls in place. Make sure they are up-to-date.
Anti-Virus Protection Have a proven, paid version in place. Make
sure it is up-to-date. Run Up-to-Date Software Make sure its
actively supported (XP). Make sure it is up-to-date with patches.
Hardware / Software
16. 16 Technology-enabled Best Practices Identify &
Document where PHI Lives Paper? Electronic? Verbally communicated?
Minimize what is Seen or Retained Dont need it? Dont have it!
Encrypt or password protect information where you can. PHI within
your Network
17. 17 Technology-enabled Best Practices Keep PHI Off if
Possible where Risk of Theft is High Laptops (if you must have PHI:
encrypt) Tablets Smart phones Thumb drives Mobile Device Management
(MDM) Policy Have one. Enforce it. Have software and process to
remotely wipe tablets and smartphones if they are lost or stolen.
All Mobile Devices
18. 18 Technology-enabled Best Practices Backups of PHI Make
sure they are encrypted. Keep in a safe, secure place re: hardware
and software. Physical Access Limit both on-site and off-site
access. Enforce it. Data Backup & Recovery
19. 19 Technology-enabled Best Practices Get an Assessment Know
your baseline. Measure your progress. Document processes as well as
your rationale for taking action and not taking action. Communicate
Train and educate personnel. Formally and informally. Document,
Document, Document.
20. Discussing PHI Be aware of where you are and your
surroundings when talking about a case/client that involves PHI
(patient information): o Office telephone: Is your door open? o
Cell phone: Where are you? In public? An elevator? Whos around you?
o Conversation with a co-worker: Are you in a high-traffic hallway?
An elevator? A coffee shop? The restroom? o Remember and keep in
mind the 18 identifiers. Dont share information with other staff
members unless it is absolutely necessary for them to perform their
job functions. 20 Treat PHI with the same care that you would your
own information: keep it secure and protect the right to privacy
Workforce Tips
21. Email Do not use Gmail/AOL/Hotmail accounts or any other
consumer based email systems to send any PHI. They are not secure.
Pay close attention to your incoming emails . Example - phishing
attacks: o Targeted emails sent to a small number of people,
typically an executive team. o Message will appear to be personal
to you: often times information is pulled from social media sites
or online profiles. o Email can contain links to websites or
include compromised attachments. o Once clicked or opened, key
loggers or some other form of malware is installed that allows
remote parties to monitor your activity and steal data. 21
Workforce Tips
22. Mobility Dont download or send ePHI to anything mobile
unless absolutely necessary to perform your job function. This
includes laptops, iPhones, iPads, Androids, thumb drives, etc. If
you have to have data on a mobile device, ensure that the data is
encrypted. Do not send information via text messaging: this is not
secure. 22 Minimizing where ePHI lives is a huge step in protecting
it and maintaining compliance Workforce Tips
23. Mobility When you work remotely and connect in to your
corporate network: o Keep documents on the office network. o Guard
against copying any information to your workstation and/or device.
Do not save passwords in applications such as web browsers or VPN
clients: If your device is ever lost, stolen or compromised, the
new owner could easily connect to the internet and access your
sites without having to guess or crack your password. 23 Workforce
Tips
24. Passwords Your organization has a password policy for a
reason. Typically it requires you to change your password
periodically and to have certain requirements to make it a strong
password, such as: o 8-12 characters o Change quarterly (for
example). o Should include letters, numbers and symbols 24
Workforce Tips www.howsecureismypassword.net: a website to measure
the strength of a password (note: do not enter your real passwords
into this or any site) o PW = stgpwb!g 33 minutes to crack with a
PC o PW = stgpWb!g 24 hours to crack with a PC o PW = s2gpWb!g 72
hours to crack with a PC Dont fight your companys password policy!
Do not share your passwords. Do not write your passwords on a
sticky note and attach to your computer or monitor.
25. Working with Paper Keep areas where PHI is located locked
at all times. Have a designated person that can lock and unlock
these areas only. (Privacy Officer) If you are working with paper
copies of documents that contain PHI: o Maintain control of the
copies at all times. o Do not leave the copies lying around for
others to see. Use fax cover sheets that have privacy statements on
them. 25 Workforce Tips
26. Miscellaneous Lock your workstation when you leave your
desk. + Position your monitors so people passing by your office, or
coming into your office to talk to you, cannot see the information
on your monitors. 26 Workforce Tips