Thursday, January 16, 2020

HIPAA Privacy and Security Compliance Webinar

1

Please note: • All phone lines will automatically be muted on entry, and will remain muted for the length

of the presentation.• You may submit written questions via the “chat” icon shown here .

Karen WakeAVP Commercial InsuranceJohnson Financial Group

Opening Remarks

2

Agenda

3

» 11:00am• Opening remarks and introductions

» 11:00am to 11:25am• “HIPAA Refresher for Employers/Health Plan Sponsors”

• Jason Gutzman, VP Employee Benefits Consultant

» 11:25am to 11:50am• “2020 HIPAA Risk Preview”

• Steve Frew, VP Risk Consultant

» 11:50am to 12:00pm• Q&A and closing remarks

Featured Presenters

4

Jason GutzmanRHU, MHP, REBC, ChHC, CSFS,

GBA, CEBSVP Employee Benefits Consultant

Johnson Financial Group

Steve FrewJD, CIPP/US

VP Risk ConsultantJohnson Financial Group

Presented by: Jason Gutzman

HIPAA Refresher for Employers/Health Plan

Sponsors

5

» What is HIPAA» Who is subject to the HIPAA Rules» What information is Protected» Key requirements of HIPAA Rules» Enforcement» Compliance Steps

Outline

6

What is HIPAA?

7

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is federal legislation in which addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers.

The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI, and breach notification rules. These important Rules were issued in 2013 and diligently enforced by the Office for Civil Rights (OCR) – a division of Health and Human Services (HHS).

HIPAA Rules

8

Health Plans are Covered Entities

9

Employers

10

Protected Health Information

11

Information Definitions

12

Privacy Rule Overview

13

Special Exception for Fully Insured Health Plans

14

Use and Disclosure Rules

15

Disclosures to Employers

16

Disclosures to Business Associates

17

Privacy Notice

18

Other Individual Rights

19

Administrative Requirements

20

Security Rule Overview

21

Risk Analysis

22

Security Safeguards

23

Examples of Safeguards

24

Breach Notification Rule Overview

25

What Is a Breach?

26

• A breach could result from many activities. » Accessing more than the minimum necessary» Failing to log off when leaving a workstation» Unauthorized access to PHI» Sharing confidential information, including passwords» Having patient-related conversations in public settings» Improper disposal of confidential materials in any form» Copying or removing PHI from the appropriate area

• Why?» Curiosity…about a co-worker or friend» Laziness…so shared sign-on to information systems» Compassion…the desire to help someone» Greed or malicious intent…for personal gain

What Constitutes a Breach?

27

Covered Entity Breach Notification Requirements

28

Common Employer Mistakes

29

Most Common HIPAA Complaints

30

HIPAA Penalties

31

What Employers Need to Do

32

When in doubt, consult with legal counsel!

Presented by: Steve Frew

2020 HIPAA Risk Preview

33

» HIPAA threats – 2020 starting line-up» OCR HIPAA enforcement» HIPAA reporting» Risk management tips

Outline

34

Threat Sources

35

Breakdown

Laptops Documents Disk drives Flash drives Desktops

Theft or Loss of Device

36

Method

Email Brute force Backdoor

Outside Attack – Hackers

37

0 10 20 30 40 50 60 70 80

Stolen Creds

Malware

Ransomware

Type of attack

Hackers

38

Error Misuse

Employees – Errors and Intent

39

40

41

• Data or hardcopy posted to wrong patient record

• Data or hardcopy not securely disposed of» Hard drives » Hardcopy in trash» Copies or printouts left in insecure setting» Multi-part forms

Improper Filing and Disposal

42

• Release after expiration of authorization• Failure to provide copies in timely manner upon

request» New OIG hot button

Late Release of Information

43

OCR HIPAA Enforcement

44

45

COVERED ENTITY AMOUNT CAUSE

Elite Dental Services –Dallas

$10,000 • Disclosed PHI in response to unfavorable YELP review

• Failure to implement P&P on social media posts

• Inadequate notice of privacyJackson Health $2,154,000 Employee selling PHI of VIPS for 5

years. Accessed more than 24,000 patient records.

46

COVERED ENTITY AMOUNT CAUSE

Korunda $85,000 Complaint of failing to provide access to medical records in format requested. OCR provided technical assistance to CE but they failed to promptly provide access

Medical Informatics Engineering

$100,000 Hacker accessed 3.5 million medical records.• Failure to conduct risk

assessment

47

COVERED ENTITY AMOUNT CAUSE

Texas HHS $1.6 million

• Failure to conduct risk assessment

• Failure to respond to known security incident

• 187 day failure to notify affected individuals

• Failure to notify media 147 daysSentara $2,175,000 Owner entity of 10 hospitals mixed

up billing and disclosed PHI of 577 patients but only reported 8 to OCR• No business associate

agreement with owner entity for billing services

• Failure to notify OCR in timely manner

48

COVERED ENTITY AMOUNT CAUSE

University of Rochester Medical Center

$3 million • Theft of unencrypted laptop disclosed PHI of 43 patients

• Failed to conduct risk assessment

• Failed to implement security measures

• Inadequate policies and procedures

• Failure to adopt encryption or document why encryption was not reasonable and adopt equivalent alternative protection

49

COVERED ENTITY AMOUNT CAUSE

Bayfront Health $85,000 Failure to provide medical records in timely manner and form -- 10 months

Cottage Health $3 million 2 breaches in two years total of 60,000+ records• Failure to conduct risk

assessment• Inadequate security measures• Failure to conduct tech

evaluation following new OS install

• Failure to have business associate agreement with contractor

HIPAA Reporting

50

Reporting <500

51

Reporting >500

52

• Breach Portal» Notice to the Secretary of HHS Breach of Unsecured

Protected Health Information» https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

Where to Report

53

Reporting Page

54

Risk Management Tips

55

Mobile Security and HIPAA

56

Secure access authentication

Encrypt

Remote wipe

Block file share

Update regularly

Approved apps only

VPN on public Wi-Fi

HIPAA Security on the Cloud

57

Business Associate Agreement:

Written agreement Privacy and security terms Duties Subcontractors:

• Audit rights• Insurance & Limits

Formulate a Defensive Strategy

Assume you will be hit

Secure your email system Data loss protection

systems Role based privileging

Multifactor access

Monitor-audit-test

Build human firewalls

Encrypt everything

58

59

Download at: https://www.johnsonbank.com/Resources/Articles/2018-10-05-HIPAA-Toolkit

Questions?

60

Thank you for attending!

61