Thursday, January 16, 2020
HIPAA Privacy and Security Compliance Webinar
Please note:
• All phone lines will automatically be muted on entry, and will remain muted for the length of the presentation.
• You may submit written questions via the “chat” icon shown here.
Karen Wake, AVP Commercial Insurance, Johnson Financial Group
Opening Remarks
Agenda
» 11:00am: Opening remarks and introductions
» 11:00am to 11:25am: “HIPAA Refresher for Employers/Health Plan Sponsors”
  • Jason Gutzman, VP Employee Benefits Consultant
» 11:25am to 11:50am: “2020 HIPAA Risk Preview”
  • Steve Frew, VP Risk Consultant
» 11:50am to 12:00pm: Q&A and closing remarks
Featured Presenters
Jason Gutzman, RHU, MHP, REBC, ChHC, CSFS, GBA, CEBS
VP Employee Benefits Consultant, Johnson Financial Group
Steve Frew, JD, CIPP/US
VP Risk Consultant, Johnson Financial Group
Presented by: Jason Gutzman
HIPAA Refresher for Employers/Health Plan Sponsors
Outline
» What is HIPAA
» Who is subject to the HIPAA Rules
» What information is protected
» Key requirements of the HIPAA Rules
» Enforcement
» Compliance steps
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is federal legislation that addresses issues ranging from health insurance coverage to national standard identifiers for healthcare providers.
The portions that are important for our purposes are those that deal with protecting the privacy (confidentiality) and security (safeguarding) of health data, which HIPAA calls Protected Health Information or PHI, together with the breach notification rules. These important Rules were issued in 2013 and are diligently enforced by the Office for Civil Rights (OCR), a division of Health and Human Services (HHS).
HIPAA Rules
Health Plans are Covered Entities
Employers
Protected Health Information
Information Definitions
Privacy Rule Overview
Special Exception for Fully Insured Health Plans
Use and Disclosure Rules
Disclosures to Employers
Disclosures to Business Associates
Privacy Notice
Other Individual Rights
Administrative Requirements
Security Rule Overview
Risk Analysis
Security Safeguards
Examples of Safeguards
Breach Notification Rule Overview
What Is a Breach?
What Constitutes a Breach?
• A breach could result from many activities:
» Accessing more than the minimum necessary
» Failing to log off when leaving a workstation
» Unauthorized access to PHI
» Sharing confidential information, including passwords
» Having patient-related conversations in public settings
» Improper disposal of confidential materials in any form
» Copying or removing PHI from the appropriate area
• Why?
» Curiosity… about a co-worker or friend
» Laziness… leading to shared sign-ons to information systems
» Compassion… the desire to help someone
» Greed or malicious intent… for personal gain
Covered Entity Breach Notification Requirements
Common Employer Mistakes
Most Common HIPAA Complaints
HIPAA Penalties
What Employers Need to Do
When in doubt, consult with legal counsel!
Presented by: Steve Frew
2020 HIPAA Risk Preview
Outline
» HIPAA threats – 2020 starting line-up
» OCR HIPAA enforcement
» HIPAA reporting
» Risk management tips
Threat Sources
Theft or Loss of Device
(Chart: breakdown by device – laptops, documents, disk drives, flash drives, desktops)
Outside Attack – Hackers
(Chart: method – email, brute force, backdoor)
Hackers
(Chart: type of attack – stolen credentials, malware, ransomware)
Employees – Errors and Intent
(Chart: error vs. misuse)
Improper Filing and Disposal
• Data or hardcopy posted to wrong patient record
• Data or hardcopy not securely disposed of
» Hard drives
» Hardcopy in trash
» Copies or printouts left in insecure setting
» Multi-part forms
Late Release of Information
• Release after expiration of authorization
• Failure to provide copies in timely manner upon request
» New OIG hot button
OCR HIPAA Enforcement
Covered entity, settlement amount and cause:

Elite Dental Services – Dallas: $10,000
• Disclosed PHI in response to unfavorable Yelp review
• Failure to implement P&P on social media posts
• Inadequate notice of privacy

Jackson Health: $2,154,000
• Employee selling PHI of VIPs for 5 years; accessed more than 24,000 patient records

Korunda: $85,000
• Complaint of failing to provide access to medical records in the format requested. OCR provided technical assistance to the CE, but it still failed to promptly provide access

Medical Informatics Engineering: $100,000
• Hacker accessed 3.5 million medical records
• Failure to conduct risk assessment

Texas HHS: $1.6 million
• Failure to conduct risk assessment
• Failure to respond to known security incident
• 187-day failure to notify affected individuals
• Failure to notify media for 147 days

Sentara: $2,175,000
• Owner entity of 10 hospitals mixed up billing and disclosed PHI of 577 patients, but only reported 8 to OCR
• No business associate agreement with owner entity for billing services
• Failure to notify OCR in timely manner

University of Rochester Medical Center: $3 million
• Theft of unencrypted laptop disclosed PHI of 43 patients
• Failed to conduct risk assessment
• Failed to implement security measures
• Inadequate policies and procedures
• Failure to adopt encryption, or to document why encryption was not reasonable and adopt equivalent alternative protection

Bayfront Health: $85,000
• Failure to provide medical records in timely manner and form (10 months)

Cottage Health: $3 million
• 2 breaches in two years, total of 60,000+ records
• Failure to conduct risk assessment
• Inadequate security measures
• Failure to conduct technical evaluation following new OS install
• Failure to have business associate agreement with contractor
HIPAA Reporting
Reporting <500
Reporting >500
Where to Report
• Breach Portal
» Notice to the Secretary of HHS of a Breach of Unsecured Protected Health Information
» https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf
Reporting Page
Risk Management Tips
Mobile Security and HIPAA
• Secure access authentication
• Encrypt
• Remote wipe
• Block file share
• Update regularly
• Approved apps only
• VPN on public Wi-Fi
HIPAA Security on the Cloud
Business Associate Agreement:
• Written agreement
• Privacy and security terms
• Duties
• Subcontractors
• Audit rights
• Insurance & limits
Formulate a Defensive Strategy
• Assume you will be hit
• Secure your email system
• Data loss protection systems
• Role-based privileging
• Multifactor access
• Monitor, audit, test
• Build human firewalls
• Encrypt everything
Download at: https://www.johnsonbank.com/Resources/Articles/2018-10-05-HIPAA-Toolkit
Questions?
Thank you for attending!