How We Can Help: Navigating Compliance, OCR Enforcement, and the High Risk Threat Landscape
October 18, 2016
Speakers
Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
Trent Long, CHP, Manager of Managed Privacy Services, FairWarning
Tyler Carlson, CHP, Lead Privacy Analyst, FairWarning
Agenda
• The Unseen Impact of a PHI Breach
• The Mission and Vision of OCR
• What this Year's Resolution Agreements Show the Industry is Still Missing
• OCR Enforcement Activity
• Structuring Your Monitoring Program
• Training and Remediation
• Demonstrable and Actionable Compliance
• Managed Privacy Services
The Unseen Impact of a PHI Breach
Imagine that you are the victim of some sort of incident and wind up in the hospital:
• Now imagine that your information is compromised by the hospital or doctor. How would you feel?
• What if your information was used for identity theft, or worse, medical identity theft, and now you are having to fight to receive healthcare and clean up your credit?
• What is your duty as a healthcare organization to your patients?
The Mission and Vision of OCR
• To improve the health and well-being of people across the nation
• To ensure that people have equal access to services from HHS programs without facing unlawful discrimination
• To protect the privacy and security of health information
“Through investigations, voluntary dispute resolution, enforcement, technical assistance, policy development and information services, OCR will protect the civil rights of all individuals…”
View OCR’s Mission and Vision
The Industry is Still Missing the Basics
• A current and thorough Risk Analysis
- Missing in 6 out of 10 settlements
• A Risk Management plan to address gaps identified in risk assessments
- Missing in 6 out of 10 settlements
- In September, the ONC released new features to the Security Risk Assessment Tool
• Ongoing privacy and security training
- Missing in 10 out of 10 settlements
• Up-to-date privacy and security policies
- Missing in 10 out of 10 settlements
Deficiency trends found in this year’s Resolution Agreements
View the Full List of Resolution Agreements
BREAKING NEWS: Released Today - $2.14 Million HIPAA Settlement Underscores Importance of Managing Security Risk
OCR Enforcement Activity
• OCR Phase 2 HIPAA Desk Audits
• Record Numbers of Resolution Agreements
• OCR’s heightened focus:
- HIPAA enforcement
- Insider abuses (Aug. 1, 2016)
- Breaches affecting fewer than 500 individuals (Aug. 18, 2016)
October 13, 2016:
“OCR will continue to focus its enforcement efforts and its resources in this area on cases that identify industry-wide noncompliance, where corrective action under HIPAA may be the only remedy…”
- Jocelyn Samuels, Director of HHS Office for Civil Rights
Structuring Your Monitoring Program
FairWarning Managed Privacy Services monitors over 447,000 employees on a daily basis.
Blueprint for a successful monitoring program:
• HIPAA, Privacy, Security Certified experts
• Experts in clinical application audit data
• Technology experts
• Day-to-day accountability and audit readiness
This redundancy in expertise eliminates the risk of a single point of failure, such as an unexpected termination of the one person who knew the program.
Training and Remediation
Successful monitoring programs require:
1. Privacy and Security training
2. Appropriate remediation for violations
3. Accountability
Demonstrable & Actionable Compliance
• Use an Investigation Tool as a repository for Privacy and Security Investigations
- Employee Complaints
- Automated Alerts
- Hacking/IT
- Improper Disposal
• Review and document every potential incident
- Determine whether the access was business related
- Document and close all business-related incidents
What if the access is not business related?
Investigations need to capture the following information, at a minimum, for an OCR Breach Report:
• Investigation type
• Description of investigation
• Affected patient count
• Systems accessed
• Type of PHI access
• Current protective measures
• Involved parties
• Occurrence Dates
• Notification Dates
• Resolution follow up actions
• Response Actions
If the access was not business related:
1. Initiate the 4-part risk of compromise assessment (OCR mandated)
2. Submit the OCR Breach Report
Improved compliance. More time. Less worry.
• Your data, our expertise
• Reduce your compliance workload
• Investigation management
• Create a culture of Privacy & Compliance
Managed Privacy Services