Marion K. Jenkins, PhD, FHIMSS Executive Vice President – Healthcare 3t Systems Adjunct Faculty – HC IT – University of Denver MGMA Annual Meeting, October.


Slide 1: HIPAA Security: How to avoid becoming the next HIPAA Headline
Marion K. Jenkins, PhD, FHIMSS
Executive Vice President – Healthcare, 3t Systems
Adjunct Faculty – HC IT – University of Denver
MGMA Annual Meeting, October 2013

Slide 2: Outline
Learning objectives
Who is 3t Systems (not a commercial)
HIPAA overview – brief history, key definitions, examples of breaches to date
Overview of Security Rule specifications – Administrative; Physical; Technical; Omnibus
Anatomy of an actual HIPAA breach
Next steps and action items for practices
Questions/discussion

Slide 3: Learning Objectives
1. Identify the primary HIPAA risks and determine how to address them
2. Describe how HIPAA compliance can make your practice more functional
3. Avoid the primary pitfalls identified in most HIPAA assessments

Slide 4: Who is 3t Systems (for info/background… not a commercial)
Leading healthcare IT systems integrator based in Colorado:
– Consulting services
– Managed services
– Medical-grade cloud hosting
Over 200 healthcare IT projects throughout the US
Large physician practices, multi-location clinics, acute care, children's hospitals, behavioral health, surgery centers, urgent/emergent care

Slide 5: Some macro numbers
HHS-reported HIPAA breaches since 2009:
– There have been nearly 650 breaches that have involved 500 or more records
– Total is over 22 million patient records affected
– Largest is 4.9 million records (USAF contractor)
– Smallest reported breach (and not on this list) is 441 records (Hospice of Northern Idaho)
– Largest pending judgments are $3-4 BILLION (Sutter Health, California) and against SAIC (USAF)

Slide 6: HIPAA – A Brief History
HIPAA signed by President Clinton in 1996
– Primary purpose was to make HC insurance portable
– Governed paper records
– Massive increase in administrative burden to HC
– Massive efforts on compliance and training
HIPAA Security became effective in April 2005
– Most people were unaware or chose to ignore it
– They assumed IT had it taken care of
– Thought it was something they had already done

Slide 7: ARRA/HITECH Act 2009
Part of Meaningful Use stimulus – up to $54K/$63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid)
Max fines increased from $50,000 to $1.5 million
Fines apply regardless of:
– Whether docs/facilities are seeking MU funds
– Whether docs/facilities qualify for MU funds (e.g., Ambulatory Surgery Centers, self-pay, etc.)
– Whether the facility has or uses an EHR

Slide 8: Omnibus rule
Max fines remain at $1.5 million
Significant expansion of what constitutes a covered entity and who must comply
Significant increase in breach notification requirements
Increased enforcement, training of state Attorneys General, random audits (e.g., KPMG)
Civil penalties can also be imposed
Must keep all documents for 6 years

Slide 9: Potential risks to a Covered Entity
Huge fines by HHS (Office of Civil Rights)
Usually must compensate victims for damages (ongoing credit monitoring services)
If a breach involves >500 records, the entity must contact the local media (negative exposure)
Civil penalties (Sutter Health in CA facing a $4 Billion class action lawsuit)
Loss of productivity: investigation/remediation
Public relations nightmare

Slide 10: HIPAA Chapter and Verse*
HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164:
– Section – Administrative
– Section – Physical
– Section – Technical
– Section – Business Associate Arrangements
– Section – Policies and Procedures Documentation
*More than 500 pages!

Slide 11: What does HIPAA Security* say?
The HIPAA Security Rule requires you to protect and secure all electronic protected health information (ePHI) against accidental or intentional causes of unauthorized access, theft, loss or destruction, from either internal or external sources.
* HIPAA Security governs electronic records. HIPAA Privacy governs paper records.

Slide 12: HIPAA Security – Graphical Representation
[Figure: causes (accidental, intentional) and sources (internal threats, external threats) leading to improper access, theft, loss or destruction of ePHI. Source: internally produced graphic]

Slide 13: Definition of ePHI
ePHI is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means).
Electronic media includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, e-mail, websites, digital printers/copiers/scanners, etc.

Slide 14: Examples of ePHI
NAME (or anything that could identify a patient and/or connect them to a clinic or a provider), and/or some or any of the following:
– Demographic data (e.g., address, date of birth, sex)
– Medical record number, account number, SSN
– Date of service (e.g., treatment, admission, discharge)
– Ancillary medical records or components: reports, images, test results, progress notes, treatment plans, dictation files, or anything similar (including partial records)

Slide 15: Unlikely locations of ePHI
ePHI is not just confined to an EHR:
– E-mails (including server stores and local caches/PST)
– Reports, documents, letters, spreadsheets etc. created by or maintained in a practice or hospital
– Faxes/scans (today's printers/copiers – MFPs – store images of scans and faxes on internal hard drives)
– PDFs and other static instances of data
– File shares, databases, backups
– Ancillary files – labs, imaging, file attachments
– Scanned/attached or other external medical records
– Tweets, blogs, social media posts, phone photos

Slide 16: Things HIPAA doesn't say…
Length/complexity/change cycle of passwords
Timeout or logoff time interval
Type of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant)
Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn't name vendor names/products)
Actually doesn't mention laptops (or tablets, smartphones, PDAs, etc.), just workstations

Slide 17: HIPAA Security is a good thing
Most HIPAA Security requirements are best business and IT practices, and help protect any vital data from theft/loss/hacking/destruction
Implementing them makes HC facilities, and basically all businesses, more secure
Cybersecurity legislation is in the works at both state/federal levels that is patterned after HIPAA Security and will likely govern all businesses eventually

Slide 18: 3 Categories of Safeguards
Administrative Safeguards – policy/staff/training issues – mostly HR and legal, although some are definitely technical
Physical Safeguards – mostly facility and operational
Technical Safeguards – technology and systems – mostly IT stuff
Omnibus rule (2013) adds new requirements

Slide 19: Required versus Addressable
Required – self-evident – your organization must comply with the requirement (although there is no single right way specified to do so).
Addressable – you must determine if the requirement is pertinent to your organization and either comply or document good cause as to why not. Cost is not a valid reason to be non-compliant.
You are Required to address the Addressable ones. (So basically everything is required.)

Slide 20: Administrative Safeguards
23 specifications, 12 of which are required
Mostly concerns policies and procedures
Don't be fooled because it's paperwork – these safeguards are VERY IMPORTANT!
Example required safeguards:
– Establish a Security Officer and reporting system
– Conduct a complete system assessment
– Establish procedures to address potential risks

Slide 21: Physical Safeguards
10 specifications, 4 of which are required
Mostly deals with physical access/security
Examples of required safeguards:
– Establish physical security procedures for all devices
– Establish security procedures for use, re-use and disposal of media (hard drives, USB, tapes, etc.)
– Establish data backup procedures to make an exact copy of ePHI

Slide 22: Technical Safeguards
9 specifications, 4 of which are required
Mostly deals with true I.T. stuff
Examples of required safeguards:
– Assign a unique identifier to track user identity
– Implement mechanisms that record and examine activity in information systems containing ePHI
– Implement methods to authenticate workforce access (hard user names/passwords, principle of least privilege)
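The first two safeguards on this slide (a unique identifier per user, and recording and examining activity in systems holding ePHI) can be shown concretely. The following is an added example, not material from the presentation or from 3t Systems: it reviews a constructed ePHI access log against a constructed care-team roster and flags activity that cannot be attributed to one individual or that has no documented treatment relationship, the pattern behind the "snooping" cases mentioned later in the talk.

```python
# Added example (not from the presentation): reviewing an ePHI access log the way the
# Technical Safeguards slide describes. All names, MRNs and log lines are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str     # workforce identifier; HIPAA expects this to be unique per person
    patient: str  # medical record number of the chart that was touched
    action: str   # e.g. "view", "print", "export"


# Constructed roster: which workforce members have a treatment relationship with whom.
CARE_TEAM = {
    "MRN-1001": {"dr.smith", "rn.jones"},
    "MRN-1002": {"dr.patel"},
}

# Constructed list of logins that are not tied to one person. Activity under these
# accounts cannot be attributed, which defeats the "unique identifier" safeguard.
SHARED_ACCOUNTS = {"frontdesk", "admin", "nurse"}

# Constructed sample log, in the order the events were recorded.
SAMPLE_LOG = [
    AccessEvent("dr.smith", "MRN-1001", "view"),
    AccessEvent("rn.jones", "MRN-1001", "print"),
    AccessEvent("dr.patel", "MRN-1001", "view"),   # no treatment relationship
    AccessEvent("frontdesk", "MRN-1002", "view"),  # shared account
    AccessEvent("dr.patel", "MRN-1002", "export"),
]


def review_access_log(events, care_team, shared_accounts):
    """Return (event, reason) pairs that the Security Officer should follow up on."""
    findings = []
    for ev in events:
        if ev.user in shared_accounts:
            findings.append((ev, "shared account: activity cannot be tied to one person"))
            continue
        if ev.user not in care_team.get(ev.patient, set()):
            findings.append((ev, "access without a documented treatment relationship"))
    return findings


if __name__ == "__main__":
    for ev, reason in review_access_log(SAMPLE_LOG, CARE_TEAM, SHARED_ACCOUNTS):
        print(f"{ev.user} {ev.action} {ev.patient}: {reason}")
```

In a real system the roster comes from scheduling or admission data and the log from the EHR's own audit trail; the review logic stays the same.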

Slide 23: Is this the biggest HIPAA threat?

Slide 24: No, this is the biggest HC threat
By far, the largest number of threats are caused by, or enabled by, internal users – office and clinical staff

Slide 25: Some recent HIPAA headlines
Theft of physician laptop from Hawaii condo causes 3rd HIPAA breach at Oregon HC unit
Stanford Children's has 4th HIPAA breach – laptop stolen from physician's car
Mass General fined $1.3 Million (178 records)
UCLA settles celebrity snooping HIPAA case for $865 million (Tom Cruise, Farrah Fawcett)
Hospice of Northern Idaho fined $50K for breach involving only 441 records

Slide 26: What the HHS Breach Numbers Say
Conclusion – the key words:
+ Theft
+ Laptop
+ Computer
+ Portable
+ Loss
are involved in the description of over 75% of all breaches
Source of data: administrative/breachnotificationrule/breachtool.html

Slide 27: Location of breaches
Conclusion – the following locations:
+ Laptop
+ Paper
+ Portable
+ Computer
total nearly 75% of all breaches
Source of data: administrative/breachnotificationrule/breachtool.html

Slide 28: HHS – Types of breaches
Conclusion – the following types of breaches:
+ Theft (+ other issues)
+ Unauthorized access
+ Loss
outnumber hacking/IT incidents by over a 10:1 margin
Source of data: administrative/breachnotificationrule/breachtool.html

Slide 29: Anatomy of a HIPAA Breach… close to home… HIPAA is Very Real

Slide 30: You don't want to get one of these nasty grams…
Source of data: personal files; used with permission

Slide 31: More bad news… only 15 days to respond; threatened penalties

Slide 32: Even more bad news… Freedom of Information Act may make this public

Slide 33:
Prior to 2/2009: up to $100 per violation; $25,000/year cap
After 2/2009: $100 to $50K per violation; $1.5 MILLION/year cap

Slide 34: Yikes!

Slide 35: Call to action for practices
Develop an ongoing culture of HIPAA awareness
Do a HIPAA Risk Assessment (required for both Stage 1 and Stage 2 MU)
Remediate issues as needed
Cybersecurity legislation is in the works that is patterned after HIPAA and will affect all businesses, similar to healthcare

Slide 36: Biggest risks
Portable devices
– Laptops (including notebooks, tablets, etc.)
– Workstations
– USB drives
E-mail, especially with attachments
Files outside of your EHR (letters, reports, spreadsheets, etc.)
Unpatched systems (Windows XP and Server 2003 are being dropped in early 2014)

Slide 37: Best remediation ideas
Set up IT systems where no data is stored on local/portable devices (e.g., secure cloud)
Use encrypted e-mail (not Hotmail, Gmail, etc.)
Hire professional IT partners (ask your IT vendor to spell HIPAA and explain it)
Assess systems, remediate issues, train staff
Rinse and repeat

Slide 38: Review of Objectives
1. Identify the primary HIPAA risks and determine how to address them
2. Describe how HIPAA compliance can make your practice more functional
3. Avoid the primary pitfalls identified in most HIPAA assessments

Slide 39: Questions/Discussion

Slide 40: Marion K. Jenkins, PhD, FHIMSS, Executive Vice President – Healthcare, 3t Systems
More information:

