1 HSAG remains vendor neutral and this is just one of many experts on subjects of topical interest.

2 Presented by: Suze Shaffer

3 ©2015 Aris Medical Solutions. All rights reserved
- Define Security Risk Analysis
- How to develop a Risk Management Plan
- NIST and how it relates to the DHHS Security Matrix
- Basic tips on how to protect patient data
- Consequences of non-compliance

4 Nothing contained herein should be considered legal advice. All recommendations come from NIST (National Institute of Standards and Technology), DHHS (Department of Health and Human Services), CMS (Centers for Medicare & Medicaid Services), OCR (Office for Civil Rights), and the guidelines set forth under HIPAA and the HITECH Act. Be sure to follow state law where applicable. Always consult your healthcare attorney on legal matters.

5 "Protect Electronic Health Information". Two common assumptions: "The EHR does this automatically" and "The IT vendor takes care of this." NEITHER HAS ANYTHING TO DO WITH THIS CORE MEASURE: the measure is met by the practice's own security risk analysis, and neither an EHR product nor an IT vendor substitutes for it.

6 What does a Security Risk Analysis need to include?
- Have you identified where PHI and ePHI resides?
- Have you assigned a Security Officer?
- Do you have a Breach Notification Plan?
- Do you have a Contingency Plan?
- Do you have Business Associate Agreements in place with ALL your BAs?
- Do you have Policies and Procedures on device and media controls?
- Do you have an inventory list that records which devices and equipment hold ePHI?
- Are you monitoring your audit logs, and is that review documented?
- Do you have a Mobile Device and Remote Use Policy and Procedure in place?

7
- Download a DIY SRA: professionals/security-risk-assessment
- assessment-small-physician-practice.aspx
- curityrule/rafinalguidancepdf.pdf
- More than a Yes/No Questionnaire

8
- Types of threats: There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental.
- Likelihood of a threat: A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability. A vulnerability is a weakness that can be accidentally triggered or intentionally exploited. A threat-source does not present a risk when there is no vulnerability that can be exercised.
- Level of risk: The level of risk can be determined, for example, by analyzing the values assigned to the likelihood of a threat occurring and the resulting impact if it does.
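The likelihood-times-impact rating described on this slide, carried through as an added example (not code from the presentation or from Aris Medical Solutions). The likelihood weights, impact magnitudes and risk bands are those of NIST SP 800-30 (2002), Table 3-6; the threat/vulnerability pairs in SAMPLE_PAIRS are constructed for a small practice and are assumptions, not findings. The example also handles the case the slide calls out: a threat-source with no exercisable vulnerability contributes no risk.

```python
"""Risk-level calculation in the style of NIST SP 800-30 (2002), Table 3-6.

Added example, not from the presentation. The likelihood weights, impact
magnitudes and risk bands are those of the 2002 edition of SP 800-30; the
threat/vulnerability pairs in SAMPLE_PAIRS are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Likelihood weights and impact magnitudes from SP 800-30 (2002), Table 3-6
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class ThreatVulnPair:
    threat_source: str
    category: str                   # natural, human or environmental
    vulnerability: Optional[str]    # None: no weakness this source can exercise
    likelihood: str                 # low / medium / high
    impact: str                     # low / medium / high


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact magnitude (1 .. 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 bands: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pair: ThreatVulnPair) -> dict:
    """Rate one threat/vulnerability pair; no exercisable vulnerability means no risk."""
    if pair.vulnerability is None:
        return {"threat": pair.threat_source, "category": pair.category,
                "vulnerability": None, "score": 0.0, "level": "None"}
    score = risk_score(pair.likelihood, pair.impact)
    return {"threat": pair.threat_source, "category": pair.category,
            "vulnerability": pair.vulnerability, "score": score,
            "level": risk_level(score)}


def build_register(pairs) -> list:
    """Rate every pair and order the register by score, highest first, so it
    doubles as the priority list for the documented mitigation plan."""
    rated = [assess(p) for p in pairs]
    return sorted(rated, key=lambda r: r["score"], reverse=True)


# Constructed sample pairs for a small practice (assumptions, not findings)
SAMPLE_PAIRS = [
    ThreatVulnPair("Laptop theft", "human", "Laptop disk is not encrypted",
                   "high", "high"),
    ThreatVulnPair("Former employee log-in", "human",
                   "Accounts are not disabled at termination", "medium", "high"),
    ThreatVulnPair("Power outage", "environmental", "No UPS on the EHR server",
                   "medium", "low"),
    # no Windows XP hosts remain in the inventory, so nothing to exercise
    ThreatVulnPair("Ransomware aimed at Windows XP", "human", None,
                   "high", "high"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_PAIRS):
        print(f'{row["level"]:6} {row["score"]:5.1f}  '
              f'{row["threat"]}: {row["vulnerability"]}')
```

The sorted register is the input to the mitigation plan the next slide asks for: the High row (unencrypted laptop) is worked first, the zero-score row is kept in the register as evidence that the threat was considered and found not applicable.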

9
- 75% of Risk Management is DOCUMENTED Policies and Procedures
- 25% is Physical and Technical Safeguards
- Documented Mitigation Plan


15
- Lack of an enforced Sanctions Policy
- Audit logs are not reviewed
- Staff did not apply "Minimum Necessary" standards
- Lack of documented training of ALL employees
- Not all users are assigned a unique identifier for system access
- No policies and procedures to ensure an accurate and complete Accounting of Disclosures

16
- No documented Confidential Communications process in place
- No documented list of all users with their level of access to ePHI
- Notice of Privacy Practices has not been updated to Omnibus Rule requirements and does not include all disclosures
- HIPAA-required documentation is not kept for a period of 6 years (not to be confused with medical records)


18
- Policies and Procedures
- Human factor is the weakest link
- Monitor your audit logs
- Termination checklist
- Endpoint security monitoring
- Mobile device management
- Security training
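What "monitor your audit logs" looks like in practice, as an added example that is not code from the presentation or from Aris Medical Solutions. It covers the audit-log question on slide 6 and three of the findings on slide 15 (logs not reviewed, no unique user identifier, no termination checklist) in one review pass. The CSV log format, the generic account names, the business-hours window, the termination list and the thresholds are all assumptions chosen for illustration; the log lines are constructed.

```python
"""Audit-log review pass over EHR access records.

Added example, not from the presentation. The CSV log format
(timestamp,user,workstation,patient_id,action), the generic account names,
the business-hours window, the termination list and the thresholds are all
assumptions chosen for illustration; the log lines themselves are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime, time, timedelta

# Constructed sample log: a normal Monday plus a few anomalies
SAMPLE_LOG = """timestamp,user,workstation,patient_id,action
2015-03-02T08:05:00,jdoe,WS-01,P1001,view
2015-03-02T08:07:00,jdoe,WS-01,P1002,view
2015-03-02T09:15:00,frontdesk,WS-03,P1003,view
2015-03-02T09:16:00,frontdesk,WS-07,P1004,view
2015-03-02T12:30:00,msmith,WS-02,P1005,update
2015-03-02T22:45:00,msmith,WS-02,P1006,view
2015-03-03T10:00:00,rterm,WS-05,P1020,view
"""
# bjones opens 12 different charts in 12 minutes (constructed snooping pattern)
SAMPLE_LOG += "".join(
    f"2015-03-02T13:{i:02d}:00,bjones,WS-04,P{1100 + i},view\n" for i in range(12)
)

GENERIC_ACCOUNTS = {"frontdesk", "nurse", "admin"}   # assumed shared IDs
TERMINATED = {"rterm": date(2015, 2, 27)}            # assumed termination dates
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # assumed Mon-Fri window
MAX_PATIENTS_PER_DAY = 10                            # assumed volume threshold


def parse_log(text: str) -> list:
    """Read the CSV export and attach a datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(records, generic=GENERIC_ACCOUNTS, terminated=TERMINATED,
           hours=BUSINESS_HOURS, max_patients=MAX_PATIENTS_PER_DAY) -> list:
    """Return one finding per rule hit. Rules:
    shared-account           user ID is a generic/shared login (no unique user ID)
    concurrent-workstations  one ID active on two workstations within 5 minutes
    terminated-user          access after the user's termination date
    after-hours              access outside business hours or on a weekend
    high-volume              more distinct patients in a day than the threshold
    """
    findings = []
    patients_by_user_day = defaultdict(set)
    last_seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        user, ts, ws = r["user"], r["ts"], r["workstation"]
        if user in generic:
            findings.append({"rule": "shared-account", "user": user, "at": ts})
        prev = last_seen.get(user)
        if prev and prev[0] != ws and ts - prev[1] <= timedelta(minutes=5):
            findings.append({"rule": "concurrent-workstations", "user": user,
                             "at": ts, "workstations": (prev[0], ws)})
        last_seen[user] = (ws, ts)
        term = terminated.get(user)
        if term and ts.date() > term:
            findings.append({"rule": "terminated-user", "user": user, "at": ts,
                             "terminated_on": term})
        if ts.weekday() >= 5 or not (hours[0] <= ts.time() < hours[1]):
            findings.append({"rule": "after-hours", "user": user, "at": ts})
        patients_by_user_day[(user, ts.date())].add(r["patient_id"])
    for (user, day), patients in patients_by_user_day.items():
        if len(patients) > max_patients:
            findings.append({"rule": "high-volume", "user": user, "at": day,
                             "count": len(patients)})
    return findings


def review_record(findings, reviewer: str, reviewed_on: str) -> dict:
    """The artefact to retain: who reviewed, when (ISO date), and what was found."""
    return {"reviewer": reviewer, "reviewed_on": reviewed_on,
            "hits_by_rule": dict(Counter(f["rule"] for f in findings)),
            "users_to_follow_up": sorted({f["user"] for f in findings})}


if __name__ == "__main__":
    hits = review(parse_log(SAMPLE_LOG))
    for f in hits:
        print(f'{f["rule"]:24} {f["user"]:10} {f["at"]}')
    print(review_record(hits, "security officer", "2015-03-04"))
```

The review_record dictionary is the part that answers "is this documented?": keep it (or its printed form) with the other HIPAA documentation, since a review that leaves no record is indistinguishable from no review at all. The termination check only works if the termination checklist actually feeds TERMINATED; that is the link between the "Termination checklist" item above and the log review.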

19
- Continuous education
- Review your Business Associates
- Workstation use
- Business-grade firewall device
- Domain controller
- Separate Wi-Fi for personal use
- Encryption

20
Complaint | HIPAA Violation | Fine | # Days | Statutory Max/Yr | Total Amt of Fine Levied
Complaint filed | Patient denied access to Designated Record Set | $100 | 300 | $25,000 | $25,000
Found by OCR | No right by patient to amend record | $100 | 300 | $25,000 | $25,000
Found by OCR | Employees not trained on HIPAA for past 6 years | $100 | 6 years | $25,000 | $150,000
Found by OCR | Practice did not have a Sanctions Policy that was applied to employees that violated HIPAA | $100 | 6 years | $25,000 | $150,000
Found by OCR | Employee that violated patient right to access was not sanctioned | $100 | 300 | $25,000 | $25,000
Found by OCR | HIPAA-required documentation was not kept on training and the practice did not have a set of Policies and Procedures | $100 | 6 years | $25,000 | $150,000
TOTAL PENALTY | | | | | $525,000

Each $100-per-day fine is capped at the $25,000 annual statutory maximum, so a 300-day violation costs $25,000 (300 x $100 = $30,000, capped) and a violation that ran for 6 years costs 6 x $25,000 = $150,000.

21
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: this is the maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

22 Officials at Froedtert Health, a three-hospital health system based in Milwaukee, Wis., notified patients of a data breach after a computer virus may have compromised the personal health information of some 43,000 people. According to a Froedtert Health statement, officials learned Dec. 14, 2012 that the virus may have allowed hackers into an employee's work computer. A computer forensics company was unable to "definitively rule out the possibility the virus was able to obtain information stored in the employee's work computer account," the statement reads. The employee's work computer contained patient names, addresses, phone numbers, dates of birth, medical record numbers, health insurance information and clinical data, and Social Security numbers in some cases.

23 Ponemon Institute estimate is $ per medical record compared to $ for a typical data breach! To calculate the average cost of a data breach, Ponemon collects both direct and indirect expenses incurred by the organization. Direct expenses include forensic experts, outsourced hotline support, and providing free credit monitoring subscriptions and discounts on future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates. PLUS FINES AND PENALTIES!

24 Anchorage Community Mental Health Services was fined $150K for unpatched software that led to a data breach. Windows XP computers are no longer supported by Microsoft, and Windows Server 2003 will not be supported after July 14, 2015.

25 The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. APDerm agreed to a $150,000 fine. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

26 OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. Skagit County agreed to a $215,000 monetary settlement and to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program.

27 OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR's investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.

28 Intermountain, the largest health system in Utah, told federal officials in 2009 that the system may have illegally paid bonuses to 37 doctors based on how much the system earned from their patient referrals, which would be a violation of the Stark law prohibition on paying doctors in ways that would influence their referrals. Intermountain Healthcare agreed to pay more than $25 million to resolve self-disclosed allegations that it paid more than 200 doctors illegally over the course of more than a decade.

29
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- https://www.privacyrights.org/data-breach-asc


31 Suze Shaffer, CHSP x 7

32 HSAG’s next webinar will be Thursday, March 12, 2015 on Chronic Care Management Coding for Care Management. Please be sure to take the brief evaluation survey upon exiting.
