Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.

Slides:

Advertisements

Similar presentations

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

Advertisements

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

The Department has declared itself to be a single covered entity. Thus, each and every one of our divisions is a covered entity and must comply with.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

David Assee BBA, MCSE Florida International University

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

Breach SHOULD Be a Four Letter Word HIPAA Omnibus.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

HIPAA Regulations What do you need to know?.

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

2015 User Conference HIPAA and Patient Safety: Why It Matters April 24, 2015 (GEN-AO1) Presented by: Susan J. Kressly, MD, FAAP Medical Director, Office.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

From HIPAA to HITECH OMH Briefing.

OCR’s Guidance on the HIPAA Privacy Rule and Sharing Information Related to Mental Health and Recent OCR Activities Sherri Morgan, JD, MSW and Marissa.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Dealing with Business Associates Business Associates Business Associates are persons or organizations that on behalf of a covered entity: –Perform any.

Quality Integrity Stewardship Courtesy Care Accountability Medical Records ARMA Florida Gulf Coast Chapter Michael Spake Lakeland Regional Medical Center.

Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.

Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture a This material (Comp7_Unit7a) was developed by.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.

Privacy and Security Risks to Rural Hospitals John Hoyt, Partner December 6, 2013.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Eliza de Guzman HTM 520 Health Information Exchange.

MU and HIPAA Compliance 101 Robert Morris VP Business Services Ion IT Group, Inc

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Working with HIT Systems

Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.

HITECH and HIPAA Presented by Rhonda Anderson, RHIA Anderson Health Information Systems, Inc

Snowe Amendment to the Wired Act William F. Pewen, Ph.D., M.P.H. Office of Senator Olympia J. Snowe, ME (202)

We’ve Had A Breach – Now What? Garfunkel Wild, P.C. 411 Hackensack Avenue 6 th Floor Hackensack, New Jersey Broadway Albany,

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014.

Functioning as a Business Associate Under HIPAA William F. Tulloch Director, PCBA March 9, 2004.

Final HIPAA Rule Special Training What you need to know to remain compliant with the new regulations.

Company Proprietary and Confidential Texas Association of Community Health Centers - Proprietary and Confidential Fourth and Goal: Score with Meaningful.

HIPAA Training. What information is considered PHI (Protected Health Information)  Dates- Birthdays, Dates of Admission and Discharge, Date of Death.

PHASE II OF HIPAA AUDIT PROGRAM June 2016 Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A. Two Industrial Way West Two Industrial.

HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.

Installation and Maintenance of Health IT Systems System Security Procedures and Standards Lecture a This material Comp8_Unit6a was developed by Duke University,

PHI Breach PHI Breach Dealing Breach With HIPAA Guidelines Guidelines.

Select Questions to ask your HIPAA Privacy Officer

Lewis Creek Systems, LLC

Privacy & Information Security Basics

East Carolina University

Rational HIPAA Woes for the CFO and Business Leaders

HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT

HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.

Introduction to the PACS Security

School of Medicine Orientation Information Security Training

Presentation transcript:

Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights

Revised Definition of “Breach:” Breach Presumed UNLESS: The CE or BA can demonstrate that there is a low probability that the PHI has been compromised based on: – Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); – The unauthorized person who used the PHI or to whom the disclosure was made; – Whether the PHI was actually acquired or viewed; and – The extent to which the risk to the PHI has been mitigated. Focus on risk to the data, instead of risk of harm to the individual. Risk Assessment must be documented. BREACH NOTIFICATION RULE 2

500+ Breaches by Type of Breach as of 7/29/2015 3

Breaches by Location as of 7/29/2015

5 BREACH HIGHLIGHTS September 2009 through July 29, 2015 Approximately 1,276 reports involving a breach of PHI affecting 500 or more individuals – Theft and Loss are 57% of large breaches – Laptops and other portable storage devices account for 30% of large breaches – Paper records are 22% of large breaches Approximately 177,000+ reports of breaches of PHI affecting less than 500 individuals

CLOSED INVESTIGATED CASES 6

RECENT ENFORCEMENT ACTIONS 7 St. Elizabeth’s Medical Center (electronic) Cornell Prescription Pharmacy (paper) Anchorage (electronic) Parkview (paper) NYP/Columbia (electronic) Concentra (electronic) QCA (electronic) Skagit County (electronic and paper)

Lessons Learned: HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information. Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected as well as the confidentiality of their health data. RECENT ENFORCEMENT ACTIONS 8

LESSONS LEARNED Appropriate Safeguards Prevent Breaches Evaluate the risk to e-PHI when at rest on removable media, mobile devices and computer hard drives Take reasonable and appropriate measures to safeguard e-PHI – Store all e-PHI to a network – Encrypt data stored on portable/movable devices & media – Employ a remote device wipe to remove data when lost or stolen – Consider appropriate data backup – Train workforce members on how to effectively safeguard data and timely report security incidents 9

/providers- professionals/security- risk-assessment RISK ANALYSIS 10

gov/mobiledevices MOBILE DEVICES 11

Medscape Resource Center: PUBLIC OUTREACH INITIATIVES es/patients-rights 12

QUESTIONS? 13