HIPAA Privacy & Security- The OCR, Audits, and Sanctions 2018

1 HIPAA Privacy & Security- The OCR, Audits, and Sanctions 2018
Presented by: G. Christopher Kelly, Esq.

2 HIPAA Privacy Rule BASICS:
HIPAA says: never disclose ANYTHING (“PHI”). Then there are the exceptions:
  TPO:
    Treatment: no limits
    Payment: minimum necessary limits
    Healthcare Operations: minimum necessary limits
  Business Associates: information necessary for their function
  Patient Requests (Authorizations)
  Redacted Information (no longer individually identifiable)

3 Privacy Rule: Patients have rights
  The Right to Inspect and Copy Information
  The Right to Amend
  The Right to Know about Disclosures
  Right to Request Restrictions
  Right to Confidential Communications
  Right to Receive Notice of any Breach
  Right to Restrict Disclosure to Insurance
  Right to Electronic Copies
  Right to Receive a Copy of this Notice

4 Privacy Rule: You have duties
  Tell patients about their rights
  Keep their information confidential = NO disclosures
    Exceptions: “TPO”
    Business Associates: Minimum Necessary Rule
    Others: investigations, Work Comp, parents
    Authorization
  Keep track of disclosures

5 HIPAA Security Rule: Administrative Safeguards
Required Specifications
  Security Management Process: Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review
  Assigned Security Responsibility
  Information Access Management: Isolating Healthcare Clearinghouse Function
  Security Incident Procedures: Response and Reporting
  Contingency Plan: Data Backup Plan; Disaster Recovery Plan; Emergency Mode Operation Plan
  Evaluation
  Business Associate Contracts and Other Arrangements: Written Contract or Other Arrangement
Addressable Specifications
  Workforce Security: Authorization and/or Supervision; Workforce Clearance Procedure; Termination Procedures
  Information Access Management: Access Authorization; Access Establishment and Modification
  Security Awareness and Training: Security Reminders; Protection from Malicious Software; Log-In Monitoring; Password Management
  Contingency Plan: Testing and Revision Procedure; Applications and Data Criticality Analysis

6 HIPAA Security Rule: Physical and Technical Safeguards
Physical Safeguards
  Required Specifications
    Workstation Use
    Workstation Security
    Device and Media Controls: Disposal; Media Re-use
  Addressable Specifications
    Facility Access Controls: Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records
    Device and Media Controls: Accountability; Data Backup and Storage
Technical Safeguards
  Required Specifications
    Access Control: Unique User Identification; Emergency Access Procedure
    Audit Controls
    Person or Entity Authentication
  Addressable Specifications
    Access Control: Automatic Logoff; Encryption and Decryption
    Integrity: Mechanism to Authenticate Electronic Protected Health Information
    Transmission Security: Integrity Controls; Encryption

7 HIPAA CHANGES- New Fines!
Type of Violation                   Fine Per Violation
Unintentional/Unknowing             $100 – $50,000
Reasonable Cause to Know            $1,000 – $50,000
Willful Neglect – But Corrected     $10,000 – $50,000
Willful Neglect – Not Corrected     $50,000 +
Cap for identical violation per calendar year: $1.5 Million

8 VIOLATION: No Risk Analysis

9 Failure to do Risk Analysis is the #1 Deficiency Cited in HIPAA Settlements

10 What is a “Risk Analysis”?
Columns: Issue | Vulnerability | Risk Level (high, med., low) | Safeguard/Risk Mgmt. Practice in Use | Effective Date

Access (Technical)
  Personnel (user identification) | Unique username and password in use
  Personnel (non-authorized use) | Auto log-off after ____ minutes
  Personnel (clearance) | Background and OIG exclusion list check
  Password Management | Changed every _____ days
  Use Termination for terminated employees |
  WiFi | Use password protected, encrypted network version…

Access (Physical)
  Facility/PHI Area access | Facility locked, employee only access allowed by… PHI secured by….
  Personnel | Termination of access for terminated employees
  Device/Workstation access | Devices with PHI located in locked area…
  Device inventory/tracking | All hardware capable of storing or viewing PHI inventoried with serial numbers and reviewed annually
  Device maintenance | No third party access to hardware capable of storing or viewing PHI
  Device disposal/reuse | Devices no longer in use will have all PHI wiped via…
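The template above is a table to be filled in by hand. As an added illustration (example code written for this page, not part of the presentation or any OCR material), the following Python script turns the template's access rows into an automated check over an asset inventory and prints a register with the same columns. The thresholds standing in for the template's blanks (15-minute auto log-off, 90-day password rotation, annual inventory review), the `Asset` record layout and the sample inventory are all assumptions made for this example.

```python
"""Risk-analysis worked example (added here; not part of the presentation).

Scores asset records against the rows of the risk-analysis template and
emits a risk register with the template's columns. Thresholds for the
template's blanks are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed values for the template's blanks ("Auto log-off after ____ minutes",
# "Changed every _____ days", "reviewed annually").
MAX_AUTO_LOGOFF_MINUTES = 15
MAX_PASSWORD_AGE_DAYS = 90
MAX_INVENTORY_REVIEW_AGE_DAYS = 365

RISK_ORDER = {"high": 0, "med": 1, "low": 2}


@dataclass
class Asset:
    serial: str
    stores_phi: bool                       # hardware capable of storing or viewing PHI
    encrypted: bool
    auto_logoff_minutes: Optional[int]     # None: no automatic log-off configured
    password_max_age_days: Optional[int]   # None: passwords never expire
    in_locked_area: bool
    last_inventory_review: Optional[date]  # None: never inventoried


@dataclass
class Finding:
    serial: str
    issue: str
    vulnerability: str
    risk_level: str           # high / med / low, as in the template
    safeguard_in_use: str


def assess_asset(asset: Asset, today: date) -> List[Finding]:
    """Apply the template rows to one asset; only failing rows become findings."""
    findings: List[Finding] = []
    if not asset.stores_phi:
        return findings  # the template only covers hardware that stores or views PHI
    if not asset.encrypted:
        findings.append(Finding(asset.serial, "Access (Technical)",
                                "ePHI stored unencrypted", "high", "none"))
    if asset.auto_logoff_minutes is None or asset.auto_logoff_minutes > MAX_AUTO_LOGOFF_MINUTES:
        findings.append(Finding(asset.serial, "Personnel (non-authorized use)",
                                "Unattended session stays open", "med",
                                f"auto log-off after {asset.auto_logoff_minutes} minutes"))
    if asset.password_max_age_days is None or asset.password_max_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(Finding(asset.serial, "Password Management",
                                "Passwords not rotated", "med",
                                f"changed every {asset.password_max_age_days} days"))
    if not asset.in_locked_area:
        findings.append(Finding(asset.serial, "Access (Physical)",
                                "Device with PHI outside locked area", "high", "none"))
    if (asset.last_inventory_review is None
            or (today - asset.last_inventory_review).days > MAX_INVENTORY_REVIEW_AGE_DAYS):
        findings.append(Finding(asset.serial, "Device inventory/tracking",
                                "Inventory not reviewed annually", "low",
                                f"last review {asset.last_inventory_review}"))
    return findings


def build_risk_register(assets: List[Asset], today: date) -> List[Finding]:
    """Whole-inventory register, highest risk first (the order a reviewer wants)."""
    rows = [f for a in assets for f in assess_asset(a, today)]
    rows.sort(key=lambda f: (RISK_ORDER[f.risk_level], f.serial))
    return rows


def summarize(rows: List[Finding]) -> Dict[str, int]:
    """Count of findings per risk level."""
    counts = {"high": 0, "med": 0, "low": 0}
    for f in rows:
        counts[f.risk_level] += 1
    return counts


# Constructed sample inventory (not real data).
TODAY = date(2018, 10, 15)
SAMPLE_ASSETS = [
    Asset("LT-001", True, False, None, None, False, None),        # field laptop, nothing in place
    Asset("WS-002", True, True, 10, 60, True, date(2018, 6, 1)),  # well-managed workstation
    Asset("PR-003", False, False, None, None, False, None),       # label printer, no PHI
    Asset("TB-004", True, True, 30, 90, True, date(2017, 1, 1)),  # tablet, two lapses
]

if __name__ == "__main__":
    register = build_risk_register(SAMPLE_ASSETS, TODAY)
    for f in register:
        print(f"{f.risk_level:<5} {f.serial:<7} {f.issue:<32} {f.vulnerability:<38} {f.safeguard_in_use}")
    print(summarize(register))
```

The point of scripting the template is that the register is rebuilt from the current inventory each time it is run, which is what "reviewed annually" and "enterprise wide" mean in the settlements below: a risk analysis that was done once, for part of the equipment, is the deficiency OCR cites most often.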

11 This JUST in 2018 - $16 Million Settlement
FOR IMMEDIATE RELEASE, October 15, 2018. Contact: HHS Press Office
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.

  Phishing scheme
  No password management
  79 million individuals
  No risk analysis
  No information system review
  Didn’t respond to known security incidents
  “Largest Breach justifies largest Settlement”- OCR

12 February 2018 - $3.5 Million Settlement
  No risk analysis
  Lacking policies
  No encryption when it was reasonable

13 Policies You Need
  Risk Analysis
  Patient rights (access, etc.)
  Workforce training
  Workforce sanctions
  Minimum necessary / Role-based access
  Designated record set
  Breaches of unsecured PHI
  Contingency Planning: Disaster recovery; Emergency operation mode; Data backup
  Physical security
  Security incident management

14

15 April 24, 2017 - $2.5 Million Settlement

16 Encrypt Everything You Can
  Emails
  Tablets
  Laptops
  PC hard drives
  USB drives
  Local and cloud servers
  Cell phones

17 Make Sure You Have a BAA With…

18 April 20, 2017 $31,000 Settlement

19

20 February 16, 2017 $5.5 Million Settlement

21 January 9, $475,000 Settlement

22 HIPAA VIOLATIONS
Provider: University of Washington (Hospital)
  Violations: Failed to implement policies and procedures to prevent, detect, contain and correct security violations.
  Fine: $750,000
Provider: Triple-S (Insurance Holding Co.)
  Violations:
    Failure to implement administrative, physical & technical safeguards to protect the privacy of the beneficiaries' PHI.
    Impermissible disclosure of beneficiaries' PHI to an outside vendor with which it had no appropriate BAA.
    Use or disclosure of more PHI than necessary to carry out mailings.
    Failure to conduct an accurate & thorough risk analysis that incorporates all IT equipment, applications & data systems utilizing ePHI.
    Failure to implement security measures sufficient to reduce the risks & vulnerabilities to its ePHI to a reasonable & appropriate level.
  Fine: $3,500,000

23 HIPAA VIOLATIONS
Provider: Cancer Care Group, PC
  Violations:
    Laptop bag stolen from an employee's car. The bag contained unencrypted backup media containing patient names, addresses, birth dates, social security numbers, insurance information and clinical information of 55,000 current and former patients.
    Did not conduct an enterprise-wide risk analysis when this breach occurred.
    Did not have a written policy specific to the removal of hardware & electronic media containing ePHI into and out of facilities.
  Fine: $750,000
Provider: St. Elizabeth's Medical Center (Hospital)
  Violations:
    Workforce members used an internet-based document sharing application to store documents containing ePHI of at least 498 individuals without having analyzed the risks associated with such a practice.
    Failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the incident and its outcome.
  Fine: $218,400

24 HIPAA VIOLATIONS
Provider: Cornell Prescription Pharmacy
  Violations:
    Disposal of unsecured documents containing PHI of 1,610 patients in an unlocked, open container. Documents were not shredded.
    Failed to implement written policies and procedures.
    Failed to provide training on policies and procedures.
  Fine: $125,000
Provider: Anchorage Community Mental Health Services
  Violations:
    Breach of unsecured ePHI affecting 2,743 individuals due to malware compromising the security of its IT resources.
    Adopted sample Security Rule policies, but did not follow them.
    Did not identify and address basic risks, such as not regularly updating IT resources with available patches & running outdated, unsupported software.
  Fine: $150,000

25 HIPAA VIOLATIONS
Provider: Columbia University Medical Center
  Violations:
    Failed to conduct an accurate & thorough risk analysis that incorporates all IT equipment, applications & data systems utilizing ePHI.
    Failed to implement processes for assessing & monitoring IT equipment, applications & data systems linked to patient databases & failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level.
  Fine: $1,500,000

26 HIPAA VIOLATIONS
Provider: Parkview Health System (non-profit providing community-based health care services)
  Violations: Employees left 71 cardboard boxes of medical records unattended and accessible to unauthorized persons in the driveway of a physician's home, knowing the physician was not there.
  Fine: $850,000
Provider: New York Presbyterian Hospital
  Violations:
    Disclosed ePHI of 6,800 patients to Google and other internet search engines when a computer server was errantly reconfigured.
    Failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications & data systems utilizing ePHI.
    Failed to implement processes for assessing & monitoring all IT equipment, applications & data systems linked to patient data & failed to implement security measures to reduce risks & vulnerabilities to its ePHI to a reasonable & appropriate level.
    Failed to implement appropriate policies & procedures for authorizing access to patient databases & failed to comply with its own policies on information access management.
  Fine: $3,300,000

27 HIPAA VIOLATIONS
Provider: Presence Health
  Violations: Had paper-based operating room schedules for 836 patients that went missing. Failed to notify the patients of the breach within 60 days of discovering it.
  Fine: $475,000
Provider: MAPFRE Life Insurance Company of Puerto Rico
  Violations: USB data storage device stolen from the IT department. Contained ePHI of 2,209 individuals.
  Fine: $2,200,000
Provider: Children’s Medical Center of Dallas
  Violations: Loss of an unencrypted, non-password-protected Blackberry in November 2009 which contained ePHI of 3,800 patients. Also had theft of an unencrypted laptop from its premises in April 2013 with ePHI of 2,462 patients.
  Fine: $3,200,000
Provider: Memorial Healthcare System
  Violations: Login credentials of a former employee were used for 1 year. MHS did not implement any procedures to review, modify or terminate users' rights of access on computers.
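The Memorial Healthcare System entry is the Security Rule's "Termination Procedures" and "Information System Activity Review" standards (slide 5) failing together: nobody disabled the account, and nobody read the logs that would have shown it still in use. As an added illustration (example code written for this page, not Memorial's or OCR's), the Python script below performs the two reviews that would have caught it: it cross-checks an HR termination roster against application login records and against a directory export of enabled accounts. The log line format, the roster, the account list and the usernames are all constructed for the example; real systems need their own parser for the first step.

```python
"""Access-review worked example (added here; not part of the presentation).

Cross-checks an HR termination roster against (a) authentication log lines and
(b) a directory export, to catch a former employee's credentials still working.
The log format, roster and directory data are constructed for this example."""
import re
from datetime import date, datetime
from typing import Dict, Iterator, List, Tuple

# Constructed authentication log (assumed key=value format, not any product's).
SAMPLE_LOG = """\
2018-03-02T08:14:11 ehr-app login user=jdoe result=success src=10.1.4.22
2018-03-02T08:20:45 ehr-app login user=asmith result=success src=10.1.4.31
2018-04-18T23:02:09 ehr-app login user=jdoe result=success src=203.0.113.7
2018-04-19T02:11:52 ehr-app login user=jdoe result=success src=203.0.113.7
2018-04-20T09:00:00 ehr-app login user=rlee result=failure src=10.1.4.40
this line is deliberately malformed and must be skipped
"""

# Constructed HR roster: username -> last day of employment.
TERMINATIONS: Dict[str, date] = {"jdoe": date(2018, 3, 31), "rlee": date(2017, 11, 15)}

# Constructed directory export: username -> account still enabled?
ACCOUNT_ENABLED: Dict[str, bool] = {"jdoe": True, "asmith": True, "bwong": True, "rlee": False}

# Review date used by the stand-alone run and the checks below.
TODAY = date(2018, 10, 15)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def logins_after_termination(text: str, terminations: Dict[str, date]) -> List[Tuple[str, datetime, str]]:
    """Successful logins by a user dated after that user's termination date."""
    hits = []
    for rec in parse_log(text):
        last_day = terminations.get(rec["user"])
        if last_day is None or rec["result"] != "success":
            continue  # current employee, or a failed attempt (reviewed separately)
        if rec["ts"].date() > last_day:
            hits.append((rec["user"], rec["ts"], rec["src"]))
    return hits


def accounts_not_disabled(terminations: Dict[str, date], enabled: Dict[str, bool], today: date) -> List[Tuple[str, int]]:
    """Terminated users whose accounts are still enabled, with days since termination."""
    stale = []
    for user, last_day in terminations.items():
        if enabled.get(user, False) and today > last_day:
            stale.append((user, (today - last_day).days))
    return sorted(stale, key=lambda s: -s[1])  # longest-overdue first


if __name__ == "__main__":
    for user, ts, src in logins_after_termination(SAMPLE_LOG, TERMINATIONS):
        print(f"ALERT: {user} logged in {ts.isoformat()} from {src} after termination")
    for user, days in accounts_not_disabled(TERMINATIONS, ACCOUNT_ENABLED, TODAY):
        print(f"REVIEW: {user} still enabled {days} days after termination")
```

The second check is the cheaper one to run regularly: it needs only the HR roster and an account export, and it reports the gap in days, which is the number OCR will ask about. The first check is what "Information System Activity Review" means in practice, and it only works if logins are logged with a stable username, which is the "Unique User Identification" specification on slide 6.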

28 HIPAA VIOLATIONS
Provider: Metro Community Provider Network
  Violations: In January 2012 a hacker accessed employees' emails through a phishing incident. MCPN reported the violation but did not conduct a risk analysis until mid February. Also failed to conduct a risk analysis prior to this incident.
  Fine: $400,000
Provider: Center for Children's Digestive Health
  Violations: Did not have a BAA on file.
  Fine: $31,000
Provider: CardioNet
  Violations: Employee's laptop stolen from their vehicle. Contained ePHI of 3,491 patients. CardioNet had insufficient risk analysis and management processes in place. Did not implement the HIPAA Security Rule.
  Fine: $2,500,000

29 HIPAA Fines by Year
Chart of total HIPAA fines per year. Labeled values: 2016- $23,504,800; 2015- $6,193,000. Two further bars read $24,947,000 and $20,393,200; their year labels did not survive in the transcript.

30 Enforcement Efforts
Reviews based on complaints
Types of entities reviewed:
  Hospitals
  Health Plans
  Outpatient Facilities
  Pharmacies
  Individual Providers
  Private Practice Groups
  Mental Health Centers
2016: Random audits = “desk audits”
2017: On-site audits!
2018: YOU?

31 Questions, comments, concerns: ckelly@pwwemslaw.com www.pwwemslaw.com
