Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.

Published byLionel Hill Modified over 8 years ago

Similar presentations

Presentation on theme: "Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights."— Presentation transcript:

1 Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights

2 Revised Definition of “Breach:” Breach Presumed UNLESS: The CE or BA can demonstrate that there is a low probability that the PHI has been compromised based on: – Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); – The unauthorized person who used the PHI or to whom the disclosure was made; – Whether the PHI was actually acquired or viewed; and – The extent to which the risk to the PHI has been mitigated. Focus on risk to the data, instead of risk of harm to the individual. Risk Assessment must be documented. BREACH NOTIFICATION RULE 2

3 500+ Breaches by Type of Breach as of 7/29/2015 3

4 4 500+ Breaches by Location as of 7/29/2015

5 5 BREACH HIGHLIGHTS September 2009 through July 29, 2015 Approximately 1,276 reports involving a breach of PHI affecting 500 or more individuals – Theft and Loss are 57% of large breaches – Laptops and other portable storage devices account for 30% of large breaches – Paper records are 22% of large breaches Approximately 177,000+ reports of breaches of PHI affecting less than 500 individuals

6 CLOSED INVESTIGATED CASES 6

7 RECENT ENFORCEMENT ACTIONS 7 St. Elizabeth’s Medical Center (electronic) Cornell Prescription Pharmacy (paper) Anchorage (electronic) Parkview (paper) NYP/Columbia (electronic) Concentra (electronic) QCA (electronic) Skagit County (electronic and paper)

8 Lessons Learned: HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information. Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected as well as the confidentiality of their health data. RECENT ENFORCEMENT ACTIONS 8

9 LESSONS LEARNED Appropriate Safeguards Prevent Breaches Evaluate the risk to e-PHI when at rest on removable media, mobile devices and computer hard drives Take reasonable and appropriate measures to safeguard e-PHI – Store all e-PHI to a network – Encrypt data stored on portable/movable devices & media – Employ a remote device wipe to remove data when lost or stolen – Consider appropriate data backup – Train workforce members on how to effectively safeguard data and timely report security incidents 9

10 http://www.healthit.gov /providers- professionals/security- risk-assessment RISK ANALYSIS 10

11 http://www.healthit. gov/mobiledevices MOBILE DEVICES 11

12 Medscape Resource Center: PUBLIC OUTREACH INITIATIVES http://www.medscape.org/sites/advanc es/patients-rights 12

13 QUESTIONS? 13

Download ppt "Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights."

Similar presentations

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
The Department has declared itself to be a single covered entity. Thus, each and every one of our divisions is a covered entity and must comply with.

The Department has declared itself to be a single covered entity. Thus, each and every one of our divisions is a covered entity and must comply with.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Breach SHOULD Be a Four Letter Word HIPAA Omnibus.

Breach SHOULD Be a Four Letter Word HIPAA Omnibus.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

Similar presentations

Ads by Google