
HIPAA Security in the News

Join Roger Shindell for a presentation on lessons learned, security risk assessments, privacy management, business associate agreements, due diligence, and team training regarding HIPAA security. Explore risks and recent resolution agreements.





Presentation Transcript


  1. HIPAA Security in the News
     Presenter – Roger Shindell, MS, CHPS, CISA; CEO, Carosh Compliance Solutions
     www.Carosh.com • IowaCity@Carosh.com • (319) 471-4235

  2. Learning Objectives
     At the end of this presentation you will understand:
     • Lessons learned
     • Conduct your Security Risk Assessment
     • Develop your security (and privacy) management program
     • Make sure your business associate agreements are in place
     • Make sure you conduct due diligence on your business associates
     • Train, train and conduct more training for your team
     Risks from:
     • Working with business associates
     • Handling of paper records
     • Malware
     • Software vulnerabilities and network management
     • County activities

  3. HIPAA Security
     Defined in 45 CFR Part 160 and Part 164, Subparts A and C. CFR means “Code of Federal Regulations”. For our purposes, anything that would be uncovered when you conduct your required Security Risk Assessment.
     “In the news” means where the Office for Civil Rights has published a resolution agreement on their “Breach Portal” (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf), the former “HIPAA Wall of Shame”, and resolution agreements: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html?language=es

  4. Working with Business Associates
     Care New England Health System (CNE). CNE provides centralized corporate support for its subsidiary affiliated covered entities, which include a number of hospitals and health care providers in Massachusetts and Rhode Island. Women & Infants Hospital of Rhode Island (WIH), a covered entity member of CNE, experienced the loss of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, including patient name, date of birth, date of exam, physician names, and, in some instances, Social Security Numbers.

  5. Working with Business Associates (cont..)
     WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until August 28, 2015, as a result of OCR’s investigation, and therefore did not incorporate revisions required under the HIPAA Omnibus Final Rule. The settlement with CNE includes a monetary payment of $400,000 and a comprehensive corrective action plan. WIH was additionally fined $150,000 by the State Attorney General. HHS deemed this sufficient and did not assess additional fines.

  6. Working with Business Associates (cont..)
     North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. OCR initiated an investigation of North Memorial following receipt of a breach report, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals. OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

  7. Working with Business Associates (cont..)
     The investigation further determined that:
     • North Memorial failed to complete a risk analysis, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.
     • In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

  8. Working with Business Associates (cont..)
     • Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate to 6 skilled nursing facilities
     • Breach consisted of a lost iPhone containing 412 records
     • Failed to protect health information they create, receive, maintain, or transmit from covered entities
     • Failed to conduct an enterprise-wide risk analysis and corresponding risk management plan
     • Had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident
     • Resolution agreement included fines of $650,000 and a corrective action plan

  9. Handling of Paper Records Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio. Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.  Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.

  10. Handling of Paper Records (cont..)
     In addition to the $800,000 resolution amount, the settlement includes a corrective action plan requiring Parkview to:
     • Revise their policies and procedures,
     • Train staff, and
     • Provide an implementation report to OCR.

  11. Handling of Paper Records (cont..)
     Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado area. A local Denver news outlet investigated, on a tip, the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. Evidence obtained by OCR during its investigation revealed Cornell’s failure to implement any written policies and procedures. Cornell also failed to provide training on policies and procedures to its workforce. Cornell paid $125,000 and adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.

  12. Malware
     Anchorage Community Mental Health Services (ACMHS), a five-facility, nonprofit organization, provides behavioral health care services to children, adults, and families in Anchorage, Alaska. Inappropriate access of unsecured electronic protected health information (ePHI) affecting 2,743 individuals occurred due to malware compromising the security of its information technology resources. ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

  13. Malware (cont..) In addition to the $150,000 settlement amount, the agreement includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a two-year period. The agreement includes the requirement to conduct a regular review of the administrative, physical and technical safeguards they have in place to protect the security of the information.

  14. Software vulnerabilities and network management New York and Presbyterian Hospital (NYP) and Columbia University (CU) NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.

  15. Software vulnerabilities and network management (Cont..) A breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

  16. Software vulnerabilities and network management (cont..)
     NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes:
     • Undertaking a risk analysis,
     • Developing a risk management plan,
     • Revising policies and procedures,
     • Training staff, and
     • Providing progress reports.

  17. County Activities
     Skagit County, Washington, agreed to settle potential violations of HIPAA. Skagit County agreed to a $215,000 monetary settlement. OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.

  18. County Activities (cont..)
     Skagit County agreed to develop a corrective action plan to ensure it has in place:
     • Written policies and procedures,
     • Compliance with documentation requirements, and
     • Adequate training of all personnel.
     This corrective action plan also requires Skagit County to provide regular status reports to OCR.

  19. Lessons to Learn
     • Conduct your Security Risk Assessment
     • Develop your security (and privacy) management program
     • Make sure your business associate agreements are in place
     • Make sure you conduct due diligence on your business associates
     • Train, train and conduct more training for your team

  20. Security Risk Assessment
     NIST 800-30 Specification: for each threat and vulnerability a risk score must be assigned.

  21. The Risk Management Process
     • Conduct Risk Assessment(s)
     • Create Remediation Plan
     • Training Program
     • Audit and Manage
     • Correct any Deficiencies

  22. New Requirements to Conduct Due Diligence on Business Associates
     Since 2012-2013, post Final Omnibus Rule:
     • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
     • Protect against reasonably anticipated, impermissible uses or disclosures;
     • Act on any “pattern of activity or practice by a business associate in violation of the business associate agreement and it fails to take reasonable steps to cure the breach and if unsuccessful, terminate the contract if feasible”.

  23. Based on guidance from HHS’ audit protocol, published guidance, and resolution agreements
     6. Can you provide the following:
     • The signature pages of your most recent Security Risk Assessment?
     • The signature page of your most recent Remediation Plan?
     • The signature page of your HIPAA Master Policy and Procedure manual?
     • A copy of your most recent network vulnerability scan?
     • A sample of your most recent training materials and logs?

  24. Training Requirements
     Section 164.530 of the HIPAA Privacy Rule states:
     (b)(1) Standard: training. A covered entity must train all members of its work force on the policies and procedures with respect to PHI required by this subpart, as necessary and appropriate for the members of the work force to carry out their function within the covered entity.
     (b)(2) Implementation specifications: training. A covered entity must provide training as follows:
     • To each member of the covered entity's work force by no later than the compliance date for the covered entity;
     • To each new member of the work force within a reasonable period of time after the person joins the covered entity's work force;
     • To each member of the covered entity's work force whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
     • A covered entity must document that the training as described in paragraph (b)(2)(i) of this section

  25. Questions?
     • Roger Shindell, MS, CHPS, CISA; CEO, Carosh Compliance Solutions
     • www.Carosh.com
     • IowaCity@Carosh.com
     • (319) 471-4235
