
Privacy and Security Risks to Rural Hospitals

Privacy and Security Risks to Rural Hospitals. John Hoyt, Partner. December 6, 2013.
Protecting Personal Health Information:
• HIPAA Privacy (and Security) Rule – 45 CFR 164
• Meaningful Use – tied to the HIPAA Security Rule and requires a security risk assessment


Presentation Transcript


  1. Privacy and Security Risks to Rural Hospitals
     John Hoyt, Partner
     December 6, 2013

  2. Protecting Personal Health Information
     • HIPAA Privacy (and Security) Rule – 45 CFR 164
     • Meaningful Use – tied to the HIPAA Security Rule and requires a security risk assessment
     • Minimal enforcement so far, BUT increasing audits in 2014

     “Trust is critical to building a secure electronic health infrastructure. Now more than ever consumer confidence in the privacy and security of health information is paramount as we undergo this transformation in the way in which we do the business of healthcare.”

     “Data security and patient privacy are not compliance issues, they are patient care responsibilities.”

     – Leon Rodriguez, JD, Director of the HHS Office for Civil Rights

  3. HIPAA Audit Findings
     • Initial HIPAA Privacy and Security audits returned findings or observations on 89% of entities
     • HHS/OCR has enforced 20,359 corrections upon covered entities since 2003
     • Over $15 million in civil penalties (since 2008)
     • Forced implementation of new policies and practices
     • Last year’s investigations led to corrective action 77% of the time
       • A 10% increase from the previous year
     • The new Omnibus Final Rule adopts higher standards, increased CMP (civil money penalty) amounts and tiered levels of culpability
     • All business associates and subcontractors must comply with the HITECH rules and are directly liable for violations

  4. Major Areas of Concern
     • Security Rule
       • Security accounted for 60% of findings in initial audits
       • 58 of 59 providers had at least one security finding or observation
       • No complete and accurate risk assessment in two thirds of entities
     • Privacy Rule
       • Improper uses and disclosures of PHI – nearly half of Privacy findings
       • Updates to Privacy Protection of PHI require significant changes to EHR systems
       • Outdated Notice of Privacy Practices does not comply with new rule requirements
     • Breach Notification Rule
       • Over 64,500 reports since Sept. 2009 – theft, unauthorized access/disclosure, loss
       • Theft accounted for over half of major security breaches (over 500 individuals affected)
       • No incident response plan implemented to contain/minimize a breach of PHI
       • Transition to an “automatic presumption” of breach – greater burden on covered entities to prove a low probability of compromise

  5. Arizona Rural Providers
     Observations:
     • HIPAA is complex and there is a lot to know
     • Understanding the roles and responsibilities of Privacy and Security Officers
     • Business Associate Agreements – risk of breach
     • Documentation – or a lack of it
     • PHI is still out there in work areas – beware of paper!
     • Beware of data on devices!
       • Monitors/screens
       • PDAs, laptops
       • Faxes/copiers
     Actions:
     • HIPAA “team”
     • HIPAA education and training
     • Business Associate Agreements (new) for everyone
     • HIPAA documentation – policies and procedures are a must
     • Implement a “clean desk policy”
     • Implement a shredding process
     • ENCRYPT data on all devices

  6. Risk Analysis Guidance
     • Performed in accordance with the methodology described in the National Institute of Standards and Technology (NIST) guideline SP 800-30, and should include the following steps:
       • System Characterization
       • Threat Identification
       • Vulnerability Identification
       • Control Analysis
       • Likelihood Determination
       • Impact Analysis
       • Risk Determination
       • Control Recommendations
       • Results Documentation
     • The complexity of the facility and the number of systems implemented will influence the amount of time required to complete the analysis
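The slide lists the SP 800-30 steps but does not show them carried out. The example below, added here and not taken from the presentation or from InTech Health Ventures, walks a constructed inventory for a hypothetical rural hospital through every step, from system characterization to the results document an auditor asks for. All system names, threats, ratings, the 50-record cut-off and the qualitative risk matrix are assumptions made for illustration; the 500-individual threshold is the Breach Notification Rule's reporting cut-off mentioned on slide 4.

```python
# Added example, not from the presentation: a minimal security risk analysis
# that walks the NIST SP 800-30 steps over a constructed inventory for a
# hypothetical rural hospital. Every system, threat and rating below is an
# assumption made up for illustration, not a real finding.
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


def impact_from_records(phi_records: int) -> str:
    """Impact analysis: rate by how many individuals' PHI the system holds.
    500 is the Breach Notification Rule threshold above which a breach must be
    reported promptly to HHS and the media; it is used here as the cut-off for
    High impact. The 50-record cut-off is an assumption."""
    if phi_records >= 500:
        return "High"
    if phi_records >= 50:
        return "Moderate"
    return "Low"


def risk_level(likelihood: str, impact: str) -> str:
    """Risk determination: qualitative likelihood x impact matrix (assumed scale)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


@dataclass
class Threat:
    source: str            # threat identification
    vulnerability: str     # vulnerability identification
    controls: List[str]    # control analysis: what is already in place
    likelihood: str        # likelihood determination, given those controls
    recommendation: str    # control recommendation
    impact: str = ""       # optional override of the record-count rating


@dataclass
class System:
    name: str              # system characterization
    phi_records: int
    threats: List[Threat] = field(default_factory=list)


def analyze(systems: List[System]) -> List[Dict[str, str]]:
    """Apply the steps to every system/threat pair; return findings, highest risk first."""
    findings = []
    for system in systems:
        for t in system.threats:
            impact = t.impact or impact_from_records(system.phi_records)
            findings.append({
                "system": system.name,
                "threat": t.source,
                "vulnerability": t.vulnerability,
                "controls": ", ".join(t.controls) or "none",
                "likelihood": t.likelihood,
                "impact": impact,
                "risk": risk_level(t.likelihood, impact),
                "recommendation": t.recommendation,
            })
    findings.sort(key=lambda f: LEVELS[f["risk"]], reverse=True)  # stable sort
    return findings


def results_document(findings: List[Dict[str, str]]) -> str:
    """Results documentation: a plain-text risk register, one line per finding."""
    lines = ["Risk | System | Threat: vulnerability | Existing controls | Recommendation"]
    for f in findings:
        lines.append(f"{f['risk']:<8} | {f['system']} | {f['threat']}: {f['vulnerability']} "
                     f"| {f['controls']} | {f['recommendation']}")
    return "\n".join(lines)


# Constructed inventory (assumption, for illustration only).
INVENTORY = [
    System("EHR database server", 12_000, [
        Threat("Workforce insider", "shared generic login, no quarterly access review",
               ["role-based access"], "Moderate",
               "unique user IDs, quarterly access review, audit-log review"),
        Threat("External attacker", "portal web server patched only annually",
               ["perimeter firewall"], "Low",
               "monthly patch cycle and vulnerability scan"),
    ]),
    System("Nursing laptops (6 units, cached charts)", 800, [
        Threat("Theft or loss", "full-disk encryption not enabled",
               ["cable locks"], "High",
               "enable full-disk encryption; properly encrypted PHI is not "
               "'unsecured PHI' under the Breach Notification Rule"),
    ]),
    System("Billing fax machine", 20, [
        Threat("Misdirected fax", "no recipient-number verification step",
               ["fax transmission log"], "Moderate",
               "confirm the number before sending; shred misdirected copies"),
    ]),
]

if __name__ == "__main__":
    print(results_document(analyze(INVENTORY)))
```

The unencrypted laptops and the shared EHR login come out as the two High findings, which matches the ordering of the presenter's own actions list: encrypt everything, then fix identity and access. The register string is the artifact to file as the documented risk analysis required by 45 CFR 164.308(a)(1).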

  7. Security Risk Assessment

  8. Summary
     • Understand HIPAA scope and breadth – educate, train, and share responsibility – www.healthit.gov
     • HIPAA Security Rule – 45 CFR 164.308(a)(1) – perform a Security Risk Assessment – know your challenges!
     • Document, Document, Document, ….
     • Encryption!!!!!!
     • Recognize that patient privacy and data security are compliance oriented – BUT focus on HIPAA as a patient care and customer service strategy

  9. Discussion – Questions
     • Questions?
     • John Hoyt
     • Partner, InTech Health Ventures
     • Jhoyt@Intechhv.com
     • 520-867-8530
     Thank you!!
