Headline News: Anatomy of a VIP Records Breach Executive Series Webinar September 24, 2014 Watch the Replay


TRANSCRIPT

Page 1: Headline News: Anatomy of a VIP Records Breach · Headline News: Anatomy of a VIP Records Breach Executive Series Webinar September 24, 2014 ... Anatomy of a VIP Records Breach Kim

Headline News: Anatomy of a VIP Records Breach

Executive Series Webinar

September 24, 2014

Watch the Replay

Page 2

Today’s Panel

Kim Roberts, MS, RHIA, CHP

• Privacy Specialist

• Sparrow Health System

[email protected]

Kurt Long

• Founder

• FairWarning, Inc.

[email protected]

Mike Nessen

• Customer Community Manager

• FairWarning, Inc.

[email protected]

Page 3

Agenda

• Sparrow Health System Introduction
• VIP Records Breach Scenario
• Corrective Action Plan
• Lessons Learned
• Escalating Threats to Data
  – Patient
  – Employee
  – Physician
• Industry News: OCR Audit Update
• Next Steps
• Q&A

Page 4

Anatomy of a VIP Records Breach

Kim Roberts, MS, RHIA, CHP

Page 5

Background Information

» Location and Background

» Visit from a VIP Government Official

» State of Michigan Inquiry

» OCR Letter of Inquiry

Page 6

Sequence of Events

1) VIP admitted using an alias
2) VIP stay released to the media by the VIP's staff
3) VIP discharged (four-day stay)
4) CPO & CISO meeting re: access audit plan
5) Full audit of the VIP's records in all systems
6) Department Directors review the access of identified staff
7) Human Resources notified of inappropriate access
8) Human Resources investigation
9) Sanctions imposed
10) Hospital issued a news release re: disciplinary actions taken for privacy policy violations

Page 7

OCR and State Inquiries & Responses

OCR Inquiry
» Inquiry received (3 weeks)
» Response sent
» OCR response: formally closed (7 months)

State Inquiry
» Inquiry received (1 week)
» Response to the State of
» Second formal response and meeting
» Closed with follow-up actions (6 months)

Page 8

OCR Questions

» Did caregivers impermissibly access medical records as alleged?

» If the impermissible access occurred, when did it occur?

» How did Sparrow discover the alleged occurrences?

» What did Sparrow do as a result of its findings?

Page 9

Response to the Event

» Position Statement

» Actions Taken to Monitor and Investigate

» Corrective Action Plans Outcome Objectives

» Corrective Action Plan Monitoring

Page 10

Position Statement

» Chronological Statement of Events

» List Events surrounding the Breach

  » Dates of Admission

  » Alias Name Identification

» Actions Taken to Monitor the Investigation

  » Routine Manual Review of Access Logs

Page 11

Manual Review of Access Logs

» Prior to Implementing FairWarning®

Concurrent Access Audit Plan

» Manual Review of Audit Files – twice daily

» Concurrent monitoring of email communications based on name and title

Retrospective Access Audit Post Discharge

» Review of 281 caregivers

» 50 to 60 hours reviewing the MR (medical record) against the Access Logs

Page 12

VIP Review Workflow

» Email notifications were sent to the Directors, who assessed each caregiver's access as one of:

  » Access to the account or record necessary to do their job

  » More than the minimum necessary

  » Inappropriate review for the role

Page 13

Dear Colleague:

There was a recent visit of a high profile individual in the ________ and the individual had a subsequent _________. A high-level review was conducted by correlating caregiver access results to the medical record. A more detailed assessment is needed to determine appropriate access for individuals under your purview. If you determine that access is inappropriate, please contact LCR to assist in the disciplinary investigation.

Audit results concerning caregiver(s) working in your area are attached for your review and are highlighted. Please complete a User Access Form for each caregiver and return the form electronically to me at:

Please complete your review within 1 week of the date of this e-mail.

Please consider the following questions as you review:

1) Did the individual access only those accounts or records necessary to do his/her job?

2) Did the individual access only the information contained in the account or record needed to do his/her job (Minimum Necessary)?

3) Was the access appropriate? If so, indicate the reason for access.

Please contact me if I can answer questions or offer assistance.

Page 14

Page 15

Corrective Actions Outcome Objectives: Sanctions Applied

» 31 Caregivers were referred to the Department Directors

» 21 Caregivers were Sanctioned

  » 17 Caregivers were Terminated

  » 5 were Suspended and given a Level 3 Discipline

Page 16

Corrective Actions Outcome Objectives

» Action Plan – Alias Name

» Policy Review for VIPs

» Overview of all Privacy Training

» Remedial Training via E-mail

  » 10 privacy reminders

Page 17

Corrective Actions Outcome Objectives: Communications

» Response to the Media

» Response to Caregivers regarding Sanctions

» Sent Privacy Email Reminders as Training to Caregivers

» News Release pertaining to Disciplinary Action

» Used focus of public attention on policies as an opportunity

Page 18

Corrective Actions Outcome Objectives: Communications

» Email to the Board of Directors

  » Informing them of the Detroit Free Press inquiry and the anticipated news article

» Conducted a Privacy Summit

  » Learning and Planning Objectives

Page 19

Corrective Actions Outcome Objectives: Compliance Actions and Follow Up

Centralized Electronic Access Monitoring and Reporting

» Description: System Selection, Purchase Decision and Implementation Timeline

» Description: Proactive alerts on our designated VIPs

  » Examples: access to a VIP's record, or user access to the record of a patient who has requested Total Privacy – average of 800 per month

» Audit Plan to review 8 patients per month

Page 20

Corrective Action Plan Monitoring

» The results of the corrective action plan will be monitored in the following ways:

» Using the FairWarning® System to conduct routine, random reviews of employee access to patient records under the following circumstances:

  » Patient is a high profile individual (VIP) known to many

  » Caregiver access of the record of a patient with a surname similar to that of the caregiver

  » Access of his/her own record

  » Patient has requested Total Privacy upon registration for services

  » Random review of patient discharges by application
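The monitoring circumstances listed above, together with the alias problem from the sequence of events (the VIP was registered under an alias, so an audit keyed on the real name alone misses the alias record) and the per-caregiver grouping the Directors received in the review email, can be expressed as rules run over an access-log extract. The Python below is an added example written for this page; it is not FairWarning code and not Sparrow's audit tooling. The log columns, the patient and user tables, the alias_of link, the own_record field and the exact surname comparison are all assumptions, and the five sample events are constructed.

```python
import csv
import io
import random
from collections import defaultdict

# Constructed sample data (assumptions for this example; not FairWarning's
# schema and not Sparrow's logs). "alias_of" links an alias registration to
# the real patient record so that an audit of the VIP covers both identities.
PATIENTS = {
    "p100": {"surname": "Doe",    "vip": True,  "total_privacy": False, "alias_of": None},
    "p101": {"surname": "Smith",  "vip": False, "total_privacy": False, "alias_of": "p100"},
    "p200": {"surname": "Nguyen", "vip": False, "total_privacy": True,  "alias_of": None},
    "p300": {"surname": "Garcia", "vip": False, "total_privacy": False, "alias_of": None},
    "p301": {"surname": "Brown",  "vip": False, "total_privacy": False, "alias_of": None},
}
# "own_record" is the employee's own patient record, if the employee is also a patient.
USERS = {
    "u1": {"surname": "Garcia", "own_record": "p300"},
    "u2": {"surname": "Lee",    "own_record": None},
    "u3": {"surname": "brown",  "own_record": None},
}
# Constructed EHR access-log extract: who opened which record, and when.
ACCESS_LOG = """\
ts,user_id,patient_id,action
2014-05-01T08:02:00,u2,p101,VIEW
2014-05-01T08:05:00,u1,p300,VIEW
2014-05-01T09:10:00,u3,p301,VIEW
2014-05-01T10:00:00,u2,p200,VIEW
2014-05-01T11:30:00,u1,p301,VIEW
"""


def parse_log(text):
    """Parse the CSV access log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def canonical_patient(patient_id, patients):
    """Follow alias_of links so an alias registration resolves to the real record."""
    seen = set()
    while patients[patient_id]["alias_of"] and patient_id not in seen:
        seen.add(patient_id)
        patient_id = patients[patient_id]["alias_of"]
    return patient_id


def audit(events, patients=PATIENTS, users=USERS):
    """Apply the monitoring triggers to each access event.

    Returns (rule, user_id, patient_id, ts) tuples. One event may trip several
    rules; each is reported so the reviewing director sees all of them.
    """
    findings = []
    for e in events:
        uid, pid, ts = e["user_id"], e["patient_id"], e["ts"]
        user = users[uid]
        real = canonical_patient(pid, patients)
        p = patients[real]
        if p["vip"]:                      # VIP record, even when opened via the alias
            findings.append(("VIP_RECORD", uid, pid, ts))
        if p["total_privacy"]:            # patient asked for Total Privacy at registration
            findings.append(("TOTAL_PRIVACY", uid, pid, ts))
        if user["own_record"] in (pid, real):
            findings.append(("SELF_ACCESS", uid, pid, ts))
        elif user["surname"].casefold() == p["surname"].casefold():
            # Same surname as the patient but not the user's own record: the
            # family-member lookup pattern. Exact match is an assumption; a
            # production rule would use a fuzzier comparison.
            findings.append(("SURNAME_MATCH", uid, pid, ts))
    return findings


def random_review(events, n, seed=0):
    """Pick n distinct accessed patient records for an unprompted random review."""
    ids = sorted({e["patient_id"] for e in events})
    return sorted(random.Random(seed).sample(ids, min(n, len(ids))))


def findings_by_user(findings):
    """Group findings per user, the unit a department director reviews."""
    grouped = defaultdict(list)
    for rule, uid, pid, ts in findings:
        grouped[uid].append((rule, pid, ts))
    return dict(grouped)


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for uid, items in sorted(findings_by_user(audit(events)).items()):
        print(uid, items)
    print("random review sample:", random_review(events, 2, seed=7))
```

The alias resolution is the part worth noting: the access to p101 is flagged as a VIP record only because the rule resolves the alias to p100 first, which is the gap a name-keyed manual review would have. The random sample is seeded so that a review batch can be reproduced for the compliance file; the seed is not a security control.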

Page 21

Corrective Action Plan Monitoring continued

» Evidence of Privacy related training:

» Orientation training rosters

» Completion of annual Privacy Test

» HIPAA Privacy Complaint Investigation Process

» Reporting Structure

Page 22

Lessons Learned

» Sent Privacy Email Reminders as Training

» Proficiency training to include acknowledgement of the requirement to report any alleged violations

» Audit Plan equaled 1% of Total Privacy Patients (including VIPs)

» Final Audit Plan: 22% of 8,000 Total Users

Page 23

[Chart: Audit Totals by System (titled "July Audit Totals by System" and "2009 Audit Totals by System"). X axis: System Audited (Tsystem, Impax, OB tracevue, Dolbey, Horizon, IRHIS, Syngo, Star). Y axis: Number of Audits, 0 to 700. Series: Self-exams, Random Audits.]

Page 24

Escalating Threats to Patient, Employee & Physician Data

[Timeline chart, Pre-2010 through 2014, of escalating threats:]

• Lost laptops, media, paper records
• Patient Complaints
• Snooping
• Medical & Financial ID Theft
• IRS Tax Fraud
• Sale of Patient Data to Crime Rings
• Sale of Physician Data to Crime Rings
• Sale of Employee Data to Crime Rings

• 45% of all identity theft relates back to the Healthcare Industry
  Source: ID Theft Center, July 15, 2014, http://www.idtheftcenter.org/id-theft/data-breaches.html

• 60 Minutes Report: Biggest IRS Scam Around: Identity
  Source: http://www.cbsnews.com/news/irs-scam-identity-tax-refund-fraud-60-minutes/

Page 25

Scaling a Criminal Enterprise

• Organized Crime: Taking advantage of healthcare vulnerabilities
• IRS Tax Fraud
• Financial Identity Theft

Page 26

Healthcare Fraud and Organized Crime

• HHS OIG Fraud Fugitive List, estimated $100B of fraud per year
  – 25% use Identity Theft of Patients, Physicians in Fraud Operations
  – OIG Fugitive Profiles at hhs.oig.gov, http://goo.gl/FYgWk1
  – Stolen identity with insurance info: $20; credit card info: $1-2 (Dell SecureWorks), http://tinyurl.com/khq2yex

• IRS Tax Fraud – Identity Theft is #1 of the “Dirty Dozen”
  – Dirty Dozen Tax Scams, irs.gov, http://goo.gl/lyHf7m
  – Healthcare-specific alerts, irs.gov, http://goo.gl/PQiIVV

Page 27

In The News - Today

HIPAA Audits: A Revised Game Plan (More On-site Audits Planned, But All Audits on Hold for Now)
http://www.careersinfosecurity.com/hipaa-audits-revised-game-plan-a-7296

What it means to you:
• Anticipate more comprehensive on-site audits
• Take advantage of the delay by closing gaps
• Customers tell us that FairWarning® streamlines your preparation

Page 28

In The News - Today

Meaningful Use Auditors Retract $900K: Hospital fails to perform mandatory HIPAA Risk Assessment
http://ehrintelligence.com/2014/09/19/meaningful-use-audit-leaves-arkansas-hospital-owing-900000/

What it means to you:
• Meaningful Use funds are at risk
• Zero-tolerance policy for failing to document your security risk assessment
• This is a clear opportunity to improve your own information security risk posture, but the window is closing

Page 29

OCR HIPAA Audit Findings: Security Area

[Chart: Total Audit Findings and Observations by Area of Focus and Entity Type; areas of focus shown: Contingency Planning & Backups, Access Management, Audit Controls & Monitoring]

Source: Lessons Learned from OCR Privacy and Security Audits: Program Overview & Initial Analysis, presentation to the IAPP Global Privacy Summit, March 7, 2013, http://abouthipaa.com/wp-content/uploads/Lessons-Learned-from-OCR-Privacy-and-Security-Audits-Sanches_Rinker_03-07-2013.pdf

Page 30

Escalating Expertise Required

Pre-2009 (HITECH)
• Global Investigations

2013/2014 (Post-HIPAA Omnibus)
• Security Incident Management
• Advanced Analytics, Filtering
• Proactive Alerts
• Global Investigations

Expertise Gap
- Removal of Harm Standard
- New Reporting & Notification Requirements
• Partial FTE
• Security, Forensics & Compliance Expertise
• OCR Audit Experience
• Clinical Data & Workflow Expertise
• Investigations & Security Skills

Page 31

Collaboration for Patients’ Sake

FairWarning® and our customers envision a healthcare industry in which patients confidently share their sensitive medical details to receive the best care possible without regard to privacy concerns.

Page 32

Next Steps

• ONC Security Risk Assessment Tool
• For more information, please email [email protected]
• Managed Privacy Services Advanced Demonstration, October 28, 2014: Register Now
• Are You Ready for Round Two (of HIPAA Compliance Audits)?
  http://www.natlawreview.com/article/are-you-ready-round-two-hipaa-compliance-audits
• A PDF copy of this presentation and the embedded links will be distributed after the event

Page 33

Questions?

Please submit via the Webex Q&A or Chat windows to the right side of your screen

Page 34

Questions and Answers

Kim Roberts, MS, RHIA, CHP

• Privacy Specialist

• Sparrow Health System

[email protected]

Kurt Long

• Founder

• FairWarning, Inc.

[email protected]

Mike Nessen

• Customer Community Manager

• FairWarning, Inc.

[email protected]