TRANSCRIPT
4/26/2016
Healthicity HIPAA Manager
Presented by
Paul R. Hales, J.D.
HIPAA
Privacy and Security Breaches
10 Things To Know
HEALTHCON 2016
Orlando
April 11, 2016
April 11, 2016 HIPAA Breaches – 10 Things To Know presented by Paul R. Hales, J.D. 2
Lost medical records complicate Joplin hospital's tornado recovery
1. What is a Breach?
2. Locations and Types of PHI – Major Breaches
3. Penalties
4. Breach Prevention
5. Vital Importance of Risk Analysis
6. Cyber Crime – Intentional Human Threats
7. Unintentional Human Threats
8. Contingency Planning
9. Workforce Training
10. HIPAA Compliance Program
1. What is a Breach?
45 CFR §164.402
Breach means
the acquisition, access, use, or disclosure
of protected health information
in a manner not permitted by the Privacy Rule
which compromises the security or privacy of the protected health information.
1. What is a Breach?
compromises the security or privacy of the protected health information?
Breach is presumed unless
a low probability that protected health information has been compromised
based on a risk assessment of four factors
2. Locations and Types of PHI – Major Breaches
BREACH HIGHLIGHTS
OCR NIST 2015
September 2009 through August 28, 2015
• Approximately 1,310 reports involving a breach of PHI affecting 500 or more individuals
– Theft and Loss are 57% of large breaches
– Laptops and other portable storage devices account for 30% of large breaches
– Paper records are 22% of large breaches
• Approximately 179,000+ reports of breaches of PHI affecting fewer than 500 individuals
500+ Breaches by Location as of 8/28/2015
– Paper Records: 22%
– Laptop: 20%
– Network Server: 13%
– Desktop Computer: 12%
– Other: 11%
– Portable Electronic Device: 10%
– 8%
– EMR: 4%
500+ Breaches by Type of Breach as of 8/28/2015
– Theft: 48%
– Unauthorized Access/Disclosure: 21%
– Hacking/IT: 10%
– Loss: 9%
– Other: 8%
– Improper Disposal: 4%
– Unknown: 1%
78,800,000 Individuals
Breach Portal
“Wall of Shame”
March 13, 2015
3. Penalties
Civil
Criminal
4. Breach Prevention
Lessons Learned
HHS/OCR Enforcement Activities
HHS/OCR Resolution Agreements
HHS/OCR Guidance
Vital Importance of Risk Analysis
HHS HIPAA Pilot Audits – 2012
80% of Audited Providers Failed to Do A Risk Analysis
We found deficiencies among a wide variety of entities in risk analysis – one of the most fundamental privacy and security elements
conduct a thorough and complete risk analysis
take action based on the findings of that risk analysis
Vital Importance of Risk Analysis
Why have so many failed to do a Risk Analysis?
Vital Importance of Risk Analysis
We note that some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST). NIST, a federal agency, publishes freely available material in the public domain, including guidelines.[4]
[4] The 800 Series of Special Publications (SP) are available on the Office for Civil Rights’ website – specifically, SP 800-30 - Risk Management Guide for Information Technology Systems.
Vital Importance of Risk Analysis
SPECIAL PUBLICATIONS (800 SERIES)
Special Publications in the 800 series
(established in 1990) are of general interest
to the computer security community.
5. Cyber Criminals
78,800,000 Individuals
Breach Portal
“Wall of Shame”
March 13, 2015
7. Unintentional Human Threats
Patient Attraction
Patient Engagement
“All covered entities, including physical therapy providers, must
ensure that they have adequate policies and procedures to
obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form.”
Jocelyn Samuels
Director, Office for Civil Rights
Baby Pictures at the Doctor’s? Cute, Sure, but Illegal
Why Illegal?
No Valid HIPAA Authorization
8. Contingency Planning
9. Workforce Training
78,800,000 Individuals
Breach Portal
“Wall of Shame”
March 13, 2015
10. HIPAA Compliance Program
Culture of Compliance
Quality of Care
I will respect the privacy of my
patients, for their problems are not
disclosed to me that the world may
know.
Physician – Patient Privilege
Law of Evidence
Discussion
and
Questions