
HIPAA Privacy 2017 - What Should My Organization Be Doing?

Source: aclnys.org/wp-content/uploads/2017/05/15_HIPAA.pdf (2019-04-26)

Page 1

Presented by:

Melissa M. Zambri
80 State Street
Albany, New York 12207
(518) 429-4229 (Phone)
(518) 427-3463 (Fax)
[email protected]

Page 2: Agenda

• Introductions

• HIPAA Investigations – OCR Audits

• 2016 OCR Audit Tools

• Audit Issues to Consider

• Penalties

• Malware/Ransomware

• Questions

Page 3: HIPAA Investigations

• OCR enforces the HIPAA Privacy and Security Rules

• OCR investigates complaints and conducts compliance reviews.

– If OCR investigates a complaint, OCR will notify the person who filed the complaint and the covered entity named in the complaint.

– If the complaint includes facts that could violate the criminal provision of HIPAA, OCR may refer the case to the DOJ.

– OCR will try to resolve the case through:

• Voluntary compliance;

• Corrective action; and/or

• Resolution agreement.

– OCR may also impose civil money penalties if the covered entity does not resolve the matter in a satisfactory manner.

Page 4: HIPAA Investigation Flowchart

Page 5: Government Audits: Who Does OCR Interview?

• President, CEO or Director

• HIPAA Privacy Compliance Officer

• IT Director

• Security Officer

• Computer Hardware Specialist

• Person in Charge of Data Back-Up

• Person in Charge of Physical Security

• Human Resources Representative

• Director of Training

• Incident Response Team Leader

Page 6: OCR HIPAA Audits: Phase 1 & Phase 2

• Phase 1: (2011-2012): OCR implemented a pilot audit program and assessed 115 covered entities’ HIPAA compliance.

• Phase 2: Builds on Phase 1 with enhanced protocols and adds business entities to the audit program.

– OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

– Between 200 and 250 audits in total.

Page 7: OCR Audits Cont.

• When did Phase 2 start?

– Covered entities received notification letters on July 11, 2016; business associate audits are starting now.

• Who can be audited?

– Every covered entity and business associate may be audited.

• How will providers be selected?

– Covered entities and business associates were sent a request for contact information.

– Covered entities and business associates got a pre-audit questionnaire to assist OCR in creating a potential audit subject pool.

• Ignoring requests for this information is a bad idea.

– Auditees were selected through a random sampling process from the developed audit pool and notified of their participation.

Page 8: OCR Audits Cont.

• How does the audit program work?

– Common audit techniques employed

• Selected entities will be sent an email notification and will be asked to provide documents electronically.

• Auditors will review documentation and share draft findings with the entity.

– After receiving the draft report, auditees have 10 business days to send comments.

– Final audits will be completed 30 business days after the auditee’s response.

– Most of the audits will be desk audits.

• Covered entities and business associates

• These audits were expected to be completed by December 2016.

– A third set of audits may occur onsite, where a broader scope of HIPAA requirements will be examined.

• After the audit

– In the event of serious compliance issues, OCR may investigate further with a compliance review.

– OCR will not post a listing of audited entities or the findings in a way that identifies the audited entity, but OCR may be required to release certain material under the Freedom of Information Act (e.g., notification letters).

Page 9: What Covered Entities Should Do

• Consider internal audits.

– Security risk audit tool released March 2014.

• Document internal audit results and efforts towards compliance.

• Coordinate privacy and security staff, policies and procedures.

Remember: If OCR audits or investigates a covered entity, they will ask what steps were taken. Covered entities should do the easy stuff and document each step.

Page 10: OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements

Overview

• Selected Protocol Elements

– Privacy

– Security

– Breach Notification

Page 11: HIPAA Desk Audit Guidance: Privacy

• Notice of Privacy Practices Content Requirements

– Does the CE:

• Have a notice of privacy practices?

• Include in its notice a description of permitted uses and disclosures?

• Notify individuals of its legal duties with respect to their PHI?

• Provision of Notice – Electronic Notice

– Does a CE that maintains a website prominently post its notice?

– Does the CE implement a P&P, if any, to provide the notice electronically, consistent with the standard?

• Right to Access

– How does the CE enable the access rights of an individual?

Page 12: HIPAA Desk Audit Guidance: Security

• Security Management Process:

– Risk Analysis

• Does the entity (CE or BA) have a P&P in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains or transmits?

• Has the entity (CE or BA) conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?

– Risk Management

• Does the entity (CE or BA) have P&Ps in place regarding a risk management process sufficient to reduce risk and vulnerabilities to a reasonable and appropriate level?

• Has the entity (CE or BA) implemented security measures sufficient to reduce risk and vulnerabilities to a reasonable and appropriate level?

Page 13: HIPAA Desk Audit Guidance: Breach Notification

• Timeliness of Notification

– Were individuals notified of breaches within the required time period?

• Content of Notification

– Inquire of management whether the CE has used a standard template or form letter for notification to individuals for all breaches or for specific types of breaches.

• Does it include the required elements?

– Obtain and review a list of breaches.

Page 14: Privacy OCR Audit Protocols

• Privacy

– Confidential communications:

• How does the entity provide for and accommodate requests by individuals for confidential communications?

– Disclosures by whistleblowers:

• Are whistleblower policies and procedures consistent with the requirements of this performance criterion?

– Business associate contracts:

• Does the covered entity enter into business associate contracts as required?

• Do these contracts contain all required elements?

Page 15: Privacy OCR Audit Protocols Cont.

• Prohibited uses and disclosures

• Permitted uses and disclosures

• Personal representatives

• Requirements for group health plans

• Authorizations for uses and disclosures required

• Uses and Disclosures . . .

– E.g., the individual present, disaster relief purposes, required by law

Page 16: Security OCR Audit Protocols

• Security

– Facility Access Controls:

• Does the entity have policies and procedures in place regarding access to and use of facilities and equipment that house ePHI?

– Workstation Use:

• Obtain and review an inventory of the locations and types of workstations;

• Obtain and review documentation demonstrating workstation use policies and procedures implemented.

– Device and Media Controls – Data Backup and Storage Procedures:

• Does the entity create a retrievable, exact copy of ePHI when needed, before movement of equipment?

Page 17: Security OCR Audit Protocols Cont.

• Assigned Security Responsibility

• Workforce Security

• Information Access Management

• Security Awareness and Training

• Security Incident Procedures

• Contingency Plan

• Evaluation

• Business Associate Contracts and Other Arrangements

• Workstation Security

Page 18: Breach Notification OCR Audit Protocols

• Breach Notification

– Notice to Individuals:

• Does the covered entity have policies and procedures for notifying individuals of a breach of their protected health information?

– Methods of Notification:

• Does the covered entity have policies and procedures for notifying an individual, an individual's next of kin, or a personal representative of a breach?

• More Areas

– Administrative Requirements

– Training

– Complaints

– Sanctions

– Refraining from Retaliatory Acts

– Policies and Procedures

– Notice to Individuals

Page 19: HIPAA Desk Audit Guidance: Recommendations

• Review the document request list and question/answer for each protocol.

• Entities must only provide the specified documents, not compendiums of all P&Ps.

• Workforce members include employees, on-site contractors, students, and volunteers.

• If documents of implementation are not available, the entity must provide instances from equivalent previous time periods to complete the sample.

• Use the most up-to-date documents.

– Document requests refer to versions in use as of the date of the audit notification and document request, unless otherwise specified.

Page 20: Audit Issues to Consider

What I do when I conduct a HIPAA audit.

Page 21: Audit Issues To Consider – Security Management

• Risk Analysis (most recent)

– Formal or informal, documentation, criteria, periodic, know where information is?

– Inventory of all information systems, including network diagrams listing hardware and software used to store, transmit or maintain EPHI

– List of all Primary Domain Controllers (PDC) and servers

– Inventory log recording the owner and movement of media and devices that contain EPHI

• Risk Management Plan (addressing risks identified in the Risk Analysis)

– Consideration of security when purchasing software and equipment

• Audit Logs, Access Reports, Security Incident Tracking – formal or informal process, implementation, periodic updates

• Security Officer Job Description

Page 22: Audit Issues To Consider – Workforce Security

• Formal levels-of-access policy based on criteria, approval and communication, coordinated with job descriptions.

• Supervision of personnel – will ask for organizational chart.

• Do staff have the knowledge, skills and training necessary? Background checks and confidentiality agreements.

• Is there a policy on how access is granted?

• Termination of access – voluntary and involuntary; recover devices, deactivate access, timely done.

• Does the IT system have the capacity to set access controls? Are they utilized, and if not, why?

• List of individuals and contractors with access to EPHI, including copies of pertinent business associate agreements.

Page 23: Audit Issues To Consider – Security Awareness and Training

• Is training provided – what is included?

• OCR will ask for materials.

• Is staff trained on the vulnerabilities of malicious software?

• Can you show all staff received training?

• Is training updated periodically to coordinate with changes in technology?

Page 24: Audit Issues To Consider – Security Incident Procedures

• Policies on security incidents?

• Communicated to staff?

• Documentation and maintenance of records of security incidents?

• Could you show the documentation and records?

Page 25: Audit Issues To Consider – Contingency, Data Back-Up, Disaster Recovery Plans

• Does a formal contingency plan exist?

• Does a disaster recovery plan exist?

• Does a data back-up plan exist?

• Could operations continue in the event of an emergency?

• Are plans periodically tested and revised?

• Are preventive measures identified and addressed?

• Can you restore data?

• Do back-up copies exist?

Page 26: Audit Issues To Consider – Evaluation

• Internal or external evaluation of your security systems?

• If external consultants, qualifications?

• Remediation options and recommendations considered?

• Decisions documented?

• Reevaluated when systems/security changes?

Page 27: Audit Issues To Consider – Facility Access Control

• Formal controls on use of facility and equipment

• Prevention measures to safeguard against unauthorized physical access, tampering and theft

• How do you control access by staff, contractors, visitors and probationary employees?

• Is access addressed in the Disaster Recovery Plan? Emergency Operations Plan?

• Are repairs and modifications to physical components of the facility documented?

Page 28: Audit Issues To Consider – Workstation Use

• Are all workstations identified?

• Secure workstations - onsite, laptop, and home system usage

• Are allowable activities known?

• Unauthorized access prevented?

– Unattended workstations

– Limit view

– Dispose of information

• Inventory list exists, process for updating?

• Workstations in secure areas?

• Locked doors, cameras, security?

• System timeouts?

• Passwords?

Page 29: Audit Issues To Consider – Device and Media Controls

• How are hardware and software disposed of?

• How is EPHI disposed of? Media? Equipment? Do you know where all the information is?

• Could you prove disposal policies are being carried out?

• How is the movement of hardware and media tracked?

• How is it stored onsite?

• Offsite?

• Protection from elements?

• Removal of EPHI before reuse of media?

Page 30: Audit Issues To Consider – Access Controls

• Encryption – type, keys protected, ability to modify or create keys restricted, management of keys.

• Access needs of users considered (read only, modify, full access).

• How are IDs established and assigned?

• They will look at new hires to see what process they went through to get an access ID.

• Do you have generic or system IDs – how are these maintained and protected?

• Who has the ability to add, delete or modify user access?

• Systems reviewed on a periodic basis?

• Emergency policy?

• Automatic logoff?

• They will look at the list of terminated employees and job transfers to see how access was handled.
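An added example, not part of the presentation, of the reconciliation an auditor performs for the last bullet above and for the "termination of access" item on the Workforce Security slide: HR termination and transfer records are matched against the user-account list and every account that was not deactivated, was deactivated late, kept its old role after a transfer, or is a generic ID with no named owner becomes a finding. The records are constructed sample data and the one-day deactivation window (`grace_days`) is an assumed policy value, not one the presentation states.

```python
"""Reconcile HR separation/transfer records against the user-account list."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class HrEvent:
    user_id: str
    kind: str                        # "termination" or "transfer"
    effective: date                  # last day worked / first day in new role
    new_role: Optional[str] = None   # only meaningful for transfers


@dataclass
class Account:
    user_id: str
    role: str                        # access level currently assigned in the system
    enabled: bool
    disabled_on: Optional[date] = None
    owner: Optional[str] = None      # None => generic/system ID with no named owner


def reconcile(events, accounts, as_of, grace_days=1):
    """Return (user_id, finding, detail) tuples for the auditor's working papers.

    grace_days is an ASSUMED policy window: access must be removed within this
    many days of the termination date to count as "timely done".
    """
    by_id = {a.user_id: a for a in accounts}
    findings = []
    for ev in events:
        acct = by_id.get(ev.user_id)
        if acct is None:
            # Record it so the auditor can confirm the ID really never existed.
            findings.append((ev.user_id, "NO_ACCOUNT_ON_FILE", ev.kind))
            continue
        deadline = ev.effective + timedelta(days=grace_days)
        if ev.kind == "termination":
            if acct.enabled:
                overdue = (as_of - deadline).days
                findings.append((ev.user_id, "ACCESS_STILL_ENABLED",
                                 f"{overdue} day(s) past deadline {deadline}"))
            elif acct.disabled_on is None:
                findings.append((ev.user_id, "DISABLE_DATE_UNDOCUMENTED", ""))
            elif acct.disabled_on > deadline:
                late = (acct.disabled_on - deadline).days
                findings.append((ev.user_id, "LATE_DEACTIVATION",
                                 f"disabled {late} day(s) late"))
        elif ev.kind == "transfer":
            # Transfers: the slide compares access to current job function.
            if acct.enabled and acct.role != ev.new_role:
                findings.append((ev.user_id, "ROLE_NOT_UPDATED",
                                 f"has {acct.role}, job now {ev.new_role}"))
    # Generic/system IDs: an enabled ID with no named owner is a finding on its own.
    for acct in accounts:
        if acct.enabled and acct.owner is None:
            findings.append((acct.user_id, "UNOWNED_SHARED_ID", acct.role))
    return findings


# Constructed sample data (not real records).
AS_OF = date(2017, 5, 1)

SAMPLE_EVENTS = [
    HrEvent("jdoe", "termination", date(2017, 4, 10)),   # account still enabled
    HrEvent("asmith", "termination", date(2017, 4, 3)),  # disabled, but late
    HrEvent("bkim", "termination", date(2017, 4, 20)),   # disabled on time
    HrEvent("clee", "transfer", date(2017, 4, 17), new_role="billing-readonly"),
    HrEvent("ghost", "termination", date(2017, 3, 1)),   # no account on file
]

SAMPLE_ACCOUNTS = [
    Account("jdoe", "clinical-full", enabled=True, owner="J. Doe"),
    Account("asmith", "clinical-full", enabled=False,
            disabled_on=date(2017, 4, 12), owner="A. Smith"),
    Account("bkim", "billing-modify", enabled=False,
            disabled_on=date(2017, 4, 21), owner="B. Kim"),
    Account("clee", "clinical-full", enabled=True, owner="C. Lee"),
    Account("scanner01", "records-modify", enabled=True),   # generic ID, no owner
    Account("mwong", "clinical-readonly", enabled=True, owner="M. Wong"),
]

if __name__ == "__main__":
    for user, finding, detail in reconcile(SAMPLE_EVENTS, SAMPLE_ACCOUNTS, AS_OF):
        print(f"{user:10s} {finding:26s} {detail}")
```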

Page 31: Audit Issues To Consider – Audit Controls

• Audit controls in place?

• Upgrades needed?

• Communicated to workforce?

• Which systems and applications are audited?

Page 32: Audit Issues To Consider – Integrity / Person or Entity Authentication / Transmission Security

• Ensure policies exist so that access controls prevent improper alteration and destruction.

• Could you show that information was not altered improperly?

• How do your systems authenticate a user (password, smart card, biometric, combination)? Used appropriately? Tested and upgraded? Other methods considered?

• Formal policies?

• List of software used to manage and control access to the Internet

• Mechanisms to ensure integrity of data during transmission, including portable media transmission (e.g., laptops, cell phones, thumb drives)

Page 33: Audit Issues To Consider – Breach

• Formal policy – will review carefully

• Procedure to notify individuals

• Can request letters

• Will ask if there have been breaches where notification of media was required

• Will check notices to HHS OCR

• Will ask if a BA has ever informed you of a breach

• Will ask how one assesses whether information was compromised

Page 34: Audit Issues To Consider – Privacy

• Will ask how deceased individual information is handled

• Will ask about personal representatives

• Will review notice of privacy practices and inquire as to whether it was followed

• Will ask for whistleblower policies

• Will ask about process and policies for confidential communications

• Will review business associate agreement and ask about whether signed agreements exist

Page 35: Audit Issues To Consider – Privacy

• Will ask about consent and authorization policies

• Will ask for sample consents/authorizations used

• Will ask about policies regarding requests for information by friends and family and others involved in care when the person is present and not

• Will ask about responding to court orders and other litigation matters – may ask for samples

• Will ask about disclosures for public health activities – may ask for samples

• Will ask about disclosures related to child abuse

Page 36: Audit Issues To Consider – Privacy

• Will ask about disclosures to health oversight agencies – may ask for samples

• Will ask about disclosures to law enforcement – may ask for samples

• Will ask about disclosures regarding decedents – may ask for samples

• Will ask about disclosures for specialized government functions (correctional institutions, etc.) – may ask for samples

• May ask how workers’ compensation requests are handled

Page 37: Audit Issues To Consider – Privacy

• Will ask about minimum necessary and workforce access – will compare access to job functions

• Will ask about minimum necessary and disclosures of information

• Will look at any policies and procedures related to use of information in fundraising and whether policies are followed – will look at a disclosure of a list to the fundraising unit

• Will look at verification procedures and will ask about recent requests and how verification was performed

• Will ask for data use agreements if used

Page 38: Audit Issues To Consider – Privacy

• Will look at de-identification policies and practices

• Will look at Notice of Privacy Practices

• Will look at recent acknowledgements to see if dates correspond to first date of service

• Will look at how one can receive a Notice

• Will review website to see if Notice is posted

• Will look to see if records are maintained for six years

Page 39: Audit Issues To Consider – Privacy

• Will review policies on receiving communications by alternative means or at alternative locations – will ask for examples of requests made and accommodated

• Will review policies on requesting restrictions – will ask for examples of requests made and whether accommodated

• Will ask about access to individuals served

– Will ask about policies, forms

– Will ask for examples

– Will look at any fee charged

– Will look at timeliness

– Will look at any denials of access

Page 40: Audit Issues To Consider – Privacy

• Will look for policies on amendment

– Will look at requests

– Will look at timeliness of response

– Will look at denials

• Will look for policies on accounting

– Will look at procedures for requests

– Timeliness

– Documentation

Page 41: Audit Issues To Consider – Privacy

• Will look for training

– For everyone

– For new staff

• Will look for complaint policy

– Receipt, processing, documented

– Will review complaints made over a period of time and ask for documentation

– Will ask for resolution and proof of sanctions, including analysis of reasonableness

• Will look for written policies and procedures

Page 42: Audit Issues To Consider – Privacy

• Will look for reasonable safeguards

– Electronic, written, oral

• Is all PHI stored in locked file cabinets, desk drawers, or rooms to which only appropriate individuals have physical and administrative access?

• Are all files locked when employees leave the office premises?

• Do employees clear their desks of PHI when leaving their desks?

• How is mail handled?

• What are the procedures regarding the shredding of records?

• How are fax and copy machines secured to ensure that PHI is only viewable and retrievable by appropriate employees?

Page 43: Audit Issues To Consider – Privacy

– Are employees allowed to remove paper or electronic files containing PHI from the premises, laptops, etc.? Is a sign-out log used? Are there policies and procedures related thereto? Training on safeguarding?

– What steps have been taken to ensure that oral communications involving PHI cannot be inappropriately overheard?

– How are voice mail boxes secured from inappropriate access?

– Are offices locked during non-business hours? Are forms or documents containing PHI left after business hours placed in a locked box outside of the office or in a secure mail slot?

– Do individuals use portable devices to transmit or store protected health information? Are there policies regarding employee use of their own technology in this regard (home computer, phone)?

– Were the policies and procedures distributed to relevant staff? How are they available?

Page 44: Audit Issues To Consider – Privacy

• Will look for mitigation techniques

• Will look for non-intimidation and non-retaliation policies

Page 45: Audit Issues To Consider – EHR Fraud Vulnerabilities

• Copying and Pasting

– Checking for accuracy?

– Policies and training?

– Audit logs?

• False/Irrelevant Documentation

Page 46: Audit Issues To Consider – EHR Fraud Vulnerabilities

• Original documents should be maintained and modifications tracked as amendments.

• Auditors should have read-only rights.

• Do you know who prints or e-mails documents?

• Do you know who disables the audit log?

• What data is recorded? Date, time, user identification, access type (creating, editing, viewing data).

• Do you delete audit logs?

Page 47: Tiered Increase in Monetary Penalties

Did Not Know & Would Not Have Known with Reasonable Diligence:

– As low as $100 for each violation, up to $25,000 in a calendar year.

Reasonable Cause & No Willful Neglect:

– As low as $1,000 for each violation, up to $100,000 in a calendar year.

Willful Neglect:

– $10,000 for each violation, up to $250,000 in a calendar year.

Where No Correction:

– As high as $50,000 for each violation, up to $1,500,000 in a calendar year.

Page 48: Social Media: It is Everywhere

Page 49: Improper Social Media Posting

• Posting a medical record displaying a patient name

• Photo of a patient

• Posting identifiable patient information

• Comments about patients

– E.g., “Robert De Niro is here for a physical!”

Page 50: E-Mail

Security Rule: Secure electronic protected health information (“e-PHI”)

• Email NOT expressly prohibited for sending e-PHI

• Must implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access of e-PHI sent and received

• Encryption is addressable, but hard to argue it is not best practice

• The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected

Page 51: E-Mail Tips

• Musts:

– Double check email addresses

– Be careful of autofilled addresses

– Minimal amount of information necessary

• Other clients included

– Be careful of cc’s

– No PHI to personal email

– Use of personal phones

– Danger of pictures

– Encryption only as good as use.

Page 52:

E-Mail Tips

• Must you reply all? Beware of groups.

• Before forwarding, CHECK WHAT IS AT THE BOTTOM OF THE CHAIN!

• Write for publication.

• Should that be in writing?

• Don’t forward privileged communication too far.

Page 53:

HIPAA Developments

Affinity Health Plan—Photocopier Memory

• HIPAA Violation: Affinity Health Plan returned multiple photocopiers to leasing company without erasing confidential medical information contained on copier hard drives. CBS then purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

– Affinity estimated breach affected up to 344,579 individuals.

– Affinity filed a breach report with OCR.

• OCR Investigation Indicated Affinity:

– Impermissibly disclosed individuals’ PHI by failing to implement proper policies and procedures when returning the leased photocopiers.

– Failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its risks and vulnerabilities analysis required by the Security Rule.

• Penalty: Settled potential HIPAA violations for $1,215,780.

Page 54:

HIPAA Developments

WellPoint—Internet Accessible ePHI

• HIPAA Violation: WellPoint on-line application database left individuals’ electronic protected health information (ePHI) accessible to unauthorized users.

– WellPoint reported breach affected 612,402 individuals

• OCR Investigation Indicated WellPoint Did Not:

– Implement required Security Rule administrative and technical safeguards.

– Implement adequate policies and procedures for authorizing access to the on-line application database.

– Perform appropriate technical evaluations when upgrading information systems’ software.

– Have technical safeguards maintained in its application database necessary to verify the person or entity seeking access to ePHI.

• Penalty: Paid HHS $1.7 million.

Note: HIPAA-covered entities should take caution when implementing changes to information systems, especially when changes involve updating Web-based applications or portals used to provide consumer access to electronic health data.

Page 55:

HIPAA Developments

APDerm, P.C.—Stolen Thumb Drive

• HIPAA Violation: Adult & Pediatric Dermatology, P.C., of Concord, MA, reported to OCR after an unencrypted thumb drive containing electronic protected health information (ePHI) was stolen from an APDerm staff member’s vehicle.

– Stolen thumb drive contained the ePHI of approximately 2,200 individuals.

– The thumb drive was never recovered.

• OCR Investigation Indicated APDerm Did Not:

– Conduct an accurate or thorough analysis of potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.

– Comply with requirements of the Breach Notification Rule requiring written policies and procedures and training workforce members.

• Penalty: Settled potential HIPAA violations with OCR for $150,000.

Page 56:

HIPAA Developments

Skagit County, Washington—Public Website

• HIPAA Violation: Skagit County inadvertently moved electronic protected health information (ePHI), containing infectious disease testing and treatment records for 1,581 individuals, to a County-maintained publicly accessible server.

• OCR Investigation Indicated:

– General and widespread non-compliance.

– Skagit County violated:

» HIPAA Privacy Rules

» Security Rules

» Breach Notification Rules

• Penalty: Settled potential HIPAA violations for $215,000.

– Settlement included Skagit County commitment to work closely with HHS to correct HIPAA compliance deficiencies.

Page 57:

HIPAA Developments

Concentra Health Services—Stolen Laptop

• HIPAA Violation: Compliance review of Concentra Health Services (Concentra) after OCR received breach report that an unencrypted laptop was stolen from one of its facilities.

• OCR Investigation Indicated Concentra:

– Completed multiple risk analyses that revealed failing to encrypt laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) created a critical risk.

– Began steps to implement proper encryption, but efforts remained incomplete and inconsistent, leaving patient ePHI vulnerable throughout the organization.

– Maintained insufficient security management processes to safeguard patient information.

• Penalty: Settled potential HIPAA violations with OCR for $1,725,220.

– Settlement included Concentra agreement to adopt a corrective action plan to remedy non-compliance.

Page 58:

HIPAA Developments

More Stolen Laptops

• HIPAA Violation: The University of Mississippi Medical Center (UMMC) notified OCR of a breach after a password-protected laptop went missing. It was later concluded that the laptop was stolen by a visitor. The investigation revealed that an active directory, with 67,000 files, was accessible due to inadequate username/password safeguards.

• OCR Investigation Indicated UMMC Failed to:

– Implement proper physical safeguards at work stations.

– Assign unique user names.

– Notify the appropriate individuals after the breach.

– Manage risks and vulnerabilities to its systems.

– Implement policies and procedures to prevent, detect, contain and correct security violations.

• Penalty: Settled alleged HIPAA violations with OCR for $2,750,000.

– Required to adopt a corrective action plan to help ensure future HIPAA compliance.

Page 59:

HIPAA Developments

Stolen Laptop—Corrected Too Late

• HIPAA Violation: Unencrypted laptop computer was stolen from a workforce member’s car.

– Laptop contained the ePHI of 148 individuals.

– Following discovery of this breach, Provider encrypted all devices.

• OCR Investigation Indicated:

– Provider violated Security Rule despite immediate correction.

• Penalty: Settled potential HIPAA violations for $250,000.

– Settlement required Provider to:

• Provide HHS with an updated risk analysis and corresponding risk management plan including specific security measures to reduce the risks to and vulnerabilities of ePHI.

• Retrain workforce and document ongoing compliance efforts.

Page 60:

HIPAA Developments

NY Presbyterian Hosp. & Columbia Univ.—Shared Network . . .

• NYP & CU: New York Presbyterian Hospital (NYP) and Columbia University (CU) operate a shared data network and shared network firewall administered by employees of both entities.

– The shared network links to NYP patient information systems containing ePHI.

• HIPAA Violation: NYP and CU filed a joint breach report following the disclosure of ePHI including NYP patients’ status, vital signs, medications, and laboratory results.

– Breach made publicly accessible the ePHI of 6,800 NYP patients.

– Breach occurred when a CU physician who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.

– Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.

– NYP & CU learned of the breach after receiving a complaint when the surviving partner of a former NYP patient found his or her deceased partner’s ePHI on the internet.

Page 61:

. . . NY Presbyterian Hosp. & Columbia Univ.

• OCR Investigation Indicated:

– NYP & CU impermissibly disclosed NYP patients’ ePHI on the internet.

– Neither NYP nor CU made efforts prior to the breach to assure the server security or confirm the server contained appropriate software protections.

– Neither entity conducted accurate or thorough risk analyses identifying all the systems that access NYP patients’ ePHI.

– Neither entity developed adequate risk management plans addressing the potential threats and hazards to the security of ePHI.

– NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

• Penalty: NYP settled potential HIPAA violations with OCR for $3,300,000. CU settled potential HIPAA violations with OCR for $1,500,000.

– Both entities agreed to a substantive corrective action plan, including undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

Page 62:

HIPAA Developments

Parkview Health System

• OCR Investigation Indicated:

– Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.

– OCR received complaint from a retiring physician.

– Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

– Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.

– Parkview cooperated with OCR throughout its investigation.

• Penalty: $800,000.

– Corrective action plan to revise policies and procedures, train staff, and provide an implementation report to OCR.

Page 63:

HIPAA Developments

Employee Access to ePHI

• HIPAA Violation: Memorial Healthcare System (MHS) reported to OCR that employees impermissibly accessed and disclosed to affiliated physician office staff the PHI of 115,143 individuals. It was discovered that the login information of a former employee of an affiliated physician's office was used from April 2011 to April 2012, without detection. This affected 80,000 individuals, despite the existence of workforce access policies and procedures.

• OCR Investigation Indicated MHS Failed To:

– Implement procedures for reviewing, modifying and/or terminating users’ right of access.

– Review records of information system activity by workforce users and users at affiliated physician practices, even though previous risk analyses showed risk in these areas.

• Penalty: Settled potential HIPAA violations for $5.5 Million.

– Implement a corrective action plan.

– Agreed to complete a risk analysis and risk management plan.

– Revise policies and procedures.
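The MHS case turned on two gaps: a departed user's credentials stayed valid, and information system activity records were never reviewed against who should still have access. The following is an added example, not material from the presentation, showing the kind of activity review that surfaces this; the roster, usernames and log lines are constructed for illustration.

```python
"""Added example (not from the presentation): check information-system
activity records for use of accounts after their termination date, the
review that the MHS case lacked. All names, dates and log lines are
constructed for illustration."""
from datetime import date, datetime
from typing import Dict

# Constructed HR/offboarding roster: username -> last day of authorized access.
TERMINATED: Dict[str, date] = {
    "jdoe":   date(2011, 3, 31),   # left an affiliated practice; access never revoked
    "asmith": date(2011, 9, 15),
}

# Constructed activity-log lines: timestamp user system action detail
SAMPLE_LOG = """\
2011-04-02T08:14:09 jdoe EHR login OK
2011-04-02T08:15:40 jdoe EHR view_patient 12
2011-06-20T17:02:33 bjones EHR login OK
2011-09-16T07:55:01 asmith billing login OK
2012-03-30T22:10:44 jdoe EHR view_patient 340
2012-04-01T09:00:00 bjones EHR login OK
"""


def parse_line(line):
    """Split one log line into (timestamp, user, system, action, detail)."""
    ts, user, system, action, detail = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, system, action, detail


def review_activity(log_text, terminated, grace_days=0):
    """Return (timestamp, user, system, action) for every event recorded for a
    terminated account more than grace_days after its termination date.
    grace_days lets a reviewer tolerate offboarding lag; 0 tolerates none."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, system, action, _ = parse_line(raw)
        end = terminated.get(user)
        if end is None:
            continue                      # active account: not in scope here
        if (ts.date() - end).days > grace_days:
            findings.append((ts, user, system, action))
    return findings


def summarize(findings):
    """Per-user (event count, first seen, last seen), so the reviewer can see
    how long post-termination use went undetected."""
    out = {}
    for ts, user, _, _ in findings:
        cnt, first, last = out.get(user, (0, ts, ts))
        out[user] = (cnt + 1, min(first, ts), max(last, ts))
    return out


if __name__ == "__main__":
    for user, (cnt, first, last) in summarize(
            review_activity(SAMPLE_LOG, TERMINATED)).items():
        span = (last.date() - first.date()).days
        print(f"{user}: {cnt} events after termination, first {first.date()}, "
              f"last {last.date()} ({span} days undetected)")
```

In practice the roster comes from HR and the log from the EHR or identity system; the review is only as good as how promptly the roster is updated.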

Page 64:

HIPAA Developments

Report breaches in a timely fashion

• HIPAA Violation: Presence Health, one of the largest health care networks serving Illinois, failed to report a breach within time limits of the HIPAA Breach Notification Rule. After discovering missing paper-based documentation, Presence Health failed to notify each of the 836 individuals affected by the breach within the 60 days, as required by law.

• OCR Investigation Indicated:

– The breach occurred on October 22, 2013 and Presence sent a breach notification to OCR on January 31, 2014.

– Presence Health failed to notify affected individuals, prominent media outlets, and OCR without unreasonable delay.

• Penalty: Presence Health agreed to settle potential HIPAA violations by paying $475,000.

– Presence Health was also required to implement a corrective action plan.

– This is the first HIPAA enforcement action for lack of timely breach notification.

Page 65:

Other HIPAA Developments

• CVS and Rite Aid—Pay Millions for Failure to Dispose of Information Properly

• Cignet Health—Civil Monetary Penalty of $4.3 Million for Failure to Provide Access to Patient Records and Failure to Cooperate with Investigation

• Mass. General—Pays $1,000,000 for PHI Left on Subway

• Alaska Medicaid—$1,700,000 to Settle Possible Violations of Security Rule

• Massachusetts Eye and Ear Infirmary & Associates Inc.—$1.5 Million to Settle Potential Violations of Security Rule

• The Hospice of North Idaho—$50,000 to Settle Potential Violations of the Security Rule.

– Involved Unencrypted Laptop Computer Containing the ePHI of 441 Patients.

– Laptops Containing ePHI Were Regularly Used by the Organization as Part of Their Field Work.

• Home Care Provider—settled related to employee bringing information home and its inappropriate viewing

Page 66:

Malware: OCR and HHS Guidance

Page 67:

Beware of Malware: OCR Investigation

• HIPAA Violation: The University of Massachusetts Amherst (UMass) reported a breach to the OCR when a workstation in its Center for Language, Speech, and Hearing (“Center”) was infected with a malware program. The malware caused the disclosure of 1,670 individuals’ ePHI.

• OCR Investigation Indicated UMass Failed to:

– Designate the Center as a health care component.

– Implement policies and procedures at the Center to ensure HIPAA compliance.

– Provide technical security measures at the Center, such as a firewall.

• Penalty: UMass agreed to settle potential HIPAA violations by paying $650,000.

– UMass was also required to implement a corrective action plan.

– The corrective action plan required a comprehensive and thorough risk analysis, as well as a review of policies and procedures.

Page 68:

Malware – Ransomware: Overview

• What is it?

– Ransomware is a type of malicious software that attempts to deny access to a user’s data until a ransom is paid.

• How to prevent it?

– Backups

– Risk analysis

– Staff training

– Incident response

– Penetration testing

» Hacking into your own system to test security

• How to respond?

– Implement a security incident response.

– Have a business continuity plan.

– Contact law enforcement immediately:

» Local FBI field office

» Secret Service, Electronic Crimes Task Force

– Paying the ransom is NOT encouraged.

» Paying does not guarantee an organization will regain access to their data.

» Victims can be targeted again or asked to pay more money.

» Paying can inadvertently encourage the use of ransomware.

Page 69:

Malware – Ransomware: Prevention

Be Prepared: Follow the HIPAA Security Rule

• Implement security measures

– Security management process

» Conduct risk analyses

• Identify threats and vulnerabilities

» Implement procedures to guard against and detect malicious software

» Train users on detecting and reporting malicious software

» Use access controls to limit access to ePHI

• Have contingency plans

– Maintain frequent backups

» Consider offline backups

– Be able to recover data from backups

– Disaster and emergency plans

• Security incident procedures should include a plan for ransomware attacks

– E.g., isolate infected computer systems

Page 70:

Malware – Ransomware: Response

Responding to a ransomware attack: make a fact-specific determination.

• Is it a security incident?

• Was there a breach of PHI?

Page 71:

Malware – Ransomware: Response Cont.

• What if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA? Is this a reportable breach?

– Again, this requires a fact-specific determination.

» A breach notification may not be required if the ePHI is encrypted in a manner consistent with HHS guidance.

» This may require an additional analysis to ensure that the encryption by the entity has rendered the affected PHI unreadable, unusable and indecipherable to unauthorized persons.

Page 72:

Most Common Calls

• Lost laptop, etc.

• Items stolen from car.

• Employee or ex-employee divulging

information to those outside provider.

• Curiosity looks.

• Misfired e-mail or wrong mail.

• No shredding or incinerating.

• Encryption debate.

Page 73:

What To Do Now

• Go over your notes from today.

• Consider an internal audit with relevant staff.

• Perform an unannounced walkthrough of the Agency’s sites.

• Document it and your efforts.

• Make small changes.

• If OCR comes, remember, they will ask what you did.

Page 74:

Thank you for your time.

Questions?