HIPAA Security 2019
Dr. Jose I. Delgado
Introduction
This presentation covers:
• HIPAA’s Importance – beyond the regulation
• What is HIPAA
• HIPAA Security Key Components
• Cybersecurity
• Lessons Learned
• Recommendations
Disclaimer
This information is not intended to be legal advice
and does not intend to create an attorney-client
relationship. The information hereby presented is for
educational purposes only.
Objectives
Understand:
• Basics of HIPAA Security
• Cybersecurity threats in 2019
• Remediation actions and recommended steps
Perspective on the Law
Practicing without a license
• Jail or prison.
  • Misdemeanor: maximum jail sentence of up to one year.
  • Felony offenses: eight years or more in a state prison.
• Fines.
  • Misdemeanor fines normally do not exceed $1,000.
  • Felony fines exceed $10,000.
Perspective on the Law
HIPAA Security Violation
• Civil Violations
  • $100 to $50,000 per violation (or per record)
  • Maximum penalty of $1.5 million per year for each type of violation
• Criminal Violations
  • "Knowingly" obtaining or disclosing PHI: fine of up to $50,000 and imprisonment of up to 1 year.
  • Offenses committed under false pretenses: fine of up to $100,000 and up to 5 years in prison.
  • Offenses committed with the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm: fine of up to $250,000 and imprisonment of up to 10 years.
State Attorneys General
American Recovery and Reinvestment Act of 2009
• The Health Information Technology for Economic and Clinical Health (HITECH) Act gave State Attorneys General the authority to bring civil actions on behalf of state residents for HIPAA violations.
The HITECH Act permits State Attorneys General to:
• Obtain damages on behalf of state residents
• Enjoin further violations of the HIPAA Privacy and Security Rules.
OCR developed HIPAA Enforcement Training for State Attorneys General designed to:
• Teach how to use their new authority to enforce HIPAA
• Aid in investigating and seeking damages for HIPAA violations
Violations and Outcomes
• Who: Insurance company, Triple-S (Puerto Rico)
• What/Why: Widespread non-compliance
  • Failure to implement Administrative, Physical, and Technical safeguards
  • Lack of appropriate Business Associate Agreements
  • Failure to conduct an accurate and thorough Risk Analysis
• Settlement: $3.5 Million
• Corrective Action Plan:
  • Conduct a Risk Analysis and implement a Risk Management Plan
  • Implement a process for evaluating environmental and operational changes
  • Distribution and updating of Policies and Procedures
  • Training
Violations and Outcomes
• Who: Raleigh Orthopedic (North Carolina)
• What: Breach report, 17,300 patient records
• Why: Handed over x-rays and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $750,000
• Corrective Action Plan:
  • Business Associate Agreements
  • Revise Policies and Procedures related to Business Associate relationships
  • Training
Violations and Outcomes
• Who: Anthem Inc.
• What: Breach report, 79 million patient records
• Why: A series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.
• Settlement: $16,000,000
• Corrective Action Plan:
  • Security Management Process
  • Development and Distribution of Policies and Procedures
Violations and Outcomes
• Who: Advanced Care Hospitalists PL (ACH)
• What: Breach report, 400 patient records
• Why: Handed over billing data and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $500,000
• Corrective Action Plan:
  • Business Associate Agreement
  • Risk Analysis and Risk Management
  • Adoption, Distribution, and Updating of Policies and Procedures
  • Training
What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act
that was passed by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health insurance coverage for
millions of American workers and their families when they change or lose
their jobs;
• Reduces health care fraud and abuse;
• Mandates industry-wide standards for health care information on electronic
billing and other processes; and
• Requires the protection and confidential handling of protected health
information
HIPAA is organized into five separate "Titles."
HIPAA titles (slide diagram; only Title 2 is expanded)
• Title 1
• Title 2
  • Preventing Health Care Fraud
  • Medical Liability Reform
  • Administrative Simplification
    • Electronic Data Interchange
    • Privacy
    • Security
      • Security Standards: General Rule
      • Administrative Safeguards: 9 Standards, 21 Specifications
      • Physical Safeguards: 4 Standards, 8 Specifications
      • Technical Safeguards: 5 Standards, 7 Specifications
      • Organizational Requirements
      • Policies and Procedures
• Title 3
• Title 4
• Title 5
Privacy vs Security
Privacy Rule | Security Rule
Applies to Protected Health Information (PHI) | Applies to Electronic Protected Health Information (ePHI)
Requires a HIPAA Privacy Officer | Requires a HIPAA Security Officer
Guidelines are broad | Guidelines are specific
Requires workforce training (the rule sets no fixed interval; annual training is common practice) | Requires workforce training plus periodic security reminders
Requires Policies and Procedures | Requires Policies and Procedures
Security Categories
Administrative safeguards: Administrative functions including but not
limited to assignment or delegation of security responsibility to an
individual and security training requirements.
Physical safeguards: Facility, entry points and access. Includes restricting
access to EPHI and retaining off site computer backups.
Technical safeguards: Refers to the technology used as well as automated
processes used to protect data and control access to data.
Required and Addressable
Required: if a particular implementation specification is "required", the covered entity must implement it.
Addressable: implement the specification if it is reasonable and appropriate. If implementing the specification is not reasonable and appropriate, the covered entity must:
• Document the rationale supporting the decision, and
• Implement an equivalent alternative measure that is reasonable and appropriate and accomplishes the same purpose, or
• Not implement the addressable specification or an equivalent alternative, if the standard can still be met and implementing the specification or an alternative would not be reasonable or appropriate.
Under no circumstances should a covered entity treat addressable specifications as optional.
Business Associate
• A Business Associate is a
person or entity that creates,
receives, maintains, or
transmits protected health
information on behalf of a
Covered Entity.
• A Covered Entity may be a
Business Associate of
another Covered Entity.
Omnibus Rule Business Associate Definition
• A health information organization, e-prescribing gateway, or other entity that provides data transmission services to a covered entity and requires access on a routine basis to protected health information (PHI).
  • An entity that is a mere conduit and does not require access to PHI is not included.
• A subcontractor. If a business associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is also subject to HIPAA.
  • There must be a HIPAA-compliant business associate agreement between the business associate and its subcontractor.
• A person who creates, receives, maintains or transmits PHI on behalf of a covered entity.
• Physical storage facilities or companies that store electronic PHI are business associates.
Key Points About Business Associates
1. Covered Entities must have a valid Business Associate Agreement.
2. Covered Entities must obtain assurances that Business Associates are in compliance with HIPAA.
3. Covered Entities must terminate the relationship with Business Associates that refuse to comply with HIPAA Security.
Examples of Business
Associates
• Data processing companies
• Medical Transcription specialists
• Data Transmission companies
• Medical Equipment suppliers
• Document Shredding companies
• Data Storage Firms
• Audit Consultants
• Accountants
• External Auditors
• Electronic Health Data Exchange
Business Associates and risk*
• 59% of Business Associates reported a data breach
• 29% of Business Associates experienced two breaches or more
• 80% of BAs reported malware attacks and nearly half were hit by advanced persistent threats
*Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute
Cybersecurity Ventures 2019 Report
• Cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015.
• Cyber attacks are the fastest growing crime in the U.S.
• Cybersecurity Ventures predicts that cloud computing will wipe out data centers altogether over the next 3-4 years.
• Microsoft helps frame digital growth with its estimate that data volumes online will be 50 times greater in 2020 than they were in 2016.
• Cisco projected that cloud data center traffic will represent 95 percent of total data center traffic by 2021.
Cybersecurity Reports
• Global spending on cybersecurity will exceed $1 trillion cumulatively for the 5-year period from 2017 to 2021, according to Cybersecurity Ventures
• Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 14 seconds by 2019, and every 11 seconds by 2021
• Cybercrime will more than triple the number of job openings, to 3.5 million
• Healthcare providers have been the bullseye for hackers over the past three years and are expected to continue to be so
• Medical information is worth more than 10 times your credit card number on the black market
Patient Data Targeted (Business Associates)
[Bar chart; bar values 55%, 41%, 23%, 21%, 6%, 6%, 3%; the category labels are not recoverable from the slide text]
Healthcare Cybersecurity Threats
• Cloud security
• Unsecured mobile devices
• Ransomware
• People
• IoT (Internet of Things)
Internet of Things (IoT)
System of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
• Amiko.IO focuses on providing products for respiratory disease management, complete with an AI-powered platform.
• InfoBionic's MoMe Kardia provides remote monitoring of cardiac arrhythmia.
• PillCam (TM), by Medtronic, is a line of swallowable capsules that allow visualization of the esophagus, stomach, small bowel, and colon.
Services to Consider
• Update security patches
• Automatic monitoring systems
• Antimalware systems: antivirus, ransomware protection
• Backups and contingency plans
Plan of Action
• Assign a Security Officer
• Have a third party perform a Security Risk Assessment
• Introduce automated audits and measures
• Develop and implement policies
• Conduct education and training: annual training plus security reminders
• Review Business Associate Agreements and compliance
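The "automated audits and measures" item above is where the Security Rule's technical safeguards (the deck describes them as "automated processes used to protect data and control access to data") become concrete. What follows is an added example, not code from the deck or from Taino Consultants: an audit-control check run over constructed ePHI access-log lines. The log format, the role policy and the active-workforce roster are all hypothetical. It flags access by a user who is no longer on the roster, an action outside the user's role, and one user pulling an unusually large number of distinct patient records in a short window (the classic record-snooping pattern), and it treats a log line it cannot parse as a finding rather than silently skipping it, because the integrity of the audit trail is itself part of the control.

```python
"""
Automated audit of ePHI access logs (added example; all data constructed).
Checks run over each log line:
  1. access by a user who is not on the active workforce roster
  2. an action the user's role is not permitted to perform
  3. one user touching more than `max_patients` distinct patient records
     inside a sliding `window` (record snooping / bulk export)
The log format, role policy and roster below are hypothetical.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Finding = namedtuple("Finding", "kind user ts detail")

# Hypothetical EHR audit-log format: timestamp | user | role | action | patient_id
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \| (?P<user>\w+) \| "
    r"(?P<role>\w+) \| (?P<action>\w+) \| (?P<patient>\w+)$"
)

# Hypothetical least-privilege role policy: actions each role may perform on ePHI.
ROLE_POLICY = {
    "nurse": {"VIEW", "UPDATE"},
    "physician": {"VIEW", "UPDATE", "PRESCRIBE"},
    "billing": {"VIEW_BILLING"},
}

# Hypothetical active-workforce roster; any other user is terminated or unknown.
ACTIVE_USERS = {"jsmith", "ajones", "bkhan"}

# Constructed sample log lines for this example (not real patient data).
SAMPLE_LOG = """\
2019-03-04T08:01:12 | jsmith | nurse | VIEW | P1001
2019-03-04T08:03:40 | jsmith | nurse | UPDATE | P1001
2019-03-04T08:05:09 | bkhan | billing | VIEW_BILLING | P1002
2019-03-04T08:06:30 | bkhan | billing | VIEW | P1003
2019-03-04T08:10:00 | tgone | nurse | VIEW | P1004
2019-03-04T09:00:00 | ajones | physician | VIEW | P2001
2019-03-04T09:00:30 | ajones | physician | VIEW | P2002
2019-03-04T09:01:00 | ajones | physician | VIEW | P2003
2019-03-04T09:01:30 | ajones | physician | VIEW | P2004
2019-03-04T09:02:00 | ajones | physician | VIEW | P2005
2019-03-04T09:02:30 | ajones | physician | VIEW | P2006
2019-03-04T13:00:00 | ajones | physician | VIEW | P2001
this line is corrupt and must not be silently skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def audit(log_text, max_patients=5, window=timedelta(minutes=10)):
    """Run all checks over the log text and return a list of Finding."""
    findings = []
    per_user = defaultdict(list)  # user -> [(timestamp, patient_id)]

    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # An unparseable audit record is an audit failure, not noise.
            findings.append(Finding("unparseable", None, None, f"line {lineno}"))
            continue
        user, role, action = rec["user"], rec["role"], rec["action"]
        if user not in ACTIVE_USERS:
            findings.append(Finding("unknown_user", user, rec["ts"], f"{action} {rec['patient']}"))
        allowed = ROLE_POLICY.get(role)
        if allowed is None or action not in allowed:
            findings.append(Finding("role_violation", user, rec["ts"], f"{role} performed {action}"))
        per_user[user].append((rec["ts"], rec["patient"]))

    # Sliding-window volume check: peak count of distinct patients one user
    # touched within `window`; reported once per user if it exceeds the limit.
    for user, events in per_user.items():
        events.sort()
        peak, peak_ts, start = 0, None, 0
        for i, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:
                start += 1
            distinct = len({p for _, p in events[start:i + 1]})
            if distinct > peak:
                peak, peak_ts = distinct, ts
        if peak > max_patients:
            findings.append(Finding("high_volume", user, peak_ts,
                                    f"{peak} distinct patients within {window}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.kind, f.user, f.ts, f.detail)
```

Running it against the constructed log yields four findings: a role violation by the billing user, an access by a user who is not on the roster, the corrupt line, and the physician account that touched six distinct records in under three minutes. The thresholds are deliberately parameters: the right `max_patients` and `window` come out of the risk analysis for each role and department, which is why the deck pairs automated audits with a documented risk management plan rather than treating either as sufficient alone.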
Reminder
Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities' organizations and technologies change.
Dr. Jose I. Delgado
Taino Consultants Inc., CEO
DrDelgado@tainoconsultants.com
tainoconsultants.com
