Slide 1 - jotform.com

The 5 Most Common HIPAA-Compliance Mistakes and How to Overcome Them
By Planet HIPAA and JotForm

Today's Objectives
- Understand key requirements of HIPAA
- Discuss why HIPAA can't be ignored in 2019
- Discuss common HIPAA mistakes in 2018
- Understand simple steps to overcome common HIPAA mistakes

Health Insurance Portability and Accountability Act (HIPAA) of 1996
First attempt at developing federal rules and regulations to protect the privacy and security of Protected Health Information (PHI).

HIPAA timeline
- 1996: HIPAA regulation enacted
- 2003: Privacy Rule mandated
- 2005: Security Rule mandated
- 2009: Interim ARRA/HITECH provision on privacy and security
- 2013: Final ARRA/HITECH provision on privacy and security

What is HHS Looking at?

In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, including:
- Encouraging information-sharing for treatment and care coordination
- Facilitating parental involvement in care
- Addressing the opioid crisis and serious mental illness
- Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

Tell Me! How confident are you today in your organization's HIPAA compliance?

Tell Me! What are your biggest barriers to feeling confident about your HIPAA compliance program?

The Truth Is: HIPAA expectations have created confusion and misunderstanding across organizations.

Let's Talk: Common Confusion and Misunderstanding with HIPAA
- "My organization is compliant because we have our Notice of Privacy Practices created and provide it to patients."
- "We created policies and procedures in 2003 and 2005 and don't need to do anything else."
- "My organization has great practices when it comes to HIPAA and we don't have to write them down."
- "My organization is too small to have to implement all the HIPAA documentation requirements."
- "My electronic record vendor took care of everything I need to do with privacy and security."
- "I purchased a HIPAA compliance manual and it is all I need to have a compliant HIPAA program!"

- "We educated our workforce on HIPAA previously and don't need to do it again!"

HIPAA in the News, Every Day

Roper St. Francis, Valley Professionals Phishing Attacks Breach Patient Data (HealthITSecurity, Feb 3, 2019)
Charleston, South Carolina-based Roper St. Francis Healthcare and Valley Professionals Community Health Center (VPCHC) in Indiana recently began notifying patients that their data was potentially breached after employees fell victim to targeted phishing campaigns. Thirteen Roper St. Francis employees fell victim to a large-scale phishing campaign, which was discovered on November 30. Access was blocked upon discovery. Officials said the investigation determined the hacker had access between November 15 and December 15.

23,500 Patients Impacted by Connecticut Eye Clinic Ransomware Attack (HIPAA Journal, February 5, 2019)
Dr. DeLuca Dr. Marciano & Associates, P.C., a primary eye care clinic in Prospect, CT, has experienced a ransomware attack that has resulted in the encryption of files containing patients' protected health information. The attack occurred on November 29, 2018. Prompt action was taken to shut down the network to prevent the spread of the infection, but it was not possible to stop the encryption of files on two servers used to store patient-related files. A ransom demand was received but no payment was made. The encrypted files were successfully restored from backups. An investigation of the breach revealed that the two servers affected by the attack contained patient files that included information such as patient names, Social Security numbers, and some treatment information.

Improper Binder Disposal Creates PHI Privacy Concern (HealthITSecurity, December 21, 2017)
A binder containing a log with certain patient PHI was mistakenly recycled on October 17, 2017, according to an NYU Langone Health statement. Information related to presurgical insurance authorizations from NYU Langone Health Pediatric Surgery Associates was included in the binder. The organization's cleaning company reportedly recycled the binder, which contained certain data on approximately 2,000 patients. The information included names, dates of birth, dates of service, diagnosis codes, current procedural terminology codes, insurers' names and identification numbers.

29K Impacted by SSM Health Data Breach from Unauthorized Access (HealthITSecurity, January 4, 2018)
SSM Health recently reported that it experienced a potential data breach after an employee accessed patient records without authorization. The access occurred between February 13, 2017 and October 20, 2017 when the employee was working in the customer service call center, according to SSM Health. At the time, the employee had PHI access to perform regular job functions.

Data Breach Update
- Data breaches continue to rise at an alarming rate.
- Cybersecurity has created more threats to healthcare organizations.
- 2,569 large-scale data breaches since September 2009
- 167,551,371 individuals impacted

Large-scale breaches reported per year:
- 2009: 18
- 2010: 198
- 2011: 196
- 2012: 208
- 2013: 274
- 2014: 295
- 2015: 269
- 2016: 327
- 2017: 359
- 2018: 366
- 2019 (so far): 22

Theft and loss are still the leading causes of healthcare data breaches.
Source: https://www.hipaajournal.com/analysis-of-healthcare-data-breaches/

The 5 Most Common HIPAA-Compliance Mistakes

Mistake #1: Missing Organization-Specific Policies and Procedures
HIPAA without a solid foundation.

HIPAA's Policy and Procedure Requirements
- Privacy Rule documentation requirement: A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule requirements.
- Security Rule documentation requirement: Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
- Breach Notification Rule documentation requirement: A covered entity is required to comply with the administrative requirements of the HIPAA Privacy Rule.

How to Be Specifically Vague
Sample statement from P&Ps: "A risk analysis will be conducted in June and December every year. The risk analysis report will be provided to the Organization's Board of Directors within 10 days of the conclusion of the Risk Analysis."

Specifically vague rewrite: "A risk analysis will be conducted annually, with major technology changes, or with updates to regulations. The risk analysis report will be provided to the Organization's Board of Directors at the conclusion of the Risk Analysis Report Generation."
Source: https://www.hhs.gov/about/news/2018/11/26/allergy-practice-pays-125000-to-settle-doctors-disclosure-of-patient-information-to-a-reporter.html

Mistake #2: Not Having a Regular Process for Conducting a Risk Analysis and Mitigating Identified Risks
Over 95% of all HIPAA Corrective Action Plans indicate that there is a missing or insufficient risk analysis.

HIPAA Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.
HIPAA Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Purpose of the Risk Analysis
- Identify potential risks to the organization
- Mitigate threats and vulnerabilities
- Reduce and/or prevent potential breaches of ePHI

Basic Steps to Risk Management
- Plan development
- Implementation
- Evaluation and monitoring

Sample Risk Analysis Steps
1. Identify the scope of the analysis (understand the systems that hold Protected Health Information).
2. Identify and document potential threats and vulnerabilities.
3. Assess current security measures.
4. Determine the likelihood of threat occurrence.
5. Determine the potential impact of threat occurrence.
6. Determine the level of risk (Likelihood + Impact = Risk).
7. Identify security measures and finalize documentation.
Source: https://www.cda.org/news-events/conducting-a-risk-analysis-key-for-hipaa-compliance
Source: https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html
Source: https://www.hhs.gov/sites/default/files/fresenius-racap.pdf
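The seven sample steps are easier to keep consistent when the register is written down in one structure that carries scope, threat, current controls, the two ratings and the resulting level for every row. The script below is an added worked example; it is not code from the deck, from Planet HIPAA or from JotForm. It keeps the deck's additive formula (Likelihood + Impact = Risk) and assumes, as its own convention, a 1-3 rating scale for likelihood and impact with scores bucketed as 2-3 Low, 4 Medium and 5-6 High. Every system, threat and rating in the sample register is constructed; the threat types simply mirror the news items earlier in the deck.

```python
"""Worked risk-analysis register for the seven sample steps.

Added illustration, not from the original deck or from Planet HIPAA/JotForm.
Assumptions (not on the page): likelihood and impact are rated 1-3, and
scores are bucketed as 2-3 Low, 4 Medium, 5-6 High. The additive formula
Likelihood + Impact = Risk is the deck's own. All rows are constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LOW, MEDIUM, HIGH = 1, 2, 3   # assumed rating scale for likelihood and impact


@dataclass
class RiskItem:
    system: str                      # step 1: in-scope system that holds ePHI
    threat: str                      # step 2: threat or vulnerability
    current_controls: List[str]      # step 3: safeguards already in place
    likelihood: int                  # step 4: 1 (low) to 3 (high)
    impact: int                      # step 5: 1 (low) to 3 (high)
    planned_measures: List[str] = field(default_factory=list)  # step 7


def risk_score(likelihood: int, impact: int) -> int:
    """Step 6: Likelihood + Impact = Risk; on the 1-3 scale this yields 2..6."""
    for value in (likelihood, impact):
        if value not in (LOW, MEDIUM, HIGH):
            raise ValueError("likelihood and impact must be 1, 2 or 3")
    return likelihood + impact


def risk_level(score: int) -> str:
    """Bucket the additive score (assumed thresholds, see module docstring)."""
    if score >= 5:
        return "High"
    if score == 4:
        return "Medium"
    return "Low"


def rank_register(items: List[RiskItem]) -> List[Dict]:
    """Score every item and return rows ordered highest risk first."""
    rows = []
    for item in items:
        score = risk_score(item.likelihood, item.impact)
        rows.append({
            "system": item.system,
            "threat": item.threat,
            "current_controls": list(item.current_controls),
            "score": score,
            "level": risk_level(score),
            "planned_measures": list(item.planned_measures),
        })
    rows.sort(key=lambda r: (-r["score"], r["system"]))
    return rows


def unmitigated_high_risks(rows: List[Dict]) -> List[Dict]:
    """High-risk rows with no planned measure: the gap a corrective action
    plan flags as a missing or insufficient risk analysis."""
    return [r for r in rows if r["level"] == "High" and not r["planned_measures"]]


# Constructed sample register; threat types mirror the news items in the deck.
SAMPLE_REGISTER = [
    RiskItem("EHR file server", "Ransomware encrypts patient files",
             ["antivirus"], HIGH, HIGH,
             ["offline backups with restore test", "network segmentation"]),
    RiskItem("Staff e-mail", "Phishing leads to credential theft",
             ["spam filter"], HIGH, MEDIUM,
             ["security awareness training", "multi-factor authentication"]),
    RiskItem("Call-center workstation", "Employee views records outside job role",
             ["role-based access"], MEDIUM, HIGH),   # no mitigation planned yet
    RiskItem("Paper authorization binder", "Improper disposal by cleaning vendor",
             [], MEDIUM, MEDIUM, ["locked shred bins"]),
    RiskItem("Clinician laptop", "Loss or theft of an unencrypted device",
             [], MEDIUM, HIGH, ["full-disk encryption"]),
]


def print_register(items: List[RiskItem] = SAMPLE_REGISTER) -> None:
    """Render the scored register as the documentation in step 7 asks for."""
    rows = rank_register(items)
    for row in rows:
        print(f'{row["level"]:6} {row["score"]}  {row["system"]}: {row["threat"]}')
    for row in unmitigated_high_risks(rows):
        print(f'ACTION NEEDED: {row["system"]} has no planned measure')


if __name__ == "__main__":
    print_register()
```

The ranking puts the ransomware scenario first and surfaces the call-center row as the one High risk with nothing planned against it, which is exactly the kind of gap an auditor reads a register for; the thresholds and the 1-3 scale are a design choice and should be written into the policy so that two reviewers score the same threat the same way.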

Mistake #3: Lack of Employee HIPAA Education
Employees and human error often top the list as the healthcare sector's biggest threat.

HIPAA's Policy and Procedure Requirements
- Privacy Rule documentation requirement: A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by the Privacy Rule, and as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
- Security Rule documentation requirement: Implement a security awareness and training program for all members of the workforce (even management). Periodic Updates (A): provide periodic security updates.
- Breach Notification Rule documentation requirement: A covered entity must train all workforce members on the breach notification policy and procedures.

Building a Strong HIPAA Training Program
- Establish a schedule
- Stay consistent
- Provide annual "big" HIPAA training
- Test the knowledge
- Provide periodic updates
- Create a written policy and procedure
- Have an easy process for questions from the workforce
- Maintain documentation
Source: https://www.hhs.gov/about/news/2017/05/23/careless-handling-hiv-information-costs-entity.html
Source: https://www.hhs.gov/sites/default/files/st-lukes-signed-ra-cap.pdf

Mistake #4: Not Establishing Business Associate Agreements

What is a Business Associate?
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity:
- An individual or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity.
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.
The "mere conduit" exception has a narrow definition and applies only to courier-type services such as the Postal Service or an Internet Service Provider.

Requirements of a Business Associate Agreement
- Describe the permitted and required uses of protected health information by the business associate.
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
- Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.
- If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Source: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

Mistake #5: Lack of Use of Technical Safeguards
- HIPAA is a technology-neutral regulation.
- HIPAA is scalable and allows for flexibility.
- "Technology neutral" should not be interpreted as a reason not to use technology to support compliance.

Addressable vs. Required
Standards are broken up into two categories (45 CFR 164.306(d)):
- Addressable: the covered entity must assess the reasonableness and appropriateness of the safeguard to protect the entity's ePHI, considering:
  - The size, complexity and capability of the covered entity
  - The covered entity's technical infrastructure, hardware, and software security capabilities
  - The costs of security measures
  - The probability and criticality of potential risks to ePHI
- Required: the covered entity must comply with the standard and implement policies and/or procedures that meet the requirement.

Examples: How Technology Can Support Compliance
- Encryption for data at rest (computers, servers)
- Encryption for data in motion (e-mail)
- Notification of inactive users
- Usernames and passwords
- Intrusion detection software
- Up-to-date antivirus solution
- Strong firewall
- Backup solutions
- ENCRYPTION

Unsure of how you are doing with HIPAA compliance? Try out our free HIPAA Check Up: https://www.planethipaa.com/hipaa-checkup
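Of the technical safeguards listed, "notification of inactive users" is the one most often left to a manual spreadsheet, and the SSM Health item earlier in the deck shows why stale or over-broad accounts matter. The script below is an added example of that review logic; it is not code from the deck or from Planet HIPAA/JotForm, and it assumes its own thresholds (an account is idle after 90 days without a login, and an account that has never logged in is stale 30 days after creation) and a fixed review date. The account records are constructed sample data, not real users.

```python
"""Inactive-user review for the "Notification of Inactive Users" safeguard.

Added illustration, not code from the deck or from Planet HIPAA/JotForm.
Assumptions (not on the page): 90 idle days, 30 days for never-used accounts,
and a fixed review date. All account records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]   # None means the account has never logged in
    phi_access: bool             # role can read ePHI, so review these first


def find_inactive_accounts(accounts: List[Account], as_of: date,
                           max_idle_days: int = 90,
                           never_used_days: int = 30) -> List[Dict]:
    """Return accounts that should be disabled or re-confirmed by a manager.

    PHI-capable accounts are listed first, then by how long they have been idle.
    """
    findings = []
    for acct in accounts:
        if acct.last_login is None:
            idle = (as_of - acct.created).days
            if idle <= never_used_days:
                continue                      # recently provisioned, not stale yet
            reason = "never logged in"
        else:
            idle = (as_of - acct.last_login).days
            if idle <= max_idle_days:
                continue                      # active within the review window
            reason = "no login in review window"
        findings.append({
            "username": acct.username,
            "reason": reason,
            "idle_days": idle,
            "phi_access": acct.phi_access,
        })
    findings.sort(key=lambda f: (not f["phi_access"], -f["idle_days"]))
    return findings


# Constructed sample records; the review date is assumed.
REVIEW_DATE = date(2019, 2, 5)
SAMPLE_ACCOUNTS = [
    Account("jdoe", date(2017, 3, 1), date(2019, 1, 20), phi_access=True),
    Account("msmith", date(2016, 6, 15), date(2018, 10, 1), phi_access=True),
    Account("temp_rx", date(2018, 6, 1), date(2018, 11, 5), phi_access=True),
    Account("contractor1", date(2018, 12, 1), None, phi_access=False),
    Account("newhire", date(2019, 2, 1), None, phi_access=True),
]


def print_review(accounts: List[Account] = SAMPLE_ACCOUNTS,
                 as_of: date = REVIEW_DATE) -> None:
    """Print the notification list a security officer would act on."""
    for f in find_inactive_accounts(accounts, as_of):
        flag = "PHI" if f["phi_access"] else "   "
        print(f'{flag} {f["username"]:12} {f["idle_days"]:4}d  {f["reason"]}')


if __name__ == "__main__":
    print_review()
```

Run against the sample data, the review lists msmith and temp_rx (both PHI-capable, idle 127 and 92 days) ahead of contractor1, which was provisioned 66 days ago and never used; jdoe and newhire are left alone. Feeding the function an export of real last-login timestamps, and keeping the resulting list as evidence, is what turns the slide's bullet into a documented periodic control.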

References
- https://healthitsecurity.com/news/reduce-employee-email-risk-by-taking-decisions-away-from-users
- https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- www.hipaajournal.com
- https://www.jotform.com/what-is-hipaa-compliance/
