Making Memories Matter
2015 WALA Spring Conference
A ‘Real World’ Approach on How to
Achieve HIPAA Compliance
Jeff Grady, David Hosack, Curtis Urlakis, Holly
Schlenvogt, Barbara Zabawa
Friday, March 20
10:30 am
Presented By:
Jeff Grady, Senior Director of Three Pillars Technology
David Hosack, Account Executive, Marsh & McLennan Agency
Holly Schlenvogt, MSH, CPM, Director of Privacy & Security, Three Pillars Technology
Barbara Zabawa, JD, MPH, Health Law Attorney, Center for Health Law Equity LLC
Curtis J. Urlakis, Executive Director, Community Living Arrangements, Inc.
Real World HIPAA Compliance
• Why is Business Associate status more important today than it was several years ago, before HITECH and the HIPAA Omnibus Rule?
• It used to be the practice that someone would hand you a BAA (Business Associate Agreement), you would barely skim it, ask where to sign, and file it away, never to look at it again. What has changed, and why is that approach to a BAA no longer smart and potentially dangerous?
• If I use an outside firm to support the technology that handles, transmits or stores our PHI/ePHI, should I have a BAA in place with them? What if they say they do not need to look at our ePHI to perform their services?
Real World HIPAA Compliance (cont.)
• I’ve looked at the HIPAA Compliance Check-up, and the first item on the list is having conducted a proper HIPAA Security Risk Analysis. We haven’t done that (or at least, I don’t think so). If someone broke into our offices and stole an unencrypted laptop with all our residents’ health information, could we still be found in “willful neglect” even though we didn’t intentionally lose the laptop (it was stolen), we had an alarm system and locks on our doors, and we had the good intention to “get around” to having someone look at our HIPAA compliance status, sometime next year?
• I asked my insurance broker about cyber insurance and he said not to worry, “we have you covered.” Should I feel safe and confident that we’ll be protected in the event of a breach and loss of PHI (protected health information)?
• What would be the top 3 to 4 questions I should ask my insurance broker about our cyber liability insurance?
Barbara Zabawa, JD, MPH
2015 WALA Conference
Who Does HIPAA Apply To
Covered Entities:
• Health Plans (licensed insurers, ERISA plans, HMOs, Medicare, etc.)
• Providers (physicians, hospitals, home health, pharmacies, dental) who conduct one or more of the HIPAA-defined transactions electronically
• KEY: HIPAA does not apply to non-billing agencies that keep only paper records and conduct none of those transactions electronically
• Clearinghouses
Original HIPAA:
Business Associates
What is a Business Associate
A person or entity that is not a member of the Covered Entity’s (CE’s) workforce and that:
1. Performs a function or activity using individually identifiable health information involving:
• Claims processing or administration
• Data analysis, processing or administration
• Utilization review
• QA
• Billing
• Benefit management
• Practice management
• Re-pricing
Original HIPAA
Business Associate (cont.)
2. Performs any other function or activity regulated by HIPAA; or
3. Provides any of the following services to or for the CE (where the service involves the disclosure of individually identifiable health information):
• Legal
• Actuarial
• Accounting
• Consulting
• Data aggregation
• Management
• Administrative
• Accreditation
• Financial
Final HIPAA Omnibus Rule
Business Associates
Expands definition of BA:
• Companies that “maintain” PHI on behalf of a CE
• Data storage company
• Patient safety organizations
• Companies that transmit PHI to a CE
Final HIPAA Omnibus Rule
Business Associates (cont.)
• PHR vendors
• Subcontractors to BAs that create, receive, maintain or transmit PHI on behalf of the BA.
Final HIPAA Omnibus Rule
Business Associates (cont.)
• Previously, business associates were not directly subject to the HIPAA privacy and security requirements. Instead, business associates were indirectly subject to HIPAA through BAAs.
• HITECH requires business associates to comply with the same HIPAA administrative, physical and technical safeguard rules as covered entities, as well as the new privacy provisions.
• Business associates now have increased responsibility to protect PHI and disclose instances where PHI has been accessed or shared.
Final HIPAA Omnibus Rule
Business Associates (cont.)
Specifically, the Final Rule makes BAs directly liable for:
• Uses and disclosures of PHI in violation of the BAA or the Security Rule
• Failing to disclose PHI to the HHS Secretary to investigate Covered Entity compliance with Privacy Rule
• Failing to disclose PHI to comply with individual’s request for electronic copy of PHI
• Failing to make reasonable efforts to limit uses and disclosures of PHI to minimum necessary
Final HIPAA Omnibus Rule
Business Associates (cont.)
• The Final Rule also requires a BA to enter into a BAA with each of its subcontractors.
• If a BA becomes aware of a pattern or practice of a subcontractor that constitutes a material breach or violation of the BAA, the BA must take reasonable steps to cure the breach and, if that fails, terminate the contract if feasible.
Final HIPAA Omnibus Rule
Business Associates (cont.)
• BAA amendments:
• Require BAs to comply with Security Rule
• Require BA to report to CE Breach of Unsecured PHI
• Require BA to enter into BAA with subcontractor
• Require BA to comply with Privacy Rule to extent BA must carry out a CE’s obligation under Privacy rule
BAA Examples
• Software vendor for a Covered Entity
• BAA required?
• Disclosures to health plan sponsor (such as employer) by a group health plan
• BAA required?
BAA Examples (cont.)
• Covered entity’s janitorial or electrician service persons
• BAA required?
• Provider submits claim to health plan for payment
• BAA required?
• Financial institution processes debit, credit or other payment mechanisms of provider’s patients.
• BAA required?
BAA Examples (cont.)
• Health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a provider and forwards the processed transaction to a payer.
• BAA required?
• An Attorney whose legal services to a covered entity involve access to PHI.
• BAA required?
• Physicians with hospital privileges
• BAA needed between physician and hospital?
BAA Examples (cont.)
• Beneficial resource:
http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html
Willful Neglect
• “The conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
• 45 CFR § 160.401
Holly Schlenvogt, MSH, CPM
2015 WALA Conference
A Little About HIPAA
• Four key sections:
• Electronic Transactions & Code Sets
• Security
• Breach Notifications
• Privacy
The Privacy Rule
• Requires that we protect all protected health information (PHI): on paper, in conversations, faxes, emails, in systems, etc.
• Provides patients with rights in respect to their PHI
• Compliance date: April 14, 2003
The Security Rule
• Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) we create, receive, maintain, or transmit:
• In computer systems/applications
• On portable devices
• In transactions
• Compliance date: April 20, 2005
Breach Notifications
• Complete a “breach risk assessment” to determine whether a breach of “unsecured PHI” (PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons, for example by encryption) has occurred.
• Breach of unsecured PHI:
• Notify residents/guardians
• Notify the Secretary (HHS)
• Notify the media, if more than 500 residents of a state or jurisdiction are affected
Privacy, Security, Breach Notifications
High Level Requirements
To protect PHI and ePHI:
• Designation of a:
• Privacy Official (Officer)
• Security Official (Officer)
• Written and implemented policies and procedures (P&Ps)
• Administrative, physical, and technical controls
• Training…training…training
Examples of Privacy P&Ps
• Minimum Necessary
• Uses and Disclosures
• Restriction Requests
• Notice of Privacy Practices
• Business Associate
Examples of Security P&Ps
• Risk Management
• Complete security risk analysis
• Mitigate identified risks
• Contingency Plan
• Auditing
• Incidents
• System Access
• Role based access
• Password controls
• Automatic logoffs
• Facility Access
• Encryption
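As an added example, not part of the original presentation, the following Python script shows what the “Auditing”, “Role based access” and “Automatic logoffs” items above look like when checked after the fact against an application’s ePHI access log. The log format, the role matrix, the record types and the 15-minute timeout are assumptions made for illustration, and the log lines are constructed; none of it comes from a real product or from the presenters.

```python
"""Audit an ePHI access log for out-of-role access and missed automatic logoffs.

Added example: the log format, roles, record types and timeout below are
assumptions for illustration, not taken from any real product or policy.
"""
from datetime import datetime, timedelta

# Assumed role matrix: the record types each role may open under the
# organization's minimum-necessary policy (hypothetical values).
ROLE_PERMISSIONS = {
    "nurse": {"clinical_note", "medication", "demographics"},
    "billing": {"demographics", "claim"},
    "admin": {"demographics"},
}

# Assumed automatic-logoff policy: a session idle longer than this must have
# been terminated, so later activity without a fresh login is a finding.
AUTO_LOGOFF = timedelta(minutes=15)

# Constructed sample log. Fields: timestamp|user|role|record_type|resident|action
# ("-" for record_type/resident on login and logout events).
SAMPLE_LOG = """\
2015-03-20T09:00:00|jdoe|billing|-|-|login
2015-03-20T09:02:11|jdoe|billing|claim|R-1001|view
2015-03-20T09:05:40|jdoe|billing|clinical_note|R-1001|view
2015-03-20T09:30:00|asmith|nurse|-|-|login
2015-03-20T09:40:00|asmith|nurse|medication|R-1002|view
2015-03-20T10:10:00|asmith|nurse|clinical_note|R-1002|view
2015-03-20T10:12:30|bjones|admin|-|-|login
2015-03-20T10:13:00|bjones|admin|demographics|R-1003|view
2015-03-20T11:00:00|bjones|admin|-|-|logout
"""


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, record, resident, action = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "record": record,
            "resident": resident,
            "action": action,
        })
    return events


def out_of_role_access(events):
    """Return (user, record_type, resident) for each access the user's role does not permit."""
    findings = []
    for e in events:
        if e["action"] in ("login", "logout"):
            continue
        if e["record"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings.append((e["user"], e["record"], e["resident"]))
    return findings


def idle_sessions_exceeding_logoff(events, timeout=AUTO_LOGOFF):
    """Return (user, idle_minutes) where a session stayed usable past the logoff timeout.

    A user who is active again more than `timeout` after their previous event,
    with no fresh login in between, was never logged off automatically.
    """
    last_seen = {}  # user -> timestamp of the last event in the current session
    findings = []
    for e in events:
        user = e["user"]
        if e["action"] == "login":
            last_seen[user] = e["ts"]
            continue
        if e["action"] == "logout":
            last_seen.pop(user, None)
            continue
        if user in last_seen:
            idle = e["ts"] - last_seen[user]
            if idle > timeout:
                findings.append((user, idle.total_seconds() / 60))
        last_seen[user] = e["ts"]
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, record, resident in out_of_role_access(evs):
        print(f"OUT-OF-ROLE: {user} opened {record} for {resident}")
    for user, minutes in idle_sessions_exceeding_logoff(evs):
        print(f"NO AUTO-LOGOFF: {user} resumed after {minutes:.0f} min idle")
```

Run against the constructed log, the script reports one billing user opening a clinical note (a minimum-necessary violation for that role) and one nurse whose session was still usable after 30 minutes of inactivity. The same two checks, pointed at a real application’s export, are a cheap way to show an auditor that the “Auditing” and “System Access” policies are actually enforced rather than merely written.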
HHS Settles Case with Phoenix Cardiac Surgery
• Posted patient clinical and surgical appointments on an Internet-based calendar that was publicly accessible
• $100,000 settlement
• Corrective action plan
• Why?
• Implemented few HIPAA Privacy and Security P&Ps
• Limited safeguards in place to protect ePHI
• No security official
• Did not complete a security risk analysis
• No documented training
• Did not obtain BAAs
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.html
Training…Training…Training
• Explain what they need to do to protect PHI, such as:
• Lock unattended workstations
• Never provide your user name and password to anyone
• Do not save PHI on laptops, computers, smart phones
• Lock PHI in cabinets/offices when not in use & after hours
• Cover all P&Ps that apply to them
• Provide examples of incidents and what to report
Employees Sharing PHI in Public
You receive a call from a resident’s guardian who is upset. He is upset because an employee gossiped about the resident at a party over the weekend.
• What should you do?
• How can you prevent this from happening?
Cybercriminal Motives
According to an article published by YourIdentitySafe:
• Our identities are worth between $.50 and $150 in the black market/underground economy (a place where criminals exchange stolen data on the internet).
http://www.youridentitysafe.com/internet-identity-theft/34what-is-your-identity-worth
Why are Privacy & Security so Important
• Good safeguards:
• Protect PHI
• Help prevent bad things from happening
• Residents deserve to know that the organization protects their confidentiality
• It helps establish trust
• It is the right thing to do
Real Life Example
By: Curtis & Holly
A Few HIPAA Resources
• www.hipaacow.org
• http://www.sans.org/security-resources/
• http://csrc.nist.gov/publications/PubsSPs.html
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
Cyber Risk Presentation
Breach Numbers
• 675 million records breached in the U.S. since 2005
• Average cost per record: $240.00
• 42 percent of breaches are in the Medical/Healthcare industry
• 29% are hacking, 15% subcontractor/third party, 11.5% accidental, 7.9% data on the move
• Out of 12,840 C-level poll respondents, 46% said “Yes” to the question: “Does your company have insurance coverage for Cyber Breaches?”
• From a threat perspective, cyber security is one of the top three things most concerning CEOs in 2014
• Average value of a lost or stolen laptop is $49,246; the data breach portion is responsible for over 80% of the total cost
Breach Numbers (cont.)
• Median cost per company for detection and recovery from a cyber crime is $5.9 million
• The range of cost is $1.5 million to $36.5 million for detection and recovery
• 40% of companies that don’t have a policy in place believe their IT controls would not allow an attack
• Majority feel that their traditional insurance policies would respond
• Number of claims doubling on an annual basis
• Source: privacyrights.org
HIPAA Settlements
Data Breach Results in $4.8 Million HIPAA Settlements New York and Presbyterian Hospital
• New York and Presbyterian Hospital (NYP) has agreed to pay OCR $3,300,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and will adopt a corrective action plan to evidence their remediation of these findings.
Columbia University
• Columbia University (CU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, including a $1,500,000 monetary settlement and corrective action plan to address deficiencies in its HIPAA compliance program.
Breach Laws
• State by state
• National data breach notification law – Compliance
• Notify as soon as possible
• Not to exceed 45 days
• Over 1000 records, notify consumer reporting agencies
• Fines
Overview
• Introduction/Background
• Purchase Cyber Today
• 3 Critical Steps
• Cyber Risk policy
Purchasing Cyber Today?
1. Manuscripted Policy / Customer “Centric”
2. Evolution / Ever Changing
3. More Complex – Carriers/Brokers
Three Part Plan
1. Pre-Assessment – Already had a breach?
2. Procure Insurance
3. Breach Recovery Plan
Pre-assessment
• 16 pages, mostly yes/no? Check the boxes. Many to choose from. Pass around.
• Reviews Security Policy and Standards
• Physical Security
• Network Management
• Access Management
• System Maintenance
• Compliance
• Vendor Management
Purchase Insurance
1. Any Shape or Size
2. Almost Any Price
3. Insurance Industry
4. Line Item
5. Leadership-Cyber Champion
Dare to Compare Policies
1. Sublimit on Breach Notification
2. Authorized vs. Non-Authorized
3. Hard Data-Flash Drive-Briefcase
4. Duty to Notify vs. Willing to Notify
5. Vendors-Contracted Rates vs. List of names
6. Dedicated Claims Adjusters
7. Remote Data Wiping Discount
8. 3rd Party BI (Business Interruption)
9. D&O Network Liability Coverage
10. Copier Cartridge Disposal
11. Prior acts coverage
12. HIPAA Coverage
13. Coverage for fines by the state
Breach Recovery Plan
1. Vetting your Vendors
a) Breach Notification Firm
b) PR Firm
c) IT Forensic Firm
d) Attorney (State Reg.)
2. 75% Higher Rates
3. Best Service / Best Price
4. Step by Step Process
5. Not Traditional Insurance / Fire Drill
a) Who is Responsible?
b) Timing is Crucial
c) IT’s New Role / Pushback