How to Avoid HIPAA Headaches & Why HIPAA Might Be the Least of Your Compliance Challenges
Mike Semel, President & Chief Compliance Officer, SEMEL Consulting; 35-year IT business owner/manager
How to Avoid HIPAA Headaches & Why HIPAA Might Be the Least of Your Compliance Challenges
Mike Semel
President & Chief Compliance Officer, SEMEL Consulting
- 35-year IT business owner/manager
- 15-year certified HIPAA Professional
- EMT / ER Tech / FD Rescue Captain / IndyCar Safety Team
- Hospital CIO; School District CIO; Cloud Backup Service COO
- Member, FBI InfraGard
- Chair, CompTIA Security Community (retired)
Speaking, Writing
Amazon Best-Seller
IndyCar Safety Team
Cast of Characters
- Accretive Health
- North Memorial Hospital
- 23,000 Patients
- Minnesota Attorney General
- Federal Trade Commission
- HHS Office for Civil Rights
- Attorneys
- Shareholders
- New York Stock Exchange
What Happened
- Accretive unencrypted laptop stolen from employee’s car
- 23,000 patient records lost
Accretive – lost laptop, abusive collections
- Before: stock $30/share, market cap $865.7 million
- Lost laptop; abusive collections allegations
- Fined $2.5 million & banned by state Attorney General
- CEO & CFO replaced
- $14 million class action settlement
- FTC 20-year monitored compliance program
- After: stock $1.95/share, market cap $197.45 million; delisted by NYSE
- Loss of $668.25 million in market cap
- 2016: North Memorial Hospital fined $1.55 million for not signing a BAA with Accretive
Patient Data Published to Internet
- Cottage Health’s IT company installed a server and accidentally published it to the Internet
- Patients Googled themselves & got their medical records
- IT company did not have enough insurance, so Cottage Health filed a claim with its cyber-liability carrier, Columbia Casualty
- Patients sued; lawsuit settled for $4.1 million
- Columbia Casualty paid the settlement and lawyer’s fees, but said it was still investigating…
Columbia Casualty alleges that Cottage Health's application for coverage under the Columbia policy "contained misrepresentations and/or omissions of material fact that were made negligently or with intent to deceive concerning Cottage's data breach risk controls," according to the insurer's lawsuit.
Privacy & Confidentiality Compliance is… having to meet requirements set by others.
Privacy Compliance Requirements (set by others)
- Federal & State Laws
- Industry Regulations: PCI, Professional Licensing
- Contractual Obligations
- Cyber Insurance Policy Requirements
Security is… the protection of data against loss, theft, and unauthorized access.
Threats Have Changed: Then vs. Now
Security Is More Important Now
Basics Still Count
2017 Verizon Data Breach Investigations Report: 81% of hacking-related breaches leveraged stolen and/or weak passwords.
How To Approach Security
Security is a BUSINESS problem with a TECHNICAL solution.
2017 Cost of a Data Breach Report
- Per record, across all industries: $225
- Per medical record: $380
- 10,000 records: $2 – $4 million
- 25,000 records: $5 – $10 million
- 100,000 records: $20 – $40 million
Source: 2017 Ponemon Cost of a Data Breach Report
Increasing HIPAA Penalties
- 2014 – 2015: $14 million
- 2016 – 2017: $42 million
- 2018 YTD: $3.6 million
Roger Severino, Director, HHS Office for Civil Rights
Has already signed off on penalties totaling $8.9 million
Increased State Legislation: New York SHIELD Act
Increased Litigation
Data Protection = Consumer Protection
Will Cyber Liability Insurance Pay Off?
50 State Data Breach Laws
Protect:
- Social Security Number – patients, employees, applicants
- Driver’s License Number or state-issued ID card
- Account number, credit or debit card with access info
- Some protect medical records
Different reporting & notification requirements than HIPAA
What is PHI & ePHI?
Protected Health Information
- Identifiable (18 different identifiers)
- Plus treatment and/or diagnostic information
Electronic Protected Health Information
- PHI in electronic form
- Words, images, voice messages
- On any media – devices, portable, cloud
HIPAA
Covered Entities (must bill electronically):
- Doctors
- Dentists
- Hospitals
- Skilled Nursing Facilities
- Pharmacies
- Health Plans
Business Associates (maintain or access PHI):
- IT Companies
- EHR software
- Data Centers
- Cloud Vendors
- Paper Shredding
- Records Storage
- Copier Repair
- Billing
- Collections
- Healthcare org. lawyers
- Expert Witnesses
- Accountants
- Transcription
HIPAA - More Than a Risk Analysis
HIPAA Audit
HIPAA Guidance
- Cloud Services & Data Centers ARE Business Associates, even if they don’t access records; even if data is encrypted
- Ransomware Attack is a Data Breach
- Can only charge $6.50 for a medical record copy unless you do a complete cost analysis
HIPAA Outlives You by 50 years
You Can Lose Your LicenseConfidentiality is a Licensing and Certification Requirement
Data is Worth More Than Gold
NIST CSF
- Voluntary Cyber Security Framework for all businesses
- Developed through Government & Private Sector collaboration
- Maps to HIPAA & state requirements
- 41 pages
- Flexible
- Good defense
Focus of Most IT Departments vs. Expand Your Focus: NIST CSF
Actual Assessment Findings
Previous Audits
- “Compliant!” “Secure!”
- Accounting firm: 22-year-old college graduate with a checklist
- Self-assessments
Client Example
Client Assessment – Breach Liability
Client Assessment – Main Server
- 6,493 Social Security Numbers
- 404 Birth Dates
- 100 Visa card numbers
- 1 Mastercard
- 1 Amex
Client Assessment – Main Server
- No Encryption
- No Endpoint Protection
- Missing 80+ Patches
Client Example - Computers
- 27 Windows XP computers
- Windows 2003 Servers
- No Patches since April 2014
Client Example - Users
- 276 Users with Passwords that Never Expire
- 92 Users who have not logged in >30 days
- 78 Generic User Names (cannot identify user)
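As an added example (not from the presentation), the three user-account findings on this slide can be pulled from Active Directory with the RSAT ActiveDirectory module so an assessor works from data rather than assumptions; the 30-day window follows the slide, and the "generic name" heuristic (enabled accounts with neither GivenName nor Surname populated) is an assumption.

```powershell
# Added example: reproduce the three user-account findings from the slide
# (passwords that never expire, stale logons, unattributable user names)
# against Active Directory. Requires the RSAT ActiveDirectory module.
# Assumptions: 30-day inactivity window as on the slide; a "generic" account
# is approximated as an enabled user with neither GivenName nor Surname set.
Import-Module ActiveDirectory

$InactiveDays = 30

# Finding 1: enabled accounts whose password is flagged to never expire
$NeverExpire = @(Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
                    -Properties PasswordNeverExpires |
                 Select-Object SamAccountName, DistinguishedName)

# Finding 2: enabled accounts with no logon in more than $InactiveDays days
$Stale = @(Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
           Where-Object { $_.Enabled } |
           Select-Object SamAccountName, LastLogonDate)

# Finding 3: accounts that cannot be tied to a person (assumed heuristic)
$Generic = @(Get-ADUser -Filter { Enabled -eq $true } -Properties GivenName, Surname |
             Where-Object { [string]::IsNullOrWhiteSpace($_.GivenName) -and
                            [string]::IsNullOrWhiteSpace($_.Surname) } |
             Select-Object SamAccountName, DistinguishedName)

# Summary in the same shape as the slide
[PSCustomObject]@{
    'Users with passwords that never expire'  = $NeverExpire.Count
    "Users not logged in > $InactiveDays days" = $Stale.Count
    'Generic user names (no given/surname)'    = $Generic.Count
} | Format-List

# Keep the per-account evidence for the assessment file
$NeverExpire | Export-Csv .\finding-password-never-expires.csv -NoTypeInformation
$Stale       | Export-Csv .\finding-stale-accounts.csv -NoTypeInformation
$Generic     | Export-Csv .\finding-generic-accounts.csv -NoTypeInformation
```

Run it as a domain user with read access to the directory; the CSVs give the account-level detail that a regulator or auditor will ask for behind the counts.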
Audit Controls
So, how can we tell who accessed or copied the data?
- No Logging
- No Activity Reviews
Notice of Privacy Practices
- Did Not Meet Current Standards
- Not Properly Posted
Fees for Medical Records Copies
- Different fees for patients & lawyers
- Did not meet federal standards
- Overcharging everyone
Paper Records Not Secure
No Tested Incident Management Plan
10 Actionable Take-Aways
1. Security & Compliance are Executive Responsibilities. Involve Yours.
2. Identify ALL Your Compliance Requirements.
3. Base Your Decisions on Data, not Assumptions or Guessing.
4. Quantify Your Risks So You Know How Much to Invest in Security.
5. Implement an IT Security Framework with Certified Professionals.
6. Train Your Staff & Document Everything. Keep documents for 6 years.
7. Invest Enough to Protect Your Organization.
8. Get Your Own Independent Opinion before Regulators Give Theirs.
9. Have Experienced Experts Available for Compliance Complaints, Audits, Incidents, & Breach Response.
10. Treat Data Like !
For a Free Copy of How to Avoid HIPAA Headaches & our HIPAA Compliance Checklist
Text HEALTHIT to 844-335-3635, go to the link, and enter your information so we know where to send your book.