Conducting a HIPAA risk assessment is a legal requirement, and this webinar will equip healthcare organizations with the knowledge and tools necessary to fulfill this obligation. By understanding the risks that threaten the confidentiality, integrity, and availability of protected health information, organizations can take proactive measures to mitigate these risks and establish a robust compliance framework.
Attending the "How to Conduct a HIPAA Risk Assessment Webinar" will empower healthcare organizations to embark on a continuous risk assessment process, enabling them to stay informed about evolving threats and ensure ongoing compliance with HIPAA standards and implementation specifications. By embracing the insights and best practices shared in the webinar, organizations can strengthen their security posture and safeguard patient information effectively.
Register: https://conferencepanel.com/conference/how-to-conduct-a-hipaa-risk-assessment-and-the-surprising-danger-of-not-doing-one
HIPAA Compliance Made Easy: Conducting a Risk Assessment
1. How to Conduct a HIPAA Risk Assessment and the Surprising Danger of Not Doing One
by
Mark R. Brengelman, JD, MA
Attorney at Law
Frankfort, Kentucky
2. About Mark R. Brengelman
• Holds Bachelor's and Master's Degrees in Philosophy from Emory University, Atlanta, Georgia
• Earned a Juris Doctorate from the University of Kentucky College of Law, Lexington, Kentucky
• Served out a successful twenty-year career with state government in Kentucky, including…. now in private practice since 2012
• Was a former Assistant Attorney General assigned to multiple state licensure boards in health care and other professions – General Counsel and Prosecuting Attorney
• Has presented Continuing Education for over 50 national and state organizations and private companies, including the Kentucky Office of the Attorney General, the Kentucky Bar Association, the National Attorneys General Training and Research Institute, and the Federation of Associations of Regulatory Boards and eight of its member associations in psychology, physical therapy, dentistry, nursing, veterinary medicine, emergency medical services, state licensed contractors, and athletic trainers
• Has represented all three branches of state government and now a local municipality in governmental ethics and now a state licensure board
Represents:
• licensees before state boards and in other professional matters
• two government ethics commissions and a state board
• parents and kids in confidential child abuse and neglect cases, termination of parental rights, and adoption proceedings
I help health care practitioners, kids/parents, and government agencies navigate the law and ethics and make the rules understandable as applied to them.
3. Based upon the content of this program, you will be able effectively to identify:
• Risk assessment under the HIPAA laws
• Vulnerability, threat, and risk analysis
• Scope of risk assessment
• Identifying potential threats and vulnerabilities
• Assessing security measures in place
• Determining threat occurrence, likelihood, and impact
• Finalizing documentation of the risk assessment
• Regular review and updates to the risk assessment for new employees, new laws, and new technology
• The surprising danger of not doing a HIPAA risk assessment
How to Conduct a HIPAA Risk Assessment
3
4. Disclaimer! Goals of the content of this program – what this does and does not cover:
• Does provide a broad overview of federal Risk Assessment under HIPAA in health care
• Does not cover everything about Risk Assessment or everything about how these apply to any specific health care entity (e.g., hospital, clinic) or health care practitioner (e.g., dentist, physician)
• Does educate the person attending to ask the right questions in their own profession/health care entity about compliance with federal law and Risk Assessment under HIPAA
Additional disclaimers:
• I do not practice Risk Assessment in HIPAA cases or consult on them
• I do work in health care regulatory law and professional licensure where there are legal standards of confidentiality – comparison of professional licensure law confidentiality and HIPAA
5. Basics of federal HIPAA Risk Assessment – the importance of HIPAA:
• HIPAA risk assessments help in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information
• A risk analysis is a requirement in federal law
• Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications of HIPAA
• Your health care organization should determine the most appropriate way to achieve HIPAA compliance, taking into account the characteristics of the organization and its environment
• Your health care agency must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information
• In addition to an express requirement to conduct a risk analysis, the HIPAA law indicates risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications
• The outcome of the risk assessment process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate
6. Risk Assessment under the HIPAA laws:
• The National Institute of Standards and Technology (NIST) helps organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment
• Users include HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services
• The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched the HIPAA Security Risk Assessment (SRA) Tool
• The SRA tool’s features make it useful in assisting small and medium-sized health care practices and business associates in complying with HIPAA’s Security Rule
7. Vulnerability, threat, and risk analysis:
• Risk Analysis is a requirement in 45 CFR § 164.308(a)(1)(ii)(A)
• Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule
• A risk analysis is foundational, and must be understood to address the specific safeguards and technologies that will best protect PHI
• The Risk Assessment guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement; it clarifies expectations for organizations working to meet the requirements
8. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• Examine a landmark settlement in the amount of $650,000 levied against a business associate entity of a nursing home system for improper HIPAA security violations involving an everyday device we all rely on and keep in our pockets – a cellular telephone – here a smartphone
• The U.S. Department of Health and Human Services investigated a security breach involving multiple nursing homes and hundreds of itemized violations of the HIPAA security rule; ultimately, this civil settlement was reached to resolve the matter
• Note: the civil settlement was with the U.S. government, not with private patients for money damages (no information that any person sued for that)
• How does the security rule apply to the use of cell phones by health care providers?
• How could violations result in a whopping $650,000 administrative fine?
• This extraordinary administrative fine was not the end of the matter, but was the start of a compliance period designed to rectify these violations
9. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• “Catholic Nonprofit To Pay $650K Settlement In HIPAA Breach” – from Law360, June 30, 2016:
• Catholic health non-profit – paid $650,000 in HIPAA-related penalties
• Stolen mobile device compromised the protected health information of hundreds of nursing home residents
• Agreement between the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) and the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), includes implementation of a corrective action plan for allegedly breaching HIPAA security laws
• “Business associates must implement the protections of the HIPAA security rule for the electronic protected health information they create, receive, maintain or transmit from covered entities,” Jocelyn Samuels, director of the OCR, said in a statement
• This landmark 2016 agreement dated back to violations starting February 2014
• Six separate nursing homes for which CHCS provided management and information technology services complained to OCR about a breach of unsecured electronic protected health information
10. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• “Catholic Nonprofit To Pay $650K Settlement In HIPAA Breach” – from Law360, June 30, 2016:
• Breach involved the theft of a CHCS-issued employee iPhone
• Note: maybe the only thing they did right! Recommendation on employer-issued electronics, but there must be follow-up with all that
• History: OCR enforces federal standards around privacy and security for people's health information and launched an investigation in April 2014 into CHCS's non-compliance with HIPAA
• The investigation found the security policies and procedures did not comply with the federal standards that govern the protection of individually identifiable health information
• The iPhone was unencrypted, with no password, and contained extensive personal information, including Social Security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information
11. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• “Catholic Nonprofit To Pay $650K Settlement In HIPAA Breach” – from Law360, June 30, 2016:
• At the time of the theft, CHCS did not have policies that addressed what to do in the event of a security incident, such as mobile devices containing personal health information stolen from its facility
• CHCS also did not have in place any risk analysis or management plan
• Note: if they had had one, would it have identified this weakness? Would anybody have asked about using passwords, etc.?
• Since September 2013 (until 2014), CHCS has not conducted required assessments of the potential risks and vulnerabilities to the confidentiality and availability of the electronic personal information it holds, nor has it implemented security measures to sufficiently reduce those risks and vulnerabilities
• These are both HIPAA violations on their own – did not have to wait for an actual breach, but this actual breach revealed this violation, so now you have multiple problems
• The $650,000 fine was not enough!
12. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• “Catholic Nonprofit To Pay $650K Settlement In HIPAA Breach” – from Law360, June 30, 2016:
• CHCS must revise and maintain its written policies and procedures, including password management, login monitoring, data backup plans, and security-related training for employees who have access to people’s health data
• The agreement may result in further action against the non-profit under HIPAA rules if there is non-compliance – two-year monitoring process
• “Corrective Action Plan” – attached as Appendix A to the agreement
• Note: I have the entire Agreement
• How did we get to $650,000? I have not done the math, but . . . .
• 412 individuals were ultimately affected by the combined breaches
• Let us do the math: that is $1,000 per person, and other amounts for the other HIPAA non-compliance issues
• Doesn’t insurance pay for all of that? Not!
13. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• “Catholic Nonprofit To Pay $650K Settlement In HIPAA Breach” – from Law360, June 30, 2016:
• This is my speculation – the Agreement does not itemize the amount
• No admission of liability (how can I secure a $650,000 fine when no one did anything wrong?!?!?)
• Note: No reports of unauthorized access to patient information on the stolen mobile phone; all potentially affected individuals were timely notified (now that is a HIPAA requirement they apparently met)
• From the OCR itself:
• Press release issued in the case for all the world to see – this reflects the public nature of final action by the federal government’s OCR
• Unsure if CHCS issued its own press release – it sure could
• Is this the future of HIPAA enforcement? Two-thirds of a million dollars?
• “Business Associates Beware: More HHS Enforcement Ahead” – from Law360, July 18, 2016:
14. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• Is this the future of HIPAA enforcement? Two-thirds of a million dollars?
• “Record $5.5M HIPAA Deal Foreshadows Future Enforcement” – from Law360, August 23, 2016:
• In August 2016, Advocate Health Care System agreed to pay a then-record $5.55 million to settle a variety of HIPAA violations; two-year corrective action plan and numerous corrective actions to remedy the described failures
• Two-year corrective action plan seems consistent
15. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• Is this the future of HIPAA enforcement? Two-thirds of a million dollars?
• “Record $5.5M HIPAA Deal Foreshadows Future Enforcement” – from Law360, August 23, 2016:
• Advocate was the largest health system in Illinois and operated more than 400 sites of care and 12 acute care hospitals
• Statement: “The OCR has entered into settlement agreements in the past few months for increasing amounts of $650,000, $2.7 million, $2.75 million, and the Advocate settlement of $5.5 million”
16. The $650,000 HIPAA violations case – the surprising danger of not doing a HIPAA Risk Assessment:
• Is this the future of HIPAA enforcement? Two-thirds of a million dollars?
• “Business Associates Beware: More HHS Enforcement Ahead” – from Law360, July 18, 2016:
• Reported as the first time a Business Associate entered into a resolution agreement
• Factors: shaped by the size and services of the business associate, non-profit status where a higher fine may impact the ability of the entity to serve “vulnerable and underserved populations,” and the absence of risk analysis and risk management
• Nothing like a $650,000 fine to get your attention – and the industry’s
17. Summary and tips for avoiding liability and risk:
For individual health care practitioners:
• Read and understand your profession’s practice act and know what current practice standards are and current confidentiality in general – usually the standards are very broad in professional licensure
• Follow the appropriate standard of care
• Use a nationally recognized and “HIPAA compliant” software and medical records system
• Train all your staff and re-train them
18. Summary and tips for avoiding liability and risk:
For health care facilities:
• Know your HIPAA confidentiality or hire someone who does – your facility is liable
• Have regular training on HIPAA rules for everyone (employees/volunteers) – recommended annual training for anyone who has access to PHI
• Document your facility’s Risk Assessments accurately – that is your best defense to a federal HIPAA investigation that will mitigate damages if there is a security breach
• Outsource HIPAA Risk Assessment where necessary
• But large entities will have their own IT and HIPAA compliance offices, so just do that!