HIPAA Threats and Breaches



If you are entrusted with protected health information, you have the responsibility to protect that data from accidental or malicious exposure. Learn how and where to use resources to manage your risks in a cost-effective and efficient manner.

This ebook will provide:
• An easy-to-use risk assessment template
• A security checklist
• HIPAA required documentation forms for disclosures and breaches


  1. HIPAA Threats & Breaches, 2012. © 2012 Dexcomm. All Rights Reserved.
  2. Contents

     Why Perform a Risk Assessment? ............ 3
     How to Perform a HIPAA Risk Assessment .... 4
       Security Checklist
       Easy Risk Assessment Template
     HIPAA breaches can still happen ........... 6
     What If I've Discovered a Breach? ......... 7
       Accounting for Disclosures
       Documentation for HIPAA Breaches
     Who to Contact and When ................... 8
     The Dexcomm Difference .................... 9

     Our passion is properly serving customers. Operating as a 24/7/365 Telephone Answering Service and Medical Exchange since November of 1954, we have developed skills and techniques that allow us to delight a wide range of clients. As we have grown and prospered for over 50 years, we feel now is a great time to give something back to our customers, prospective customers and anyone seeking to improve their business success. Included in this book are tips and tools that we hope will make your job a bit easier each day. One of the great learning tools we have employed is the willingness to learn from our mistakes. Please take advantage of our many years of experience and avoid some of the pitfalls that we have learned to overcome. Our hope is that you and your office can adopt some of these tools to make your life a bit less complicated and allow you a bit more uninterrupted leisure time.

     Thanks for listening,
     Jamey Hopper, President, Dexcomm

     PLEASE NOTE - Our e-books are designed to provide information about the subject matter covered. It is distributed with the understanding that the authors and the publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional person should be sought.

     HIPAA COMMUNICATION EXPERTS. Share this e-book!
  3. Why Perform a Risk Assessment?

     The best answer to this question may be obvious...but it's the law! Aside from that, there are several good reasons to perform a HIPAA Risk Assessment in your office. A risk assessment can help you identify where your Protected Health Information (PHI) lies in your organization. From equipment to files, PHI is being stored everywhere....so, protect yourself. Don't let your office be another case study.

     01 Case Study: PHI for Personal Gain
     A licensed practical nurse (LPN) pled guilty to wrongfully disclosing a patient's health information for personal gain. The woman faces a maximum of ten (10) years imprisonment, a $250,000 fine or both. Having shared the patient's information with her husband, the husband contacted the patient and told the patient that he was going to use the information against him in an upcoming legal proceeding.

     02 Case Study: Employees & Facebook
     A temporary employee at a California hospital posted a picture of someone's medical record to his Facebook page and made fun of the patient's condition. Details of the health data breach indicate that the temporary employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient's full name and date of admission.

     03 Case Study: Fined $100K for Calendar
     A five-physician practice became the first small practice to enter into a resolution agreement that included a civil money penalty over charges that it violated the HIPAA Privacy and Security Rules. A complaint was filed alleging that the practice was posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible.

     Links: How does this affect me? | Techniques on preventing a breach | Are you at risk?
  4. How to Perform a HIPAA Risk Assessment (steps 01 to 04)

     01 Take Inventory
     Take an inventory in your office of equipment like hardware, software, operating systems, operating environment, remotes, removable media, mobile devices and backup media. Does it create, transmit or store e-PHI? If so, it falls under the HIPAA Security Rule and is relevant to this risk assessment.

     02 Define Vulnerability
     A vulnerability is a flaw or weakness in the system which could be exploited. Ask yourself, "is this a threat?" For example, "do vendors or consultants create, receive, maintain or transmit e-PHI on behalf of my office? If so, what are the potential threats?" In addition, ask yourself, "What are the human, natural and environmental threats to information systems that contain PHI?"

     03 Identify Controls
     Controls are security systems, firewalls or other regulators that are currently employed to protect PHI from threats.

     04 Classify Impact
     Each threat or vulnerability should be assessed in light of the impact the event would have on PHI and the IT system: loss of confidentiality (unauthorized use or disclosure); loss of integrity of the data (typos or missing information); or a loss of data availability (viruses and malware). Use numeric values, or "low", "medium", "high".

     Links: Guidance on Risk Analysis | Certified Health IT Product List | HIPAA Security considerations | Requirements under the HIPAA Security Rule, 45 C.F.R. § 164.306(b)(2)(iv)
  5. How to Perform a HIPAA Risk Assessment (steps 05 to 08)

     05 Identify Risk Level
     Compare the likelihood that the threat will be realized or become an event to the level of impact the risk, if realized, will have. Use the same value system as when classifying the impact: numeric values, or "low", "medium", "high".

     06 Employ Controls
     Consider whether the threat or its impact may be reduced or eliminated by employing a control method, such as stronger passwords, security patches, etc. This should also include a cost benefit analysis.

     07 Prioritize
     Assign a numeric value to designate level of priority. This will help you to achieve risk management based on that level of threat, impact and the availability of controls to reduce or eliminate the risk.

     08 Manage
     Develop and implement a risk management plan from the Risk Assessment. Implement, maintain and continuously evaluate security measures (controls).

     Links: Dexcomm's Security Checklist | Easy Risk Assessment Template
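As an added illustration of steps 01 to 07 above (example code written for this page, not a template from the Dexcomm e-book; the assets, ratings and dollar figures are constructed), a small risk register that keeps only e-PHI assets in scope, scores each risk from likelihood and impact on the same low/medium/high value system, weighs the proposed control's cost against the expected loss, and orders the risks for the management plan:

```python
from dataclasses import dataclass

# One value system for steps 04 (impact) and 05 (likelihood).
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Asset:
    # Step 01: inventory item; only e-PHI assets fall under the Security Rule.
    name: str
    handles_ephi: bool

@dataclass
class Risk:
    # Steps 02-06 for one asset (all dollar amounts are constructed figures).
    asset: Asset
    vulnerability: str          # step 02
    existing_controls: list     # step 03
    impact: str                 # step 04: "low" / "medium" / "high"
    likelihood: str             # step 05: same value system as impact
    proposed_control: str       # step 06
    control_cost: float         # step 06: what the control costs
    expected_loss: float        # step 06: loss if the event occurs

    def risk_level(self) -> int:
        # Step 05: likelihood compared against impact, 1 (low/low) to 9 (high/high).
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def net_benefit(self) -> float:
        # Step 06: cost-benefit of the proposed control (positive means worth doing).
        return self.expected_loss - self.control_cost

def in_scope(assets):
    return [a for a in assets if a.handles_ephi]

def prioritize(risks):
    # Step 07: highest risk level first, ties broken by the control's net benefit.
    return sorted(risks, key=lambda r: (r.risk_level(), r.net_benefit()), reverse=True)

# Constructed sample inventory and risk register.
laptop, fax = Asset("clinic laptop", True), Asset("lobby fax machine", True)
radio = Asset("waiting-room radio", False)   # no e-PHI: out of scope
RISKS = [
    Risk(laptop, "unencrypted disk, device may be lost", ["login password"],
         "high", "medium", "full-disk encryption", 200.0, 50000.0),
    Risk(fax, "misdialed number discloses PHI", ["cover sheet"],
         "medium", "medium", "confirm number before sending", 0.0, 5000.0),
    Risk(laptop, "missing OS security patches", ["antivirus"],
         "high", "high", "automatic patching", 100.0, 20000.0),
]
```

Step 08 is the plan built from `prioritize(RISKS)`: the top entries get their proposed control first, and the register is re-scored as controls are put in place.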
  6. HIPAA breaches can still happen.

     What do HIPAA breaches look like?
     • An internal or external party reports a violation
     • A review of server logs indicates unauthorized access
     • Equipment is reported lost or stolen

     01 Case Study: Costly Vendor Mistake
     A recent example of this accountability is a lawsuit filed by the Minnesota Attorney General against Accretive Health, Inc., a debt collection agency that is part of a New York private equity fund conglomerate. The agency has a role in managing the revenue and health care delivery systems at two Minnesota hospital systems. In 2011, an Accretive employee lost a laptop computer containing unencrypted health data about patients.

     02 Case Study: Unauthorized Access
     In the spring of 2010, Huping Zhou, a Chinese immigrant living in California, was fined $2,000 and sentenced to four months in prison. He continued to access private medical records through an electronic password-protected database. His previous supervisor, former co-workers and other high-profile celebrity patients were among those whose privacy Zhou violated over a three-week period in 2003.

     03 Case Study: Where is Your Laptop?
     A laptop computer containing patient records went missing from a Louisiana hospital. Information on the laptop contained PHI (protected health information) for 17,130 patients, gathered for a study from 2000 to 2008. A search was initiated as soon as the hospital learned of the disappearance of the missing device, which police are still investigating. The missing laptop has not resur-

     Links: Do your vendors get HIPAA? | How does this affect me? | Learn about mobile device breaches
  7. What if I discover a breach?

     01 Gather Information
     Ask who, what, when, where, how. Who was it disclosed to, how was it disclosed, when was it disclosed, etc.

     02 Make Contact
     Relevant parties may include patients, employees, authorities, media, Secretary of HHS.

     03 Define Resolution
     In cases where breaches happen, the medical office must communicate steps to prevent them from happening again. The HIPAA Security Rule also requires that you communicate this information to the relevant parties.

     04 Document
     Document each step you took to resolve the HIPAA breach.

     Links: Accounting for Disclosures | Documentation for HIPAA Breaches
  8. Who & When to contact for a breach

     Individual
       Under 500 records: No later than 60 days from the discovery of the breach, you must notify affected individuals in written form by first-class mail, phone or email.
       500 and over: No later than 60 days from the discovery of the breach, you must notify affected individuals in written form by first-class mail, phone or email.

     Media
       Under 500 records: Not applicable.
       500 and over: No later than 60 days from the discovery of the breach, you must notify prominent media outlets serving your state or jurisdiction.

     Secretary of HHS
       Under 500 records: On an annual basis, you must notify the Secretary of Health and Human Services.
       500 and over: No later than 60 days from the discovery of the breach, you must notify the Secretary of Health and Human Services.

     Covered Entity
       Under 500 records: If you are a Business Associate, you must notify the Covered Entity no later than 60 days from the discovery of the breach.
       500 and over: If you are a Business Associate, you must notify the Covered Entity no later than 60 days from the discovery of the breach.
  9. The Dexcomm Difference

     Since 1989, before the implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Dexcomm focused on and conducted confidentiality training because of our long history and understanding of the medical community we so proudly serve. We are committed to bring our award-winning service and in-depth knowledge of HIPAA to a new standard of excellence. Dexcomm experts have recently founded and instituted a national certification program for medical operators. This program is designed to develop a superior class of operators, who answer for the medical community, which will change the way our industry serves you. Visit us at www.dexcomm.com to learn more about the Dexcomm difference.

     Administrative Safeguards
     • Regular in-house training and instruction of HIPAA and HITECH
     • Education provided by a legal HIPAA consultant and RN
     • Background checks and regular drug screening of staff
     • An expert Security and Privacy Officer
     • All employees, visitors and contractors are required to sign confidentiality agreements upon entering

     Physical Safeguards
     • Password protected access to information and facilities
     • Proper destruction of documents and equipment

     Technical Safeguards
     • Multiple levels of encrypted data backup and security
     • Innovative secure messaging systems for mobile devices
  10. Better Business Associates by Design: Connecting Your Practice to the Resources You Need

     Conducting HIPAA Risk Assessments to protect your medical office is a must, but ongoing assessments and compliance are vital to ensuring protection. At Dexcomm, our business associates rely on our services to accurately take and deliver their messages while safeguarding their best interest legally as well as financially. Our Experts are continuously developing complimentary resources and tools to assist you in your success. To find out more, go to: dexcomm.com | dexcomm.com/resources | mybusinessheard.com | @sk the Expert

     Interested in Dexcomm's services? Get a Quote. Dexcomm, 877.339.2666. Corporate: 518 Patin Rd., Carencro, LA 70520