PYA Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant, presented at the TSCPA Health Care Conference. His presentation, “HIPAA Security Trends and Future Expectations,” focuses on:
- Current HIPAA enforcement activities and future developments.
- Case studies that highlight the changing HIPAA landscape.
- Cyber threats that impact covered entities and business associates.
The Most Wonderful Time of the Year for Health-IT...NOT (Compliancy Group)
This document discusses cybersecurity threats facing the healthcare industry. It notes that attacks are rising, with various types of vulnerabilities being exploited through phishing and malware. Recent healthcare breaches are described where patient data was compromised. Legislation around data privacy, such as HIPAA and PCI, is changing to increase protections and penalties for noncompliance. Lessons from the troubled Healthcare.gov rollout emphasize the importance of thorough testing. The document advocates that healthcare organizations understand their risks and have plans to securely manage and protect sensitive patient data across different locations and systems. It promotes the use of data masking and de-identification tools to reduce copies of identifiable data.
The document outlines best practices for securing healthcare data in the cloud. It discusses how healthcare organizations are increasingly adopting cloud services but have concerns about data security. Breaches of healthcare data are common due to the high value of medical records on black markets. The document then provides recommendations for securing data, including understanding what data needs to be in the cloud, defining access policies, complying with regulations like HIPAA, and using encryption or tokenization techniques. Following these best practices can help healthcare organizations take advantage of cloud services while maintaining strong data security.
HIPAA Security Audits in 2012 - What to Expect. Are You Ready? (Redspin, Inc.)
Within the 2009 American Recovery and Reinvestment Act (ARRA) was a legislative gem, the HITECH Act. HITECH provided a much needed “shot in the arm” (no pun intended) for the vanguard of healthcare technology advocates (including industry leaders, academics, economists, politicians, and concerned citizens), who had been promoting the necessity of modernizing the U.S. healthcare system for years.
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach (EMC)
The passage discusses how the HITECH Act updated and strengthened the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). It made HIPAA compliance more important and challenging for covered entities by extending requirements to business associates, increasing penalties, and requiring stricter auditing and breach notification. To comply with HIPAA, organizations need to implement an access governance framework that provides a unified view of user access across systems and enables dynamic access management, audit capabilities, and prevention of inappropriate access. The increased focus on compliance under HITECH presents an opportunity for organizations to improve access risk management and security.
This white paper discusses the various cyber threats targeting healthcare organizations and the challenges security professionals face in securing access to protected health information.
Healthcare IT thought leadership and practice managers continually seek ways to foster a culture of alertness when it comes to HIPAA compliance. They have the dual challenge of staying on the right side of federal regulators and stopping would-be hackers. This is especially true given the potential impact a data breach can have on their organization’s reputation and bottom line. By reflecting on 2015, it becomes clear that covered entities and business associates alike will continue to prepare to mitigate the threat of cyber-attacks and the planned ramp up of OCR Phase 2 Audits.
HIPAA Compliance Tune-up for 2016 is the topic of this webinar, which focuses on mitigation strategies that Covered Entities and BAs alike can take to minimize the risk of a data breach or of actions prompting an OCR audit.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
Redspin & Phyllis and Associates Webinar - HIPAA, HITECH, Meaningful Use, IT Security (Redspin, Inc.)
Slides from our 1/20/2011 webinar - HIPAA & HITECH Requirements, Compliance, Meaningful Use, and IT security assessments...we know it’s confusing!
Let’s focus on what you need to know!
The document provides a summary and analysis of data breaches of protected health information (PHI) reported to the Department of Health and Human Services from 2009 to 2012. Some key points:
- There were 538 large breaches affecting over 21 million patient records since 2009.
- In 2012, there were 146 breaches affecting over 2.4 million people, though this was a significant decrease from previous years.
- Theft and loss of devices like laptops and backup disks accounted for many breaches, though hacking incidents increased in 2012 with one breach affecting 780,000 records.
- Breaches involving business associates, who are now directly liable under new rules, have impacted over 12 million patient records in total since
HIPAA Security Risk Analysis for Business Associates (Redspin, Inc.)
An 8-slide primer on why Business Associates should conduct a HIPAA Security Risk Analysis to meet their new compliance and risk management needs. Includes updates from the HITECH Act and the HIPAA Omnibus Rule.
What Is Security Risk Analysis? By: MedSafe
What exactly is a Security Risk Analysis? Most practices ask, we deliver. This presentation covers all you should be concerned with. Go to www.MedSafe.com for more information!
Malware infiltration, spear phishing, data breaches...these are terrifying words with even more frightening implications. These threats are hitting the technology world hard and fast and can no longer be ignored.
This document discusses why information security is now a business-critical function for law firms. It notes that law firms now rely heavily on information systems and electronic data, but this increased use of technology also brings greater risks. The document outlines five reasons why law firms need to make information security a priority: 1) the sensitive nature of legal information, 2) the large amounts of valuable data law firms store, 3) reliance on trusted information systems for business functions, 4) the widespread adoption of various systems and technologies, and 5) growing compliance requirements regarding data protection. It stresses that law firms must understand the security threats and risks in order to adequately protect their systems and client data.
This document discusses the importance of HIPAA compliance and being prepared for audits. It outlines 10 methods organizations can take to secure protected health information and satisfy auditors. These include installing smart filters to detect and encrypt sensitive data in emails and attachments, ensuring secure data transfer between systems and partners, and implementing an auditable secure messaging system to track messages and prove compliance. The document is promoting the services of DataMotion to help healthcare organizations address HIPAA requirements and security challenges.
The document discusses preparing for and responding to cybersecurity incidents and data breaches. It provides an overview of Breach Education Alliance, an integrated team approach for responding to breaches. It then discusses best practices for security investigations, including establishing goals and understanding common causes of incidents. Potential mistakes in investigations and security are outlined. The document emphasizes training employees, understanding your environment and business risks, and having the proper resources in place before, during and after a security incident.
HIPAA compliance for Business Associates - The value of compliance, how to acq... (Compliancy Group)
HIPAA compliance for Business Associates has become critical as you deal with medical professionals. During this webinar we will explain the law, what Business Associates need to know and do, and how to differentiate your firm in order to acquire new clients and retain current ones.
In this webinar, we will discuss:
-The steps on how to become HIPAA compliant as a Business Associate
-What an effective BAA should include
-How to help existing and new healthcare clients with compliance
-Why it is important to differentiate yourself as HIPAA compliant
The document analyzes data breach records from 2005-2015 to examine trends by industry. It finds that healthcare, education, government, retail, and finance were most commonly affected, accounting for over 80% of breaches. Personal information was the most frequently stolen record type, compromised through various methods like device loss, insider leaks, and hacking. The analysis also looks specifically at breach trends in the healthcare industry, where loss of portable devices like laptops was a primary source of compromises.
Where in the world is your PII and other sensitive data? by @druva inc (Druva)
This document discusses the growing problem of businesses failing to adequately protect consumers' personal information. It notes that personal data has become increasingly dispersed across mobile devices and cloud computing. While this increases risks, many businesses are not taking proper steps to identify, locate, and protect sensitive personal data from unauthorized access and data breaches. The document provides recommendations for businesses to better secure personal information by identifying where it is stored, limiting access, implementing secure technologies, and automating risk identification.
The HIPAA Security Rule sets out strict guidelines for Covered Entities to maintain electronic records of their protected health information.
Fortunately, Omnibus allows Covered Entities to share access to their ePHI with third-party experts called Business Associates, and specifically identifies cloud service providers as viable options. This webinar will review how to leverage the cloud to safeguard your organization’s ePHI, including:
· What HIPAA requires.
· How to assess your current protection level.
· Bridging the gap between your protection level and HIPAA requirements.
This document discusses the challenges organizations face with effectively managing large amounts of information. It notes that by 2017, 33% of Fortune 100 organizations will experience an information crisis due to their inability to govern and trust their enterprise information. It outlines services from Berkeley Research Group to help organizations develop an information governance framework, including assessing their current state, creating policies, implementing records management, ensuring legal holds, and classifying data for privacy, security, and records scheduling. The goal is to enable organizations to defensibly dispose of up to 70% of stored data.
Many healthcare organizations assume that patient data, as covered under HIPAA, is the primary target of hackers. However, cybercriminals operate with the objective of attaining as much valuable data as possible. This data is usually in the form of employee HR data like direct deposit, social security and any other information that would enable identity theft.
Dental Compliance for Dentists and Business Associates (gppcpa)
This presentation will discuss covered entities and protected health information (PHI) as they relate to dental practices and the business associates of those practices. It will update you on major legislation relating to patient privacy laws and explain why PHI is important and the consequences of non-compliance with state and federal laws.
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance (Rapid7)
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
Guide to HIPAA compliance for containers (Abhishek Sood)
The challenge with HIPAA is that it doesn’t define, at a detailed level, the countermeasures you must put in place to comply with its Security Rule.
With the advent of microservices it is likely that many new healthcare apps are being built with containers, changing how you will secure compliance for them.
In this extensive, 38-page white paper, discover how to achieve compliance with the HIPAA Security Rule for containerized workloads in healthcare apps.
This document discusses strategies for complying with the EU's General Data Protection Regulation (GDPR) which takes effect in May 2018. It outlines five key security challenges that the GDPR addresses: 1) mobile workers accessing systems remotely, 2) privileged users having broad access rights, 3) risks from ransomware and malware, 4) insecure employee onboarding and offboarding processes, and 5) lack of accurate auditing and reporting on personal data access. The document then provides recommendations for addressing each challenge through strategies like context-aware access controls, dynamic user privileges, whitelisting applications, automating user provisioning and deprovisioning, and improved logging and reporting of personal data access.
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson... (Don Grauel)
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
What Covered Entities Need to Know about OCR HIPAA Audits (Iatric Systems)
Learn how to be better prepared to comply with today's patient privacy rules and regulations.
Hosted by HealthITSecurity.com, you'll get insight directly from HIPAA officer Iliana L. Peters, J.D., LL.M. As senior advisor for HIPAA Compliance and Enforcement, she is today's leading source for understanding HIPAA requirements.
Ms. Peters presents OCR’s 2017 to 2018 goals and objectives and tells you how you can:
-Uncover the patient privacy risks and vulnerabilities in your healthcare organization
-Determine where you can use technology to assist in and encourage consistent compliance
-Manage risk when vendors have access to your patient data
Healthcare organizations (HCOs) are facing three major IT security and compliance challenges. First, IT regulations such as HIPAA are getting stricter and enforcement actions are becoming more common and costly...
The document discusses best practices for securing healthcare data stored in the cloud. It notes that while cloud-based applications can improve patient care and reduce costs, data security concerns prevent many healthcare organizations from fully utilizing the cloud. Breaches of healthcare data are common due to the high value of medical records on the black market. The document recommends using a cloud data protection platform to encrypt or tokenize sensitive data before it is sent to the cloud. This protects the data while still allowing cloud-based applications to function properly. It provides best practices for healthcare organizations to classify data assets, control access, develop security policies, and comply with regulations like HIPAA to securely leverage cloud computing.
PYA Principal Barry Mathis presented “Hot Topics in Privacy and Security,” at the Florida Hospital Association's 14th Annual Health Care Corporate Compliance Education Retreat.
The presentation explored:
• Changes in the privacy and security ecosystem.
• Emerging technology risks and hot topics.
• What happens to hacked data.
• How to best protect data.
Healthcare Compliance: HIPAA and HITRUST (ControlCase)
ControlCase discusses the following:
• Healthcare compliance in general
• What is HIPAA
• What is HITRUST
• How do they relate?
• Advantages of being HITRUST certified
The document discusses risk management in companies. It provides questions for senior executives and IT executives about risks to the business from data security, regulatory compliance, and technological issues. It also summarizes statistics about the high costs of data breaches for companies and discusses how outsourcing some risk management functions can help companies focus on compliance in today's complex regulatory environment.
1) Many common myths exist around which organizations need to comply with security and compliance standards like HIPAA, PCI DSS, SSAE 16, and ISAE 3402. In reality, these standards apply to more organizations than commonly thought.
2) Achieving compliance across multiple locations and facilities is challenging but provides organizations assurance their controls and security measures are consistently applied.
3) 365 Data Centers is highlighted as one of the few data center providers to achieve compliance certification across all of their facilities, demonstrating their ability to consistently meet stringent industry standards.
The document discusses challenges in managing sensitive patient data for healthcare organizations and compliance with regulations like HIPAA. It summarizes a report that found 94% of organizations surveyed experienced a data breach in the past two years, but many lacked response plans or tools to determine breach size and cause. The document promotes a company's HIPAA assessment and compliance training services, arguing that proper information governance is important given laws like HIPAA and the risks of lawsuits and fines from data mishandling.
The document summarizes the current security and privacy landscape based on a presentation by insurance professionals. It outlines the latest threats such as identity theft and data breaches. It discusses regulatory environments like data breach notification laws and privacy acts. It also provides examples of security and privacy insurance claims that have been paid out to cover costs from data breaches and privacy violations.
Insider Breaches and Data Theft by Employees and Contractors (ButlerRubin)
Daniel Cotter, attorney at Butler Rubin (http://www.butlerrubin.com/) examines the risk of cybersecurity and data theft by employees and contractors within an organization, and what you can do to prevent it, including:
What types of risks are presented by insiders and contractors?
How to effectively establish policies and procedures to decrease exposure to employee breaches and thefts?
How to effectively manage third party vendors and their access to your data?
How to design an effective privacy program?
How big a problem are employees and contractors to your data security?
For more information on Daniel Cotter, go to http://www.butlerrubin.com/attorneys/daniel-a-cotter/.
It is now more important than ever to ensure your breach security is on par or better than the rest of the industry. Review these slides to ensure you understand the regulations surrounding patient privacy and how to prevent future breaches.
2013-11 Growing Trend of Finding Regulatory and Tort ... (Raleigh ISSA)
Invited speaker: “Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches”
with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law
This document discusses the importance of HIPAA compliance and being prepared for audits. It outlines 10 methods organizations can take to secure protected health information and satisfy auditors. These include installing smart filters to detect and encrypt sensitive data in emails and attachments, ensuring secure data transfer between systems, enabling secure internal and external communications, automating workflows to reduce errors, and implementing an auditable secure messaging system. The penalties for noncompliance with HIPAA are also highlighted.
This document provides information on how to implement HIPAA compliance. It begins by explaining what HIPAA is and who it impacts, such as health care providers, health plans, and clearinghouses. It defines protected health information and the obligations of covered entities and business associates. It emphasizes the importance of having business associate agreements, security policies, training programs, and conducting audits. It provides tips for securing data transmission, backups, access controls, and shredding paper records. The document stresses that HIPAA compliance is essential to avoid penalties for violations and data breaches.
This document summarizes a presentation on data breaches. It discusses the current breach landscape, with billions of records compromised annually worldwide. It provides tips for responding to breaches, including assembling a response team, conducting investigations, and effecting notices. It also covers developments in US and foreign data privacy laws, including the Massachusetts Data Security Requirements and new rules in India. Litigation and insurance issues related to data breaches are also summarized.
This webinar discusses HIPAA compliance and preparing for audits. It covers increased fines for noncompliance, mandatory audits by HHS, and documentation required. Attendees will learn about recent rule changes, audit procedures, and how to develop security policies to meet requirements. The webinar founder has 30 years of healthcare compliance experience and will provide tools and best practices for avoiding penalties.
This document provides a three-step plan for healthcare providers to strengthen cybersecurity:
1) Conduct a cybersecurity risk assessment to identify vulnerabilities
2) Purchase cyber insurance to transfer some risks and costs of breaches
3) Consider moving data and IT services to a qualified cloud provider that specializes in healthcare security and compliance. Outsourcing to an experienced cloud provider can improve capabilities while potentially reducing long-term costs compared to maintaining IT systems in-house.
What is HIPAA Compliance?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It specifies rules for the protection and use of Protected Health Information (PHI) - essentially, your medical record - and sets the standard for protecting sensitive patient data. The Administrative Simplification provisions of the Act (HIPAA, Title II) require the U.S. Department of Health and Human Services (HHS) to adopt certain national standards. These cover electronic health care transactions, and national identifiers for providers, health plans, and employers.
Physical, network, and process security measures are involved. The HIPAA Privacy Rule covers the saving, accessing and sharing of medical and personal information for any individual. The HIPAA Security Rule outlines national security standards to protect health data created, received, maintained or transmitted electronically - also known as electronic protected health information (ePHI).
Meeting these standards? That's compliance.
Similar to HIPAA Security Trends and Future Expectations (20)
“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting” (PYA, P.C.)
PYA Principal Martie Ross spoke at the virtual North Carolina Healthcare Association Critical Access Hospital Statewide Meeting. The two-day event, “Quality Focus is a Finance Focus,” provided critical access hospital leaders with the opportunity to network and review data-informed strategies as well as updates to the Medicare Flexibility Program Project. It also provided guidance on federal compliance and tracking of Provider Relief Funds.
In “CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting,” Martie gave an overview of the history of distribution of those funds as well as regulations and guidelines including:
Statutory Language
Reporting Requirements
Use of Funds Calculation
Expenses
Risk Management
Martie presented Thursday, March 4, 2021.
If you would like guidance related to Provider Relief Fund regulations, or for assistance with any matter related to strategy and integration, compliance, or valuation, contact one of our PYA executives at (800) 270-9629.
PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc... (PYA, P.C.)
The Georgia Hospital Association (GHA) Compliance Officers Roundtable, an active GHA group that meets quarterly and includes educational sessions featuring government representatives, industry experts, and other thought leaders speaking about compliance-related issues, conducted their latest meeting virtually. PYA Principals Lori Foley, Tynan Kugler, and Valerie Rock were among the presenters at this quarter’s event. In their session, they:
Described key elements associated with 2021 E/M changes, and strategies for preparation and implementation.
Explained the impact of 2021 E/M changes on physician compensation and contracting, including potential mitigation approaches.
Presented key components of Stark Law and Anti-Kickback Statute final rules.
Provided an update on the CARES Act.
The Compliance Certification Board offered CEUs for this event, which took place on Friday, December 4, 2020.
Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo... (PYA, P.C.)
On October 22nd, the Department of Health and Human Services released revised Provider Relief Fund (PRF) reporting requirements. Under HHS’ September 19 directive, “lost revenue” was defined narrowly as a negative change in year-over-year patient care operating net income. Now, HHS will permit providers to use PRF funds to cover the difference between their 2019 and 2020 actual patient care revenue with some adjustments for COVID-related expenses. The October 22nd notice is available here.
PYA Principals Martie Ross and Michael Ramey hosted a complimentary 30-minute webinar, “Trick or Treat? October 22nd Revisions to Provider Relief Fund Reporting Requirements” on Thursday, October 29th.
“Regulatory Compliance Enforcement Update: Getting Results from the Guidance” (PYA, P.C.)
PYA Principal and Chief Compliance Officer Shannon Sumner and Consulting Senior Manager Susan Thomas presented “Regulatory Compliance Enforcement Update: Getting Results from the Guidance” at the virtual 2020 Montana Healthcare Conference. They reviewed the sources of regulatory enforcement and investigation information—guidelines, statutory updates, best practices, settlements, case studies, etc.—available to healthcare organizations. They also discussed how to interpret and implement the guidance in order to strengthen the compliance function and protect the organization. The presentation covered:
Compliance regulatory requirements for healthcare organizations.
Guidance available for consideration in organizational compliance programs.
Internal and external reporting to ensure regulatory requirements are met.
Best practices for implementation of guidance.
Case studies for illustration of guidance implementation.
“Federal Legislative and Regulatory Update,” Webinar at DFWHC (PYA, P.C.)
The Dallas Fort Worth Hospital Council (DFWHC) and PYA co-hosted an exclusive complimentary webinar, “Federal Legislative and Regulatory Update,” on Wednesday, September 23.
DFWHC President/CEO Stephen Love hosted a discussion with PYA Senior Manager Kathy Reep about concerns that have dropped from the radar during the last four months of COVID-19, addressing issues for which hospitals must prepare in approaching 2021. This session focused on these key areas:
Appropriate use criteria
Transparency
Site neutral payments
The future of the Medicare Trust Fund
The federal budget
Key provisions of the final rule for the inpatient prospective payment system for FY2021 and the proposed outpatient rule for CY2021
On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir... (PYA, P.C.)
On September 19, the Department of Health and Human Services (HHS) published its Post-Payment Notice of Reporting Requirements. The Notice details the reporting requirements for all Provider Relief Fund (PRF) recipients that have received $10,000 or more in aggregate payments.
Under the PRF Terms and Conditions, a recipient may use the funds only for healthcare-related expenses and lost revenue attributable to coronavirus. The Notice provides the clearest direction to date regarding permissible uses of PRF funds.
PYA offered a 45-minute complimentary webinar that explained the new reporting requirements and delved into permissible uses. While many questions remain, we provided practical advice on the next steps in the reporting process.
The webinar took place Monday, October 5 at 11 a.m. EDT.
Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I... (PYA, P.C.)
The proposed rule would significantly impact physician compensation by re-valuing outpatient E/M services. It increases reimbursement for E/M codes but reduces the conversion factor, resulting in higher payments for some specialties and lower payments for others. This redistribution could increase revenue for specialists providing many E/M services but decrease revenue for proceduralists. Employers may need to adjust physician contracts to account for these changes. The rule also introduces new E/M guidelines and codes effective 2021, requiring preparation from medical practices.
Webinar: “Cybersecurity During COVID-19: A Look Behind the Scenes” (PYA, P.C.)
Cybersecurity breaches have been in the news almost daily for some time now. COVID-19 has amplified the problem, as “bad actors” seize upon the opportunity to take advantage of hospitals at their most vulnerable time. Given this climate and an aging HIPAA rule, it is difficult to anticipate and prepare for the future.
PYA Principal Barry Mathis presented “Cybersecurity During COVID-19: A Look Behind the Scenes,” on Wednesday, August 12, 2020. This one-hour, complimentary webinar was hosted by PYA in conjunction with the Montana Hospital Association as Part 2 of the Frontier States Town Hall Meeting.
Barry covered information related to HIPAA, cybersecurity, and a special behind-the-scenes view into the tradecraft of bad actors. This unique presentation included:
Recent enforcement trends by the Office for Civil Rights.
The current environment for ransomware.
An opportunity to watch as Barry logs onto the Dark Web and shows you first-hand how bad actors operate.
Ideas for managing cybersecurity threats.
On Friday, August 21, 2020, a webinar co-hosted by PYA prepared hospitals for a new rule taking effect on January 1, 2021, to address price transparency in healthcare. The Centers for Medicare & Medicaid Services published a rule in November 2019 requiring hospitals to establish, update, and make public a list of their standard charges for items and services they provide. In addition to the current requirement to post standard charges on their websites, the Final Rule requires hospitals to publish online, in a machine-readable format, their payer-specific negotiated rates for 300 “shoppable” services and their standard charges for all items and services provided, defined as the gross charge, payer-specific negotiated charges, discounted cash price, and the de-identified minimum and maximum charges.
As we approach January 2021, it is vital that hospitals understand the requirements of the pricing transparency rule and options for compliance. It is unlikely that this rule will “go away”–court decisions are always subject to appeal, and there is even concern that Congress is considering action that would transform these requirements from regulation to legislation.
During the complimentary webinar, PYA Senior Manager Kathy Reep discussed hospital requirements related to pricing transparency, and Chris Kenny, Partner in the Washington, D.C., office of King & Spalding, addressed concerns related to compliance and the legal challenges associated with the final transparency rule.
This webinar was presented in conjunction with:
Dallas-Fort Worth Hospital Council
Florida Hospital Association
Georgia Hospital Association
Kansas Hospital Association
Louisiana Hospital Association
Montana Hospital Association
Not a surprise to most — healthcare is making headlines on an international level. Though not front and center, still of importance to the hospital community are issues working their way through government agencies and the legislature.
As one of the keynote speakers of this year’s virtual Florida Institute of CPAs Health Care Industry Conference, PYA Senior Manager Kathy Reep presented a “Federal Legislative and Regulatory Update.” She covered a number of current issues affecting healthcare providers, including:
Price transparency.
Congressional action on surprise billing.
The Administration’s budget for 2021.
Medicare proposed rules related to hospital inpatient payments and post-acute care for FY2021.
The virtual event took place June 23-24, 2020.
Webinar: Post-Pandemic Provider Realignment — Navigating An Uncertain Market (PYA, P.C.)
The COVID-19 pandemic will materially affect U.S. provider industry structure, as financial weaknesses are exposed, risk tolerances are tested, and uncertainties persist. As a result, provider mergers-and-acquisitions (M&A) activities across industry sectors will likely spike in the short- to medium-term future. Providers of all types need to be aware of, and prepared for, the changes they will face.
In this 45-minute joint webinar, PYA Principal Brian Fuller and Juniper Advisory Managing Director Jordan Shields provided a real-time assessment of the COVID-19 pandemic, as well as shared predictions for what the extending crisis means in coming years for M&A activity in the provider space.
The webinar took place Thursday, August 6, 2020, at 11 a.m. EDT.
Since March, PYA experts have closely tracked and carefully evaluated the pandemic’s impact on employed physician compensation. During this complimentary one-hour webinar, PYA Principals Angie Caldwell and Martie Ross highlighted five immediate considerations for hospitals and health systems to manage the storm. They also explored five longer-term considerations impacting future planning.
This webinar took place Friday, July 24, 2020, at 11 a.m. EDT, and was held in conjunction with:
Dallas-Fort Worth Hospital Council
Florida Hospital Association
Kansas Hospital Association
Montana Hospital Association
The COVID-19 pandemic has exposed organizational and industry weaknesses. To build a more resilient delivery system, leaders now must engage their governing boards in re-calibrating strategic plans, re-evaluating investments, and re-imagining hospitals’ and health systems’ roles in their communities.
In this 45-minute webinar, PYA Principals Martie Ross and Brian Fuller provided a framework for these critical discussions including root-cause analysis, market assessment, new realities, guiding principles, and strategic and operational priorities.
This webinar originally took place on Wednesday, June 24, 2020.
Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron... (PYA, P.C.)
PYA, in conjunction with the Montana Hospital Association, recently co-hosted a Frontier States Town Hall Meeting webinar, “Free Money With Strings Attached: CARES Act Considerations for Frontier States’ Healthcare Provider Organizations.” Principals Lori Foley, Martie Ross, and David McMillan introduced the CARES Act Provider Relief Fund, including distribution formulas, the attestation process, the verification and application process, and ongoing recordkeeping requirements. They also answered attendees’ numerous questions regarding these matters.
Webinar: “Got a Payroll? Don’t Leave Money on the Table” (PYA, P.C.)
Under the CARES Act, every employer with a payroll has an opportunity to retain cash–whether they have a PPP loan or not. What employers need to know right now.
The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) along with the Paycheck Protection Program (PPP) offer all business owners relief, but the details can be confusing or overlooked.
Perhaps you don’t fully understand how the deferral of the employer’s share of Social Security taxes works. Maybe you wonder if the deferral even applies to you—good news, it does if you have a payroll!
Failure to fully understand your options could cost you money, at a time when “cash is king.”
As part of PYA’s ongoing commitment to sharing helpful guidance, Tax Principals Debbie Ernsberger and Mark Brumbelow outlined issues and opportunities within the CARES Act, and answered questions during a one-hour webinar that originally aired on Wednesday, May 20, 2020.
Webinar: So You Have a PPP Loan. Now What? (PYA, P.C.)
The CARES Act provides relief to small businesses through Paycheck Protection Program (PPP) loans, but receiving the loan is only the first part of the equation. PYA discussed what businesses need to know and do next.
Failure to fully understand the requirements for PPP loan forgiveness could cost employers money, at a time when every penny counts. Employers need to stay up-to-date on recent activities regarding the PPP loan forgiveness application, necessary documentation, and other best practices to ensure they are well-prepared for the next steps under the PPP.
As part of PYA’s ongoing commitment to sharing helpful guidance, Tax Principals Debbie Ernsberger and Mark Brumbelow outlined PPP loan forgiveness requirements and answered questions during a one-hour webinar on Wednesday, June 3, 2020.
Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic” (PYA, P.C.)
What to do with your physician compensation plan in the face of the COVID-19 pandemic? It’s a question that leaves administrators searching for answers.
PYA Principal Angie Caldwell and Senior Manager Katie Culver introduced several key considerations for provider compensation during and after the COVID-19 pandemic. In PYA’s complimentary webinar, they:
Summarized the current environment impacting physician compensation associated with the pandemic.
Provided an overview of the Stark Blanket Waivers and opportunities created for physician compensation.
Described restoration and recovery strategies for physician resources.
PYA hosted this one-hour webinar Tuesday, April 28, 2020, at 11 a.m. EDT in conjunction with the Florida Hospital Association.
Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W... (PYA, P.C.)
The document provides information on the $100 billion Provider Relief Fund established by the CARES Act to reimburse healthcare providers for expenses or lost revenues attributable to COVID-19. It summarizes that $30 billion has been distributed based on providers' 2019 Medicare billings, with no repayment obligation. It outlines the attestation process to accept funds within 30 days and confirms that providers must comply with terms including using funds only for COVID-19 care and not balance billing uninsured patients. The document advises on accounting, compliance, and tax implications of the relief funds.
Webinar: “Hospitals, Capital, and Cashflow Under COVID-19” (PYA, P.C.)
Hospitals and providers need to think creatively, strategically, and long-term about capital and cashflow under the pressures of the COVID-19 pandemic. A one-hour webinar hosted by PYA discussed the current state of capital markets for non-profit healthcare systems, and considerations for capital management, including the role of real estate assets.
PYA Principal Michael Ramey joined Realty Trust Group Senior Vice-President Michael Honeycutt and Ponder & Company Managing Director Jeffrey B. Sahrbeck to present “Hospitals, Capital, and Cashflow, Under COVID-19” In this webinar, they covered:
Hospital industry capital market updates and trends, including how the capital markets are responding to the crisis.
Access to capital under recent regulations.
Cash preservation techniques for hospitals considering real estate operations and assets.
The webinar took place Thursday, April 9, 2020, at 11 a.m. EDT.
PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV... (PYA, P.C.)
Late on March 30, CMS released an interim rule which, among other things, significantly expands Medicare telehealth coverage, even beyond the initial Section 1135 waivers. PYA’s complimentary one-hour webinar explained these changes and how they make telehealth an even more attractive option in response to the COVID-19 pandemic.
PYA Principals Martie Ross and Valerie Rock addressed the latest developments, including:
New reimbursement for telephone-only services.
Broader coverage for remote patient monitoring.
New payments for rural health clinics and federally qualified health centers.
Use of telehealth to meet supervision requirements.
New rules regarding coding and billing as well as the changed payment rates for telehealth services.
The webinar took place Friday April 3, 2020, at 11 a.m. EDT.
HIPAA Security Trends and Future Expectations
1. HIPAA Security Trends and Future Expectations
December 3, 2019
Presented by: Barry Mathis, Principal | PYA, P.C.
2. Page 1
Barry Mathis, Principal
PYA, P.C., 2220 Sutherland Avenue, Knoxville, TN 37919
(800) 270-9629 | bmathis@pyapc.com
Barry has nearly three decades of experience in the information technology (IT) and healthcare industries as a CIO, CTO, senior IT audit manager, and IT risk management consultant. He has performed and managed complicated HIPAA security reviews and audits for some of the most sophisticated hospital systems in the country. Barry is a visionary, creative, results-oriented senior-level healthcare executive with demonstrated experience in planning, developing, and implementing complex information-technology solutions to address business opportunities, while reducing IT risk and exposure. He is adept at project and crisis management, troubleshooting, problem solving, and negotiating. Barry has strong technical capabilities combined with outstanding presentation skills and professional pride. He is a prudent risk taker with proficiency in IT risk management, physician relations, strategic development, and employee team building.
Barry is a member of the United States Marine Corps, the Health Care Compliance Association, the Association of Healthcare Internal Auditors, the Healthcare Information Management Systems Society and the Information Systems Audit and Control Association. He was an Honor Graduate in Systems Programming from the United States Marine Corps Computer Sciences School (MCCDC) in Quantico, VA. He is a Certified Database Management Specialist and a Certified Cyber Security Framework Practitioner.
3. Page 2
Agenda
HIPAA Then and Now
  Enforcement Without Funding
  Meaningful Use Impacts
  Expectations Today
Hot Enforcement Trends by the OCR
Current Impact of Ransomware
Breach Notification and Incident Response
Managing Cybersecurity Threats
Potential Changes to HIPAA Based on Recent OCR Communications
Additional Case Studies
4. Page 3
HIPAA Then and Now: Enforcement Without Funding
1996: an unfunded mandate. Lots of talk, but mostly ignored, with the exception of privacy. If IT security had been “enforced,” it would have crippled the industry.
2003: Transaction and Code Set Standards. Finally something useful; the goal was to simplify.
2012: Transaction and Code Set Update.
5. Page 4
HIPAA Then and Now
2013 Omnibus: business associates must comply independently of the covered entity. BAAs were all the rage, in three waves: everybody gets one; wait, don’t sign; evaluate the need, and sign when your lawyer agrees.
2019: HIPAA Risk Analysis results and HIPAA audit results are common requests during OCR, CMS, and civil investigations.
6. Page 5
HIPAA Then and Now: Meaningful Use Impacts
Money makes a difference: $30 billion gets the HIPAA train moving. Can’t have federal $ without federal audits (Office of the National Coordinator, OCR & OIG). Many healthcare organizations complete their very first HIPAA Security Risk Analysis in 2012.
Electronic medical record boom: lots of money for limited long-term returns.
7. Page 6
HIPAA Then and Now: Impact of Ransomware
Initially there were two basic types of ransomware:
Lock – locked the user out of systems unless a passcode was provided.
Crypto – encrypted data so it could not be used without a key.
“According to the FBI, total ransomware payments in the U.S. have, in some years, exceeded $1 billion. There were scant high-profile ransomware victims in recent months, but the problem is highly likely to bounce back strongly in 2019. Ransomware attacks come in waves, and the next one is due.”
FBI, December 2018
8. Page 7
HIPAA Then and Now
Current environment for ransomware
Now there is a third type of ransomware that is gaining ground
quickly
DataKeeper – Franchised ransomware
To become an affiliate and have a hands-on experience with the Datakeeper
ransomware, it is necessary to sign up on its website, without any activation
fee; the owner of a new Datakeeper-based infection is promised a share of
every ransom fee paid by the victim
Franchised clients of the Datakeeper ransomware are provided with a pack of
features enabling them to customize their destructive software
A Datakeeper-based threat may also be instructed to attempt actions requiring
administrative rights, such as deleting backups or recovery points
9. Page 8
Cases that OCR closes fall into five categories:
1. Resolved After Intake & Review (No Investigation)
OCR closes these cases after determining that OCR lacks
jurisdiction, or that the complaint, referral, breach report, news
report, or other instigating event will not be investigated
For example, OCR will close cases where: the organization
alleged to have violated the HIPAA Rules is not a covered entity
or business associate and/or no protected health information
(PHI) is involved; the behavior by the organization does not
implicate the HIPAA Rules; the complainant refuses to provide
consent for his/her information to be disclosed as part of the
investigation; or OCR otherwise decides not to investigate the
allegations
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
10. Page 9
Cases that OCR closes fall into five categories:
2. Technical Assistance (No Investigation):
OCR provides Technical Assistance to the covered entity,
business associate, and complainant through early
intervention by investigators located in Headquarters or a
Regional Office
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
11. Page 10
Cases that OCR closes fall into five categories:
3. No Violation* (Investigated):
OCR investigates and does not find any violations of the
HIPAA Rules
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
12. Page 11
Cases that OCR closes fall into five categories:
4. Corrective Action Obtained* (Investigated):
OCR investigates and provides technical assistance to or
requires the covered entity or business associate to make
changes regarding HIPAA-related privacy and security
policies, procedures, training, or safeguards; in some cases,
technical assistance is provided after investigation without
requiring specific corrective action--for example, when the
covered entity or business associate has already taken
corrective action during the investigation or within the 60-
day window prior to notifying OCR of the breach incident
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
13. Page 12
Cases that OCR closes fall into five categories:
5. Other:
OCR may decide not to investigate a case further if:
(A). It is referred to the Department of Justice for prosecution
(B). It involved a natural disaster
(C). It was pursued, prosecuted, and resolved by state authorities
(D). The covered entity or business associate has taken steps to
comply with the HIPAA Rules, and OCR determines enforcement
resources are better/more effectively deployed in other cases
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
14. Page 13
Hot Enforcement Trends by the OCR
Settlement numbers over the past 3 years were greater than the
total settlements in the decade prior (33 settlements since 2016)
$25.7 million in HIPAA settlements in 2018
The OCR Director expressed interest in finding “big, juicy,
egregious” privacy breaches to send a clear message
There is now a clear punitive element to resolutions
As of August 31, 2019, OCR has settled or imposed a civil money
penalty in 65 cases resulting in a total dollar amount of
$102,681,582
In another 11,907 cases, OCR investigations found no violation had
occurred
15. Page 14
The data table below shows the enforcement results by calendar year
according to the type of closure for each category; this is the number of
investigations that OCR had resolved
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html
16. Page 15
Results of 2018 Investigations
Source: https://www.hhs.gov/sites/default/files/ocr-enforcement-results-2018.jpg
17. Page 16
Recent November 2019 Breaches
[Chart: November 2019 Breaches by People Affected (rounded). Categories (location of the breached information): Laptop, Mobile Electronic Device, Printed Media, Desktop Computer, Electronic Health Record, Servers, Other, Email. Rounded counts shown on the bars: 2,500; 4,200; 8,800; 12,000; 16,000; 55,000; 106,000; 268,000. Vertical axis: 0 to 300,000 people affected.]
Skewed as a result of the
Texas Health Resources
breach (87,000 affected)
Source Data: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html
18. Page 17
Breach Notification
HIPAA requires notification in the event of a breach of
unsecured PHI
Notification must be made to the patient, government, and in
some cases the media
Breach: acquisition, access, use, or disclosure of PHI in a
manner not permitted under the Privacy Rule which
compromises the security or privacy of the PHI
ePHI encrypted by ransomware has been acquired (i.e.,
unauthorized individuals have taken possession or control of the
information)
That makes the attack a BREACH unless a low probability of
compromise can be demonstrated
19. Page 18
Low Probability of Compromise
Factors you must consider:
Nature and extent of PHI
Who used the PHI or to whom the disclosure was made
Was PHI acquired/viewed
Has risk been mitigated
May also want to consider:
Risk of unavailability of data
Risk to integrity of data
Was PHI exfiltrated
Must maintain documentation of the risk assessment
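The breach presumption and the risk-assessment factors on the two slides above, encoded as an added Python example; this is not code from the presentation or from HHS. The field names, the rules that defeat a "low probability of compromise" finding (in particular, that a ransomware encryption is rebutted only by affirmative forensic findings on exfiltration, integrity and availability) and the sample incidents are assumptions made for this example; the 60-day and 500-individual thresholds are those of the HIPAA Breach Notification Rule (45 CFR 164.404-164.408).

```python
"""Breach risk assessment and notification-obligation record.

Added example, not from the presentation or from HHS. Field names, the
"low probability" rules and the sample incidents are assumptions made for
this example; the 60-day and 500-individual thresholds are those of the
HIPAA Breach Notification Rule (45 CFR 164.404-164.408).
"""
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta
from typing import List, Optional, Tuple
import json


@dataclass
class Incident:
    description: str
    phi_secured: bool               # encrypted/destroyed per HHS guidance: not "unsecured PHI"
    # The four factors that must be considered: nature/extent, recipient, acquired/viewed, mitigation
    sensitivity: str                # "low" | "moderate" | "high"
    recipient_hipaa_bound: bool     # recipient is a covered entity or business associate
    phi_acquired_or_viewed: bool
    risk_mitigated: bool            # e.g. written assurance of destruction, restore from clean backup
    # Factors the slide says you may also want to consider; required for ransomware below
    ransomware_encrypted: bool = False
    exfiltrated: Optional[bool] = None     # None: forensics have not determined it
    integrity_verified: bool = True
    availability_restored: bool = True
    affected_by_state: dict = field(default_factory=dict)   # e.g. {"TX": 87000}
    discovered: str = "2019-01-01"  # ISO date on which the incident was discovered


def low_probability_of_compromise(inc: Incident) -> Tuple[bool, List[str]]:
    """Return (low_probability, reasons). Any reason defeats the low-probability finding."""
    reasons: List[str] = []
    if inc.ransomware_encrypted:
        # Encryption by ransomware is an acquisition of the ePHI, so the presumption
        # of breach is rebutted only by affirmative forensic findings (assumption).
        if inc.exfiltrated is not False:
            reasons.append("exfiltration not ruled out by forensics")
        if not inc.integrity_verified:
            reasons.append("integrity of restored data not verified")
        if not inc.availability_restored:
            reasons.append("data not restored; ongoing risk of unavailability")
    else:
        if inc.phi_acquired_or_viewed:
            reasons.append("PHI was acquired or viewed")
        if inc.exfiltrated:
            reasons.append("PHI was exfiltrated")
    if not (inc.recipient_hipaa_bound or inc.risk_mitigated):
        reasons.append("recipient not HIPAA-bound and risk not mitigated")
    if inc.sensitivity == "high" and not inc.risk_mitigated:
        reasons.append("highly sensitive PHI without mitigation")
    return (not reasons, reasons)


def notification_obligations(inc: Incident) -> dict:
    """Who must be notified and by when, given the number of individuals affected."""
    discovered = date.fromisoformat(inc.discovered)
    total = sum(inc.affected_by_state.values())
    deadline = (discovered + timedelta(days=60)).isoformat()
    notices = {"individuals": {"count": total, "no_later_than": deadline}}
    if total >= 500:
        notices["hhs"] = {"when": "contemporaneous with individual notice", "no_later_than": deadline}
    else:
        # Fewer than 500: log it and report within 60 days after the end of the calendar year
        year_end = date(discovered.year, 12, 31)
        notices["hhs"] = {"when": "annual log",
                          "no_later_than": (year_end + timedelta(days=60)).isoformat()}
    # Media notice applies where more than 500 residents of one state/jurisdiction are affected
    media = sorted(s for s, n in inc.affected_by_state.items() if n > 500)
    if media:
        notices["media"] = {"states": media, "no_later_than": deadline}
    return notices


def assess(inc: Incident) -> dict:
    """Produce the documentation record the slide says you must maintain."""
    record = {"incident": inc.description, "discovered": inc.discovered, "factors": asdict(inc)}
    if inc.phi_secured:
        record.update(determination="not a breach of unsecured PHI (encryption/destruction safe harbor)",
                      notification_required=False)
        return record
    low, reasons = low_probability_of_compromise(inc)
    record["reasons"] = reasons
    if low:
        record.update(determination="low probability of compromise; not reportable",
                      notification_required=False)
    else:
        record.update(determination="presumed breach of unsecured PHI",
                      notification_required=True, notifications=notification_obligations(inc))
    return record


def document(record: dict) -> str:
    """Serialize the assessment for the risk-assessment file."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample incident (not a real case)
    ransomware = Incident("ransomware on file server, exfiltration undetermined", phi_secured=False,
                          sensitivity="high", recipient_hipaa_bound=False, phi_acquired_or_viewed=True,
                          risk_mitigated=True, ransomware_encrypted=True, exfiltrated=None,
                          affected_by_state={"TX": 87000}, discovered="2019-08-23")
    print(document(assess(ransomware)))
```

The design choice worth noting is that an undetermined exfiltration result (`exfiltrated=None`) is treated as "not ruled out": the presumption of breach stays unless forensics produce an affirmative finding, and the record keeps the reasons so the file shows why notification was or was not required.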
20. Page 19
Breach Incident Response
Develop a plan before a breach occurs
Create a site profile that includes contacts, legal, finance, and public
relations
The Incident Response Plan should designate:
Roles and responsibilities:
Notify your regional FBI field agent, PR firms, legal counsel, your
cybersecurity insurer (only to the extent required in your policy), etc.; and
Identify a data forensics team to determine the source and scope of the
breach and ensure vulnerable systems are patched as soon as possible
Timelines
A communication plan for all audiences (employees, patients, board
members, etc.)
Determine reporting obligations under federal and state law requirements
21. Page 20
Managing Cybersecurity Threats
This year HHS released a guidance document on Health Industry
Cybersecurity Practices: Managing Threats and Protecting Patients
(HICP)
The purpose of the HICP is to:
1. Raise awareness of cybersecurity
2. Provide vetted cybersecurity practices
3. Move organizations towards consistency in mitigating cybersecurity
threats to the sector; and
4. Aid healthcare and public health organizations to develop meaningful
cybersecurity objectives and outcomes
HHS identified e-mail phishing, ransomware, loss or theft of
equipment or data, insider, accidental, or intentional data loss, and
attacks against connected medical devices as the 5 most common
threats to patient health information
22. Page 21
Managing Cybersecurity Threats
The HICP noted 10 cybersecurity practices to mitigate those
threats:
1. E-mail protection systems
2. Endpoint protection systems
3. Access management
4. Data protection and loss prevention
5. Asset management
6. Network management
7. Vulnerability management
8. Incident response
9. Medical device security
10. Cybersecurity policies
Technical Guides were included within the HICP for small
organizations and medium/large organizations to implement
these practices
23. Page 22
Potential Changes to HIPAA
On December 12, 2018, the OCR released an RFI requesting
public comments on potential changes to HIPAA
The RFI focused on HIPAA requirements that limit or discourage
coordination of care without meaningfully contributing to the
protection of the privacy or security of an individual’s PHI
Potential revisions to the following requirements:
Accounting of disclosures
Patient’s right to access
Timeframes for responding to information requests
Potential exceptions to the minimum necessary rules
Public comments are due by February 11, 2019
24. Page 23
Potential Changes to HIPAA
The Office of the National Coordinator for Health Information
Technology (ONC) has also indicated potential changes on the
horizon:
Draft Strategy on Reducing Burden Relating to the Use of Health
IT and EHRs
Three goals noted in the draft strategy:
1. Reduce the effort and time required to record health information in
EHRs for clinicians;
2. Reduce the effort and time required to meet regulatory reporting
requirements for clinicians, hospitals, and healthcare organizations;
and
3. Improve the functionality and intuitiveness (ease of use) of EHRs
Comments ended February 11th, 2019
26. Page 25
Top 10 Breaches Reported for 2019
• An agency was hacked for eight months, between August 1, 2018, and
March 30, 2019; 25 million patients affected
• An insurer reported a nine-year hack on its servers, which potentially
breached the data of 2.96 million patients
• A health information services group’s misconfigured database led to a
personal health data breach of 1.57 million
• A healthcare system’s misconfigured server resulted in
974,000 patients having their data exposed online for three weeks
• A cyberattack on a statement processing group potentially
compromised a wide range of data from a host of clients, including
demographic details and Social Security numbers of approximately
600,000 patients
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
27. Page 26
Top 10 Breaches Reported for 2019
• A breach at a state agency caused by a massive phishing campaign;
in total, 625,000 patients and 2.5 million emails were compromised
• A hacking incident at a medical group impacting 400,000 patients in
February
• Several employees of an academic medical center fell victim to
phishing attacks; the personal and health data of about
326,629 patients was potentially breached
• An unauthorized third party gained access to employee and hosted
email accounts at a hospital, a potential data breach affecting 278,016
patients
• A server migration error at a software solutions company exposed
277,319 patients’ personal and medical data
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
29. Page 28
Costly investigations
Big health companies: 6 of 10 payouts last year involved
household names
$16 million settlement involving over 79 million people; no safeguards in
place to detect hackers and failure to conduct an annual risk analysis
$4.3 million settlement for failing to encrypt devices
Lower fines for smaller companies with specific HIPAA
shortcomings
$100,000 settlement for failing to properly dispose of PHI
$125,000 settlement for a doctor’s disclosure of patient PHI to a reporter
$111,400 settlement for failing to terminate a former employee’s access to
ePHI
30. Page 29
Enforcement Trends by the OCR
OCR Settles First Case in HIPAA Right-of-Access
Initiative
A health system has paid $85,000 to the Office for Civil Rights at the U.S.
Department of Health and Human Services and has adopted a corrective
action plan to settle a potential violation of the right-of-access provision of
the HIPAA Rules after it failed to provide a mother timely access to
records about her unborn child
OCR initiated its investigation based on a complaint from the mother
As a result, the health system directly provided the individual with the
requested health information more than nine months after the initial
request
The HIPAA Rules generally require covered healthcare providers to
provide medical records within 30 days of the request, and providers can
only charge a reasonable cost-based fee
31. Page 30
Software configuration error
Covered Entity: Integrated Delivery Network
Issue: Misconfiguration error in the billing system
A health system with hospitals and clinics in 16 counties, serving about 7
million patients each year; officials filed breach reports for each of its 15
hospitals impacted by the security incident
Officials first learned about the security incident on August 23; a
misconfiguration error allowed for patient data to be matched with, and sent to,
the incorrect guarantor for nearly three months between July 19, 2019, and
September 4, 2019, resulting in the breach affecting over 87,000 people
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
32. Page 31
Not every investigation ends costly
Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates
A complaint alleged that a law firm working on behalf of a pharmacy chain in
an administrative proceeding impermissibly disclosed the PHI of a customer of
the pharmacy chain. OCR investigated the allegation and found no evidence
that the law firm had impermissibly disclosed the customer’s PHI; however, the
investigation revealed that the pharmacy chain and the law firm had not
entered into a business associate agreement, as required by the Privacy Rule,
to ensure that PHI is appropriately safeguarded. Without a properly executed
agreement, a covered entity may not disclose PHI to its law firm. To resolve
the matter, OCR required the pharmacy chain and the law firm to enter into a
business associate agreement.
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
33. Page 32
How you react matters
Physician Revises Faxing Procedures to Safeguard PHI
Covered Entity: Healthcare Provider
Issue: Safeguards
A doctor's office disclosed a patient's HIV status when the office mistakenly faxed
medical records to the patient's place of employment instead of to the patient's
new healthcare provider. The employee responsible for the disclosure received a
written disciplinary warning, and both the employee and the physician apologized
to the patient. To resolve this matter, OCR also required the practice to revise the
office's fax cover page to underscore that the communication is confidential and
for the intended recipient only. The office informed all its employees of the incident and
counseled staff on proper faxing procedures.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case3
34. Page 33
Cleanup will always be part of the response
Health Plan Corrects Computer Flaw That Caused Mailing of EOBs to
Wrong Persons
Covered Entity: Health Plans
Issue: Safeguards
A national health maintenance organization sent an explanation of benefits (EOB) by
mail to a complainant's unauthorized family member. OCR's investigation
determined that a flaw in the health plan's computer system put the protected
health information of approximately 2,000 families at risk of disclosure in violation
of the Rule. Among the corrective actions required to resolve this case, OCR
required the insurer to correct the flaw in its computer system, review all
transactions for a six-month period, and correct all corrupted patient information.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case16