HIPAA Security Trends and Future
Expectations
December 3, 2019
Presented by:
Barry Mathis
Principal | PYA, P.C.
Page 1
(800) 270-9629
bmathis@pyapc.com
PYA, P.C.
2220 Sutherland Avenue
Knoxville, TN 37919
Barry has nearly three decades of experience in the information technology
(IT) and healthcare industries as a CIO, CTO, senior IT audit manager, and
IT risk management consultant. He has performed and managed complicated
HIPAA security reviews and audits for some of the most sophisticated
hospital systems in the country. Barry is a visionary, creative, results-oriented
senior-level healthcare executive with demonstrated experience in planning,
developing, and implementing complex information-technology solutions to
address business opportunities, while reducing IT risk and exposure. He is
adept at project and crisis management, troubleshooting, problem solving,
and negotiating. Barry has strong technical capabilities combined with
outstanding presentation skills and professional pride. He is a prudent risk
taker with proficiency in IT risk management, physician relations, strategic
development, and employee team building.
Barry is a member of the United States Marine Corps, the Health Care Compliance
Association, the Association of Healthcare Internal Auditors, the Healthcare
Information and Management Systems Society, and the Information Systems Audit
and Control Association. He was an Honor Graduate in Systems
Programming from the United States Marine Corps Computer Sciences
School (MCCDC) in Quantico, VA. He is a Certified Database Management
Specialist and a Certified Cyber Security Framework Practitioner.
Barry Mathis
Principal
Page 2
Agenda
• HIPAA Then and Now
• Enforcement Without Funding
• Meaningful Use Impacts
• Expectations Today
• Hot Enforcement Trends by the OCR
• Current Impact of Ransomware
• Breach Notification and Incident Response
• Managing Cybersecurity Threats
• Potential Changes to HIPAA Based on Recent OCR Communications
• Additional Case Studies
Page 3
HIPAA Then and Now
• Enforcement Without Funding
  • 1996: an unfunded mandate
  • Lots of talk, but mostly ignored, with the exception of privacy
  • If IT security had been "enforced" at the time, it would have crippled the industry
• 2003: Transaction and Code Set Standards
  • Finally something useful
  • The goal was to simplify
• 2012: Transaction and Code Set Update
Page 4
HIPAA Then and Now
• 2013: Omnibus Rule
  • Business associates must comply independently of the covered entity
  • BAAs all the rage, in three waves:
    • Everybody gets one
    • Wait, don't sign
    • Evaluate the need, and sign when your lawyer agrees
• 2019
  • HIPAA risk analysis results and HIPAA audit results are common requests during OCR, CMS, and civil investigations
Page 5
HIPAA Then and Now
• Meaningful Use Impacts
  • Money makes a difference
  • $30 billion gets the HIPAA train moving
  • Can't have federal dollars without federal audits
    • Office of the National Coordinator (ONC)
    • OCR and OIG
  • Many healthcare organizations completed their very first HIPAA Security Risk Analysis in 2012
  • Electronic medical record boom
  • Lots of money for limited long-term returns
Page 6
HIPAA Then and Now
• Impact of Ransomware
  • Initially there were two basic types of ransomware:
    • Locker: locks the user out of the system until a passcode is supplied
    • Crypto: encrypts the data so it cannot be used without the decryption key
"According to the FBI, total ransomware payments in the U.S. have, in some years, exceeded $1 billion. There were scant high-profile ransomware victims in recent months, but the problem is highly likely to bounce back strongly in 2019. Ransomware attacks come in waves, and the next one is due."
FBI, December 2018
Page 7
HIPAA Then and Now
• Current environment for ransomware
  • A third type of ransomware is now gaining ground quickly: ransomware sold as a service to affiliates
  • DataKeeper: franchised ransomware
    • To become an affiliate and get hands-on access to the DataKeeper ransomware, a would-be operator signs up on its website; there is no activation fee, and the owner of each new DataKeeper-based infection is promised a share of every ransom paid by the victim
    • Franchised clients of DataKeeper are given a pack of features that lets them customize their destructive software
    • A DataKeeper payload can also be instructed to attempt actions that require administrative rights, such as deleting backups or recovery points, so that the victim cannot restore without paying
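The DataKeeper description above says an affiliate payload can be told to delete backups or recovery points before it encrypts. A practitioner's first response to that is detection, so what follows is an added example, not code from the original deck or from any ransomware family: a small detector run over process-creation log lines. The log line format, the host and user names, and the sample lines are constructed for illustration; the command-line patterns are the generic Windows recovery-inhibition commands (vssadmin, wmic, bcdedit, wbadmin) seen across many ransomware families (MITRE ATT&CK T1490), which the page does not attribute to DataKeeper specifically. The escalation step flags a host on which several different such commands fire within minutes, the sequence that typically precedes encryption.

```python
"""Detect ransomware-style destruction of backups and recovery points.

Added example for this page (not code from the original deck or from any
ransomware family). The log format, host and user names, and the sample
lines are constructed for illustration; the command-line patterns are the
generic Windows recovery-inhibition commands seen across ransomware
families (MITRE ATT&CK T1490), not commands the page attributes to
DataKeeper.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed process-creation log format (one event per line), e.g.:
#   2019-11-20T03:14:07Z host=WS-ICU-04 user=CORP\jdoe pid=4120 cmd="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)'
    r'\s+pid=(?P<pid>\d+)\s+cmd="(?P<cmd>.*)"$'
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Each rule is (name, regex over the process command line). Listing shadow
# copies is a normal admin task and deliberately does not match; only
# deletion/resizing and boot-recovery tampering do.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields, or None if it is not an event line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd: str) -> List[str]:
    """Names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Scan process-creation events and return one alert per rule hit."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not a process event; a real pipeline would count these
        for rule in match_rules(ev["cmd"]):
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "pid": int(ev["pid"]), "rule": rule, "cmd": ev["cmd"],
            })
    return alerts


def escalate(alerts: List[Dict[str, object]],
             window_seconds: int = 600) -> Dict[str, List[str]]:
    """Hosts on which two or more distinct rules fired within the window.

    A single hit may be an administrator; several different recovery-
    inhibition commands in quick succession on one host is the pattern
    seen right before encryption starts, so isolate these hosts first.
    """
    window = timedelta(seconds=window_seconds)
    by_host: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for a in alerts:
        by_host[str(a["host"])].append(a)
    hot: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda a: str(a["ts"]))  # ISO timestamps sort as text
        for i, first in enumerate(evs):
            t0 = datetime.strptime(str(first["ts"]), TS_FMT)
            rules = {str(first["rule"])}
            for later in evs[i + 1:]:
                if datetime.strptime(str(later["ts"]), TS_FMT) - t0 > window:
                    break
                rules.add(str(later["rule"]))
            if len(rules) >= 2:
                hot[host] = sorted(rules)
                break
    return hot


# Constructed sample log: one workstation running the full recovery-
# inhibition sequence, plus benign admin activity that must not alert.
SAMPLE_LOG = """\
2019-11-20T03:12:55Z host=WS-ICU-04 user=CORP\\svc_backup pid=3988 cmd="vssadmin.exe list shadows"
2019-11-20T03:14:07Z host=WS-ICU-04 user=CORP\\jdoe pid=4120 cmd="vssadmin.exe delete shadows /all /quiet"
2019-11-20T03:14:09Z host=WS-ICU-04 user=CORP\\jdoe pid=4131 cmd="wmic.exe shadowcopy delete"
2019-11-20T03:14:12Z host=WS-ICU-04 user=CORP\\jdoe pid=4140 cmd="bcdedit.exe /set {default} recoveryenabled No"
2019-11-20T03:15:01Z host=WS-ICU-04 user=CORP\\jdoe pid=4152 cmd="wbadmin.exe delete catalog -quiet"
2019-11-20T08:02:33Z host=WS-HR-11 user=CORP\\asmith pid=2210 cmd="notepad.exe C:\\Users\\asmith\\notes.txt"
2019-11-20T09:40:18Z host=SRV-BK-01 user=CORP\\svc_backup pid=1188 cmd="wbadmin.exe start backup -backupTarget:E: -include:C: -quiet"
"""

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]} {h["rule"]}: {h["cmd"]}')
    print("escalate:", escalate(hits))
```

Run as-is it reports the four hits on WS-ICU-04 and escalates that host; the `vssadmin list shadows` and `wbadmin start backup` lines are deliberately non-matching to show that the rules key on the destructive verbs, not on the tool name. In production the same patterns belong in the EDR or SIEM, fed by Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled.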
Page 8
Cases that OCR closes fall into five categories:
1. Resolved After Intake and Review (No Investigation)
   OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. For example, OCR will close cases where: the organization alleged to have violated the HIPAA Rules is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior by the organization does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.
2. Technical Assistance (No Investigation)
   OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in Headquarters or a Regional Office.
3. No Violation* (Investigated)
   OCR investigates and does not find any violations of the HIPAA Rules.
4. Corrective Action Obtained* (Investigated)
   OCR investigates and provides technical assistance to, or requires, the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. In some cases, technical assistance is provided after investigation without requiring specific corrective action, for example when the covered entity or business associate has already taken corrective action during the investigation or within the 60-day window prior to notifying OCR of the breach incident.
5. Other
   OCR may decide not to investigate a case further if:
   (A) It is referred to the Department of Justice for prosecution
   (B) It involved a natural disaster
   (C) It was pursued, prosecuted, and resolved by state authorities
   (D) The covered entity or business associate has taken steps to comply with the HIPAA Rules, and OCR determines enforcement resources are better/more effectively deployed in other cases
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
Page 13
Hot Enforcement Trends by the OCR
• Settlement numbers over the past three years were greater than the total settlements in the decade prior (33 settlements since 2016)
• $25.7 million in HIPAA settlements in 2018
• The OCR Director expressed interest in finding "big, juicy, egregious" privacy breaches to send a clear message
• There is now a clear punitive element to resolutions
• As of August 31, 2019, OCR had settled or imposed a civil money penalty in 65 cases, for a total of $102,681,582
• In another 11,907 cases, OCR investigations found that no violation had occurred
Page 14
The data table (an image in the original deck, not reproduced here) shows OCR enforcement results by calendar year, broken down by the type of closure for each category; the figures are the number of investigations that OCR had resolved.
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html
Page 15
Results of 2018 Investigations (chart image in the original deck, not reproduced here)
Source: https://www.hhs.gov/sites/default/files/ocr-enforcement-results-2018.jpg
Page 16
Recent November 2019 Breaches
Chart: November 2019 Breaches by People Affected (rounded), grouped by the location of the breached PHI. Categories on the axis: Laptop; Mobile Electronic Device; Printed Media; Desktop Computer; Electronic Health Record; Servers; Other; Email. Bar values as extracted (rounded): 2,500; 4,200; 8,800; 12,000; 16,000; 55,000; 106,000; 268,000. The extraction does not preserve which value belongs to which category.
Note: skewed as a result of the Texas Health Resources breach (87,000 affected)
Source Data: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html
Page 17
Breach Notification
• HIPAA requires notification in the event of a breach of unsecured PHI
• Notification must be made to the affected individuals, to the government (HHS), and, where 500 or more residents of a state or jurisdiction are affected, to prominent media outlets; individual notice must go out without unreasonable delay and no later than 60 days after discovery
• Breach: the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI
• ePHI encrypted by ransomware has been acquired (i.e., unauthorized individuals have taken possession or control of the information)
• That makes the attack a breach unless the entity can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised
Page 18
Low Probability of Compromise
• Factors you must consider (the four-factor risk assessment):
  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated
• You may also want to consider:
  • The risk of unavailability of the data
  • The risk to the integrity of the data
  • Whether PHI was exfiltrated
• You must maintain documentation of the risk assessment; the burden of proof that an incident was not a breach rests with the covered entity or business associate
Page 19
Breach Incident Response
• Develop a plan before a breach occurs
• Create a site profile that includes contacts for legal, finance, and public relations
• The Incident Response Plan should designate:
  • Roles and responsibilities:
    • Who notifies your regional FBI field agent, PR firm, legal counsel, your cybersecurity insurer (only to the extent required by your policy), etc.; and
    • A data forensics team to determine the source and scope of the breach and to ensure vulnerable systems are patched as soon as possible
  • Timelines
  • A communication plan for all audiences (employees, patients, board members, etc.)
  • Reporting obligations under federal and state law
Page 20
Managing Cybersecurity Threats
• In December 2018 HHS released a guidance document, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)
• The purpose of the HICP is to:
  1. Raise awareness of cybersecurity
  2. Provide vetted cybersecurity practices
  3. Move organizations towards consistency in mitigating cybersecurity threats to the sector; and
  4. Aid healthcare and public health organizations in developing meaningful cybersecurity objectives and outcomes
• HHS identified the five most common threats to patient health information as:
  1. E-mail phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider, accidental, or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety
Page 21
Managing Cybersecurity Threats
• The HICP lists 10 cybersecurity practices to mitigate those threats:
  1. E-mail protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies
• Technical volumes are included with the HICP, one for small organizations and one for medium and large organizations, describing how to implement these practices
Page 22
Potential Changes to HIPAA
• On December 12, 2018, OCR released a Request for Information (RFI) seeking public comment on potential changes to HIPAA
• The RFI focused on HIPAA requirements that limit or discourage coordination of care without meaningfully contributing to the protection of the privacy or security of an individual's PHI
• Potential revisions to the following requirements:
  • Accounting of disclosures
  • Patient's right to access
  • Timeframes for responding to information requests
  • Potential exceptions to the minimum necessary rule
• Public comments were due by February 11, 2019
Page 23
Potential Changes to HIPAA
• The Office of the National Coordinator for Health Information Technology (ONC) has also indicated potential changes on the horizon:
  • Draft Strategy on Reducing Burden Relating to the Use of Health IT and EHRs
  • Three goals noted in the draft strategy:
    1. Reduce the effort and time required to record health information in EHRs for clinicians;
    2. Reduce the effort and time required to meet regulatory reporting requirements for clinicians, hospitals, and healthcare organizations; and
    3. Improve the functionality and intuitiveness (ease of use) of EHRs
  • Comments closed February 11, 2019
Page 24
Top HIPAA Breaches 2019
Page 25
Top 10 Breaches Reported for 2019
• An agency was hacked for eight months, between August 1, 2018, and March 30, 2019; 25 million patients were affected
• An insurer reported a nine-year intrusion on its servers, which potentially breached the data of 2.96 million patients
• A health information services group's misconfigured database led to a breach of the personal health data of 1.57 million people
• A healthcare system's misconfigured server left the data of 974,000 patients exposed online for three weeks
• A cyberattack on a statement-processing company potentially compromised a wide range of data from many clients, including demographic details and Social Security numbers of approximately 600,000 patients
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 26
Top 10 Breaches Reported for 2019
• A breach at a state agency caused by a massive phishing campaign; in total, 625,000 patients and 2.5 million emails were compromised
• A hacking incident at a medical group in February, impacting 400,000 patients
• Several employees of an academic medical center fell victim to phishing attacks; the personal and health data of about 326,629 patients was potentially breached
• An unauthorized third party gained access to employee and hosted email accounts at a hospital, a potential data breach of 278,016 patients
• A server migration error at a software solutions company exposed 277,319 patients' personal and medical data
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 27
Other Case Studies
Page 28
Costly investigations
• Big health companies: 6 of 10 payouts last year involved household names
  • $16 million settlement involving over 79 million people; no safeguards were in place to detect hackers, and the entity had failed to conduct an enterprise-wide risk analysis
  • $4.3 million civil money penalty for failing to encrypt devices
• Lower fines for smaller companies with specific HIPAA shortcomings
  • $100,000 settlement for failing to properly dispose of PHI
  • $125,000 settlement for a doctor's disclosure of patient PHI to a reporter
  • $111,400 settlement for failing to terminate a former employee's access to ePHI
Page 29
Enforcement Trends by the OCR
• OCR settles the first case in its HIPAA Right-of-Access Initiative
  • A health system paid $85,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services and adopted a corrective action plan to settle a potential violation of the right-of-access provision of the HIPAA Rules, after it failed to provide a mother timely access to records about her unborn child
  • OCR initiated its investigation based on a complaint from the mother
  • The health system ultimately provided the individual with the requested health information more than nine months after the initial request
  • The HIPAA Rules generally require covered healthcare providers to provide medical records within 30 days of the request (one 30-day extension is permitted, with written notice to the individual), and providers may charge only a reasonable, cost-based fee
Page 30
Software configuration error
Covered Entity: Integrated Delivery Network
Issue: Misconfiguration error in the billing system
• A health system with hospitals and clinics in 16 counties, serving about 7 million patients each year; officials filed breach reports for each of its 15 hospitals impacted by the security incident
• Officials first learned of the incident on August 23; a misconfiguration allowed patient data to be matched with, and sent to, the incorrect guarantor for nearly three months, between July 19, 2019, and September 4, 2019, resulting in a breach affecting over 87,000 people
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 31
Not every investigation ends up being costly
Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates
• A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI; however, the investigation revealed that the pharmacy chain and the law firm had not entered into a business associate agreement, as required by the Privacy Rule, to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 32
How you react matters
Physician Revises Faxing Procedures to Safeguard PHI
Covered Entity: Healthcare Provider
Issue: Safeguards
A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new healthcare provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore that the communication is confidential and intended only for the named recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case3
Page 33
Cleanup will always be part of the response
Health Plan Corrects Computer Flaw That Caused Mailing of EOBs to Wrong Persons
Covered Entity: Health Plans
Issue: Safeguards
A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period, and correct all corrupted patient information.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case16
Page 34
Questions?
Page 35
Thank You!
Barry Mathis
bmathis@pyapc.com
(800) 270-9629
pyapc.com

Healthcare Cybersecurity Whitepaper FINAL
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 

More from PYA, P.C.

“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”
“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”
“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”
PYA, P.C.
 
PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...
PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...
PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...
PYA, P.C.
 
Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...
Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...
Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...
PYA, P.C.
 
“Regulatory Compliance Enforcement Update: Getting Results from the Guidance”
“Regulatory Compliance Enforcement Update: Getting Results from the Guidance” “Regulatory Compliance Enforcement Update: Getting Results from the Guidance”
“Regulatory Compliance Enforcement Update: Getting Results from the Guidance”
PYA, P.C.
 
“Federal Legislative and Regulatory Update,” Webinar at DFWHC
 “Federal Legislative and Regulatory Update,” Webinar at DFWHC “Federal Legislative and Regulatory Update,” Webinar at DFWHC
“Federal Legislative and Regulatory Update,” Webinar at DFWHC
PYA, P.C.
 
On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...
On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...
On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...
PYA, P.C.
 
Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...
Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...
Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...
PYA, P.C.
 
Webinar: “Cybersecurity During COVID-19: A Look Behind the Scenes
Webinar: “Cybersecurity During COVID-19: A Look Behind the ScenesWebinar: “Cybersecurity During COVID-19: A Look Behind the Scenes
Webinar: “Cybersecurity During COVID-19: A Look Behind the Scenes
PYA, P.C.
 
Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...
Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...
Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...
PYA, P.C.
 
Federal Regulatory Update
Federal Regulatory UpdateFederal Regulatory Update
Federal Regulatory Update
PYA, P.C.
 
Webinar: Post-Pandemic Provider Realignment — Navigating An Uncertain Market
Webinar: Post-Pandemic Provider Realignment — Navigating An Uncertain MarketWebinar: Post-Pandemic Provider Realignment — Navigating An Uncertain Market
Webinar: Post-Pandemic Provider Realignment — Navigating An Uncertain Market
PYA, P.C.
 
07 24-20 pya webinar covid physician compensation
07 24-20 pya webinar covid physician compensation07 24-20 pya webinar covid physician compensation
07 24-20 pya webinar covid physician compensation
PYA, P.C.
 
Engaging Your Board In the COVID-19 Era
Engaging Your Board In the COVID-19 EraEngaging Your Board In the COVID-19 Era
Engaging Your Board In the COVID-19 Era
PYA, P.C.
 
Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...
Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...
Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...
PYA, P.C.
 
Webinar: “Got a Payroll? Don’t Leave Money on the Table”
Webinar: “Got a Payroll? Don’t Leave Money on the Table”Webinar: “Got a Payroll? Don’t Leave Money on the Table”
Webinar: “Got a Payroll? Don’t Leave Money on the Table”
PYA, P.C.
 
Webinar: So You Have a PPP Loan. Now What?
Webinar: So You Have a PPP Loan. Now What?Webinar: So You Have a PPP Loan. Now What?
Webinar: So You Have a PPP Loan. Now What?
PYA, P.C.
 
Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”
Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”
Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”
PYA, P.C.
 
Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...
Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...
Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...
PYA, P.C.
 
Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”
Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”
Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”
PYA, P.C.
 
PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...
PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...
PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...
PYA, P.C.
 

More from PYA, P.C. (20)

“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”
“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”
“CARES Act Provider Relief Fund: Opportunities, Compliance, and Reporting”
 
PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...
PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...
PYA Presented on 2021 E/M Changes and a CARES Act Update During GHA Complianc...
 
Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...
Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...
Webinar: “Trick or Treat? October 22nd Revisions to Provider Relief Fund Repo...
 
“Regulatory Compliance Enforcement Update: Getting Results from the Guidance”
“Regulatory Compliance Enforcement Update: Getting Results from the Guidance” “Regulatory Compliance Enforcement Update: Getting Results from the Guidance”
“Regulatory Compliance Enforcement Update: Getting Results from the Guidance”
 
“Federal Legislative and Regulatory Update,” Webinar at DFWHC
 “Federal Legislative and Regulatory Update,” Webinar at DFWHC “Federal Legislative and Regulatory Update,” Webinar at DFWHC
“Federal Legislative and Regulatory Update,” Webinar at DFWHC
 
On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...
On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...
On-Demand Webinar: Compliance With New Provider Relief Funds Reporting Requir...
 
Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...
Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...
Webinar: “While You Were Sleeping…Proposed Rule Positioned to Significantly I...
 
Webinar: “Cybersecurity During COVID-19: A Look Behind the Scenes
Webinar: “Cybersecurity During COVID-19: A Look Behind the ScenesWebinar: “Cybersecurity During COVID-19: A Look Behind the Scenes
Webinar: “Cybersecurity During COVID-19: A Look Behind the Scenes
 
Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...
Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...
Webinar: CMS Pricing Transparency — Final Rule Requirements, Compliance Chall...
 
Federal Regulatory Update
Federal Regulatory UpdateFederal Regulatory Update
Federal Regulatory Update
 
Webinar: Post-Pandemic Provider Realignment — Navigating An Uncertain Market
Webinar: Post-Pandemic Provider Realignment — Navigating An Uncertain MarketWebinar: Post-Pandemic Provider Realignment — Navigating An Uncertain Market
Webinar: Post-Pandemic Provider Realignment — Navigating An Uncertain Market
 
07 24-20 pya webinar covid physician compensation
07 24-20 pya webinar covid physician compensation07 24-20 pya webinar covid physician compensation
07 24-20 pya webinar covid physician compensation
 
Engaging Your Board In the COVID-19 Era
Engaging Your Board In the COVID-19 EraEngaging Your Board In the COVID-19 Era
Engaging Your Board In the COVID-19 Era
 
Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...
Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...
Webinar: Free Money with Strings Attached – Cares Act Considerations for Fron...
 
Webinar: “Got a Payroll? Don’t Leave Money on the Table”
Webinar: “Got a Payroll? Don’t Leave Money on the Table”Webinar: “Got a Payroll? Don’t Leave Money on the Table”
Webinar: “Got a Payroll? Don’t Leave Money on the Table”
 
Webinar: So You Have a PPP Loan. Now What?
Webinar: So You Have a PPP Loan. Now What?Webinar: So You Have a PPP Loan. Now What?
Webinar: So You Have a PPP Loan. Now What?
 
Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”
Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”
Webinar: “Making It Work—Physician Compensation During the COVID-19 Pandemic”
 
Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...
Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...
Webinar: “Provider Relief Fund Payments – What We Know, What We Don’t Know, W...
 
Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”
Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”
Webinar: “Hospitals, Capital, and Cashflow Under COVID-19”
 
PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...
PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...
PYA Webinar: “Additional Expansion of Medicare Telehealth Coverage During COV...
 

Recently uploaded

Monopoly PCD Pharma Franchise in Tripura
Monopoly PCD Pharma Franchise in TripuraMonopoly PCD Pharma Franchise in Tripura
Monopoly PCD Pharma Franchise in Tripura
SKG Internationals
 
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
DR Jag Mohan Prajapati
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
40fortunate
 
Management of Post Operative Pain: to make doctors conscious about the benefi...
Management of Post Operative Pain: to make doctors conscious about the benefi...Management of Post Operative Pain: to make doctors conscious about the benefi...
Management of Post Operative Pain: to make doctors conscious about the benefi...
Nilima65
 
Get Covid Testing at Fit to Fly PCR Test
Get Covid Testing at Fit to Fly PCR TestGet Covid Testing at Fit to Fly PCR Test
Get Covid Testing at Fit to Fly PCR Test
NX Healthcare
 
leprosy Case detection and diagnosis.pptx
leprosy Case detection and diagnosis.pptxleprosy Case detection and diagnosis.pptx
leprosy Case detection and diagnosis.pptx
habtegirma
 
Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...
Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...
Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...
Levi Shapiro
 
FACIAL NERVE
FACIAL NERVEFACIAL NERVE
FACIAL NERVE
aditigupta1117
 
Sexual Disorders.gender identity disorderspptx
Sexual Disorders.gender identity  disorderspptxSexual Disorders.gender identity  disorderspptx
Sexual Disorders.gender identity disorderspptx
Pupayumnam1
 
The Importance of Black Women Understanding the Chemicals in Their Personal C...
The Importance of Black Women Understanding the Chemicals in Their Personal C...The Importance of Black Women Understanding the Chemicals in Their Personal C...
The Importance of Black Women Understanding the Chemicals in Their Personal C...
bkling
 
一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理
一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理
一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理
xkute
 
Vicarious movements or trick movements_AB.pdf
Vicarious movements or trick movements_AB.pdfVicarious movements or trick movements_AB.pdf
Vicarious movements or trick movements_AB.pdf
Arunima620542
 
GIT BS.pptx about human body their structure and
GIT BS.pptx about human body their structure andGIT BS.pptx about human body their structure and
GIT BS.pptx about human body their structure and
MuzafarBohio
 
nhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdf
nhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdfnhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdf
nhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdf
Carolyn Harker
 
geriatric changes in endocrine system.pdf
geriatric changes in endocrine system.pdfgeriatric changes in endocrine system.pdf
geriatric changes in endocrine system.pdf
Yes No
 
National Rural Health Mission(NRHM).pptx
National Rural Health Mission(NRHM).pptxNational Rural Health Mission(NRHM).pptx
National Rural Health Mission(NRHM).pptx
Jyoti Chand
 
muscluskeletal assessment...........pptx
muscluskeletal assessment...........pptxmuscluskeletal assessment...........pptx
muscluskeletal assessment...........pptx
RushikeshHange1
 
TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...
TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...
TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...
rightmanforbloodline
 
Pneumothorax and role of Physiotherapy in it.
Pneumothorax and role of Physiotherapy in it.Pneumothorax and role of Physiotherapy in it.
Pneumothorax and role of Physiotherapy in it.
Vishal kr Thakur
 
English Drug and Alcohol Commissioners June 2024.pptx
English Drug and Alcohol Commissioners June 2024.pptxEnglish Drug and Alcohol Commissioners June 2024.pptx
English Drug and Alcohol Commissioners June 2024.pptx
MatSouthwell1
 

Recently uploaded (20)

Monopoly PCD Pharma Franchise in Tripura
Monopoly PCD Pharma Franchise in TripuraMonopoly PCD Pharma Franchise in Tripura
Monopoly PCD Pharma Franchise in Tripura
 
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
DELIRIUM BY DR JAGMOHAN PRAJAPATI.......
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
Management of Post Operative Pain: to make doctors conscious about the benefi...
Management of Post Operative Pain: to make doctors conscious about the benefi...Management of Post Operative Pain: to make doctors conscious about the benefi...
Management of Post Operative Pain: to make doctors conscious about the benefi...
 
Get Covid Testing at Fit to Fly PCR Test
Get Covid Testing at Fit to Fly PCR TestGet Covid Testing at Fit to Fly PCR Test
Get Covid Testing at Fit to Fly PCR Test
 
leprosy Case detection and diagnosis.pptx
leprosy Case detection and diagnosis.pptxleprosy Case detection and diagnosis.pptx
leprosy Case detection and diagnosis.pptx
 
Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...
Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...
Michigan HealthTech Market Map 2024 with Policy Makers, Academic Innovation C...
 
FACIAL NERVE
FACIAL NERVEFACIAL NERVE
FACIAL NERVE
 
Sexual Disorders.gender identity disorderspptx
Sexual Disorders.gender identity  disorderspptxSexual Disorders.gender identity  disorderspptx
Sexual Disorders.gender identity disorderspptx
 
The Importance of Black Women Understanding the Chemicals in Their Personal C...
The Importance of Black Women Understanding the Chemicals in Their Personal C...The Importance of Black Women Understanding the Chemicals in Their Personal C...
The Importance of Black Women Understanding the Chemicals in Their Personal C...
 
一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理
一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理
一比一原版(UoA毕业证)昆士兰科技大学毕业证如何办理
 
Vicarious movements or trick movements_AB.pdf
Vicarious movements or trick movements_AB.pdfVicarious movements or trick movements_AB.pdf
Vicarious movements or trick movements_AB.pdf
 
GIT BS.pptx about human body their structure and
GIT BS.pptx about human body their structure andGIT BS.pptx about human body their structure and
GIT BS.pptx about human body their structure and
 
nhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdf
nhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdfnhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdf
nhs fpx 4000 assessment 4 analyzing a current health care problem or issue.pdf
 
geriatric changes in endocrine system.pdf
geriatric changes in endocrine system.pdfgeriatric changes in endocrine system.pdf
geriatric changes in endocrine system.pdf
 
National Rural Health Mission(NRHM).pptx
National Rural Health Mission(NRHM).pptxNational Rural Health Mission(NRHM).pptx
National Rural Health Mission(NRHM).pptx
 
muscluskeletal assessment...........pptx
muscluskeletal assessment...........pptxmuscluskeletal assessment...........pptx
muscluskeletal assessment...........pptx
 
TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...
TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...
TEST BANK FOR Health Assessment in Nursing 7th Edition by Weber Chapters 1 - ...
 
Pneumothorax and role of Physiotherapy in it.
Pneumothorax and role of Physiotherapy in it.Pneumothorax and role of Physiotherapy in it.
Pneumothorax and role of Physiotherapy in it.
 
English Drug and Alcohol Commissioners June 2024.pptx
English Drug and Alcohol Commissioners June 2024.pptxEnglish Drug and Alcohol Commissioners June 2024.pptx
English Drug and Alcohol Commissioners June 2024.pptx
 

HIPAA Security Trends and Future Expectations

  • 4. Page 3 HIPAA Then and Now
    - Enforcement Without Funding
      - 1996 unfunded mandate
      - Lots of talk, but mostly ignored with the exception of privacy
      - If IT security had been “enforced,” it would have crippled the industry
    - 2003 Transaction and Code Set Standards
      - Finally something useful
      - The goal was to simplify
    - 2012 Transaction and Code Set Update

  • 5. Page 4 HIPAA Then and Now
    - 2013 Omnibus
      - Business associates must comply independently of the covered entity
      - BAAs all the rage in three waves
        - Everybody gets one
        - Wait, don’t sign
        - Evaluate the need, and sign when your lawyer agrees
    - 2019
      - HIPAA Risk Analysis results and HIPAA audit results are common requests during OCR, CMS, and civil investigations

  • 6. Page 5 HIPAA Then and Now
    - Meaningful Use Impacts
      - Money makes a difference
        - $30 billion gets the HIPAA train moving
      - Can’t have federal $ without federal audits
        - Office of the National Coordinator
        - OCR & OIG
      - Many healthcare organizations complete their very first HIPAA Security Risk Analysis in 2012
    - Electronic medical record boom
      - Lots of money for limited long-term returns

  • 7. Page 6 HIPAA Then and Now
    - Impact of Ransomware
      - Initially there were two basic types of ransomware
        - Lock: locked the user out of systems unless a passcode was provided
        - Crypto: encrypted data so it could not be used without a key
    “According to the FBI, total ransomware payments in the U.S. have, in some years, exceeded $1 billion. There were scant high-profile ransomware victims in recent months, but the problem is highly likely to bounce back strongly in 2019. Ransomware attacks come in waves, and the next one is due.” FBI, December 2018

  • 8. Page 7 HIPAA Then and Now
    - Current environment for ransomware
      - Now there is a third type of ransomware that is gaining ground quickly
        - DataKeeper: franchised ransomware
          - To become an affiliate and have a hands-on experience with the Datakeeper ransomware, it is necessary to sign up on its website, without any activation fee; the owner of a new Datakeeper-based infection is promised a share of every ransom fee paid by the victim
          - Franchised clients of the Datakeeper ransomware are provided with a pack of features enabling them to customize their destructive software
          - A Datakeeper-based threat may also be instructed to attempt actions requiring administrative rights, such as deleting backups or recovery points

  • 9. Page 8 Cases that OCR closes fall into five categories:
    1. Resolved After Intake & Review (No Investigation): OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. For example, OCR will close cases where: the organization alleged to have violated the HIPAA Rules is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior by the organization does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.
    Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html

  • 10. Page 9 Cases that OCR closes fall into five categories:
    2. Technical Assistance (No Investigation): OCR provides Technical Assistance to the covered entity, business associate, and complainant through early intervention by investigators located in Headquarters or a Regional Office.
    Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html

  • 11. Page 10 Cases that OCR closes fall into five categories:
    3. No Violation* (Investigated): OCR investigates and does not find any violations of the HIPAA Rules.
    Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html

  • 12. Page 11 Cases that OCR closes fall into five categories:
    4. Corrective Action Obtained* (Investigated): OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards; in some cases, technical assistance is provided after investigation without requiring specific corrective action, for example, when the covered entity or business associate has already taken corrective action during the investigation or within the 60-day window prior to notifying OCR of the breach incident.
    Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html

  • 13. Page 12 Cases that OCR closes fall into five categories:
    5. Other: OCR may decide not to investigate a case further if:
      (A) It is referred to the Department of Justice for prosecution
      (B) It involved a natural disaster
      (C) It was pursued, prosecuted, and resolved by state authorities
      (D) The covered entity or business associate has taken steps to comply with the HIPAA Rules, and OCR determines enforcement resources are better/more effectively deployed in other cases
    Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html

  • 14. Page 13 Hot Enforcement Trends by the OCR
    - Settlement numbers over the past 3 years were greater than the total settlements in the decade prior (33 settlements since 2016)
    - $25.7 million worth of HIPAA settlements in 2018
    - The OCR Director expressed interest in finding “big, juicy, egregious” privacy breaches to send a clear message
    - There is now a clear punitive element to resolutions
    - As of August 31, 2019, OCR has settled or imposed a civil money penalty in 65 cases resulting in a total dollar amount of $102,681,582
    - In another 11,907 cases, OCR investigations found no violation had occurred
  • 15. Page 14 The data table below shows the enforcement results by calendar year according to the type of closure for each category; this is the number of investigations that OCR had resolved.
    Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html

  • 16. Page 15 Results of 2018 Investigations
    Source: https://www.hhs.gov/sites/default/files/ocr-enforcement-results-2018.jpg

  • 17. Page 16 Recent November 2019 Breaches
    [Bar chart: November 2019 Breaches by People Affected (rounded); values as read from the chart, in category order]
    - Laptop: 2,500
    - Mobile Electronic Device: 4,200
    - Printed Media: 8,800
    - Desktop Computer: 12,000
    - Electronic Health Record: 16,000
    - Servers: 55,000
    - Other: 106,000
    - Email: 268,000
    Skewed as a result of the Texas Health Resources breach (87,000 affected)
    Source Data: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html
  • 18. Page 17 Breach Notification  HIPAA requires notification in the event of a breach of unsecured PHI  Notification must be made to the patient, government, and in some cases the media  Breach  acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI  ePHI encrypted by ransomware has been acquired (i.e., unauthorized individuals have taken possession or control of the information)  That makes the attack a BREACH unless
  • 19. Page 18 Low Probability of Compromise  Factors you must consider:  Nature and extent of PHI  Who used the PHI or to whom the disclosure was made  Was PHI acquired/viewed  Has risk been mitigated  May also want to consider:  Risk of unavailability of data  Risk to integrity of data  Was PHI exfiltrated  Must maintain documentation of the risk assessment
  • 20. Page 19 Breach Incident Response  Develop a plan before a breach occurs  Create a site profile that includes contacts, legal, finance, and public relations  The Incident Response Plan should designate:  Roles and responsibilities:  Notify your regional FBI field agent, PR firms, legal counsel, your cybersecurity insurer (only to the extent required in your policy), etc.; and  Identify a data forensics team to determine the source and scope of the breach and ensure vulnerable systems are patched as soon as possible  Timelines  A communication plan for all audiences (employees, patients, board members, etc.)  Determine reporting obligations under federal and state law requirements
Page 20
Managing Cybersecurity Threats
 In late December 2018, HHS released a guidance document, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)
 The purpose of the HICP is to:
  1. Raise awareness of cybersecurity
  2. Provide vetted cybersecurity practices
  3. Move organizations towards consistency in mitigating cybersecurity threats to the sector; and
  4. Aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes
 HHS identified the five most common threats to patient health information as:
  1. E-mail phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider, accidental, or intentional data loss
  5. Attacks against connected medical devices
Page 21
Managing Cybersecurity Threats
 The HICP noted 10 cybersecurity practices to mitigate those threats:
  1. E-mail protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies
 Technical Guides were included within the HICP for small organizations and for medium/large organizations to implement these practices
Page 22
Potential Changes to HIPAA
 On December 12, 2018, OCR released a Request for Information (RFI) seeking public comments on potential changes to HIPAA
 The RFI focused on HIPAA requirements that limit or discourage coordination of care without meaningfully contributing to the protection of the privacy or security of an individual's PHI
 Potential revisions to the following requirements:
  Accounting of disclosures
  Patient's right to access
  Timeframes for responding to information requests
  Potential exceptions to the minimum necessary rules
 Public comments were due by February 11, 2019
Page 23
Potential Changes to HIPAA
 The Office of the National Coordinator for Health Information Technology (ONC) has also indicated potential changes on the horizon:
  Draft Strategy on Reducing Burden Relating to the Use of Health IT and EHRs
 Three goals noted in the draft strategy:
  1. Reduce the effort and time required for clinicians to record health information in EHRs;
  2. Reduce the effort and time required for clinicians, hospitals, and healthcare organizations to meet regulatory reporting requirements; and
  3. Improve the functionality and intuitiveness (ease of use) of EHRs
 Comments ended February 11, 2019
Page 24
Top HIPAA Breaches 2019
Page 25
Top 10 Breaches Reported for 2019
 An agency was hacked for eight months, between August 1, 2018, and March 30, 2019; 25 million patients affected
 An insurer reported a nine-year intrusion on its servers, which potentially breached the data of 2.96 million patients
 A health information services group's misconfigured database led to a personal health data breach affecting 1.57 million people
 A healthcare system's misconfigured server resulted in 974,000 patients having their data exposed online for three weeks
 A cyberattack on a statement processing group potentially compromised a wide range of data from a host of clients, including demographic details and Social Security numbers of approximately 600,000 patients
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 26
Top 10 Breaches Reported for 2019
 A breach at a state agency caused by a massive phishing campaign; in total, 625,000 patients and 2.5 million emails were compromised
 A hacking incident at a medical group in February, impacting 400,000 patients
 Several employees of an academic medical center fell victim to phishing attacks; the personal and health data of about 326,629 patients was potentially breached
 An unauthorized third party gained access to employee and hosted email accounts at a hospital, a potential data breach affecting 278,016 patients
 A server migration error at a software solutions company exposed the personal and medical data of 277,319 patients
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 28
Costly Investigations
 Big health companies: 6 of the 10 largest payouts last year involved household names
  $16 million settlement involving over 79 million people; no safeguards were in place to detect hackers, and the company failed to conduct an annual risk analysis
  $4.3 million penalty for failing to encrypt devices
 Lower fines for smaller companies with specific HIPAA shortcomings
  $100,000 settlement for failing to properly dispose of PHI
  $125,000 settlement for a doctor's disclosure of patient PHI to a reporter
  $111,400 settlement for failing to terminate a former employee's access to ePHI
Page 29
Enforcement Trends by the OCR
 OCR settles first case in its HIPAA Right-of-Access Initiative
  A health system paid $85,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services and adopted a corrective action plan to settle a potential violation of the right-of-access provision of the HIPAA Rules after it failed to provide a mother timely access to records about her unborn child
  OCR initiated its investigation based on a complaint from the mother
  As a result, the health system directly provided the individual with the requested health information, more than nine months after the initial request
  The HIPAA Rules generally require covered healthcare providers to provide medical records within 30 days of the request, and providers can only charge a reasonable, cost-based fee
Page 30
Software Configuration Error
Covered Entity: Integrated Delivery Network
Issue: Misconfiguration error in the billing system
 A health system with hospitals and clinics in 16 counties, serving about 7 million patients each year; officials filed breach reports for each of its 15 hospitals impacted by the security incident
 Officials first learned about the security incident on August 23; a misconfiguration error allowed patient data to be matched with, and sent to, the incorrect guarantor for nearly three months, between July 19, 2019, and September 4, 2019, resulting in a breach affecting over 87,000 people
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 31
Not Every Investigation Ends Costly
Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates
 A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a business associate agreement, as required by the Privacy Rule, to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20
Page 32
How You React Matters
Physician Revises Faxing Procedures to Safeguard PHI
Covered Entity: Healthcare Provider
Issue: Safeguards
 A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new healthcare provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore that the communication is confidential and intended only for the named recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case3
Page 33
Cleanup Will Always Be Part of the Response
Health Plan Corrects Computer Flaw That Caused Mailing of EOBs to Wrong Persons
Covered Entity: Health Plans
Issue: Safeguards
 A national health maintenance organization mailed an explanation of benefits (EOB) to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period, and correct all corrupted patient information.
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case16
Page 35
Thank You!
Barry Mathis
bmathis@pyapc.com
(800) 270-9629
pyapc.com