HIPAA & BYOD - Friends or Foes?


Description

More than 80% of healthcare organizations support BYOD, but how many of them are violating HIPAA in doing so? This webinar covers the risks and costs of non-compliance in healthcare, with practical, real-world advice from Sarah Swank, an industry expert and healthcare attorney, on how to support BYOD in a HIPAA environment.

Transcript of HIPAA & BYOD - Friends or Foes?

Page 1: HIPAA & BYOD - Friends or Foes?

© 2013 Bitglass CONFIDENTIAL DO NOT DISTRIBUTE

BYOD and HIPAA Friends or Foes?

Page 2

Welcome – Logistics

• Download the slides for today’s program by clicking the attachment button on your screen

• The question button allows you to type your questions. We’ll look at those questions at the end of the program and answer as many as we can

• During the webinar we may ask you, the audience, a question. Please use the vote button to log your answer

• This webinar will be available immediately after the presentation at BrightTalk

Page 3

Today’s Speakers

Sarah E. Swank, Esq.

Principal, Health Law Group

Rich Campagna

VP, Products & Marketing

Page 4

Today’s Agenda

• Introduction

• HIPAA/HITECH and BYOD

• Practical Solutions for Health Care Providers

• Bitglass Solution

Page 5

Introduction

Clinicians collecting data at bedside via mobile

81% of healthcare providers supporting BYOD

[Chart: 2013 vs. 2014, axis 0–50%]

BYOD use is exploding…

But so are the fines…

FINED: $1,500,000

Page 6

HIPAA and HITECH

Page 7

The History of HIPAA

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Standard Transactions

• Privacy Rule

• Security Rule

Health Information Technology for Economic and Clinical Health (HITECH)

• Meaningful Use

• New Regulations - September 23, 2013

• Proactive Auditing

• State Attorney General Actions

• Criminal Actions

Page 8

Overview of New HIPAA Regulations

• Business associates

• Enforcement

• Electronic access

• Marketing

• Fundraising

• No sale of PHI

• Right to request restrictions

Page 9

Most Frequent OCR Complaints

• Impermissible uses and disclosures of protected health information

• Lack of safeguards of protected health information

• Lack of patient access to their protected health information

• Uses or disclosures of more than the minimum necessary protected health information

• Lack of administrative safeguards of electronic protected health information

Page 10

The Cost of Non-compliance

Page 11

HIPAA/HITECH Enforcement

• A Mass General employee, who had taken patient files home, left the folders on the subway train and they were never recovered

• Investigation initiated after media reports of the incident and a complaint from an individual whose PHI was lost

• Settled with OCR through a Resolution Agreement and Corrective Action Plan

Page 12

HIPAA/HITECH Enforcement

Mass General Settlement

• $1 million resolution amount

• Corrective Action Plan

• Internal monitor

Page 13

The Hospice of North Idaho

• Fine: $50,000

• Breach: Unencrypted laptop computer stolen containing ePHI of 441 patients

• Findings:

- Had not conducted a risk analysis to safeguard ePHI

- No policies or procedures to address mobile device security as required by the HIPAA Security Rule

Page 14

Breach Notifications

• Covered entities and business associates must provide notification of breaches of unsecured protected health information

PHI is unsecured if it is NOT:

• Encrypted

• Destroyed

Page 15

New Technologies, New Focus

1. Recent enforcement focus on mobile

2. Lack of policies and procedures directly addressing mobile

- Tracking

- Authentication

- Security (including encryption)

3. Problem across all sizes and types of entities

4. Check out the “Wall of Shame”: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 16

Practical Solutions

Page 17

Mobile Devices

• Who owns the devices?

• Are personal devices registered?

• Secure information exchange (HTTPS, VPN, etc.)

• Back up PHI on servers

• Remote wipe of data

• Policy and procedures

• Training

Page 18

Culture of Compliance

Compliance involves active engagement of leadership within an organization

A successful compliance program includes:

• Employee training

• Vigilant implementation of policies and procedures

• Regular internal audits

• Prompt action plan to respond to incidents

• Analyze, evaluate, and correct potential risk areas

Page 19

Protect Data

1. Encrypt data anywhere it goes

2. Enforce application access controls

3. Control, filter, encrypt and monitor email

4. Forbid storing data on mobile devices

5. Wipe data immediately if lost or stolen

6. Implement DLP: network, email, web, systems, mobile

7. Use application delivery framework

Page 20

Gov’t Recommendations: Five steps to manage mobile devices

STEP 1: Decide

STEP 2: Assess

STEP 3: Identify

STEP 4: Develop, Document, and Implement

STEP 5: Train

Page 21

Bitglass

Page 22

Bitglass BYOD Security

• Security & Compliance: DLP, Clientless Selective Wipe, Access Control, Passcode & Encryption Enforcement

• Audit & Visibility: Audit Logs, Suspicious Activity Alerts, etc.

• Deploy in Minutes: Lightweight, Easy-to-deploy

• Mobility: Anywhere, any device; mobile and laptop

• Transparency: Native experience for employees

• Privacy: No capture of personal data

Meets Staff Expectations

Solves IT Pain Points

Page 23

Case Study

Large Hospital Chain

• Challenge: HIPAA Compliance with Mobile

• Environment: MSFT Exchange and BYOD

• Why Bitglass?

- DLP and Data Tracking Extend to BYOD

- Does not invade user privacy

- Works with or without MDM (multiple affiliations)

- Bitglass team responsiveness to evolving needs

Page 24

Questions?

Rich Campagna

Bitglass

Campbell, CA

(408) 203-7090

[email protected]

@bitglass

Sarah E. Swank

OBER | KALER

Washington, DC

(202) 326-5003

[email protected]

@swanksarah