PHI & HIPAA


Description: PHI & HIPAA. Are You Ready For A HIPAA Audit? (PowerPoint PPT presentation)

Transcript of PHI & HIPAA

Slide 1

PHI & HIPAA: Are You Ready For A HIPAA Audit?

Legal Information Is Not Legal Advice

This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is appropriate to your particular situation.

Who Has Business Associate Agreements In Place?

OCR/HHS Deadline Was September 23, 2013

Do You Have PHI? (Protected Health Information)

What Is PHI?

HIPAA regulations define health information as "any information, whether oral or recorded in any form or medium" that "is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

Electronic Protected Health Information (ePHI)

Physicians who conduct any of the transactions named below electronically are required to comply with HIPAA:

ASC X12 837 Health Care Claim: Professional
ASC X12 835 Health Care Claim Payment/Remittance Advice
ASC X12 276 Health Care Claim Status Request
ASC X12 277 Health Care Claim Status Response
ASC X12 270 Health Care Eligibility Benefit Inquiry
ASC X12 271 Health Care Eligibility Benefit Response
ASC X12 278 Health Care Services Review Information - Review
ASC X12 278 Health Care Services Review Information - Response
ASC X12 834 Benefit Enrollment and Maintenance
ASC X12 820 Payment Order and Remittance Advice

De-identified: Information that has certain identifiers (see identifiers below) removed in accordance with 45 CFR 164.514; no longer considered to be Protected Health Information.

Identifiers: Under the HIPAA Privacy Rule, identifiers include the following:

1. Names
2. Geographic subdivisions smaller than a state (except the first three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000)
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age (except that such ages and elements may be aggregated into a single category of age 90 or older)
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier)

Why Do Thieves Want PHI?

Old School Theft Was For Credit ID Fraud & Issuing Credit Cards
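As an added example (not part of the original presentation), the following Python applies the Safe Harbor identifier rules listed above to one constructed patient record: direct identifiers are dropped, the ZIP code is cut to its three-digit prefix (or "000" for a restricted prefix), event dates are reduced to the year, and ages over 89 collapse into a single "90+" category with the birth year omitted. The field names, the sample record and the RESTRICTED_ZIP3 set are assumptions made for this example; the real restricted-prefix list comes from census figures and is not on this page.

```python
import re
from datetime import date

# Three-digit ZIP prefixes that must become "000" because the areas sharing the
# prefix hold 20,000 or fewer people. CONSTRUCTED placeholder set for this example;
# the authoritative list is derived from census data and must be checked separately.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Record fields treated as direct identifiers (names, phone/fax, e-mail, SSN, MRN,
# plan and account numbers, licenses, vehicle/device ids, URLs, IPs, biometrics, photos).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vehicle", "device_id", "url", "ip", "biometric", "photo",
}

# Dates directly related to the individual, other than birth date: keep only the year.
EVENT_DATES = {"admission", "discharge", "death"}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or return '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) not in (5, 9):
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth_iso, as_of_iso):
    """Whole years between an ISO-format birth date and a reference date."""
    birth = date.fromisoformat(birth_iso)
    as_of = date.fromisoformat(as_of_iso)
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify_safe_harbor(record, as_of_iso):
    """Return a copy of record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # direct identifier: drop outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of_iso)
            if age > 89:
                out["age"] = "90+"        # birth year would reveal the age; omit it
            else:
                out["age"] = str(age)
                out["birth_year"] = value[:4]
        elif field in EVENT_DATES:
            out[field + "_year"] = value[:4]
        else:
            out[field] = value            # clinical content is not an identifier
    return out


# Constructed sample record (not a real patient).
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
    "zip": "70002-1234", "dob": "1950-06-15", "admission": "2013-08-13",
    "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(deidentify_safe_harbor(SAMPLE, "2013-09-23"))
```

Safe Harbor only removes the listed identifiers; it does not by itself guarantee a low re-identification risk for small or unusual populations, which is why item 18 also excludes any other unique code and why a practice should keep a written record of which fields were removed and when.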

New School Theft Is Devious

Fraudulent Tax Returns

Ringleader of $11.7M identity theft and tax fraud sentenced to more than 26 years

Convicted woman begs for mercy, claims she paid taxes on the stolen money

She filed most of the fraudulent returns, an estimated 1,400 of them, from her home in Fort Lauderdale, from her friends' houses in Broward County and a hotel in Charlotte, N.C., prosecutors said. Many of the victims' identities were obtained from a nurse who worked at a local hospital, prosecutors said.

New School Theft Is Devious

Gang Members Want Your PHI

Street Crime Is For Chumps

"Why sling dope on the corner of an apartment building, when you can rent a room at a hotel nearby and have a tax return party? You can make up to $40,000 or $50,000 in one night." (N. Miami Police)

Gang members are getting their girlfriends to get jobs at healthcare organizations with the sole purpose of stealing electronic patient information. The girlfriends show up to work, steal a sizable amount of data and then never return. The larger the medical practice, the longer it will take for the company to realize.

"If you get a job as an administrator or data person, you have access to all of this information. And with medical it's a double hit: it's not only about the money, but also the health insurance. That is a valuable commodity in the marketplace; it's big dollars."

Detective Craig Catlin of the North Miami Beach Police Department Gang Unit goes so far as to call it an epidemic among the city's street gangs. "Every gang member is doing this," Catlin says. "It's a business to them; they're doing burglaries and then having other members commit the fraud."

New School Theft Is Devious

Thieves Steal The Insurance Policy

Identity theft has spawned a vicious new kind of crime: medical identity theft. Thieves steal your personal information to line their own pockets with fraudulent claims against your own health policy.

Obtain free treatment. Medical ID thieves who don't have their own health coverage often receive free medical treatment, courtesy of your policy. They assume your identity at a hospital or clinic, and your policy receives the bills.

Buy addictive drugs. Medical personnel with access to your data may use your identity to obtain prescription drugs to sell, or feed their own addictions.

New School Theft Is Devious

Heisenberg Wants Your PHI

Pam Dixon, founder and executive director of the World Privacy Forum, said data analysis her organization is currently performing on records from the Justice Department, the Federal Trade Commission and HHS Office for Civil Rights has revealed "a really weird pattern of correlation" between medical record breaches, medical identity theft and methamphetamine trafficking.

"They'll go in and, by whatever means they can, they will acquire healthcare files and start getting prescriptions for methamphetamine precursors. They'll steal people's identities, a lot of them, and they'll write prescriptions for that. They would parse out these prescriptions over a long, long period of time and over a lot of people."

PHI Theft Has Arrived In Louisiana

The dentist noticed money was missing, but it wasn't until one of her patients got a call from the FBI that she realized what was happening and contacted the FBI and state police.

"They came over and we found out that a patient list had been printed up from all the patients in my office. And there was also a handwritten list in her handwriting with her daughter's name and email at the bottom," said Wyatt. "It had specific patients that had been targeted and every one of those patients had been a victim of identity theft."

Wyatt said patients' identities were used to set up credit card accounts and get fake IDs.

The FBI Is Investigating PHI Theft Locally

The Unprotected PHI Is Out There

A local Special Agent visited our office to discuss the audit tracking abilities of a particular billing software we sold.

Where Is Your PHI?

Appointing A Security Officer and Performing A Risk Analysis Is The First Step In HIPAA Compliance.

Where Is PHI?

Once a physician or practice has identified where PHI is stored and moved electronically, they must determine whether any of these places lack appropriate safeguards for protecting ePHI (in other words, the vulnerabilities). Meaning: where are the places in your practice where ePHI could be exposed to access not allowed under HIPAA, and what are you doing to ensure patients' data is protected? The physician or practice should then turn their attention to addressing any identified vulnerabilities in order to reduce the risk of a breach.
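As an added example, not from the presentation, the following Python is a minimal discovery scan for the question "where is your PHI?": it searches text files for the direct identifiers named in the Privacy Rule list (SSN, phone, e-mail, medical record number) plus dates and IP addresses, and flags files that hold at least one direct identifier. The regular expressions, the MRN format and the sample export text are assumptions constructed for this example and would need tuning to a practice's own formats.

```python
import re
from pathlib import Path

# Patterns for identifiers that commonly appear in free text exports. CONSTRUCTED for
# this example; the "MRN 12345678" form in particular is an assumed local convention.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b"),
}

# Identifiers that on their own mark a file as holding PHI; dates and IP addresses
# appear in too many non-patient files to be treated as strong evidence alone.
DIRECT = {"ssn", "phone", "email", "mrn"}


def scan_text(text):
    """Count matches of every pattern in a block of text."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}


def contains_phi(counts):
    """True when at least one direct identifier was found."""
    return any(counts[name] > 0 for name in DIRECT)


def scan_files(paths):
    """Scan each readable file; return {path: counts} for files that look like PHI."""
    hits = {}
    for path in map(Path, paths):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue                      # unreadable or missing: skip, do not crash
        counts = scan_text(text)
        if contains_phi(counts):
            hits[str(path)] = counts
    return hits


# Constructed sample of a billing export (fictional person and numbers).
SAMPLE_EXPORT = """\
Patient: Jane Doe, DOB 06/15/1950, MRN 00123456
SSN 123-45-6789, phone (504) 555-0123, email jane.doe@example.com
Last login from 192.168.1.10 on 08/13/2013
Invoice 4471 paid in full
"""

if __name__ == "__main__":
    counts = scan_text(SAMPLE_EXPORT)
    print(counts, "-> PHI" if contains_phi(counts) else "-> no direct identifiers")
```

A file-system scan like this is one input to the risk analysis, not a substitute for it: the inventory also has to cover the EHR database, e-mail, backups and the copier and fax hard drives discussed later, none of which a text grep will see.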

If You Have PHI You Are Accountable To HIPAA

Now The Headaches Begin

Compliance Is Costly & Time Consuming

If you have not performed an audit of PHI and addressed the items found in 45 CFR 164.308 to 165.530, you are guilty of willful neglect in the eyes of OCR & HHS and are susceptible to an audit and fines.

HIPAA Standards Matrix

The HIPAA Security Standards Matrix is a good synopsis of what standards must be implemented. They fall into three sections, or safeguards:

Administrative Safeguards
Physical Safeguards
Technical Safeguards

NIST Provides Resource Guide For Implementing HIPAA

NIST publishes a wide variety of publications on information security. These publications serve as a valuable resource for federal agencies, as well as public, nonfederal agencies and private organizations, seeking to address existing and new federal information security requirements.

NIST Standards Can Quickly Become Very Technical

Part Of NIST Standard For Secure Passwords

Computer & Network Security Standards Require Professional IT Services. Relying On One's Nephew Or Cousin Will Not Meet HIPAA Expectations.

Back To The Big Three Components Of The Security Standard

"Administrative safeguards" focus on workforce training and contingency planning (45 CFR 164.308). The cornerstones, however, are risk analysis and risk management, both "required." Critical and thorough risk analysis must take place before any attempt at regulatory compliance is made.

"Physical safeguards" are concerned with access both to the physical structures of a covered entity and its electronic equipment (45 CFR 164.310). ePHI and the computer systems upon which it resides must be protected from unauthorized access, in accordance with defined policies and procedures. Some of the requirements under the physical safeguards heading can be accomplished through the use of electronic security systems.

"Technical safeguards" may be the most difficult part of the security regulations to comprehend and implement for those lacking technical savvy.

HIPAA Standards Which Can Get You Into Trouble Quick

164.308(a)(5)Protection From Malicious Software

When Does Malicious Software Become A HIPAA Breach?

RansomWare On A Computer With ePHI Is A HIPAA Breach

What About Your Standard Anti-virus Program Scan?

Dozens Of Problems Found. What Do They Mean?

8/13/2013 11:56:20 AM
Scan took 00:35:47.
118 items found.

Babylon.Toolbar: [SBI $DEB52F26] Program directory (Directory, nothing done) C:\ProgramData\Babylon\

Babylon.Toolbar: [SBI $C8B4B0BD] Program directory (Directory, nothing done) C:\Users\User\AppData\Roaming\BabSolution\

Delta.Toolbar: [SBI $85F92549] User settings (Registry Key, nothing done) HKEY_USERS\S-1-5-21-3449885064-820364532-706496229-1006\Software\BabSolution

Delta.Toolbar: [SBI $43010DDC] Class ID (Registry Key, nothing done) HKEY_CLASSES_ROOT\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}

Delta.Toolbar: [SBI $1E0125E9] Settings (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Delta

Delta.Toolbar: [SBI $C36E11F4] Settings (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde

Delta.Toolbar: [SBI $14654384] Settings (Registry Key, nothing done)

Montera.Toolbar: [SBI $C595B0E4] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

Montera.Toolbar: [SBI $2212EF94] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\escort.DLL

Montera.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane

Montera.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1

Montera.Toolbar: [SBI $07586C96] Class ID (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}

Wajam: [SBI $70DA2562] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}

Wajam: [SBI $F5551A2E] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\priam_bho.DLL

Wajam: [SBI $8F399DD1] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
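To make sense of a report like the one above, here is an added example (not part of the presentation) that parses the Spybot-style lines, collapses the entries that appear twice, and counts per family how many items were detected but left in place ("nothing done"). The line format is taken from the report itself; the parser and the sample lines copied into SAMPLE_REPORT are this example's own construction.

```python
import re
from collections import Counter, defaultdict

# One report line: "<family>: [SBI $<id>] <kind> (<type>, <action>) <location>".
LINE_RE = re.compile(
    r"^(?P<family>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]+)\] (?P<kind>.+?) "
    r"\((?P<type>[^,]+), (?P<action>[^)]+)\)\s*(?P<location>.*)$"
)

# Constructed sample: lines copied from the report above, with the summary line kept
# and one entry intentionally duplicated the way the slide shows it.
SAMPLE_REPORT = r"""
118 items found.
Babylon.Toolbar: [SBI $DEB52F26] Program directory (Directory, nothing done) C:\ProgramData\Babylon\
Delta.Toolbar: [SBI $85F92549] User settings (Registry Key, nothing done) HKEY_USERS\S-1-5-21-3449885064-820364532-706496229-1006\Software\BabSolution
Delta.Toolbar: [SBI $C36E11F4] Settings (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Montera.Toolbar: [SBI $2212EF94] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\escort.DLL
Montera.Toolbar: [SBI $2212EF94] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\escort.DLL
Wajam: [SBI $F5551A2E] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\priam_bho.DLL
"""


def parse_report(text):
    """Turn each matching report line into a dict; header and summary lines are skipped."""
    findings = []
    for line in text.strip().splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings


def triage(findings):
    """Per family: unique items, how many are still present ('nothing done'), and
    a breakdown by item type. Duplicate (family, type, location) entries count once."""
    unique = {}
    for finding in findings:
        key = (finding["family"], finding["type"], finding["location"])
        unique.setdefault(key, finding)
    summary = defaultdict(lambda: {"items": 0, "unresolved": 0, "types": Counter()})
    for (family, item_type, _), finding in unique.items():
        entry = summary[family]
        entry["items"] += 1
        entry["types"][item_type] += 1
        if finding["action"].lower() == "nothing done":
            entry["unresolved"] += 1
    return dict(summary)


def unresolved_count(text):
    """Total number of distinct detected items the scanner did not remove."""
    return sum(entry["unresolved"] for entry in triage(parse_report(text)).values())


if __name__ == "__main__":
    for family, entry in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{family}: {entry['items']} items, {entry['unresolved']} unresolved, {dict(entry['types'])}")
```

Every entry above is an adware toolbar directory or registry key that the scan detected but did not remove. A triage like this answers the slide's question by showing what is still present on the machine, which is the starting point for deciding whether the finding touches a computer that holds ePHI and whether it rises to the level of a breach.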

If W32.QAKBOT Is Found On Your Computer: You Have A HIPAA Breach

An aggressive worm known for stealing sensitive information was found on the computer network for the agencies handling unemployment claims in Massachusetts.

W32.QAKBOT is a worm that spreads through network drives and removable drives. After the initial infection, usually the result of clicking on a malicious link on a Web page, it can download additional files, steal information and open a back door on the compromised machine. The worm also contains a rootkit that allows it to hide its presence, and it works slowly to avoid detection. "Its ultimate goal is clearly theft of information," said Shunichi Imano, a Symantec researcher.

Qakbot is especially aggressive and normally targets online banking, although it has the ability to mutate itself to switch targets and change its methods. The cyber-criminals behind the infection could have remotely instructed the virus to go after names, addresses and Social Security numbers stored in the state systems instead of focusing on banking sites. "In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen," according to Patrick Fitzgerald, a senior security response manager at Symantec.

Where Are Employees Surfing On YOUR Computers?

Do You Have An Employee Policy For Acceptable Internet Use?

Virus removal examples. When will an infection constitute a BREACH?

You Now Must Keep ALL Software & Anti-Virus Up To Date

Data Backup & Disaster Recovery Plans Are Now Mandatory

Is The Government Really Going To Check To See If I Have A Disaster Recovery Plan?

Let Me Tell You The Tale Of Marty Hahne

Marty Is A Magician From Ozark, Mo.

Marty produces Casey the rabbit in the finale of a show for children at the Little Angels Learning Academy in Battlefield, Mo.

A Badge-Wielding Agent Of The USDA Approached Marty After The Show

"Where is your federal license for the rabbit?" demanded the agent.

Marty had to pay $100.00 for a USDA license for Casey.

Now Marty & Casey Are In The System!

Now The USDA Wants A WRITTEN Disaster & Recovery Plan For Casey The Rabbit.

Marty Submitted A Proper Plan

The Moral Of Casey's Tail?

No Entity Is Too Small To Escape Government Enforcement.

& It Really Is A Good Idea To Backup & Have A Disaster/Business-Continuity Plan.

Physical Safeguards

HIPAA Requires Reviews From Employees' Badges To Alarm Systems

Physical Safeguards

No More Servers Under Desks.

HIPAA Wants Controlled Access To Servers. Audit Controls Must Be In Place On Servers.

Physical Safeguards

Physical Computers Are GOLD To Identity Thieves

Rather than network hacking, we are seeing an increase in physical "smash & grab" of computers, laptops & servers.

Physical Safeguards

Workstation & Laptop Locks

Physical Security

A Quick Case Study

Olson & White Orthodontics, a St. Louis suburb-based orthodontist office, is notifying 10,000 patients that their protected health information and Social Security numbers have been compromised following the recent burglary of company computers and hardware.

According to the Health Information Trust Alliance, in 2011 the estimated average cost per record of a healthcare data breach was $240.00.

10,000 X $240.00 = $2,400,000.00

Estimated Cost Before Any Punitive Fines From HIPAA

Physical Safeguards

Disposal & Re-use

The Department of Health and Human Services (HHS) announced a settlement on August 14, 2013, with Affinity Health Plan (Affinity), which included a payment of $1,215,780, for a HIPAA security violation caused by Affinity's failure to remove Electronic Protected Health Information (EPHI) from the hard drive of a leased photocopier that was returned to the leasing company.

The $1,215,780 Fine Does Not Include The Cost Of Notification To 344,579 Patients.

Equipment With Similar Internal Hard Drives:

Fax machines
Desktop copy machines
All-in-one scanner copiers
Desktops, laptops, servers, tablets, smart phones

Physical Safeguards

We Now Require A BA Agreement To Repair Computers Containing ePHI

Physical Safeguards

We Provide Verification Of Data Destruction To NIST Standards

Technical Safeguards

The IT Nightmare

Technical Safeguards

HIPAA Requires Professional Risk Analysis

Technical Safeguards

Idaho State University's $400,000 Firewall

The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU.

OCR's investigation indicated that ISU's risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

Technical Safeguards

Encryption

Advocate Health Care, which in August reported the second largest HIPAA data breach to date after four unencrypted laptops were stolen from its facility, compromising the protected health information and Social Security numbers of more than 4 million people, has now been slapped with a class action lawsuit filed by affected patients.

Technical Safeguards

Encryption

HIPAA Fine For Breach Under 500 Patients

The HHS Office for Civil Rights (OCR) fined the Hospice of North Idaho $50,000 for a data breach. The breach resulted from an unencrypted laptop that was stolen from an employee's car. The laptop contained electronic protected health information (ePHI) of 441 patients.

OCR Director Leon Rodriguez states what seems to be more and more clear every day:

"This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," said OCR Director Leon Rodriguez. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

Technical Safeguards

Encryption

Tabby May Help Prevent Laptop Theft, But HIPAA Will Still Want Accountability.

Encryption Is Almost A Get Out Of Jail Free Card. Had The Four Stolen Laptops Been Encrypted To NIST Standards, HIPAA Would Not Have Required Breach Notification.

Technical Safeguards

Encryption Requires Discipline

Identifying what is encrypted
Identifying where files are encrypted
Maintaining keys
Training staff
Testing data recovery

Technical Safeguards

Secondary Liability: Right Of Private Action

Two plaintiffs, representing patients affected by the breach, assert that Advocate Health Care failed to take the necessary precautions required to safeguard patients' protected health information. The unencrypted laptops were stolen from an "unmonitored" room, one with "little or no security to prevent unauthorized access," the lawsuit read.

Are You A Victim Of The Advocate Health Care HIPAA Breach? If so, I know a guy who knows a guy, whose sister's friend made big bucks suing for a HIPAA breach.

HIPAA Audits & Breaches

Can You Be Selected For An Audit?

Initial Period For Random Audits Has Ended. New Protocols Being Developed.

HIPAA Audits & Breaches

Can You Be Selected For An Audit?

Complaints To The HHS Website Can Trigger An Audit

HIPAA Audits & Breaches

Can You Be Selected For An Audit?

A disgruntled employee or patient can email OCR complaining that your office has not done a risk analysis or implemented any HIPAA protocols. OCR will take notice.

HIPAA Audits & Breaches

A Reported Data Breach Of ePHI Will Trigger An Audit. 64% Of Breaches Are Discovered Externally.

Forty Percent Of 2013 HIPAA Breaches Involved Business Associates

HIPAA Audits & Breaches

HIPAA Audits & Breaches

What An Audit Looks Like

HIPAA Audits & Breaches

Don't Show Up On The Wall Of Shame

Google Search Is The True Wall Of Shame

Know Your Business Associates: You're In It With Them

Billing service
Collection service
Lawyers
IT vendor
Medical record disposal company
EHR vendor
Answering service
Transcriptionist
Labs
Imaging centers
Private payers
Medical transport company
Cleaning service

And The List Goes On

HIPAA Now Requires Comprehensive Business Associates Agreements

Basic Remedial Action

Performing a new risk assessment

Revising policies and procedures

Improving physical security by installing new security systems or by relocating equipment or records to a more secure area

Training or retraining workforce members who handle protected health information;

Adopting encryption technologies

Establish Acceptable Use Rules For Internet

Imposing sanctions on workforce members who violated policies and procedures, primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access

Changing passwords

Revising business associate contracts to more explicitly require protection for confidential information. In both

Contact Your Liability/Malpractice Insurance Company

REMEMBER: If It Is Not Documented, It Did Not Happen. HIPAA Will Want It In Writing.

Synergy Solutions, 3200 Ridgelake Dr. Suite 203, Metairie LA 70002

Telephone (504) 834-9550
Facsimile (504) 834-5755
Toll Free 866-834-8030
[email protected]
Daigle: 504-834-9550 Ext [email protected]

Frank J [email protected] ext 116

www.GoToSynergyMSP.com