HIPAA Security Dr. Jose I. Delgado
Introduction
This presentation covers:
• HIPAA’s Importance – beyond the regulation
• What is HIPAA
• HIPAA Security Key Components
• Cybersecurity
• Lessons Learned
• Recommendations
Disclaimer
This information is not intended to be legal advice
and does not intend to create an attorney-client
relationship. The information hereby presented is for
educational purposes only.
Objectives
Understand:
• Basics of HIPAA Security
• Cybersecurity threats in
2019
• Remediation actions and
recommended steps
Perspective on the Law
Practicing without a license:
• Jail or prison.
  • Misdemeanor: maximum jail sentence of up to one year.
  • Felony offenses can face eight years or more in a state prison.
• Fines.
  • Misdemeanor fines normally do not exceed $1,000.
  • Felony fines exceed $10,000.
Perspective on the Law
HIPAA Security Violation
• Civil Violations
  • $100 to $50,000 per violation (or record)
  • Maximum penalty of $1.5 million per year per violation type
• Criminal Violations
  • "Knowingly" obtaining or releasing information: fine of up to $50,000, as well as imprisonment of up to 1 year.
  • Offenses committed under false pretenses: $100,000 fine, with up to 5 years in prison.
  • Offenses committed with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: fines of $250,000 and imprisonment of up to 10 years.
State Attorneys
American Recovery and Reinvestment Act of 2009:
• The Health Information Technology for Clinical and Economic Health (HITECH) Act gave State Attorneys General the authority to bring civil actions on behalf of state residents for HIPAA violations.
The HITECH Act permits State Attorneys General to:
• Obtain damages on behalf of state residents
• Enjoin further violations of the HIPAA Privacy and Security Rules.
OCR developed HIPAA Enforcement Training for State Attorneys designed to:
• Teach how to use their new authority to enforce HIPAA
• Aid in investigating and seeking damages for HIPAA violations
Violations and Outcomes
• Who: Insurance company, Triple-S (Puerto Rico)
• What/Why: Widespread non-compliance
  • Failure to implement Administrative, Privacy, and Technical safeguards
  • Lack of appropriate Business Associate Agreements
  • Failure to conduct an accurate/thorough Risk Analysis
• Settlement: $3.5 Million
• Corrective Action Plan:
  • Conduct Risk Analysis and Implement Risk Management Plan
  • Implement Process for Evaluating Environmental and Operational Changes
  • Distribution and Updating of Policies and Procedures
  • Training
Violations and Outcomes
• Who: Raleigh Orthopedic (North Carolina)
• What: Breach report, 17,300 patient records
• Why: Handed over x-rays and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $750,000
• Corrective Action Plan:
  • Business Associate Agreements
  • Revise Policies and Procedures Related to Business Associate Relationships
  • Training
Violations and Outcomes
• Who: Anthem Inc
• What: Breach report, 79 million patient records
• Why: A series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.
• Settlement: $16,000,000
• Corrective Action Plan:
  • Security Management Process
  • Development and Distribution of Policies and Procedures
Violations and Outcomes
• Who: Advanced Care Hospitalists PL (ACH)
• What: Breach report, 400 patient records
• Why: Handed over billing data and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $500,000
• Corrective Action Plan:
  • Business Associate Agreement
  • Risk Analysis and Risk Management
  • Adoption, Distribution, and Updating of Policies and Procedures
  • Training
What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act
that was passed by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health insurance coverage for
millions of American workers and their families when they change or lose
their jobs;
• Reduces health care fraud and abuse;
• Mandates industry-wide standards for health care information on electronic
billing and other processes; and
• Requires the protection and confidential handling of protected health
information
HIPAA is organized into five separate "Titles."
[Diagram: HIPAA Titles 1 through 5. The slide expands Title 2 only.]
• Title 1
• Title 2
  • Preventing Health Care Fraud
  • Medical Liability Reform
  • Administrative Simplification
    • Electronic Data Interchange
    • Privacy
    • Security
      • Security Standards
        • General Rule
        • Administrative Safeguards: 9 Standards, 21 Specifications
        • Technical Safeguards: 5 Standards, 7 Specifications
        • Physical Safeguards: 4 Standards, 8 Specifications
        • Organizational Requirements
        • Policies and Procedures
• Title 3
• Title 4
• Title 5
Privacy vs Security
Privacy                                  | Security
Applies to Protected Health Information  | Applies to Electronic Protected Health Information
Requires HIPAA Privacy Officer           | Requires HIPAA Security Officer
Guidelines are broad                     | Guidelines are specific
Requires Annual Training                 | Requires Annual Training plus Security Reminders
Requires Policies and Procedures         | Requires Policies and Procedures
Security Categories
Administrative safeguards: Administrative functions including but not
limited to assignment or delegation of security responsibility to an
individual and security training requirements.
Physical safeguards: Facility, entry points and access. Includes restricting
access to EPHI and retaining off site computer backups.
Technical safeguards: Refers to the technology used as well as automated
processes used to protect data and control access to data.
Required and Addressable
Required - If a particular specification is "required", then the covered entity must take action to implement the specification.
Addressable - Implement the specification if reasonable and appropriate.
• If implementing the specification is not reasonable and appropriate, the covered entity must document the rationale supporting the decision and then either:
  • Implement an equivalent measure that is reasonable and appropriate and that would accomplish the same purpose, or
  • Not implement the addressable implementation specification or an equivalent alternative measure, if the standard can still be met and implementing the specification or an alternative would not be reasonable or appropriate.
Under no conditions should any covered entity consider addressable specifications as optional requirements.
Business Associate
• A Business Associate is a person or entity that creates, receives, maintains, or transmits protected health information on behalf of a Covered Entity.
• A Covered Entity may be a Business Associate of another Covered Entity.
Omnibus Rule Business Associate Definition
• A health information organization, e-prescribing gateway, or other entity that provides data transmission services to a covered entity and requires access on a routine basis to protected health information (PHI).
  • An entity that is a mere conduit that does not require access to PHI is not included.
• A subcontractor. If a business associate subcontracts part of its function requiring access or use of PHI to another organization, that subcontractor is also subject to HIPAA.
  • There must be a HIPAA-compliant business associate agreement between the business associate and its subcontractor.
• A person who creates, receives, maintains or transmits PHI on behalf of a covered entity.
  • Physical storage facilities or companies that store electronic PHI are business associates.
Key Points About Business Associates
01. Covered Entities must have a valid Business Associate Agreement.
02. Covered Entities must obtain assurances that Business Associates are in compliance with HIPAA.
03. Covered Entities must terminate the relationship with Business Associates that refuse to be compliant with HIPAA Security.
Examples of Business Associates
• Data processing companies
• Medical Transcription specialists
• Data Transmission companies
• Medical Equipment suppliers
• Document Shredding companies
• Data Storage Firms
• Audit Consultants
• Accountants
• External Auditors
• Electronic Health Data Exchange
Business Associates and Risk*
• 59% of Business Associates reported a data breach
• 29% of Business Associates experienced two breaches or more
• 80% of BAs reported malware attacks, and nearly half were hit by advanced persistent threats
*Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute
Cybersecurity Ventures 2019 Report
• Cybercrime will cost the world in excess of $6
trillion annually by 2021, up from $3 trillion in
2015.
• Cyber attacks are the fastest growing crime in the
U.S.
• Cloud computing will wipe out data centers
altogether over the next 3-4 years.
• Microsoft helps frame digital growth with its
estimate that data volumes online will be 50
times greater in 2020 than they were in 2016.
• Cisco confirmed that cloud data center traffic
will represent 95 percent of total data center
traffic by 2021.
Cybersecurity Reports
• Global spending on cybersecurity will exceed $1 trillion cumulatively for the 5-year period from 2017-2021, according to Cybersecurity Ventures.
• Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 14 seconds by 2019, and every 11 seconds by 2021.
• Cybercrime will more than triple the number of job openings to 3.5 million.
• Healthcare providers have been the bullseye for hackers over the past three years and are expected to continue to be so.
• Medical information is worth more than 10 times your credit card number on the black market.
[Chart: Patient Data Targeted (Business Associates). Bar values shown: 55%, 41%, 23%, 21%, 6%, 6%, 3%; the category labels did not survive extraction.]
Healthcare Cybersecurity Threats
• Cloud security
• Unsecured mobile devices
• Ransomware
• People
• IoT (Internet of Things)
Internet of Things (IoT)
A system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
• Amiko.IO focuses on providing products for respiratory disease management, complete with an AI-powered platform.
• InfoBionic's MoMe Kardia provides remote monitoring of cardiac arrhythmia.
• PillCam™, by Medtronic, is a line of swallowable capsules that allow visualization of the esophagus, stomach, small bowel, and colon.
Services to Consider
• Update security patches
• Automatic monitoring systems
• Antimalware systems
  • Antivirus
  • Ransomware protection
• Backups and contingency plans
Plan of Action
• Assign a Security Officer
• Have a third party perform a Security Risk Assessment
• Introduce automated audits and measures
• Develop and implement policies
• Conduct education/training: annual training and security reminders
• Review Business Associate Agreements and compliance
Reminder
Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities' organizations and technologies change.
Dr. Jose I. Delgado
Taino Consultants Inc., CEO
DrDelgado@tainoconsultants.com
tainoconsultants.com
Artificial Intelligence Robotics & Computational Fluid DynamicsArtificial Intelligence Robotics & Computational Fluid Dynamics
Artificial Intelligence Robotics & Computational Fluid Dynamics
 
unit-3 blood product B.Pharma 3rd year .pptx
unit-3 blood product B.Pharma 3rd year .pptxunit-3 blood product B.Pharma 3rd year .pptx
unit-3 blood product B.Pharma 3rd year .pptx
 
Biology class 12 assignment neet level practise chapter wise
Biology class 12 assignment neet level practise chapter wiseBiology class 12 assignment neet level practise chapter wise
Biology class 12 assignment neet level practise chapter wise
 
Single Assessment Framework - What We Know So Far
Single Assessment Framework - What We Know So FarSingle Assessment Framework - What We Know So Far
Single Assessment Framework - What We Know So Far
 
Preventing Common Nutritional Deficiencies In Poultry Flocks (PPT).pdf
Preventing Common Nutritional Deficiencies In Poultry Flocks (PPT).pdfPreventing Common Nutritional Deficiencies In Poultry Flocks (PPT).pdf
Preventing Common Nutritional Deficiencies In Poultry Flocks (PPT).pdf
 
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdfChampions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
 
Low Vision Case (Nisreen mokhanawala).pptx
Low Vision Case (Nisreen mokhanawala).pptxLow Vision Case (Nisreen mokhanawala).pptx
Low Vision Case (Nisreen mokhanawala).pptx
 
Importance of Assessing Level of Consciousness in Medical Care | The Lifescie...
Importance of Assessing Level of Consciousness in Medical Care | The Lifescie...Importance of Assessing Level of Consciousness in Medical Care | The Lifescie...
Importance of Assessing Level of Consciousness in Medical Care | The Lifescie...
 
Field exchange, Issue 72 April 2024 FEX-72.pdf
Field exchange, Issue 72 April 2024 FEX-72.pdfField exchange, Issue 72 April 2024 FEX-72.pdf
Field exchange, Issue 72 April 2024 FEX-72.pdf
 
FAMILY in sociology for physiotherapists.pptx
FAMILY in sociology for physiotherapists.pptxFAMILY in sociology for physiotherapists.pptx
FAMILY in sociology for physiotherapists.pptx
 
MVP Health Care City of Schenectady Presentation
MVP Health Care City of Schenectady PresentationMVP Health Care City of Schenectady Presentation
MVP Health Care City of Schenectady Presentation
 
TEENAGE PREGNANCY PREVENTION AND AWARENESS
TEENAGE PREGNANCY PREVENTION AND AWARENESSTEENAGE PREGNANCY PREVENTION AND AWARENESS
TEENAGE PREGNANCY PREVENTION AND AWARENESS
 
EMS Response to Terrorism involving Weapons of Mass Destruction
EMS Response to Terrorism involving Weapons of Mass DestructionEMS Response to Terrorism involving Weapons of Mass Destruction
EMS Response to Terrorism involving Weapons of Mass Destruction
 
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTSSARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
 

HIPAA Security 2019

8. Violations and Outcomes
• Who: Insurance company, Triple-S (Puerto Rico)
• What/Why: Widespread non-compliance
  • Failure to implement Administrative, Privacy, and Technical safeguards
  • Lack of appropriate Business Associate Agreements
  • Failure to conduct accurate/thorough Risk Analysis
• Settlement: $3.5 Million
• Corrective Action Plan:
  • Conduct Risk Analysis and Implement Risk Management Plan
  • Implement Process for Evaluating Environmental and Operational Changes
  • Distribution and Updating of Policies and Procedures
  • Training

9. Violations and Outcomes
• Who: Raleigh Orthopedic (North Carolina)
• What: Breach report, 17,300 patient records
• Why: Handed over x-rays and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $750,000
• Corrective Action Plan:
  • Business Associate Agreements
  • Revise Policies and Procedures Related to Business Associate Relationships
  • Training

10. Violations and Outcomes
• Who: Anthem Inc
• What: Breach report, 79 million patient records
• Why: A series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.
• Settlement: $16,000,000
• Corrective Action Plan:
  • Security Management Process
  • Development and Distribution of Policies and Procedures

11. Violations and Outcomes
• Who: Advanced Care Hospitalists PL (ACH)
• What: Breach report, 400 patient records
• Why: Handed over billing data and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $500,000
• Corrective Action Plan:
  • Business Associate Agreement
  • Risk Analysis and Risk Management
  • Adoption, Distribution, and Updating of Policies and Procedures
  • Training
12. What is HIPAA
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
• Reduces health care fraud and abuse;
• Mandates industry-wide standards for health care information on electronic billing and other processes; and
• Requires the protection and confidential handling of protected health information.
HIPAA is organized into five separate "Titles."
13. HIPAA
• Title 1
• Title 2
  • Preventing Health Care Fraud
  • Medical Liability Reform
  • Administrative Simplification
    • Electronic Data Interchange
    • Privacy
    • Security
      • Security Standards: General Rule
      • Administrative Safeguards: 9 Standards, 21 Specifications
      • Technical Safeguards: 5 Standards, 7 Specifications
      • Physical Safeguards: 4 Standards, 8 Specifications
      • Organizational Requirements
      • Policies and Procedures
• Title 3
• Title 4
• Title 5
14. Privacy vs Security
Privacy                                  | Security
-----------------------------------------|------------------------------------------------------
Applies to Protected Health Information  | Applies to Electronic Protected Health Information
Requires HIPAA Privacy Officer           | Requires HIPAA Security Officer
Guidelines are broad                     | Guidelines are specific
Requires Annual Training                 | Requires Annual Training plus Security Reminders
Requires Policies and Procedures         | Requires Policies and Procedures
15. Security Categories
• Administrative safeguards: Administrative functions including, but not limited to, assignment or delegation of security responsibility to an individual and security training requirements.
• Physical safeguards: Facility, entry points and access. Includes restricting access to EPHI and retaining off-site computer backups.
• Technical safeguards: Refers to the technology used, as well as automated processes used to protect data and control access to data.
16. Required and Addressable
Required - If a particular specification is "required", then the covered entity must take action to implement the specification.
Addressable - Implement the specification if reasonable and appropriate. If implementing the specification is not reasonable and appropriate:
• Document the rationale supporting the decision and,
• Implement an equivalent measure that is reasonable and appropriate and that would accomplish the same purpose, or
• Not implement the addressable implementation specification or an equivalent alternative measure, if the standard could still be met and implementing the specification or an alternative would not be reasonable or appropriate.
Under no conditions should any covered entity consider addressable specifications to be optional requirements.
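The required/addressable decision rules above are the kind of thing a security officer ends up checking by hand across dozens of implementation specifications. The following Python validator is an added example, not part of the presentation, that encodes those rules over a compliance register: a required specification is acceptable only when implemented; an addressable one is acceptable when implemented, when replaced by a documented equivalent measure, or when skipped with a documented rationale and a record that the standard is still met. The register entries, their dispositions and the rationale text are constructed sample data; the specification citations are the Security Rule section numbers for Risk Analysis, Termination Procedures and Encryption and Decryption (assumed here, not taken from the slides).

```python
"""Validator for a HIPAA Security Rule implementation-specification register.

Added example, not from the presentation. It encodes the "required" versus
"addressable" handling rules as compliance findings so that gaps in the
documentation surface automatically instead of during an OCR investigation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUIRED = "required"
ADDRESSABLE = "addressable"

# Dispositions a covered entity may record for a specification.
IMPLEMENTED = "implemented"          # implemented as written
ALTERNATIVE = "alternative"          # equivalent measure implemented instead
NOT_IMPLEMENTED = "not_implemented"  # neither the spec nor an alternative


@dataclass
class SpecRecord:
    spec_id: str                     # Security Rule citation (assumed format)
    name: str
    kind: str                        # REQUIRED or ADDRESSABLE
    disposition: str
    rationale: str = ""              # why it was not implemented as written
    alternative_measure: str = ""    # what was put in place instead
    standard_still_met: Optional[bool] = None  # documented for NOT_IMPLEMENTED


def evaluate(rec: SpecRecord) -> List[str]:
    """Return compliance findings for one record; an empty list means acceptable."""
    findings: List[str] = []
    if rec.kind == REQUIRED:
        # Required specifications leave no room for an alternative or a rationale.
        if rec.disposition != IMPLEMENTED:
            findings.append(f"{rec.spec_id}: required specification is not implemented")
        return findings
    if rec.kind != ADDRESSABLE:
        return [f"{rec.spec_id}: unknown specification kind {rec.kind!r}"]
    if rec.disposition == IMPLEMENTED:
        return findings
    # Any deviation from an addressable spec must carry a written rationale.
    if not rec.rationale.strip():
        findings.append(f"{rec.spec_id}: deviation lacks documented rationale")
    if rec.disposition == ALTERNATIVE:
        if not rec.alternative_measure.strip():
            findings.append(f"{rec.spec_id}: equivalent alternative measure not described")
    elif rec.disposition == NOT_IMPLEMENTED:
        # Skipping entirely is allowed only if the standard itself is still met.
        if rec.standard_still_met is not True:
            findings.append(f"{rec.spec_id}: no documentation that the standard is still met")
    else:
        findings.append(f"{rec.spec_id}: unknown disposition {rec.disposition!r}")
    return findings


def audit_register(register: List[SpecRecord]) -> Dict[str, List[str]]:
    """Map spec_id -> findings for every record that has at least one finding."""
    result: Dict[str, List[str]] = {}
    for rec in register:
        findings = evaluate(rec)
        if findings:
            result[rec.spec_id] = findings
    return result


def sample_register() -> List[SpecRecord]:
    """Constructed sample data: two acceptable records and two with gaps."""
    return [
        SpecRecord("164.308(a)(1)(ii)(A)", "Risk Analysis", REQUIRED, IMPLEMENTED),
        SpecRecord("164.312(a)(2)(iv)", "Encryption and Decryption", ADDRESSABLE,
                   ALTERNATIVE,
                   rationale="Legacy imaging server cannot encrypt at rest (sample text)",
                   alternative_measure="Server isolated on a dedicated VLAN with full-disk "
                                       "encryption on all client workstations (sample text)"),
        # Gap: addressable spec skipped with no rationale and no standard-met record.
        SpecRecord("164.308(a)(3)(ii)(C)", "Termination Procedures", ADDRESSABLE,
                   NOT_IMPLEMENTED),
        # Gap: a required specification recorded as not implemented.
        SpecRecord("SAMPLE-REQ-1", "Sample required specification", REQUIRED,
                   NOT_IMPLEMENTED, rationale="Rationale is irrelevant for required specs"),
    ]


if __name__ == "__main__":
    for spec_id, findings in audit_register(sample_register()).items():
        for f in findings:
            print(f)
```

Running the block on the sample register reports two findings for Termination Procedures (missing rationale, no record that the standard is still met) and one for the required sample specification; Risk Analysis and the encryption record with its documented alternative produce none. In practice the register would be loaded from the risk-analysis documentation rather than constructed inline, and the audit would run whenever a policy or environment change is recorded.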
17. Business Associate
• A Business Associate is a person or entity that creates, receives, maintains, or transmits protected health information on behalf of a Covered Entity.
• A Covered Entity may be a Business Associate of another Covered Entity.

18. Omnibus Rule Business Associate Definition
• A health information organization, e-prescribing gateway, or other entity that provides data transmission services to a covered entity and requires access on a routine basis to protected health information (PHI).
  • An entity that is a mere conduit that does not require access to PHI is not included.
• A subcontractor. If a business associate subcontracts part of its function requiring access or use of PHI to another organization, that subcontractor is also subject to HIPAA.
  • There must be a HIPAA compliant business associate agreement between the business associate and its subcontractor.
• A person who creates, receives, maintains or transmits PHI on behalf of a covered entity.
  • Physical storage facilities or companies that store electronic PHI are business associates.

19. Key About Business Associates
1. Covered Entities must have a valid Business Associate Agreement
2. Covered Entities must obtain assurances that Business Associates are in compliance with HIPAA
3. Covered Entities must terminate the relationship with Business Associates that refuse to be compliant with HIPAA Security
20. Examples of Business Associates
• Data processing companies
• Medical Transcription specialists
• Data Transmission companies
• Medical Equipment suppliers
• Document Shredding companies
• Data Storage Firms
• Audit Consultants
• Accountants
• External Auditors
• Electronic Health Data Exchange

21. Business Associates and risk*
• 59% of Business Associates reported a data breach
• 29% of Business Associates experienced two breaches or more
• 80% of BAs reported malware attacks and nearly half were hit by advanced persistent threats
*Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute

22. Cybersecurity Ventures 2019 Report
• Cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015.
• Cyber attacks are the fastest growing crime in the U.S.
• Cloud computing will wipe out data centers altogether over the next 3-4 years.
• Microsoft helps frame digital growth with its estimate that data volumes online will be 50 times greater in 2020 than they were in 2016.
• Cisco confirmed that cloud data center traffic will represent 95 percent of total data center traffic by 2021.
23. Cybersecurity Reports
• Global spending on cybersecurity will exceed $1 trillion cumulatively for the 5 year period from 2017-2021, according to Cybersecurity Ventures
• Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 14 seconds by 2019, and every 11 seconds by 2021
• Cybercrime will more than triple the number of job openings to 3.5 million
• Healthcare providers have been the bullseye for hackers over the past three years and are expected to continue to be so
• Medical information is worth more than 10 times your credit card number on the black market

26. Internet of Things (IoT)
System of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
• Amiko.IO focuses on providing products for respiratory disease management, complete with an AI-powered platform.
• InfoBionic's MoMe Kardia provides remote monitoring of cardiac arrhythmia.
• PillCam™, by Medtronic, is a line of swallowable capsules that allow visualization of the esophagus, stomach, small bowel, and colon.
27. Services to Consider
• Update Security Patches
• Automatic monitoring systems
• Antimalware systems
  • Antivirus
  • Ransomware Protection
• Backups and Contingency Plans

28. Plan of Action
• Assign a Security Officer
• Have a third party perform a Security Risk Assessment
• Introduce automated audits and measures
• Develop and implement Policies
• Conduct Education/training
  • Annual Training and Security Reminders
• Review Business Associate Agreements and Compliance
29. Reminder
Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities' organizations and technologies change.

30. Dr. Jose I. Delgado
Taino Consultants Inc., CEO
DrDelgado@tainoconsultants.com
tainoconsultants.com