The current healthcare system in the United States is heavily influenced by HIPAA Security. This translates into a need to understand technology and cybersecurity beyond the use of anti-malware applications. This presentation covers some of the basics that Covered Entities and Business Associates must be aware of as they relate to HIPAA Security.
2. Introduction
This presentation covers:
• HIPAA’s Importance – beyond the regulation
• What is HIPAA
• HIPAA Security Key Components
• Cybersecurity
• Lessons Learned
• Recommendations
3. Disclaimer
This information is not intended to be legal advice and does not intend to create an attorney-client relationship. The information hereby presented is for educational purposes only.
5. Perspective on the Law
Practicing without a license
• Jail or prison.
  • Misdemeanor: maximum jail sentence of up to one year.
  • Felony offenses can face eight years or more in a state prison.
• Fines.
  • Misdemeanor fines normally do not exceed $1,000.
  • Felony fines exceed $10,000.
6. Perspective on the Law
HIPAA Security Violation
• Civil Violations
  • $100 to $50,000 per violation (or record)
  • Maximum penalty of $1.5 million per year per violation type
• Criminal Violations
  • "Knowingly" obtaining or releasing information: fine of up to $50,000, as well as imprisonment of up to 1 year.
  • Offenses committed under false pretenses: $100,000 fine, with up to 5 years in prison.
  • Offenses committed with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: fines of $250,000 and imprisonment of up to 10 years.
7. State Attorneys
American Recovery and Reinvestment Act of 2009
• The Health Information Technology for Economic and Clinical Health (HITECH) Act gave State Attorneys General the authority to bring civil actions on behalf of state residents for HIPAA violations.
The HITECH Act permits State Attorneys General to:
• Obtain damages on behalf of state residents
• Enjoin further violations of the HIPAA Privacy and Security Rules.
OCR developed HIPAA Enforcement Training for State Attorneys General designed to:
• Teach how to use their new authority to enforce HIPAA
• Aid in investigating and seeking damages for HIPAA violations
8. Violations and Outcomes
• Who: Insurance company, Triple-S (Puerto Rico)
• What/Why: Widespread non-compliance
  • Failure to implement Administrative, Privacy, and Technical safeguards
  • Lack of appropriate Business Associate Agreements
  • Failure to conduct an accurate/thorough Risk Analysis
• Settlement: $3.5 Million
• Corrective Action Plan:
  • Conduct Risk Analysis and implement Risk Management Plan
  • Implement process for evaluating environmental and operational changes
  • Distribution and updating of Policies and Procedures
  • Training
9. Violations and Outcomes
• Who: Raleigh Orthopedic (North Carolina)
• What: Breach report, 17,300 patient records
• Why: Handed over x-rays and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $750,000
• Corrective Action Plan:
  • Business Associate Agreements
  • Revise Policies and Procedures related to Business Associate relationships
  • Training
10. Violations and Outcomes
• Who: Anthem Inc
• What: Breach report, 79 million patient records
• Why: A series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.
• Settlement: $16,000,000
• Corrective Action Plan:
  • Security Management Process
  • Development and distribution of Policies and Procedures
11. Violations and Outcomes
• Who: Advanced Care Hospitalists PL (ACH)
• What: Breach report, 400 patient records
• Why: Handed over billing data and associated PHI to a potential business partner without first executing a business associate agreement.
• Settlement: $500,000
• Corrective Action Plan:
  • Business Associate Agreement
  • Risk Analysis and Risk Management
  • Adoption, distribution, and updating of Policies and Procedures
  • Training
12. What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  • Reduces health care fraud and abuse;
  • Mandates industry-wide standards for health care information on electronic billing and other processes; and
  • Requires the protection and confidential handling of protected health information.
HIPAA is organized into five separate "Titles."
13. HIPAA
• Title 1
• Title 2
  • Preventing Health Care Fraud
  • Medical Liability Reform
  • Administrative Simplification
    • Electronic Data Interchange
    • Privacy
    • Security
      • Security Standards: General Rule
      • Administrative Safeguards: 9 Standards, 21 Specifications
      • Technical Safeguards: 5 Standards, 7 Specifications
      • Physical Safeguards: 4 Standards, 8 Specifications
      • Organizational Requirements
      • Policies and Procedures
• Title 3
• Title 4
• Title 5
14. Privacy vs Security
Privacy                                 | Security
Applies to Protected Health Information | Applies to Electronic Protected Health Information
Requires a HIPAA Privacy Officer        | Requires a HIPAA Security Officer
Guidelines are broad                    | Guidelines are specific
Requires Annual Training                | Requires Annual Training plus Security Reminders
Requires Policies and Procedures        | Requires Policies and Procedures
15. Security Categories
Administrative safeguards: Administrative functions including, but not limited to, assignment or delegation of security responsibility to an individual and security training requirements.
Physical safeguards: Facility, entry points and access. Includes restricting physical access to EPHI and retaining off-site computer backups.
Technical safeguards: Refers to the technology used, as well as the automated processes used, to protect data and control access to data.
16. Required and Addressable
Required - If a particular specification is "required", then the covered entity must take action to implement the specification.
Addressable - Implement the specification if reasonable and appropriate.
• If implementing the specification is not reasonable and appropriate:
  • Document the rationale supporting the decision and,
  • Implement an equivalent measure that is reasonable and appropriate and that would accomplish the same purpose, or
  • Not implement the addressable implementation specification or an equivalent alternative measure, if the standard could still be met and implementing the specification or an alternative would not be reasonable or appropriate.
Under no conditions should any covered entity consider addressable specifications as optional requirements.
17. Business Associate
• A Business Associate is a person or entity that creates, receives, maintains, or transmits protected health information on behalf of a Covered Entity.
• A Covered Entity may be a Business Associate of another Covered Entity.
18. Omnibus Rule: Business Associate Definition
• A health information organization, e-prescribing gateway, or other entity that provides data transmission services to a covered entity and requires access on a routine basis to protected health information (PHI).
  • An entity that is a mere conduit that does not require access to PHI is not included.
• A subcontractor. If a business associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is also subject to HIPAA.
  • There must be a HIPAA-compliant business associate agreement between the business associate and its subcontractor.
• A person who creates, receives, maintains or transmits PHI on behalf of a covered entity.
  • Physical storage facilities or companies that store electronic PHI are business associates.
19. Key Points About Business Associates
01 Covered Entities must have a valid Business Associate Agreement.
02 Covered Entities must obtain assurances that Business Associates are in compliance with HIPAA.
03 Covered Entities must terminate the relationship with Business Associates that refuse to be compliant with HIPAA Security.
20. Examples of Business Associates
• Data processing companies
• Medical Transcription specialists
• Data Transmission companies
• Medical Equipment suppliers
• Document Shredding companies
• Data Storage Firms
• Audit Consultants
• Accountants
• External Auditors
• Electronic Health Data Exchange
21. Business Associates and risk*
59% of Business Associates reported a data breach
29% of Business Associates experienced two breaches or more
80% of BAs reported malware attacks and nearly half were hit by advanced persistent threats
*Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute
22. Cybersecurity Ventures 2019 Report
• Cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015.
• Cyber attacks are the fastest growing crime in the U.S.
• Cloud computing will wipe out data centers altogether over the next 3-4 years.
• Microsoft helps frame digital growth with its estimate that data volumes online will be 50 times greater in 2020 than they were in 2016.
• Cisco confirmed that cloud data center traffic will represent 95 percent of total data center traffic by 2021.
23. Cybersecurity Reports
Global spending on cybersecurity will exceed $1 trillion cumulatively for the 5-year period from 2017-2021, according to Cybersecurity Ventures.
Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 14 seconds by 2019, and every 11 seconds by 2021.
Cybercrime will more than triple the number of job openings to 3.5 million.
Healthcare providers have been the bullseye for hackers over the past three years and are expected to continue to be so.
Medical information is worth more than 10 times your credit card number on the black market.
26. Internet of Things (IoT)
System of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
• Amiko.IO focuses on providing products for respiratory disease management, complete with an AI-powered platform.
• InfoBionic's MoMe Kardia provides remote monitoring of cardiac arrhythmia.
• PillCam™, by Medtronic, is a line of swallowable capsules that allow visualization of the esophagus, stomach, small bowel, and colon.
27. Services to Consider
• Update security patches
• Automatic monitoring systems
• Antimalware systems
  • Antivirus
  • Ransomware protection
• Backups and contingency plans
28. Plan of Action
Assign a Security Officer
Have a third party perform a Security Risk Assessment
Introduce automated audits and measures
Develop and implement Policies
Conduct annual education/training and issue security reminders
Review Business Associate Agreements and Compliance
29. Reminder
Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities' organizations and technologies change.
30. Dr. Jose I. Delgado
Taino Consultants Inc., CEO
DrDelgado@tainoconsultants.com
tainoconsultants.com