
PHI & HIPAA
Are You Ready For A
HIPAA Audit?
Legal Information Is Not Legal Advice
This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is
not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to
make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our
information, and your interpretation of it, is appropriate to your particular situation.
Who Has Business Associate Agreements In Place?
OCR/HHS Deadline Was September 23, 2013
Do You Have PHI?
(Protected Health Information)
What Is PHI?
• HIPAA regulations define health information as "any information, whether oral or recorded in any form or medium" that
  • “is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
  • “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."
Electronic Protected Health Information
ePHI
• Physicians who conduct any of the below named transactions electronically are required to comply with HIPAA:
  • ASC X12 837 Health Care Claim: Professional
  • ASC X12 835 Health Care Claim Payment/Remittance Advice
  • ASC X12 276 Health Care Claim Status Request
  • ASC X12 277 Health Care Claim Status Response
  • ASC X12 270 Health Care Eligibility Benefit Inquiry
  • ASC X12 271 Response
  • ASC X12 278 Health Care Services Review Information - Review
  • ASC X12 278 Health Care Services Review Information - Response
  • ASC X12 834 Benefit Enrollment and Maintenance
  • ASC X12 820 Payment Order and Remittance Advice
De-identified: Information that has certain identifiers (see “identifiers” below) removed in accordance with 45 CFR 164.514; it is no longer considered to be Protected Health Information.
Identifiers: Under the HIPAA Privacy Rule “identifiers” include the following:
1. Names
2. Geographic subdivisions smaller than a state (except the first three digits of a zip code if the geographic unit formed
by combining all zip codes with the same three initial digits contains more than 20,000 people and the initial three
digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000).
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date,
discharge date, and date of death and all ages over 89 and all elements of dates (including year) indicative of such age
(except that such ages and elements may be aggregated into a single category of age 90 or older)
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (excluding a random identifier code
for the subject that is not related to or derived from any existing identifier).
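As an added example (not part of the presentation), the de-identification rules listed above carried out in Python: direct identifiers are dropped, ZIP codes are cut to three digits (or 000 for small areas), dates keep only the year, ages over 89 collapse into one category, and a random re-linking code is kept under the item 18 exception. The field names and the set of small-area ZIP prefixes are assumed placeholders.

```python
import re
import secrets
from datetime import date

# Assumed placeholder: 3-digit ZIP prefixes whose combined area holds 20,000 or fewer
# people and so must be reported as "000". The real set comes from Census data.
SMALL_ZIP3_AREAS = {"036", "059", "063"}

# Identifier categories 1 and 4 to 18 from the list: removed outright (field names assumed).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
# Category 2: geographic units smaller than a state; ZIP is handled separately.
SUB_STATE_GEO = {"street", "city", "county"}


def safe_zip(zip_code):
    """Category 2: keep only the first three digits, or '000' for small areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_ZIP3_AREAS else zip3


def safe_age(birth_date, as_of):
    """Category 3: exact age is allowed up to 89; older ages collapse to one category."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    years = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90 or older" if years > 89 else years


def deidentify(record, as_of=None):
    """Return a new dict holding only the fields the Safe Harbor list permits.

    Dates are expected as datetime.date objects; other fields as strings.
    """
    as_of = as_of or date.today()
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO or value is None:
            continue
        if key == "zip":
            out["zip3"] = safe_zip(value)
        elif isinstance(value, date):
            # Only the year survives for any date directly related to the individual.
            out[key + "_year"] = value.year
        else:
            out[key] = value
    if isinstance(record.get("birth_date"), date):
        age = safe_age(record["birth_date"], as_of)
        out["age"] = age
        if age == "90 or older":
            # Even the birth year would reveal an age over 89, so it goes too.
            out.pop("birth_date_year", None)
    # Category 18 exception: a random code not derived from any identifier may stay
    # so the covered entity can re-link the record internally.
    out["study_code"] = secrets.token_hex(8)
    return out
```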
Why Do Thieves Want PHI?
Old School Theft Was For Credit ID Fraud
& Issuing Credit Cards
New School Theft Is Devious
Fraudulent Tax Returns
Ringleader of $11.7M identity theft and tax fraud sentenced to more than 26 years
Convicted woman begs for mercy, claims she paid taxes on the stolen money
She filed most of the fraudulent returns – an estimated 1,400 of them – from her home in Fort Lauderdale, from her friends' houses in Broward County and a hotel in Charlotte, N.C., prosecutors said. Many of the victims' identities were obtained from a nurse who worked at a local hospital, prosecutors said.
New School Theft Is Devious
Gang Members Want Your PHI
Gang members are getting their girlfriends to get jobs at healthcare organizations with the sole purpose of stealing electronic patient information.
“If you get a job as an administrator or data person, you have access to all of this information. And with medical it’s a double hit—it’s not only about the money, but also the health insurance. That is a valuable commodity in the marketplace—it’s big dollars.”
The girlfriends show up to work, steal a sizable amount of data and then never return. The larger the medical practice, the longer it will take for the company to realize.
Detective Craig Catlin of the North Miami Beach Police Department Gang Unit goes so far as to call it an “epidemic” among the city’s street gangs. “Every gang member is doing this,” Catlin says. “It’s a business to them—they’re doing burglaries and then having other members commit the fraud.”
Street Crimes Is For Chumps
“Why sling dope on the corner of an apartment building, when you can rent a room at a hotel nearby and have a tax return party? You can make up to $40,000 or $50,000 in one night,”
N. Miami Police
New School Theft Is Devious
Thieves Steal The Insurance Policy
Identity theft has spawned a vicious new kind of crime: medical identity theft. Thieves steal your personal information to line their own pockets with fraudulent claims against your own health policy.
Obtain free treatment. Medical ID thieves who don’t have their own health coverage often receive free medical treatment, courtesy of your policy. They assume your identity at a hospital or clinic, and your policy receives the bills.
Buy addictive drugs. Medical personnel with access to your data may use your identity to obtain prescription drugs to sell, or feed their own addictions.
New School Theft Is Devious
Heisenberg Wants Your PHI
Pam Dixon, founder and executive director of the World Privacy Forum, said data analysis her organization is currently performing on records from the Justice Department, the Federal Trade Commission and HHS’ Office for Civil Rights has revealed “a really weird pattern” of correlation between medical record breaches, medical identity theft and methamphetamine trafficking.
“They’ll go in and by whatever means they can, they will acquire healthcare files and start getting prescriptions for methamphetamine precursors. They’ll steal people’s identities, a lot of them, and they’ll write prescriptions for that. They would parse out these prescriptions over a long, long period of time and over a lot of people.”
PHI Theft Has Arrived In Louisiana
The dentist noticed money was missing, but it wasn't until one of her patients got a call from the FBI that she realized what was happening and contacted the FBI and state police.
"They came over and we found out that a patient list had been printed up from all the patients in my office. And there was also a handwritten list in her handwriting with her daughter's name and email at the bottom," said Wyatt. "It had specific patients that had been targeted and every one of those patients had been a victim of identity theft."
Wyatt said patients' identities were used to set up credit card accounts and get fake IDs.
The FBI Is Investigating
PHI Theft Locally
A local Special Agent visited our office to discuss the audit tracking abilities of a particular billing software we sold.
The Unprotected PHI Is Out There
Where Is Your PHI?
Appointing A Security Officer
and Performing A Risk Analysis
Is The First Step In HIPAA Compliance.
Where Is PHI?
If You Have PHI
You Are Accountable To HIPAA
Once a physician or practice has identified where PHI is stored and moved electronically, they must determine whether any of those places lack appropriate safeguards for protecting ePHI (that is, whether they have “vulnerabilities”). In other words: where in your practice could ePHI be exposed to access not allowed under HIPAA, and what are you doing to ensure patients’ data is protected? The physician or practice should then turn their attention to addressing any identified vulnerabilities in order to reduce the risk of a breach.
Now The Headaches Begin
Compliance Is Costly & Time Consuming
If you have not performed an audit of PHI and addressed the items found in 45 CFR §164.308 to §165.530, you are guilty of “willful neglect” in the eyes of OCR and HHS and are susceptible to an audit and fines.
HIPAA Standards Matrix
The HIPAA Security Standards Matrix is a good synopsis of what standards must be implemented. They fall into three sections or “Safeguards”:
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards
NIST Provides Resource Guide
For Implementing HIPAA
NIST publishes a wide variety of publications on information security. These publications serve as a valuable resource for federal agencies, as well as public, nonfederal agencies and private organizations, seeking to address existing and new federal information security requirements.
NIST Standards Can Quickly
Become Very Technical
Computer & Network Security Standards Require Professional IT Services. Relying On One’s Nephew Or Cousin Will Not Meet HIPAA Expectations.
Part Of NIST Standard For Secure Passwords
Back To The Big Three
Components of the Security Standard
"Administrative safeguards" focus on workforce training and contingency
planning (45 CFR §164.308). The cornerstones, however, are risk analysis and risk
management—both "required." Critical and thorough risk analysis must take
place before any attempt at regulatory compliance is made.
"Physical safeguards" are concerned with access both to the physical structures
of a covered entity and its electronic equipment (45 CFR §164.310). ePHI and the
computer systems upon which it resides must be protected from unauthorized
access, in accordance with defined policies and procedures. Some of the
requirements under the physical safeguards heading can be accomplished
through the use of electronic security systems.
"Technical safeguards" may be the most difficult part of the security regulations
to comprehend and implement for those lacking technical savvy.
HIPAA Standards Which Can Get You Into Trouble Quickly:
164.308(a)(5) Protection From Malicious Software
When Does Malicious
Software Become A
HIPAA Breach?
RansomWare On A Computer With
ePHI Is A HIPAA Breach
What About Your Standard
Anti-virus Program Scan?
Dozens Of Problems Found
What Do They Mean?
8/13/2013 11:56:20 AM
Scan took 00:35:47.
118 items found.
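Added example, not part of the presentation: a small Python triage helper for a scan report in the layout of the one above (a header with the item count, then one `Product: [SBI $id] kind (object type, action)` line per finding followed by the object's location on the next line). It counts what the scanner reported but left untouched, so the owner of a machine holding ePHI can see whether anything still needs cleanup. The report text below is constructed for illustration; the product names and paths are not the page's own entries.

```python
import re
from collections import Counter

# Constructed sample report (illustrative names and paths, not from the page).
SAMPLE_REPORT = """\
8/13/2013 11:56:20 AM
Scan took 00:35:47.
4 items found.
Example.Toolbar: [SBI $00000001] Program directory (Directory, nothing done)
C:\\ProgramData\\ExampleToolbar\\
Example.Toolbar: [SBI $00000002] Settings (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleToolbar
Example.Toolbar: [SBI $00000002] Settings (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleToolbar
Tracking.Cookie: [SBI $00000003] Cookie (Cookie, fixed)
C:\\Users\\User\\AppData\\Roaming\\Cookies\\example.txt
"""

# One finding header: "Product: [SBI $sig] kind (object type, action)".
FINDING_RE = re.compile(
    r"^(?P<product>[^:]+): \[SBI \$(?P<sig>[0-9A-Fa-f]+)\] (?P<kind>.+?) "
    r"\((?P<obj>[^,]+), (?P<action>[^)]+)\)$"
)
ITEMS_RE = re.compile(r"^(\d+) items? found\.$")


def parse_report(text):
    """Return (items_reported, findings); each finding is a dict whose location
    is taken from the line that follows its header."""
    reported = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ITEMS_RE.match(line)
        if m:
            reported = int(m.group(1))
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append({**m.groupdict(), "location": None})
        elif findings and findings[-1]["location"] is None and line:
            findings[-1]["location"] = line
    return reported, findings


def triage(text):
    """Summarise what the scan left behind: distinct objects still present per
    product, and whether the machine needs follow-up at all."""
    reported, findings = parse_report(text)
    # The same object is often listed more than once; count distinct locations.
    unresolved = {
        (f["product"], f["obj"], f["location"])
        for f in findings
        if f["action"].lower() == "nothing done"
    }
    per_product = Counter(product for product, _, _ in unresolved)
    return {
        "items_reported": reported,
        "findings_parsed": len(findings),
        "unresolved": len(unresolved),
        "unresolved_by_product": dict(per_product),
        "needs_action": bool(unresolved),
    }
```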
If W32.QAKBOT Is Found On Your Computer:
You Have A HIPAA Breach
An aggressive worm known for stealing
sensitive information was found on the
computer network for the agencies handling
unemployment claims in Massachusetts.
W32.QAKBOT is a worm that spreads through network drives and
removable drives. After the initial infection, usually the result of
clicking on a malicious link on a Web page, it can download additional
files, steal information and open a back door on the compromised
machine. The worm also contains a rootkit that allows it to hide its
presence and it works slowly to avoid detection. “Its ultimate goal is
clearly theft of information,” said Shunichi Imano, a Symantec
researcher.
Qakbot is especially aggressive and normally targets online banking,
although it has the ability to mutate itself to switch targets and change
its methods. The cyber-criminals behind the infection could have
remotely instructed the virus to go after names, addresses and Social
Security numbers stored in the state systems instead of focusing on
banking sites.
“In a nutshell, if your computer is compromised, every bit of
information you type into your browser will be stolen,” according to
Patrick Fitzgerald, a senior security response manager at Symantec.
Where Are Employees Surfing On
YOUR Computers?
Do You Have An Employee Policy
For Acceptable Internet Use?
You Now Must Keep ALL Software
& Anti-Virus Up To Date
Data Backup & Disaster Recovery
Plans Are Now Mandatory
Is The Government Really Going To Check
To See If I Have A Disaster Recovery Plan?
Let Me Tell You The Tale Of
Marty Hahne
Marty Is A Magician From Ozark, Mo.
Marty produces Casey the rabbit in the finale of a show for children at the Little Angles Learning Academy in Battlefield, Mo.
A Badge-Wielding Agent Of The USDA Approached Marty After The Show
“Where Is Your Federal License For The Rabbit?” demanded the agent.
Marty had to pay $100.00 for a USDA license for Casey.
Now Marty & Casey Are In The System!
Now The USDA Wants A WRITTEN Disaster & Recovery Plan For Casey The Rabbit.
Marty Submitted A Proper Plan
The Moral Of “Casey’s” Tail?
No Entity Is Too Small To Escape
Government Enforcement.
&
It Really Is A Good Idea To Back Up & Have A Disaster/Business-Continuity Plan.
Physical Safeguards
HIPAA Requires Reviews From Employees'
Badges To Alarm Systems
Physical Safeguards
No More “Servers Under Desks”.
HIPAA Wants
Controlled Access
To Servers. Audit
Controls Must Be In
Place On Servers.
Physical Safeguards
Physical Computers Are GOLD To Identity Thieves
Rather than network hacking, we are seeing an increase in physical “smash & grab” of computers, laptops & servers.
Physical Safeguards
Workstation & Laptop Locks
Physical Security
A Quick Case Study
Olson & White Orthodontics, a St. Louis suburb-based orthodontist office, is notifying 10,000 patients that their protected health information and Social Security numbers have been compromised following the recent burglary of company computers and hardware.
According to the Health Information Trust Alliance, in 2011 the estimated average cost per record of a healthcare data breach was $240.00.
10,000 X $240.00 = $2,400,000.00
Estimated Cost Before Any Punitive Fines From HIPAA
Physical Safeguards
Disposal & Re-use
The Department of Health and Human Services (HHS) announced a settlement on August 14, 2013, with Affinity Health Plan (Affinity), which included a payment of $1,215,780, for a HIPAA security violation caused by Affinity’s failure to remove Electronic Protected Health Information (EPHI) from the hard drive of a leased photocopier that was returned to the leasing company.
The $1,215,780 Fine Does Not Include The Cost Of Notification To 344,579 Patients.
Equipment With Similar Internal Hard Drives:
Fax machines
Desktop Copy Machines
All In One Scanner Copiers
Desktops-Laptops-Servers-Tablets-Smart Phones
Physical Safeguards
We Now Require BA Agreement To Repair Computers
Containing ePHI
Physical Safeguards
We Provide Verification Of Data Destruction
To NIST Standards
Technical Safeguards
The IT Nightmare
Technical Safeguards
HIPAA Requires Professional Risk Analysis
Technical Safeguards
Idaho State University’s $400,000 Firewall
Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach, in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months due to the disabling of firewall protections at servers maintained by ISU.
OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU did not have procedures for routine review of its information system in place, which could have detected the firewall breach much sooner.
Technical Safeguards
Encryption
Advocate Health Care – who in August reported the second largest HIPAA data breach to date after four unencrypted laptops were stolen from its facility, compromising the protected health information and Social Security numbers of more than 4 million people – has now been slapped with a class action lawsuit filed by affected patients.
Technical Safeguards
Encryption
HIPAA fine for breach under 500 patients
OCR Director Leon Rodriguez states what seems to be more and more clear every day:
The HHS Office for Civil Rights (OCR) fined the Hospice of North Idaho $50,000 for a data breach. The breach resulted from an unencrypted laptop that was stolen from an employee’s car. The laptop contained electronic protected health information (ePHI) of 441 patients.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Technical Safeguards
Encryption
Tabby May Help Prevent
Laptop Theft, But HIPAA Will
Still Want Accountability.
Encryption Is Almost A “Get Out Of Jail Free” Card. Had The Four Stolen Laptops Been Encrypted To NIST Standards, HIPAA Would Not Have Required Breach Notification.
Technical Safeguards
Encryption Requires Discipline
1. Identifying What Is
Encrypted
2. Identifying Where Files
Are Encrypted
3. Maintaining “Keys”
4. Training Staff
5. Testing Data Recovery
Technical Safeguards
Secondary Liability “Right Of Private Action”
“Are you a victim of the Advocate Health Care HIPAA breach? If so, I know a guy who knows a guy, whose sister’s friend made big bucks suing for a HIPAA breach.”
Two plaintiffs, representing patients affected by the breach, assert that Advocate Health Care failed to take the necessary precautions required to safeguard patients' protected health information. The unencrypted laptops were stolen from an "unmonitored" room, one with "little or no security to prevent unauthorized access," the lawsuit read.
HIPAA Audits & Breaches
Can You Be Selected For An Audit?
Initial Period For Random Audits Has Ended. New Protocols Being
Developed.
HIPAA Audits & Breaches
Can You Be Selected For An Audit?
Complaints To The HHS Website Can Trigger An Audit
A disgruntled employee or patient can email OCR complaining that your office has not done a risk analysis or implemented any HIPAA protocols. OCR will take notice.
HIPAA Audits & Breaches
A Reported Data Breach Of ePHI Will Trigger An Audit.
64% Of Breaches Are Discovered Externally.
Forty Percent Of 2013 HIPAA Breaches Involved Business Associates.
HIPAA Audits & Breaches
What An Audit Looks Like
HIPAA Audits & Breaches
Don’t Show Up On The “Wall Of Shame”
Google “Search” Is The True “Wall Of Shame”
Know Your Business Associates
You’re In It With Them
HIPAA Now Requires Comprehensive
Business Associates Agreements
Billing Service
Collection Service
Lawyers
IT Vendor
Medical Record Disposal Co.
EHR Vendor
Answering Service
Transcriptionist
Labs
Imaging Centers
Private Payers
Medical Transport Co.
Cleaning Service
And The List Goes On
Basic Remedial Action
• Performing a new risk assessment
• Revising policies and procedures
• Improving physical security by installing new security systems or by relocating equipment or records to a more secure area
• Training or retraining workforce members who handle protected health information
• Adopting encryption technologies
• Establishing acceptable use rules for the Internet
• Imposing sanctions on workforce members who violated policies and procedures, primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access
• Changing passwords
• Revising business associate contracts to more explicitly require protection for confidential information
In both
• Contacting your liability/malpractice insurance company
REMEMBER
If It Is Not Documented, It Did Not Happen.
HIPAA Will Want It In Writing.
Synergy Solutions
3200 Ridgelake Dr. Suite 203
Metairie LA 70002
Telephone (504) 834-9550
Facsimile (504) 834-5755
Toll Free 866-834-8030
John Daigle: 504-834-9550 Ext 115
Frank J Davis
504-834-9550 ext 116
www.GoToSynergyMSP.com