ASSISTED LIVING ASSOCIATION OF ALABAMA 2019 FALL CONFERENCE
Samarria M. Dunson, J.D., CHC, CHPC
Topics of Discussion
• HIPAA/HITECH
• Alabama Data Breach Notification Act
• State Confidentiality Statutes
• High Priority Threats to the Health Care Industry
• Insider Threats
• Email, Texting & Personal Cell Phone Usage
• Social Media
HIPAA/HITECH
• Privacy
• Security
• Breach Notification
Record Year for HIPAA Enforcement
Date | Covered Entity | Amount | Violation
January | Filefax, Inc. | $100,000 | Impermissible disclosures of paper records and insufficient physical safeguards
January | Fresenius Medical Care | $3,500,000 | Lack of adequate risk analysis, failure to utilize encryption, impermissible disclosures, inadequate policies
June | MD Anderson | $4,348,000 | Impermissible disclosures of electronic PHI and lack of encryption
August | Boston Medical Center | $100,000 | Filming patients without consent
September | Brigham and Women's Hospital | $384,000 | Filming patients without consent
September | Massachusetts General Hospital | $515,000 | Filming patients without consent
September | Advanced Care Hospitalists | $500,000 | Impermissible disclosures, failure to obtain Business Associate Agreements, failure to implement an adequate HIPAA compliance program
October | Allergy Associates of Hartford | $125,000 | Impermissible disclosure and failure to sanction employee for HIPAA violation
October | Anthem, Inc. | $16,000,000 | Lack of adequate risk analysis, failure to monitor electronic PHI activity, failure to adequately respond to the breach, insufficient safeguards to prevent inappropriate disclosures
November | Pagosa Springs | $111,400 | Failure to terminate employee access and failure to obtain Business Associate Agreements
December | Cottage Health | $3,000,000 | Lack of adequate risk analysis, failure to implement an adequate compliance program, failure to obtain Business Associate Agreements
Protected Health Information (PHI)
Individually identifiable health information about an individual's past, present, or future medical or mental condition, transmitted or maintained in any form by a covered entity.
Examples of Protected Health Information
• Name
• Medical Record Number
• Address
• Account Number
• Date of Birth
• Full Face Photo
• Date of Service
• Fingerprints
• Diagnosis
• License Number
• Social Security Number
• Vehicle Identifier Number
• Telephone Number
• Web URL
• Fax Number
• IP Address
• E-mail Address
• Other Identifiers
Exception: Employment and Education Records
Who is Required to Follow HIPAA Regulations?
• Health Care Providers*
• Health Care Clearinghouses
• Health Plans
• Business Associates
*If they transmit any information in electronic form in connection with a transaction for which HHS has adopted standards
Examples
Covered Entities:
• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies
• Home Health Agencies
Business Associates:
• CPA/Law Firms That Access PHI to Provide Services
• Medical Transcriptionists
• Record Storage Companies
• Record Disposal Companies
• Answering Services
• Service Providers of Medical Equipment Holding PHI
Business Associate Agreements
Data Breach Cost Per Record (chart)
• Health: $408.00
• Financial: $206.00
• Technology: $170.00
• Education: $166.00
Alabama Breach Notification Act
• History
• PHI v. PII
• Business Associate v. 3rd Party Agent
• Notification
• Alabama Deceptive Trade Practices Act
Alabama Confidentiality Statutes
• Mental Health
• Notifiable Diseases
• Standard of Care*
Biggest Threats in the Health Care Industry
• E-mail phishing attacks
• Malware, ransomware and viruses
• Attacks against connected medical devices that may affect patient safety
• Weak or ineffective usernames and passwords to systems containing PHI/PII
• Loss or theft of equipment with PHI/PII
• Insider Threats
INSIDER THREATS
INSIDER THREATS: Warning Signs
• Works Odd Hours
• Remotely Accesses Entity Systems at Odd Times
• Interest in Matters Outside the Scope of Their Employment
• Unexplained Affluence
• Overwhelmed by Life or Career Circumstances
• Unnecessarily Takes Proprietary Information Home
Inappropriate Disclosures
Risk Assessment
Risk Assessment
• Protects the Confidentiality, Integrity and Availability of health data (CIA)
• Ensures compliance with Administrative, Physical and Technical Safeguards
• Identifies areas of weakness within an organization and requires appropriate remedies (patches, firewalls, etc.)
Termination Procedures
Termination Procedures
• Terminate access to PHI, ePHI and PII
• Collect keys to doors and filing cabinets
• Change passwords and passcodes
• Ensure that the workforce is aware of the departure
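Two of the slides above describe conditions an organization can actually check in its own access records: remote access to entity systems at odd hours (the insider-threat warning signs) and access that continues after an employee's departure (the termination procedures, and the Pagosa Springs "failure to terminate employee access" settlement). The following script is an added example written for this page, not material from the presentation. It assumes a hypothetical comma-separated access log (timestamp, user, access type, resource), a constructed HR roster of last working days, and a 07:00 to 19:00 business-hours window; all sample data is constructed, and the assumed format and hours would be replaced with the organization's own.

```python
"""Added example: two audit checks over a constructed access log.

1. off_hours_remote()        - remote sessions outside business hours
2. access_after_termination() - sessions by users past their last day
Neither check is part of the presentation; the log format and the
business-hours window are assumptions for illustration.
"""
from datetime import date, datetime, time

# Constructed sample log (hypothetical format: timestamp,user,access_type,resource)
SAMPLE_LOG = """\
2019-10-01T08:15:00,jsmith,onsite,ehr
2019-10-01T23:40:00,jsmith,remote,ehr
2019-10-02T02:05:00,mlee,remote,billing
2019-10-02T10:30:00,mlee,onsite,ehr
2019-10-03T09:00:00,rdoe,remote,ehr
2019-10-03T11:10:00,rdoe,onsite,ehr
"""

# Constructed HR roster: user -> last day of employment (access should end that day)
TERMINATED = {"rdoe": date(2019, 10, 2)}

# Assumed business-hours window; tune to the facility's actual schedule
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_log(text):
    """Turn the assumed CSV log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, access_type, resource = line.split(",")
        events.append({
            "when": datetime.fromisoformat(ts),
            "user": user,
            "access_type": access_type,
            "resource": resource,
        })
    return events


def off_hours_remote(events, start=BUSINESS_START, end=BUSINESS_END):
    """Remote sessions whose start time falls outside [start, end)."""
    return [
        e for e in events
        if e["access_type"] == "remote" and not (start <= e["when"].time() < end)
    ]


def access_after_termination(events, terminated):
    """Sessions by a user on any date after that user's recorded last day."""
    flagged = []
    for e in events:
        last_day = terminated.get(e["user"])
        if last_day is not None and e["when"].date() > last_day:
            flagged.append(e)
    return flagged


def review(text, terminated):
    """Run both checks and summarize which users need follow-up."""
    events = parse_log(text)
    odd_hours = off_hours_remote(events)
    post_term = access_after_termination(events, terminated)
    return {
        "off_hours_remote_users": sorted({e["user"] for e in odd_hours}),
        "off_hours_remote_count": len(odd_hours),
        "post_termination_users": sorted({e["user"] for e in post_term}),
        "post_termination_count": len(post_term),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, TERMINATED).items():
        print(f"{key}: {value}")
```

On the constructed log, jsmith and mlee each have one remote session outside the window and rdoe has two sessions the day after the recorded last day; the first list is a prompt for a supervisor conversation (an odd-hours login is a warning sign, not proof of anything), while the second is a direct finding that the termination checklist was not completed. Pairing an HR roster with access logs in this way is the simplest evidence an organization can keep that the "terminate access" step actually happened.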
SOCIAL MEDIA
Breaches of PHI and ePHI
A breach is defined as an impermissible use or disclosure that compromises the security or privacy of PHI or ePHI.
• Exception
• Mitigation
• Encryption Safe Harbor
Breach Notification
• Timeline
• Content of notification
• What if there is a criminal investigation?
Civil Monetary Penalties for HIPAA Violations
Violation | Amount Per Violation | Violations of Identical Provision in a Calendar Year
Did Not Know | $114 - $57,051 | $28,525
Reasonable Cause | $1,141 - $57,051 | $114,102
Willful Neglect - Corrected | $11,182 - $57,051 | $285,255
Willful Neglect - Not Corrected | $57,051 | $1,711,533
Civil Monetary Penalties for Alabama Breach Notification Act Violations
• Enforced by the Attorney General
• Not to exceed $500,000 per breach
• For notification violations, civil monetary penalties not to exceed $5,000 per day
Criminal Penalties
The American Recovery and Reinvestment Act of 2009 (ARRA) expanded HIPAA by providing that criminal penalties can be applied to employees and others who wrongfully disclose individually identifiable health information.
Workstations
• Automatic log out
• Turn papers over when visitors are present
• Computer monitor positioning/office windows
• Two (2) barrier protection for PHI
VOLUNTEERS & VISITORS
CONTACT INFORMATION:
Samarria M. Dunson, J.D., CHC, CHPC
Balch & Bingham, LLP
105 Tallapoosa St., Suite 200
Montgomery, Alabama 36104
(334) 834-6500
samarria@dunsongroup.com