PHI & HIPAA: Are You Ready For A HIPAA Audit? Legal Information Is Not Legal Advice
Legal Information Is Not Legal Advice
This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is appropriate to your particular situation.
Who Has Business Associate Agreements In Place?
OCR/HHS Deadline Was September 23, 2013
What Is PHI?
• HIPAA regulations define health information as "any information, whether oral or recorded in any form or medium" that
• "is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
• "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."
Electronic Protected Health Information (ePHI)
• Physicians who conduct any of the below named transactions electronically are required to comply with HIPAA:
• ASC X12 837 Health Care Claim: Professional
• ASC X12 835 Health Care Claim Payment/Remittance Advice
• ASC X12 276 Health Care Claim Status Request
• ASC X12 277 Health Care Claim Status Response
• ASC X12 270 Health Care Eligibility Benefit Inquiry
• ASC X12 271 Response
• ASC X12 278 Health Care Services Review Information - Review
• ASC X12 278 Health Care Services Review Information - Response
• ASC X12 837 Health Care Claim: Professional
• ASC X12 834 Benefit Enrollment and Maintenance
• ASC X12 820 Payment Order and Remittance Advice
De-identified: Information that has certain identifiers (see "identifiers" below) removed in accordance with 45 CFR 164.514; no longer considered to be Protected Health Information.

Identifiers: Under the HIPAA Privacy Rule "identifiers" include the following:
1. Names
2. Geographic subdivisions smaller than a state (except the first three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000).
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age (except that such ages and elements may be aggregated into a single category of age 90 or older).
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier).
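The identifier list above is a checklist; the part that trips people up in practice is items 2 and 3, where data is generalized rather than simply deleted. The following Python is an added example (not code from the presentation) that applies the Safe Harbor rules to a single record: direct identifiers are dropped, the ZIP code is reduced to its three-digit prefix (or 000 for the restricted prefixes), non-birth dates keep only the year, and an age over 89 is collapsed into "90+" together with the birth year that would reveal it. The field names, the sample record and the RESTRICTED_ZIP3 set are constructed placeholders; the real restricted set is whatever three-digit ZIP areas have 20,000 or fewer people in the current census data.

```python
"""Safe Harbor de-identification of one record, following the 18-identifier
list (45 CFR 164.514(b)(2)). Added example, not the presentation's own code.
Field names, the sample record and RESTRICTED_ZIP3 are constructed."""
import re
from datetime import date

# Constructed placeholder: the real set is every 3-digit ZIP prefix whose
# combined population is 20,000 or fewer, taken from current census data.
RESTRICTED_ZIP3 = {"036", "059", "893"}

# Items 1 and 4-18: direct identifiers removed outright (constructed field names).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo", "other_unique_id",
}


def safe_harbor_zip(zip_code: str) -> str:
    """Item 2: keep the first three digits only; restricted prefixes become 000."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def safe_harbor_age(birth_iso: str, as_of_iso: str) -> str:
    """Item 3: ages over 89 collapse into the single category '90+'."""
    birth, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    years = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if years > 89 else str(years)


def deidentify(record: dict, as_of_iso: str) -> dict:
    """Return a new record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            age = safe_harbor_age(value, as_of_iso)
            out["age"] = age
            if age != "90+":              # a birth year would reveal an age over 89
                out["birth_year"] = value[:4]
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = value[:4]   # admission/discharge/death: year only
        else:
            out[key] = value              # non-identifying clinical data stays
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "63101-1234",
    "birth_date": "1931-05-02",
    "admission_date": "2013-08-13",
    "diagnosis_code": "E11.9",
}


def deidentify_sample(as_of_iso: str = "2013-09-23") -> dict:
    """De-identify the constructed sample as of the given date."""
    return deidentify(SAMPLE_RECORD, as_of_iso)


if __name__ == "__main__":
    print(deidentify_sample())
```

Note that the rule in item 3 is about what a date reveals, not about the date field itself: a birth year alone is enough to place someone over 89, which is why the code drops it only in that case. Safe Harbor is also a minimum; any free-text field that survives this pass still has to be reviewed, because a narrative note can carry a name or a phone number as easily as a structured field.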
Why Do Thieves Want PHI? Old School Theft Was For Credit ID Fraud & Issuing Credit Cards
New School Theft Is Devious: Fraudulent Tax Returns
Ringleader of $11.7M identity theft and tax fraud sentenced to more than 26 years
Convicted woman begs for mercy, claims she paid taxes on the stolen money
She filed most of the fraudulent returns – an estimated 1,400 of them – from her home in Fort Lauderdale, from her friends' houses in Broward County and a hotel in Charlotte, N.C., prosecutors said. Many of the victims' identities were obtained from a nurse who worked at a local hospital, prosecutors said.
New School Theft Is Devious: Gang Members Want Your PHI
Gang members are getting their girlfriends to get jobs at healthcare organizations with the sole purpose of stealing electronic patient information. "If you get a job as an administrator or data person, you have access to all of this information. And with medical it's a double hit—it's not only about the money, but also the health insurance. That is a valuable commodity in the marketplace—it's big dollars."
Street Crimes Is For Chumps
The girlfriends show up to work, steal a sizable amount of data and then never return. The larger the medical practice, the longer it will take for the company to realize. Detective Craig Catlin of the North Miami Beach Police Department Gang Unit goes so far as to call it an "epidemic" among the city's street gangs. "Every gang member is doing this," Catlin says. "It's a business to them—they're doing burglaries and then having other members commit the fraud." "Why sling dope on the corner of an apartment building, when you can rent a room at a hotel nearby and have a tax return party? You can make up to $40,000 or $50,000 in one night," N. Miami Police
New School Theft Is Devious: Thieves Steal The Insurance Policy
Identity theft has spawned a vicious new kind of crime: medical identity theft. Thieves steal your personal information to line their own pockets with fraudulent claims against your own health policy.
Obtain free treatment. Medical ID thieves who don't have their own health coverage often receive free medical treatment, courtesy of your policy. They assume your identity at a hospital or clinic, and your policy receives the bills.
Buy addictive drugs. Medical personnel with access to your data may use your identity to obtain prescription drugs to sell, or feed their own addictions.
New School Theft Is Devious: Heisenberg Wants Your PHI
Pam Dixon, founder and executive director of the World Privacy Forum, said data analysis her organization is currently performing on records from the Justice Department, the Federal Trade Commission and HHS' Office for Civil Rights has revealed "a really weird pattern" of correlation between medical record breaches, medical identity theft and methamphetamine trafficking. "They'll go in and by whatever means they can, they will acquire healthcare files and start getting prescriptions for methamphetamine precursors. They'll steal people's identities, a lot of them, and they'll write prescriptions for that. They would parse out these prescriptions over a long, long period of time and over a lot of people."
PHI Theft Has Arrived In Louisiana
The dentist noticed money was missing, but it wasn't until one of her patients got a call from the FBI that she realized what was happening and contacted the FBI and state police. "They came over and we found out that a patient list had been printed up from all the patients in my office. And there was also a handwritten list in her handwriting with her daughter's name and email at the bottom," said Wyatt. "It had specific patients that had been targeted and every one of those patients had been a victim of identity theft." Wyatt said patients' identities were used to set up credit card accounts and get fake IDs.
The FBI Is Investigating PHI Theft Locally
A local Special Agent visited our office to discuss the audit tracking abilities of a particular billing software we sold.
The Unprotected PHI Is Out There
Where Is Your PHI? Appointing A Security Officer and Performing A Risk Analysis Is The First Step In HIPAA Compliance.
If You Have PHI You Are Accountable To HIPAA
Once a physician / practice has identified where PHI is stored and moved electronically, they must determine whether any of these places are at risk for not having appropriate safeguards for protecting ePHI (aka "vulnerabilities"). In other words: where are the places in your practice where ePHI could be vulnerable to access not allowed under HIPAA, and what are you doing to ensure patients' data is protected? The physician / practice should then turn their attention to addressing any identified vulnerabilities in order to reduce their risk of a breach.
Now The Headaches Begin: Compliance Is Costly & Time Consuming
If you have not performed an audit of PHI and addressed the items found in 45 CFR §164.308 to §165.530, you are guilty of "Willful Neglect" in the eyes of OCR & HHS and are susceptible to an audit and fines.
HIPAA Standards Matrix
The HIPAA Security Standards Matrix is a good synopsis of what standards must be implemented. They fall into three sections or "Safeguards":
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
NIST Provides Resource Guide For Implementing HIPAA
NIST publishes a wide variety of publications on information security. These publications serve as a valuable resource for federal agencies, as well as public, nonfederal agencies and private organizations, seeking to address existing and new federal information security requirements.
NIST Standards Can Quickly Become Very Technical
Computer & Network Security Standards Require Professional IT Services. Relying On One's Nephew or Cousin Will Not Meet HIPAA Expectations.
Part Of NIST Standard For Secure Passwords
Back To The Big Three: Components of the Security Standard
"Administrative safeguards" focus on workforce training and contingency planning (45 CFR §164.308). The cornerstones, however, are risk analysis and risk management—both "required." Critical and thorough risk analysis must take place before any attempt at regulatory compliance is made.
"Physical safeguards" are concerned with access both to the physical structures of a covered entity and its electronic equipment (45 CFR §164.310). ePHI and the computer systems upon which it resides must be protected from unauthorized access, in accordance with defined policies and procedures. Some of the requirements under the physical safeguards heading can be accomplished through the use of electronic security systems.
"Technical safeguards" may be the most difficult part of the security regulations to comprehend and implement for those lacking technical savvy.
HIPAA Standards Which Can Get You Into Trouble Quick: 164.308(a)(5) Protection From Malicious Software
When Does Malicious Software Become A HIPAA Breach?
Dozens Of Problems Found: What Do They Mean?
Montera.Toolbar: [SBI $C595B0E4] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Montera.Toolbar: [SBI $C595B0E4] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Montera.Toolbar: [SBI $2212EF94] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\escort.DLL
Montera.Toolbar: [SBI $2212EF94] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\escort.DLL
Montera.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
Montera.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1
Montera.Toolbar: [SBI $07586C96] Class ID (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
Montera.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1
Montera.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
Wajam: [SBI $70DA2562] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Wajam: [SBI $70DA2562] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Wajam: [SBI $F5551A2E] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\priam_bho.DLL
Wajam: [SBI $F5551A2E] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\priam_bho.DLL
Wajam: [SBI $8F399DD1] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
8/13/2013 11:56:20 AM Scan took 00:35:47. 118 items found.

Babylon.Toolbar: [SBI $DEB52F26] Program directory (Directory, nothing done) C:\ProgramData\Babylon\
Babylon.Toolbar: [SBI $C8B4B0BD] Program directory (Directory, nothing done) C:\Users\User\AppData\Roaming\BabSolution\
Delta.Toolbar: [SBI $85F92549] User settings (Registry Key, nothing done) HKEY_USERS\S-1-5-21-3449885064-820364532-706496229-1006\Software\BabSolution
Delta.Toolbar: [SBI $43010DDC] Class ID (Registry Key, nothing done) HKEY_CLASSES_ROOT\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
Delta.Toolbar: [SBI $1E0125E9] Settings (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Delta
Delta.Toolbar: [SBI $C36E11F4] Settings (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Delta.Toolbar: [SBI $14654384] Settings (Registry Key, nothing done)
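The scan output above answers its own question once it is read as structured data rather than a wall of text: every line carries a threat family, a detection id, what kind of object was found (registry key, directory), what the scanner did about it, and where it lives. The Python below is an added example, not part of the presentation or the scanner vendor's tooling. It parses lines in that layout (the format is inferred from the excerpt above, which is the only specification assumed), deduplicates the repeated entries, counts findings per family, and flags that every entry still reads "nothing done", i.e. the items were detected but not remediated, which is the state a risk analysis has to record. SAMPLE_SCAN is constructed from a handful of the entries shown on the slide.

```python
"""Parse and summarize Spybot-style scan lines like those on the slide.
Added example; the line format is inferred from the excerpt and SAMPLE_SCAN is
constructed from entries shown there. Not the scanner's own tooling."""
import re
from collections import Counter

# Family: [SBI $ID] Category (Kind, Action) Path
SCAN_LINE = re.compile(
    r"^(?P<family>[^:]+): \[SBI \$(?P<sbi>[0-9A-Fa-f]{8})\] "
    r"(?P<category>.+?) \((?P<kind>[^,]+), (?P<action>[^)]+)\) (?P<path>.+)$"
)
SUMMARY_LINE = re.compile(r"(\d+) items found")

# Constructed sample, copied from the entries on the slide (raw string, so the
# single backslashes in registry and file paths are kept as-is).
SAMPLE_SCAN = r"""
Montera.Toolbar: [SBI $C595B0E4] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Montera.Toolbar: [SBI $C595B0E4] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Montera.Toolbar: [SBI $07586C96] Class ID (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
Wajam: [SBI $F5551A2E] Settings (Registry Key, nothing done) HKEY_CLASSES_ROOT\AppID\priam_bho.DLL
Babylon.Toolbar: [SBI $DEB52F26] Program directory (Directory, nothing done) C:\ProgramData\Babylon\
Delta.Toolbar: [SBI $C36E11F4] Settings (Registry Key, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
8/13/2013 11:56:20 AM Scan took 00:35:47. 118 items found.
""".strip()


def parse_scan_line(line: str):
    """Return the fields of one finding, or None for summary/blank lines."""
    match = SCAN_LINE.match(line.strip())
    return match.groupdict() if match else None


def parse_scan(text: str) -> list:
    """All parseable findings, in scan order (duplicates kept)."""
    return [e for e in (parse_scan_line(l) for l in text.splitlines()) if e]


def items_found(text: str):
    """The scanner's own total from its trailing summary line, if present."""
    match = SUMMARY_LINE.search(text)
    return int(match.group(1)) if match else None


def summarize_scan(text: str) -> dict:
    """Roll the findings up the way a risk analysis would record them."""
    entries = parse_scan(text)
    # The scanner lists the same object more than once; count each object once.
    unique = {(e["family"], e["kind"], e["path"]) for e in entries}
    families = Counter(family for family, _, _ in unique)
    unremediated = sum(1 for e in entries if e["action"] == "nothing done")
    return {
        "entries": len(entries),
        "unique_findings": len(unique),
        "families": dict(families),
        "kinds": dict(Counter(kind for _, kind, _ in unique)),
        "unremediated": unremediated,
        "remediation_pending": unremediated > 0,   # detected is not the same as removed
        "reported_total": items_found(text),
    }


if __name__ == "__main__":
    for key, value in summarize_scan(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

The useful output is the per-family count and the unremediated total, not the raw item count: 118 items collapse into a few unwanted browser add-ons, and "nothing done" means the scan was run but the cleanup step never happened. That distinction is exactly what the 164.308(a)(5) question on the previous slide turns on, since a detection log that shows no action is evidence that malicious software protection was not actually carried out.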
If W32.QAKBOT Is Found On Your Computer: You Have A HIPAA Breach
An aggressive worm known for stealing sensitive information was found on the computer network for the agencies handling unemployment claims in Massachusetts. W32.QAKBOT is a worm that spreads through network drives and removable drives. After the initial infection, usually the result of clicking on a malicious link on a Web page, it can download additional files, steal information and open a back door on the compromised machine. The worm also contains a rootkit that allows it to hide its presence and it works slowly to avoid detection. "Its ultimate goal is clearly theft of information," said Shunichi Imano, a Symantec researcher. Qakbot is especially aggressive and normally targets online banking, although it has the ability to mutate itself to switch targets and change its methods. The cyber-criminals behind the infection could have remotely instructed the virus to go after names, addresses and Social Security numbers stored in the state systems instead of focusing on banking sites.
Where Are Employees Surfing On YOUR Computers? Do You Have An Employee Policy For Acceptable Internet Use?
"In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen," according to Patrick Fitzgerald, a senior security response manager at Symantec.
Data Backup & Disaster Recovery Plans Are Now Mandatory
Is The Government Really Going To Check To See If I Have A Disaster Recovery Plan?
Marty Is A Magician From Ozark, Mo.
Marty produces Casey the rabbit in the finale of a show for children at the Little Angels Learning Academy in Battlefield, Mo.
A Badge-Wielding Agent Of The USDA Approached Marty After The Show
"Where Is Your Federal License For The Rabbit?" demanded the agent. Marty had to pay $100.00 for a USDA license for Casey.
Now Marty & Casey Are In The System! Now The USDA Wants A WRITTEN Disaster & Recovery Plan For Casey The Rabbit.
The Moral Of "Casey's" Tail?
No Entity Is Too Small To Escape Government Enforcement. & It Really Is A Good Idea To Back Up & Have A Disaster/Business-Continuity Plan.
Physical Safeguards: HIPAA Requires Reviews From Employees' Badges To Alarm Systems
Physical Safeguards: No More "Servers Under Desks"
HIPAA Wants Controlled Access To Servers. Audit Controls Must Be In Place On Servers.
Physical Safeguards: Physical Computers Are GOLD To Identity Thieves
Rather than network hacking, we are seeing an increase in physical "Smash & Grab" of computers, laptops & servers.
Physical Security: A Quick Case Study, Olson & White Orthodontics
A St. Louis suburb-based orthodontist office is notifying 10,000 patients that their protected health information and Social Security numbers have been compromised following the recent burglary of company computers and hardware.
According to the Health Information Trust Alliance, in 2011 the estimated average cost per record of a healthcare data breach was $240.00.
10,000 X $240.00 = $2,400,000.00 Estimated Cost Before Any Punitive Fines From HIPAA
Physical Safeguards: Disposal & Re-use
The Department of Health and Human Services (HHS) announced a settlement on August 14, 2013, with Affinity Health Plan (Affinity), which included a payment of $1,215,780, for a HIPAA security violation caused by Affinity's failure to remove Electronic Protected Health Information (EPHI) from the hard drive of a leased photocopier that was returned to the leasing company.
Equipment With Similar Internal Hard Drives:
• Fax machines
• Desktop Copy Machines
• All In One Scanner Copiers
• Desktops-Laptops-Servers-Tablets-Smart Phones
The $1,215,780 Fine Does Not Include The Cost Of Notification To 344,579 Patients.