HIPAA Threats & Breaches
2012

© 2012 Dexcomm
All Rights Reserved
Contents

Why Perform a Risk Assessment?
How to Perform a HIPAA Risk Assessment
    Security Checklist
    Easy Risk Assessment Template
HIPAA breaches can still happen
What If I’ve Discovered a Breach?
    Accounting for Disclosures
    Documentation for HIPAA Breaches
Who to Contact and When
The Dexcomm Difference

Our passion is properly serving customers. Operating as a 24/7/365 Telephone Answering Service and Medical Exchange since November of 1954 we have developed skills and techniques that allow us to delight a wide range of clients. As we have grown and prospered for over 50 years we feel now is a great time to give something back to our customers, prospective customers and anyone seeking to improve their business success. Included in this book are tips and tools that we hope will make your job a bit easier each day. One of the great learning tools we have employed is the willingness to learn from our mistakes. Please take advantage of our many years of experience and avoid some of the pitfalls that we have learned to overcome. Our hope is that you and your office can adopt some of these tools to make your life a bit less complicated and allow you a bit more uninterrupted leisure time.

Thanks for listening,

Jamey Hopper
President
Dexcomm

PLEASE NOTE - Our e-books are designed to provide information about the subject matter covered. It is distributed with the understanding that the authors and the publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional person should be sought.

HIPAA COMMUNICATION EXPERTS

Why Perform a Risk Assessment?

The best answer to this question may be obvious...but it’s the law!

Aside from that, there are several good reasons to perform a HIPAA Risk Assessment in your office. A risk assessment can help you to identify where your Protected Health Information (PHI) lies in your organization. From equipment to files, there is PHI being stored everywhere....so, protect yourself. Don’t let your office be another case study.

01 Case Study: PHI for Personal Gain
A licensed practical nurse (LPN) pled guilty to wrongfully disclosing a patient’s health information for personal gain. The woman faces a maximum of ten (10) years imprisonment, a $250,000 fine or both. After she shared the patient’s information with her husband, the husband contacted the patient and told the patient that he was going to use the information against him in an upcoming legal proceeding.
How does this affect me?

02 Case Study: Employees & Facebook
A temporary employee at a California hospital posted a picture of someone’s medical record to his Facebook page and made fun of the patient’s condition. Details of the health data breach indicate that the temporary employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient’s full name and date of admission.
Techniques on preventing a breach

03 Case Study: Fined $100K for Calendar
A five-physician practice became the first small practice to enter into a resolution agreement that included a civil money penalty over charges that it violated the HIPAA Privacy and Security Rules. A complaint was filed alleging that the practice was posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible.
Are you at risk?

How to Perform a HIPAA Risk Assessment

01 Take Inventory
Take an inventory in your office of equipment like hardware, software, operating systems, operating environment, remotes, removable media, mobile devices and backup media. Does it create, transmit or store e-PHI? If so, it falls under the HIPAA Security Rule and is relevant to this risk assessment.

02 Define Vulnerability
Vulnerability is a flaw or weakness in the system which could be exploited. Ask yourself, “Is this a threat?” For example, “Do vendors or consultants create, receive, maintain or transmit e-PHI on behalf of my office? If so, what are the potential threats?” In addition, ask yourself, “What are the human, natural and environmental threats to information systems that contain PHI?”

03 Identify Controls
Controls are security systems, firewalls or other regulators that are currently employed to protect PHI from threats.

04 Classify Impact
Each threat or vulnerability should be assessed in light of the impact the event would have on PHI and the IT system: loss of confidentiality (unauthorized use or disclosure); loss of integrity of the data (typos or missing information); or a loss of data availability (viruses and malware). Use numeric values, or “low”, “medium”, “high”.

Guidance on Risk Analysis Requirements under the HIPAA Security Rule
Certified Health IT Product List
HIPAA—Security considerations: 45 C.F.R. § 164.306(b)(2)(iv).

How to Perform a HIPAA Risk Assessment

05 Identify Risk Level
Compare the likelihood that the threat will be realized or become an event to the level of impact the risk, if realized, will have. Use the same value system as when classifying the impact: numeric values, or “low”, “medium”, “high”.

06 Employ Controls
Consider whether the threat or its impact may be reduced or eliminated by employing a control method, such as stronger passwords, security patches, etc. This should also include a cost benefit analysis.

07 Prioritize
Assign a numeric value to designate level of priority. This will help you to achieve risk management based on that level of threat, impact and the availability of controls to reduce or eliminate the risk.

08 Manage
Develop and implement a risk management plan from the Risk Assessment. Implement, maintain and continuously evaluate security measures (controls).
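
An added example, not part of the Dexcomm e-book: steps 01 to 08 expressed as a small risk register. The 1 to 3 scale, the score thresholds, the field names and the sample assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# One value system for both impact (step 04) and likelihood (step 05).
# The numeric mapping is an assumption; the e-book only says to use
# numeric values or "low", "medium", "high".
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    handles_ephi: bool  # step 01: does it create, transmit or store e-PHI?


@dataclass
class Risk:
    asset: Asset
    threat: str                                   # step 02
    likelihood: str                               # step 05
    impact: str                                   # step 04
    controls: list = field(default_factory=list)  # step 03: controls in place
    proposed_control: str = ""                    # step 06
    after: tuple = ()  # step 06: (likelihood, impact) expected with the control


def risk_level(likelihood, impact):
    """Step 05: compare likelihood to impact on the shared scale."""
    for value in (likelihood, impact):
        if value not in SCALE:
            raise ValueError(f"unknown level: {value!r}")
    score = SCALE[likelihood] * SCALE[impact]
    # Thresholds are an assumption: 1-2 low, 3-4 medium, 6-9 high.
    if score >= 6:
        return score, "high"
    if score >= 3:
        return score, "medium"
    return score, "low"


def build_register(risks):
    """Steps 01-07: scope to e-PHI assets, score each risk, rank them."""
    rows = []
    for r in risks:
        if not r.asset.handles_ephi:
            continue  # step 01: outside the HIPAA Security Rule scope
        score, level = risk_level(r.likelihood, r.impact)
        residual = score
        if r.proposed_control and r.after:
            residual, _ = risk_level(*r.after)  # step 06: effect of control
        rows.append({
            "asset": r.asset.name,
            "threat": r.threat,
            "controls": list(r.controls),
            "score": score,
            "level": level,
            "proposed_control": r.proposed_control,
            "residual": residual,
        })
    # Step 07: highest score first; on ties, fewer existing controls first.
    rows.sort(key=lambda row: (-row["score"], len(row["controls"]), row["asset"]))
    for priority, row in enumerate(rows, start=1):
        row["priority"] = priority
    return rows


# Constructed sample inventory, loosely modelled on the case studies above.
LAPTOP = Asset("Study laptop", handles_ephi=True)
CALENDAR = Asset("Internet-based appointment calendar", handles_ephi=True)
DATABASE = Asset("Patient records database", handles_ephi=True)
LOBBY_TV = Asset("Lobby TV", handles_ephi=False)

SAMPLE_RISKS = [
    Risk(LAPTOP, "device lost or stolen", "medium", "high",
         controls=["login password"],
         proposed_control="disk encryption", after=("medium", "low")),
    Risk(CALENDAR, "schedules publicly accessible", "high", "high",
         proposed_control="restrict access to staff accounts",
         after=("low", "high")),
    Risk(DATABASE, "former employee still has a login", "medium", "medium",
         controls=["password-protected access"],
         proposed_control="disable accounts at termination",
         after=("low", "medium")),
    Risk(LOBBY_TV, "device stolen", "low", "low"),
]

if __name__ == "__main__":
    # Step 08: the ranked register is the input to the risk management plan.
    for row in build_register(SAMPLE_RISKS):
        print(row["priority"], row["asset"], row["level"],
              f'{row["score"]} -> {row["residual"]}', row["proposed_control"])
```

Re-running the register after each control is implemented gives the continuous evaluation that step 08 asks for.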




                                                                                            
                                                     
Dexcomm’s Security Checklist
Easy Risk Assessment Template




                                                                                            



HIPAA breaches can still happen.

What do HIPAA breaches look like?

• An internal or external party reports a violation
• A review of server logs indicates unauthorized access
• Equipment is reported lost or stolen

01 Case Study: Costly Vendor Mistake
A recent example of this accountability is a lawsuit filed by the Minnesota Attorney General against Accretive Health, Inc., a debt collection agency that is part of a New York private equity fund conglomerate. The agency has a role in managing the revenue and health care delivery systems at two Minnesota hospital systems. In 2011, an Accretive employee lost a laptop computer containing unencrypted health data about patients.
Do your vendors get HIPAA?

02 Case Study: Unauthorized Access
In the spring of 2010, Huping Zhou, a Chinese immigrant living in California, was fined $2,000 and sentenced to four months in prison. He continued to access private medical records through an electronic password-protected database. His previous supervisor, former co-workers and other high-profile celebrity patients were among those whose privacy Zhou violated over a three-week period in 2003.
How does this affect me?

03 Case Study: Where is Your Laptop?
A laptop computer containing patient records went missing from a Louisiana hospital. Information on the laptop contained PHI (protected health information) for 17,130 patients, gathered for a study from 2000 to 2008. A search was initiated as soon as the hospital learned of the disappearance of the missing device, which police are still investigating. The missing laptop has not resur-
Learn about mobile device breaches

What if I discover a breach?

01 Gather Information
Ask who, what, when, where, how. Who was it disclosed to, how was it disclosed, when was it disclosed, etc.

02 Make Contact
Relevant parties may include patients, employees, authorities, media, Secretary of HHS.

03 Define Resolution
In cases where breaches happen, the medical office must communicate steps to prevent them from happening again. The HIPAA Security Rule also requires that you communicate this information to the relevant parties.

04 Document
Document each step you took to resolve the HIPAA breach.

Accounting for Disclosures
Documentation for HIPAA Breaches




Who & When to contact for a breach

| Who | When the breach is under 500 records | When the breach is 500 and over |
|---|---|---|
| Individual | No later than 60 days from the discovery of the breach, you must notify affected individuals in written form by first-class mail, phone or email | No later than 60 days from the discovery of the breach, you must notify affected individuals in written form by first-class mail, phone or email |
| Media | Not applicable | No later than 60 days from the discovery of the breach, you must notify prominent media outlets serving your state or jurisdiction |
| Secretary of HHS | On an annual basis, you must notify the Secretary of Health and Human Services | No later than 60 days from the discovery of the breach, you must notify the Secretary of Health and Human Services |
| Covered Entity | If you are a Business Associate: You must notify the Covered Entity no later than 60 days from the discovery of the breach | If you are a Business Associate: You must notify the Covered Entity no later than 60 days from the discovery of the breach |


The Dexcomm Difference

Since 1989, before the implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Dexcomm focused on and conducted confidentiality training because of our long history and understanding of the medical community we so proudly serve.

We are committed to bringing our award-winning service and in-depth knowledge of HIPAA to a new standard of excellence. Dexcomm experts have recently founded and instituted a national certification program for medical operators. This program is designed to develop a superior class of operators, who answer for the medical community, which will change the way our industry serves you.

Visit us at www.dexcomm.com to learn more about the Dexcomm difference.

Administrative Safeguards
• Regular in-house training and instruction of HIPAA and HITECH
• Education provided by a legal HIPAA consultant and RN
• Background checks and regular drug screening of staff
• An expert Security and Privacy Officer
• All employees, visitors and contractors are required to sign confidentiality agreements upon entering

Physical Safeguards
• Password protected access to information and facilities
• Proper destruction of documents and equipment

Technical Safeguards
• Multiple levels of encrypted data backup and security
• Innovative secure messaging systems for mobile devices

Better Business Associates by Design
Connecting Your Practice to the Resources You Need

Conducting HIPAA Risk Assessments to protect your medical office is a must, but ongoing assessments and compliance are vital to ensuring protection.
At Dexcomm, our business associates rely on our services to accurately take and deliver their messages while safeguarding their best interest legally as well as financially. Our Experts are continuously developing complimentary resources and tools to assist you in your success.
To find out more, go to:

dexcomm.com
dexcomm.com/resources
mybusinessheard.com
@sk the Expert

Interested in Dexcomm’s services? Get a Quote

Dexcomm
877.339.2666
Corporate: 518 Patin Rd. Carencro, LA 70520

Weitere ähnliche Inhalte

Empfohlen

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 

Empfohlen (20)

Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 

HIPAA Threats and Breaches

  • 1. HIPAA Threats & Breaches  2012  © 2012 Dexcomm  All Rights Reserved 
  • 2. Contents  O ur passion is properly serving customers. Operating as a 24/7/365 Telephone Answering Service and Medical Exchange since November of 1954 we have developed skills and techniques               that allow us to delight a wide range of clients. As we have grown and prospered for over 50 years we feel now is a great time to give Why Perform a Risk Assessment?        3 something back to our customers, prospective customers and any- How to Perform a HIPAA Risk Assessment      4  one seeking to improve their business success. Included in this Security Checklist book are tips and tools that we hope will make your job a bit easier Easy Risk Assessment Template each day. One of the great learning tools we have employed is the HIPAA breaches can s ll happen        6  willingness to learn from our mistakes. Please take advantage of What If I’ve Discovered a Breach?        7  our many years of experience and avoid some of the pitfalls that    Accounting for Disclosures we have learned to overcome. Our hope is that you and your office Documentation for HIPAA Breaches can adopt some of these tools to make your life a bit less compli- Who to Contact and When          8  cated and allow you a bit more uninterrupted leisure time. The Dexcomm Difference          9  Thanks for listening, Jamey Hopper PLEASE NOTE - Our e-books are designed to provide information President about the subject matter covered. It is distributed with the under-        Dexcomm  standing that the authors and the publisher are not engaged in ren- dering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional person should be sought. HIPPA                   COMMUNICATION                 EXPERTS    Share this e‐book! 
  • 3. Why Perform a Risk Assessment?  The best answer to this ques on may be obvious...but it’s the law!     Aside from that, there are several good reasons to performing a HIPAA Risk Assessment in your office. A risk  assessment can help you to iden fy where your Protected Health Informa on (PHI) lies in your organiza on.  From equipment to files, there is PHI being stored everywhere....so, protect yourself. Don’t let your office be  another case study. PHI for Personal Gain  Employees & Facebook  Fined $100K for Calendar  A licensed practical nurse (LPN) pled guilty A temporary employee at a California hospi- A five-physician practice became the first to wrongfully disclosing a patient’s health tal posted a picture of someone’s medical small practice to enter into a resolution 01 Case Study  02 Case Study  03 Case Study  information for personal gain. The woman record to his Facebook page and made fun agreement that included a civil money pen- faces a maximum of ten (10) years impris- of the patient’s condition. alty over charges that it violated the HIPAA onment, a $250,000 fine or both. Having Details of the health data breach indicate Privacy and Security Rules. A complaint shared the patient’s information with her that the temporary employee, who was pro- was filed alleging that the practice was post- husband, the husband contacted the patient vided by a staffing agency, shared a photo ing surgery and appointment schedules on and told the patient that he was going to on his Facebook page of a medical record an Internet-based calendar that was publicly use the information against him in an up- displaying a patient’s full name and date of accessible. coming legal proceeding. admission. How does this affect me? Techniques on preventing a breach  Are you are risk? HIPPA                  Share this e‐book! 
  • 4. How to Perform a HIPAA Risk Assessment
    01 Take Inventory
    Take an inventory in your office of equipment like hardware, software, operating systems, operating environment, remotes, removable media, mobile devices and backup media. Does it create, transmit or store e-PHI? If so, it falls under the HIPAA Security Rule and is relevant to this risk assessment.

    02 Define Vulnerability
    Vulnerability is a flaw or weakness in the system which could be exploited. Ask yourself, “is this a threat?” For example, “do vendors or consultants create, receive, maintain or transmit e-PHI on behalf of my office? If so, what are the potential threats?” In addition, ask yourself, “What are the human, natural and environmental threats to information systems that contain PHI?”

    03 Identify Controls
    Controls are security systems, firewalls or other regulators that are currently employed to protect PHI from threats.

    04 Classify Impact
    Each threat or vulnerability should be assessed in light of the impact the event would have on PHI and the IT system: loss of confidentiality (unauthorized use or disclosure); loss of integrity of the data (typos or missing information); or a loss of data availability (viruses and malware). Use numeric values, or “low”, “medium”, “high”.

    Guidance on Risk Analysis Requirements under the HIPAA Security Rule | Certified Health IT Product List | HIPAA—Security considerations, 45 C.F.R. § 164.306(b)(2)(iv)
  • 5. How to Perform a HIPAA Risk Assessment
    05 Identify Risk Level
    Compare the likelihood that the threat will be realized or become an event to the level of impact the risk, if realized, will have. Use the same value system as when classifying the impact: numeric values, or “low”, “medium”, “high”.

    06 Employ Controls
    Consider whether the threat or its impact may be reduced or eliminated by employing a control method, such as stronger passwords, security patches, etc. This should also include a cost benefit analysis.

    07 Prioritize
    Assign a numeric value to designate level of priority. This will help you to achieve risk management based on that level of threat, impact and the availability of controls to reduce or eliminate the risk.

    08 Manage
    Develop and implement a risk management plan from the Risk Assessment. Implement, maintain and continuously evaluate security measures (controls).

    Dexcomm’s Security Checklist | Easy Risk Assessment Template
  • 6. HIPAA breaches can still happen.
    What do HIPAA breaches look like?
      - An internal or external party reports a violation
      - A review of server logs indicates unauthorized access
      - Equipment is reported lost or stolen

    01 Case Study: Costly Vendor Mistake
    A recent example of this accountability is a lawsuit filed by the Minnesota Attorney General against Accretive Health, Inc., a debt collection agency that is part of a New York private equity fund conglomerate. The agency has a role in managing the revenue and health care delivery systems at two Minnesota hospital systems. In 2011, an Accretive employee lost a laptop computer containing unencrypted health data about patients.

    02 Case Study: Unauthorized Access
    In the spring of 2010, Huping Zhou, a Chinese immigrant living in California, was fined $2,000 and sentenced to four months in prison. He continued to access private medical records through an electronic password-protected database. His previous supervisor, former co-workers and other high-profile celebrity patients were among those whose privacy Zhou violated over a three-week period in 2003.

    03 Case Study: Where is Your Laptop?
    A laptop computer containing patient records went missing from a Louisiana hospital. Information on the laptop contained PHI (protected health information) for 17,130 patients, gathered for a study from 2000 to 2008. A search was initiated as soon as the hospital learned of the disappearance of the missing device, which police are still investigating. The missing laptop has not resur-

    Do your vendors get HIPAA? | How does this affect me? | Learn about mobile device breaches
  • 7. What if I discover a breach?
    01 Gather Information
    Ask who, what, when, where, how. Who was it disclosed to, how was it disclosed, when was it disclosed, etc.

    02 Make Contact
    Relevant parties may include patients, employees, authorities, media, Secretary of HHS.

    03 Define Resolution
    In cases where breaches happen, the medical office must communicate steps to prevent them from happening again. The HIPAA Security Rule also requires that you communicate this information to the relevant parties.

    04 Document
    Document each step you took to resolve the HIPAA breach.

    Accounting for Disclosures | Documentation for HIPAA Breaches
  • 8. Who & When to contact for a breach
    Who: Individual
      When the breach is under 500 records: No later than 60 days from the discovery of the breach, you must notify affected individuals in written form by first-class mail, phone or email
      When the breach is 500 and over: No later than 60 days from the discovery of the breach, you must notify affected individuals in written form by first-class mail, phone or email

    Who: Media
      When the breach is under 500 records: Not applicable
      When the breach is 500 and over: No later than 60 days from the discovery of the breach, you must notify prominent media outlets serving your state or jurisdiction

    Who: Secretary of HHS
      When the breach is under 500 records: On an annual basis, you must notify the Secretary of Health and Human Services
      When the breach is 500 and over: No later than 60 days from the discovery of the breach, you must notify the Secretary of Health and Human Services

    Who: Covered Entity
      When the breach is under 500 records: If you are a Business Associate: You must notify the Covered Entity no later than 60 days from the discovery of the breach
      When the breach is 500 and over: If you are a Business Associate: You must notify the Covered Entity no later than 60 days from the discovery of the breach
  • 9. The Dexcomm Difference
    Since 1989, before the implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Dexcomm focused on and conducted confidentiality training because of our long history and understanding of the medical community we so proudly serve. We are committed to bring our award-winning service and in-depth knowledge of HIPAA to a new standard of excellence. Dexcomm experts have recently founded and instituted a national certification program for medical operators. This program is designed to develop a superior class of operators, who answer for the medical community, which will change the way our industry serves you.

    Visit us at www.dexcomm.com to learn more about the Dexcomm difference.

    Administrative Safeguards
      - Regular in-house training and instruction of HIPAA and HITECH
      - Education provided by a legal HIPAA consultant and RN
      - Background checks and regular drug screening of staff
      - An expert Security and Privacy Officer
      - All employees, visitors and contractors are required to sign confidentiality agreements upon entering

    Physical Safeguards
      - Password protected access to information and facilities
      - Proper destruction of documents and equipment

    Technical Safeguards
      - Multiple levels of encrypted data backup and security
      - Innovative secure messaging systems for mobile devices
  • 10. Better Business Associates by Design
    Connecting Your Practice to the Resources You Need

    Conducting HIPAA Risk Assessments to protect your medical office is a must, but ongoing assessments and compliance are vital to ensuring protection. At Dexcomm, our business associates rely on our services to accurately take and deliver their messages while safeguarding their best interest legally as well as financially. Our Experts are continuously developing complimentary resources and tools to assist you in your success.

    To find out more, go to: dexcomm.com | dexcomm.com/resources | mybusinessheard.com | @sk the Expert

    Interested in Dexcomm’s services? Get a Quote

    Dexcomm   877.339.2666
    Corporate: 518 Patin Rd. Carencro, LA 70520