HIPAA Threats and Breaches
If you are entrusted with protected health information, you have the responsibility to protect that data from accidental or malicious exposure. Learn how and where to use resources to manage your risks in a cost-effective and efficient manner.
This ebook will provide:
• An easy-to-use risk assessment template
• A security checklist
• HIPAA required documentation forms for disclosures and breaches
2. Contents
Why Perform a Risk Assessment? 3
How to Perform a HIPAA Risk Assessment 4
  Security Checklist
  Easy Risk Assessment Template
HIPAA breaches can still happen 6
What If I've Discovered a Breach? 7
  Accounting for Disclosures
  Documentation for HIPAA Breaches
Who to Contact and When 8
The Dexcomm Difference 9

Our passion is properly serving customers. Operating as a 24/7/365 Telephone Answering Service and Medical Exchange since November of 1954, we have developed skills and techniques that allow us to delight a wide range of clients. As we have grown and prospered for over 50 years, we feel now is a great time to give something back to our customers, prospective customers and anyone seeking to improve their business success. Included in this book are tips and tools that we hope will make your job a bit easier each day. One of the great learning tools we have employed is the willingness to learn from our mistakes. Please take advantage of our many years of experience and avoid some of the pitfalls that we have learned to overcome. Our hope is that you and your office can adopt some of these tools to make your life a bit less complicated and allow you a bit more uninterrupted leisure time.

Thanks for listening,
Jamey Hopper
President
Dexcomm

PLEASE NOTE - Our e-books are designed to provide information about the subject matter covered. They are distributed with the understanding that the authors and the publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional person should be sought.
HIPAA COMMUNICATION EXPERTS
3. Why Perform a Risk Assessment?
The best answer to this question may be obvious...but it's the law!
Aside from that, there are several good reasons to perform a HIPAA Risk Assessment in your office. A risk assessment can help you to identify where your Protected Health Information (PHI) lies in your organization. From equipment to files, there is PHI being stored everywhere...so protect yourself. Don't let your office be another case study.
Case Study 01: PHI for Personal Gain
A licensed practical nurse (LPN) pled guilty to wrongfully disclosing a patient's health information for personal gain. The woman faces a maximum of ten (10) years imprisonment, a $250,000 fine or both. She had shared the patient's information with her husband, and the husband contacted the patient and told him that he was going to use the information against him in an upcoming legal proceeding.

Case Study 02: Employees & Facebook
A temporary employee at a California hospital posted a picture of someone's medical record to his Facebook page and made fun of the patient's condition. Details of the health data breach indicate that the temporary employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient's full name and date of admission.

Case Study 03: Fined $100K for Calendar
A five-physician practice became the first small practice to enter into a resolution agreement that included a civil money penalty over charges that it violated the HIPAA Privacy and Security Rules. A complaint was filed alleging that the practice was posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible.
4. How to Perform a HIPAA Risk Assessment
01 Take Inventory
Take an inventory in your office of equipment like hardware, software, operating systems, operating environment, remotes, removable media, mobile devices and backup media. Does it create, transmit or store e-PHI? If so, it falls under the HIPAA Security Rule and is relevant to this risk assessment.

02 Define Vulnerability
A vulnerability is a flaw or weakness in the system which could be exploited. Ask yourself, "is this a threat?" For example, "do vendors or consultants create, receive, maintain or transmit e-PHI on behalf of my office? If so, what are the potential threats?" In addition, ask yourself, "What are the human, natural and environmental threats to information systems that contain PHI?"

03 Identify Controls
Controls are security systems, firewalls or other regulators that are currently employed to protect PHI from threats.

04 Classify Impact
Each threat or vulnerability should be assessed in light of the impact the event would have on PHI and the IT system: loss of confidentiality (unauthorized use or disclosure); loss of integrity of the data (typos or missing information); or a loss of data availability (viruses and malware). Use numeric values, or "low", "medium", "high".

Resources: Guidance on Risk Analysis Requirements under the HIPAA Security Rule; Certified Health IT Product List; HIPAA Security considerations, 45 C.F.R. § 164.306(b)(2)(iv).
5. How to Perform a HIPAA Risk Assessment (continued)
05 Identify Risk Level
Compare the likelihood that the threat will be realized or become an event to the level of impact the risk, if realized, will have. Use the same value system as when classifying the impact: numeric values, or "low", "medium", "high".

06 Employ Controls
Consider whether the threat or its impact may be reduced or eliminated by employing a control method, such as stronger passwords, security patches, etc. This should also include a cost benefit analysis.

07 Prioritize
Assign a numeric value to designate level of priority. This will help you to achieve risk management based on that level of threat, impact and the availability of controls to reduce or eliminate the risk.

08 Manage
Develop and implement a risk management plan from the Risk Assessment. Implement, maintain and continuously evaluate security measures (controls).
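The eight steps above can be carried as a small risk register so that the inventory, the ratings and the ranking are written down and repeatable rather than kept in someone's head. The script below is an added example and is not code from the ebook or from Dexcomm. The scoring scheme (impact times likelihood on the 1 to 3 low/medium/high scale, with one notch of likelihood credit per control already in place) and every asset, threat and rating in it are constructed assumptions for illustration; an office would substitute its own inventory and judgments.

```python
"""Worked HIPAA risk register following the eight assessment steps.

Added example, not code from the ebook or from Dexcomm. The scoring
scheme (impact x likelihood on a 1-3 scale, one notch of likelihood
credit per existing control) and every asset, threat and rating here
are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}   # the low/medium/high scale as numbers


@dataclass
class Asset:
    name: str
    handles_ephi: bool  # does it create, transmit or store e-PHI?


@dataclass
class Risk:
    asset: str
    threat: str        # step 02: the threat / vulnerability pairing
    impact: str        # step 04: effect on confidentiality, integrity or availability
    likelihood: str    # step 05: chance the threat is realized
    controls: list = field(default_factory=list)  # step 03: controls already in place


# Step 01: constructed sample inventory of a small office.
SAMPLE_INVENTORY = [
    Asset("front-desk laptop", handles_ephi=True),
    Asset("billing server", handles_ephi=True),
    Asset("break-room television", handles_ephi=False),
]

# Steps 02-05: constructed sample threats with ratings.
SAMPLE_RISKS = [
    Risk("front-desk laptop", "laptop lost or stolen, disk not encrypted",
         impact="high", likelihood="medium"),
    Risk("billing server", "malware takes the system offline",
         impact="high", likelihood="medium",
         controls=["antivirus", "monthly security patches"]),
    Risk("billing server", "vendors share one password for remote support",
         impact="high", likelihood="high"),
    Risk("break-room television", "power outage",
         impact="low", likelihood="medium"),
]


def in_scope(inventory):
    """Step 01: only assets that create, transmit or store e-PHI fall under
    the Security Rule and enter the assessment."""
    return [a for a in inventory if a.handles_ephi]


def risk_score(risk):
    """Step 05 combined with step 06: impact x likelihood, where each existing
    control lowers likelihood one notch (assumed scheme), floor of 1."""
    likelihood = max(1, LEVELS[risk.likelihood] - len(risk.controls))
    return LEVELS[risk.impact] * likelihood


def risk_level(score):
    """Map a 1-9 score back onto low/medium/high (assumed cut-offs)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(inventory, risks):
    """Step 07: rank in-scope risks highest score first so the step 08
    management plan can address them in order."""
    scope = {a.name for a in in_scope(inventory)}
    ranked = sorted((r for r in risks if r.asset in scope),
                    key=risk_score, reverse=True)
    return [(r.asset, r.threat, risk_score(r), risk_level(risk_score(r)))
            for r in ranked]


if __name__ == "__main__":
    for asset, threat, score, level in prioritize(SAMPLE_INVENTORY, SAMPLE_RISKS):
        print(f"{level:6} {score}  {asset}: {threat}")
```

Run as-is it prints the shared vendor password first, the unencrypted laptop second and the patched, antivirus-protected server last; the television never appears because it holds no e-PHI. The point of writing the credit for controls into the score is that step 06 becomes visible: adding disk encryption to the laptop entry drops it a notch in the same run, which is the cost benefit comparison the step asks for.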
Resources: Dexcomm's Security Checklist; Easy Risk Assessment Template.
6. HIPAA breaches can still happen.
What do HIPAA breaches look like?
• An internal or external party reports a violation
• A review of server logs indicates unauthorized access
• Equipment is reported lost or stolen
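"A review of server logs indicates unauthorized access" only works if someone actually reviews the logs against a rule. The script below is an added example and is not code from the ebook or from Dexcomm; it shows one way to turn that review into a repeatable check over a record-access audit log. The log format, the HR roster, the patient assignments and the three rules (account not on the roster, access after the account should have been disabled, access to a patient the account has no documented reason to see) are constructed assumptions for illustration.

```python
"""Audit-log review for unauthorized access to patient records.

Added example, not code from the ebook or from Dexcomm. The log
format, the roster, the patient assignments and the rules below are
constructed assumptions for illustration.
"""
import csv
import io
from datetime import datetime

# Constructed sample audit log: one record view per line.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2010-03-01T09:12:00,nurse_a,P100,view
2010-03-01T09:20:00,nurse_a,P101,view
2010-03-01T22:41:00,former_staff,P300,view
2010-03-02T08:05:00,billing_b,P102,view
2010-03-02T08:07:00,billing_b,P400,view
2010-03-02T08:09:00,ghost,P401,view
"""

# Constructed HR roster: account -> date the account should have been
# disabled (None = still employed).
ROSTER = {
    "nurse_a": None,
    "billing_b": None,
    "former_staff": datetime(2010, 2, 15),
}

# Constructed treatment/billing assignments: account -> patients the
# account has a documented reason to view.
ASSIGNMENTS = {
    "nurse_a": {"P100", "P101"},
    "billing_b": {"P102"},
    "former_staff": set(),
}


def parse_log(text):
    """Parse the CSV audit log into dicts with a real datetime."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        entries.append(row)
    return entries


def review(entries, roster=ROSTER, assignments=ASSIGNMENTS):
    """Return (user, patient_id, reason) for every access that neither the
    roster nor the assignments justify."""
    findings = []
    for e in entries:
        user, patient = e["user"], e["patient_id"]
        if user not in roster:
            findings.append((user, patient, "account not on roster"))
            continue
        disabled_on = roster[user]
        if disabled_on is not None and e["timestamp"] >= disabled_on:
            findings.append((user, patient, "access after account should be disabled"))
        elif patient not in assignments.get(user, set()):
            findings.append((user, patient, "no documented relationship to patient"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample log the review flags the former employee's late-night lookup, the billing clerk's view of a patient outside their assignment, and an account HR has never heard of. The second rule is the one that catches a still-employed insider browsing the records of co-workers or public figures; the first two only work if the roster is kept current, so disabling accounts on departure is as much a detection control as a preventive one.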
Case Study 01: Costly Vendor Mistake
A recent example of this accountability is a lawsuit filed by the Minnesota Attorney General against Accretive Health, Inc., a debt collection agency that is part of a New York private equity fund conglomerate. The agency has a role in managing the revenue and health care delivery systems at two Minnesota hospital systems. In 2011, an Accretive employee lost a laptop computer containing unencrypted health data about patients.

Case Study 02: Unauthorized Access
In the spring of 2010, Huping Zhou, a Chinese immigrant living in California, was fined $2,000 and sentenced to four months in prison. He continued to access private medical records through an electronic password-protected database. His previous supervisor, former co-workers and other high-profile celebrity patients were among those whose privacy Zhou violated over a three-week period in 2003.

Case Study 03: Where is Your Laptop?
A laptop computer containing patient records went missing from a Louisiana hospital. Information on the laptop contained PHI (protected health information) for 17,130 patients, gathered for a study from 2000 to 2008. A search was initiated as soon as the hospital learned of the disappearance of the missing device, which police are still investigating. The missing laptop has not resur-
7. What if I discover a breach?
01 Gather Information
Ask who, what, when, where, how. Who was it disclosed to, how was it disclosed, when was it disclosed, etc.

02 Make Contact
Relevant parties may include patients, employees, authorities, media, and the Secretary of HHS.

03 Define Resolution
In cases where breaches happen, the medical office must communicate the steps it is taking to prevent them from happening again. The HIPAA Breach Notification Rule also requires that you communicate this information to the relevant parties.

04 Document
Document each step you took to resolve the HIPAA breach.
Resources: Accounting for Disclosures; Documentation for HIPAA Breaches.
8. Who & When to contact for a breach

Individual
  Breach under 500 records: No later than 60 days from the discovery of the breach, you must notify affected individuals in written form by first-class mail, phone or email.
  Breach of 500 records or more: Same as for a breach under 500 records.

Media
  Breach under 500 records: Not applicable.
  Breach of 500 records or more: No later than 60 days from the discovery of the breach, you must notify prominent media outlets serving your state or jurisdiction.

Secretary of HHS
  Breach under 500 records: On an annual basis, you must notify the Secretary of Health and Human Services.
  Breach of 500 records or more: No later than 60 days from the discovery of the breach, you must notify the Secretary of Health and Human Services.

Covered Entity
  Breach under 500 records: If you are a Business Associate, you must notify the Covered Entity no later than 60 days from the discovery of the breach.
  Breach of 500 records or more: Same as for a breach under 500 records.

Two cautions when reading the 60 days: the Breach Notification Rule requires notice without unreasonable delay, so 60 days from discovery is the latest permitted date rather than a target, and email counts as written notice to an individual only where that individual has agreed to receive notices electronically. The annual report of smaller breaches to the Secretary is due within 60 days after the end of the calendar year in which the breaches were discovered.
9. The Dexcomm Difference
Since 1989, before the implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Dexcomm has focused on and conducted confidentiality training because of our long history and understanding of the medical community we so proudly serve.

We are committed to bringing our award-winning service and in-depth knowledge of HIPAA to a new standard of excellence. Dexcomm experts have recently founded and instituted a national certification program for medical operators. This program is designed to develop a superior class of operators, who answer for the medical community, which will change the way our industry serves you.

Visit us at www.dexcomm.com to learn more about the Dexcomm difference.

Administrative Safeguards
• Regular in-house training and instruction on HIPAA and HITECH
• Education provided by a legal HIPAA consultant and an RN
• Background checks and regular drug screening of staff
• An expert Security and Privacy Officer
• All employees, visitors and contractors are required to sign confidentiality agreements upon entering

Physical Safeguards
• Password protected access to information and facilities
• Proper destruction of documents and equipment

Technical Safeguards
• Multiple levels of encrypted data backup and security
• Innovative secure messaging systems for mobile devices
10. Better Business Associates by Design
Connecting Your Practice to the Resources You Need
Conducting HIPAA Risk Assessments to protect your medical office is a must, but ongoing assessments and compliance are vital to ensuring protection.
At Dexcomm, our business associates rely on our services to accurately take and deliver their messages while safeguarding their best interest legally as well as financially. Our experts are continuously developing complimentary resources and tools to assist you in your success.
To find out more, go to:
dexcomm.com
dexcomm.com/resources
mybusinessheard.com
@sk the Expert
Interested in Dexcomm's services?
Get a Quote
Dexcomm
877.339.2666
Corporate: 518 Patin Rd., Carencro, LA 70520