Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the IRS
1. ❧
Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than by the IRS
The Security Risk Analysis
Bryan Brothers – CHPS, CAHIMS
Copyright 2015 Brothers and Associates LLC
2. ❧ “Consider what it will cost you if the Office of Civil Rights (OCR) visits, even if
you get through the ordeal without a fine, or even an accusation.”
❧ Learn what they will ask before they make a determination.
❧ Learn what a Meaningful Use Objective is/means to you.
❧ Why Conduct a Security Risk Analysis?
❧ How Often Does a Breach Occur in Home Health Care?
❧ What Are the Fines, and Can You Afford It?
❧ Examples of Home Health Care Breaches Across the U.S.
❧ Myths and Misconceptions about Safety.
❧ Mistakes to Avoid
❧ Where Can You Turn for Help?
❧ Q&A
Agenda and Introductions
3. ❧
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
HHS Office for Civil Rights, Former Director Leon Rodriguez
Current Director Jocelyn Samuels continues to support this philosophy.
4. ❧
Brief History
Prior to HIPAA, there was no universally recognized security standard for protected health information (PHI).
HITECH, as part of the American Recovery and Reinvestment Act of 2009, contains specific incentives designed to accelerate adoption of electronic health records among providers.
It broadens the scope of privacy and security protections listed under HIPAA and also increases the repercussions and enforcement potential for non-compliance.
5. ❧Conduct or review a security risk
analysis in accordance with the
requirements under 45 CFR
164.308 (a) (1), including
addressing the encryption/security
of data at rest and implement
security updates as necessary and
correct identified security
deficiencies as part of the risk
management process.
Meaningful Use Objective
6. ❧
Why Conduct a Risk Analysis?
❧ The process of a Risk Analysis is an ongoing and
interactive part of your organization's security plan.
❧ The Purpose is to identify potential threats and
vulnerabilities to PHI, implement needed changes to
make PHI more secure, and monitor the results of
mitigation.
❧ Understanding the risk to Confidentiality, Integrity,
and Availability of ePHI is the key to your security!
7. • Identify Non-Compliance of HIPAA and
other rules and regulations
• Identify Threats and Vulnerabilities
• Identify Weaknesses that could result
in unauthorized disclosures or
breaches
• Improve processes when handling PHI
• Demonstrate a good-faith effort to
ensure compliance with the required
component of Meaningful Use and
HIPAA law.
What Information will a Risk Analysis
provide?
8. Procedure for Risk Analysis
The Risk Analysis is a Nine Step Process!
To correctly perform an analysis, the guidelines set
forth by the National Institute of Standards and
Technology (NIST) must be used.
9. Procedure for Risk Analysis
Step 1:
● Scope the Assessment
● Identify where ePHI is created, received, maintained,
processed, or transmitted
● Take into account the remote work force and telecommuters,
and removable media and portable computing devices
10. Procedure for Risk Analysis
Step 2:
● Gather Information
● Identify the conditions under which EPHI is
created, received, maintained, processed, or
transmitted by the covered entity
● Identify the security controls currently being
used to protect the EPHI
11. Procedure for Risk Analysis
Step 3: Identify Realistic Threats
● Identify and compile a list of potential threat
sources applicable to the organization
● Include realistic, probable human and natural
incidents that can have a negative impact on an
organization's ability to protect EPHI
12. Step 4: Identify Potential Vulnerabilities
● Develop a list of vulnerabilities
● Focus on areas where EPHI can be disclosed
without proper authorization, improperly modified,
or made unavailable when needed.
Procedure for Risk Analysis
13. Step 5: Assess Current Security Controls
● Determine if the implemented or planned security
controls will minimize or eliminate risks to EPHI
Procedure for Risk Analysis
14. Step 6: Determine Likelihood and Impact of Threat
● Likelihood: probability of a threat occurring that
can cause or trigger an adverse event
● Impact: effect that an adverse event would have
on an organization if a vulnerability was exploited
Procedure for Risk Analysis
15. Step 7: Determine Level of Risk
● Assess level of risk to the organization
● Risk is based on the values assigned to the
likelihood and impact of a threat occurrence
Procedure for Risk Analysis
16. Step 8: Recommend Security Controls
● Security controls that could mitigate the identified
risks
● Reduce the level of risk to the IT system and its
data to an acceptable level
Step 9: Document the Risk Results
Pause for excited audience to calm
down!!!
Procedure for Risk Analysis
17. ANOTHER LOOK AT THE PROCESS
Step 1: scope the assessment
Step 2: gather information
Step 3: identify realistic threats
Step 4: identify potential vulnerabilities
Step 5: assess current security controls
Step 6: determine likelihood and impact of threat
Step 7: determine level of risk
Step 8: recommend security controls
Step 9: document risk results
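The nine steps above read as a checklist, but steps 5 through 9 are really a small calculation: take each place ePHI lives, pair it with a realistic threat and a weakness, credit the controls already in place, score likelihood and impact, and write the result down with a recommended fix. The following Python is an added illustration written for this page; it is not the presenter's code and not a NIST tool. It assumes a 1-3 qualitative scale for likelihood and impact, that each existing control judged effective lowers likelihood by one level (Step 5), that risk is residual likelihood times impact (Step 7), and Low/Medium/High cut-offs of below 3, 3 to 5, and 6 or above. Every asset, threat and control in it is constructed sample data for a fictional home health agency, not a finding from the deck.

```python
"""Worked example of the nine-step risk analysis described in this deck.

Added illustration for this page, not the presenter's code and not a NIST tool.
Assumptions: a 1-3 qualitative scale for likelihood and impact, each effective
existing control lowering likelihood by one level (Step 5), risk = residual
likelihood x impact (Step 7), and Low/Medium/High cut-offs of <3 / 3-5 / >=6.
All assets, threats and controls below are constructed sample data for a
fictional home health agency.
"""
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}
NAMES = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Finding:
    asset: str                 # Step 1: where ePHI is created, stored or transmitted
    threat: str                # Step 3: realistic threat source
    vulnerability: str         # Step 4: weakness the threat could exploit
    controls: list             # Step 2: (control name, judged effective?) pairs
    inherent_likelihood: str   # Step 6: likelihood with no controls in place
    impact: str                # Step 6: effect on confidentiality/integrity/availability
    recommendation: str        # Step 8: control that would reduce the risk


def residual_likelihood(inherent: str, controls: list) -> str:
    """Step 5: each control judged effective lowers likelihood one level, floor 'low'."""
    effective = sum(1 for _name, works in controls if works)
    return NAMES[max(1, SCALE[inherent] - effective)]


def risk_score(finding: Finding) -> int:
    """Step 7: risk = residual likelihood x impact, on a 1..9 scale."""
    likelihood = residual_likelihood(finding.inherent_likelihood, finding.controls)
    return SCALE[likelihood] * SCALE[finding.impact]


def risk_level(score: int) -> str:
    """Step 7: map the numeric score onto the level the deck talks about."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def risk_register(findings: list) -> list:
    """Step 9: document every finding, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "asset": f.asset,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "residual_likelihood": residual_likelihood(f.inherent_likelihood, f.controls),
            "impact": f.impact,
            "score": score,
            "level": risk_level(score),
            "recommendation": f.recommendation,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def corrective_action_plan(findings: list) -> list:
    """Steps 8-9: the Medium and High items an auditor expects to see tracked to closure."""
    return [(r["asset"], r["level"], r["recommendation"])
            for r in risk_register(findings) if r["level"] != "Low"]


# Constructed sample findings for a fictional agency (not taken from the deck).
SAMPLE_FINDINGS = [
    Finding("Field nurse laptops with visit notes", "Theft or loss of a device",
            "Full-disk encryption not enforced", [],
            "high", "high", "Enforce full-disk encryption and remote wipe; keep a device inventory"),
    Finding("Paper charts in branch office", "Unauthorized viewing by visitors or contractors",
            "Charts left on desks after hours",
            [("Locked file cabinets", True), ("Visitor sign-in log", False)],
            "medium", "medium", "Clean-desk policy with an end-of-day check"),
    Finding("Web-based EMR accounts", "Credential phishing",
            "No multi-factor authentication on remote logins",
            [("Annual security awareness training", True)],
            "high", "high", "Require MFA for all remote EMR access"),
    Finding("USB drives used to move billing files", "Loss of unencrypted media",
            "Policy forbids USB use but is not technically enforced",
            [("Written removable-media policy", False)],
            "medium", "medium", "Block unmanaged USB storage; issue encrypted drives"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(f"{row['level']:6} {row['score']}  {row['asset']}: {row['recommendation']}")
```

Two design points worth noticing. A written policy that nobody enforces (the USB example) is recorded as a control that is present but not effective, so it earns no credit against likelihood; that is exactly the policy-and-procedure gap the later slides say most findings come down to. And the register keeps the Low items rather than discarding them, because Step 9 is about showing an auditor that the risk was considered, while the corrective action plan lists only what still needs fixing.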
18. ❧
THREE TIER APPROACH
❧ Audits, Audits and More Audits…
❧ Three separate entities are now performing audits of
medical facilities: Figliozzi & Company, a private
contractor, performs audits on behalf of CMS and the
ONC for the Meaningful Use Program. The Office of
Civil Rights performs audits on behalf of the
Department of Health and Human Services. Lastly,
the Office of the Attorney General performs audits for the
State.
19. ❧
❧ While audits are in progress, they may or may not
affect you. Many audits are a result of Breach
situations. How often does a Breach occur in Home
Health Care?
❧ A: Never, these rules do not apply to me!
❧ B: They happen, but no harm occurs…
❧ C: A Breach every 3.5 hours.
Overstated?
20. ❧
❧ Three Major Breaches in Florida in the last 24
months from Home Health Care Agencies.
❧ Over 14,000 records involved.
❧ Settlements still pending in some cases.
❧ PAPER RECORDS INVOLVED
Surprising Information
21. ❧
❧ Missouri – Home Care of Mid-Missouri – 4027 records
❧ Texas – Hope Hospice – 818 records
❧ Kansas – Complete Medical Homecare – 1700 records
❧ Kentucky – ReachOut Homecare – 4500 records
❧ New Jersey – Jersey City Medical Center – 36400 records
❧ Minnesota – In April of 2015 – Allina Health – 838 records
❧ Largest Breach last year – 179000 records from one California-based provider.
Across the Country
22. ❧
❧ Each audit program has a different penalty structure;
however, they are similar in the penalty phases:
❧ For the EMR Program Audit: Notice of a failed audit
will result in a tentative notice of overpayment, and
incentive payment for audit year will be recouped.
❧ FRAUDULENT ATTESTATION PUNISHMENT MAY
INVOLVE IMPRISONMENT, SIGNIFICANT FINES,
LOSS OF LICENSE, AND EXCLUSION FROM
PARTICIPATION IN INCENTIVE PROGRAM.
Penalties Involved
23. OCR Audits have varied fines dependent on the severity of findings. The largest fines are Civil Penalties of up to $1.5 million per occurrence:
Multiple violations due to willful neglect, not corrected, of an identical requirement or prohibition made during the same calendar year.
Other violations may result in lesser penalties of $10,000 per occurrence, not to exceed $250,000:
Violation was due to willful neglect, corrected; violation of an identical requirement or prohibition during a calendar year.
24. Each Audit Program Can Result in Criminal Penalties!
Most Breaches Require the Provision of Credit / Identity
Protection Services. The average cost of these services is
$230 per individual. As an example, the Breach mentioned in
Minnesota, 838 records, would then cost $192,740 to mitigate.
Added costs are also incurred due to loss of patients due to
“Bad Press”.
25. 2013 saw the first fine for a Breach of
Less Than 500 Records
•440 records
•Lost laptop
Hospice of North Idaho
No risk assessment; therefore no appropriate measures to
address the risk or to maintain the appropriate security
measures.
$50,000 fine, Corrective Action Plan
CAP required employer to enforce policies and sanction policy
violations
26. ❧
From the Los Angeles Times
❧ UCLA pays $865,500 to settle celebrity medical record snooping case, July 7, 2011. “Settlement with U.S.
regulators also calls for UCLA to retrain staff and take steps to prevent future breaches. Some staff have
already been fired for viewing the records of Farrah Fawcett, Michael Jackson and others.”
❧ UCLA Health System has agreed to pay $865,500 as part of a settlement with federal regulators announced
Thursday after two celebrity patients alleged that hospital employees broke the law and reviewed their medical
records without authorization.
❧ Federal and hospital officials declined to identify the celebrities involved. The complaints cover 2005 to 2009, a time
during which hospital employees were repeatedly caught and fired for peeping at the medical records of dozens of
celebrities, including Britney Spears, Farrah Fawcett and then-California First Lady Maria Shriver.
❧ The employee was not named in the agreement, and the hospital spokeswoman declined to identify who it was. But
the timing and description of the alleged violations cited in the agreement suggest that it may have been Lawanda
Jackson, an administrative specialist at Ronald Reagan UCLA Medical Center who was fired in 2007 after she was
caught accessing Farrah Fawcett's medical records and allegedly selling information to the National Enquirer.
❧ Jackson later pleaded guilty to a felony charge of violating federal medical privacy laws for commercial purposes but
died of cancer before she could be sentenced. Fawcett died of cancer in 2009.
27. ❧
❧ Failure to pass an audit from any of the participating
organizations can result in more than just penalties
imposed:
❧ The Reputation of your organization can be affected
by published results.
❧ How many of you have experienced a breach ???
More Than Money!!!
28. In Florida, from 2012 until now:
39 incidents of over 500 records
required reporting to HHS.
Over 170,000 Patient Records Affected!
29. ❧
Things To Consider
❧ Security Risk Analyses are sold in many forms, can
be purchased as a kit, and can be done with no help
at all.
❧ No analysis is perfect.
❧ There are some Myths: It doesn’t apply to me…,
❧ My EMR Vendor said I don’t need to they are
certified,
❧ Our IT manager says our system is safe…
30. ❧
Most findings in a risk analysis process relate to policy and procedure
deficiencies that tend to be overlooked as a business grows. The Analysis will
become the backbone of your security plan. Findings will indicate a need for
new policies, Business Associate Agreements that you have not needed before
this year, and updates of forms that have always been used and accepted.
DO NOT PANIC! The most important part of the Risk Analysis is the provision
of remediation! At its conclusion you should know what you need to fix, replace, and
issue to be in compliance. Make sure your analysis will provide a plan for
corrective actions!
Mistakes to Avoid
31. ❧
❧ Audits come in different strengths and sizes. Like
everything else, preparation is the key. The benefit
of a completed risk analysis goes beyond knowing
WHAT deficiencies you can identify; it demonstrates
to an auditor that you have performed your due diligence
and strive to be in compliance with ever-changing
rules and regulations.
Prepare Now!
32. ❧
The guidelines we covered today demonstrate the
foundation of the Risk Analysis.
The Office of the National Coordinator for Health IT (ONC) recognizes
one certification:
Certified in Healthcare Privacy & Security (CHPS),
issued by the American Health Information
Management Association.
Is There Help?