ASSISTED LIVING ASSOCIATION OF ALABAMA 2019 FALL CONFERENCE - PowerPoint PPT Presentation



SLIDE 1

ASSISTED LIVING ASSOCIATION OF ALABAMA

2019 FALL CONFERENCE

Samarria M. Dunson, J.D., CHC,CHPC

SLIDE 2

Topics of Discussion

  • HIPAA/HITECH
  • Alabama Data Breach Notification Act
  • State Confidentiality Statutes
  • High Priority Threats to the Health Care Industry
  • Insider Threats
  • Email, Texting & Personal Cell Phone Usage
  • Social Media

SLIDE 3

HIPAA/HITECH

  • Privacy Rule
  • Security Rule
  • Breach Notification Rule

SLIDE 4

Record Year for HIPAA Enforcement

Date      | Covered Entity                 | Amount      | Violation
January   | Filefax, Inc.                  | $100,000    | Impermissible disclosures of paper records and insufficient physical safeguards
January   | Fresenius Medical Care         | $3,500,000  | Lack of adequate risk analysis, failure to utilize encryption, impermissible disclosures, inadequate policies
June      | MD Anderson                    | $4,348,000  | Impermissible disclosures of electronic PHI and lack of encryption
August    | Boston Medical Center          | $100,000    | Filming patients without consent
September | Brigham and Women's Hospital   | $384,000    | Filming patients without consent
September | Massachusetts General Hospital | $515,000    | Filming patients without consent
September | Advanced Care Hospital         | $500,000    | Impermissible disclosures, failure to obtain Business Associate Agreements, failure to implement an adequate HIPAA compliance program
October   | Allergy Associates of Hartford | $125,000    | Impermissible disclosure and failure to sanction an employee for a HIPAA violation
October   | Anthem, Inc.                   | $16,000,000 | Lack of adequate risk analysis, failure to monitor electronic PHI activity, failure to adequately respond to the breach, insufficient safeguards to prevent inappropriate disclosures
November  | Pagosa Springs                 | $111,400    | Failure to terminate employee access and failure to obtain Business Associate Agreements
December  | Cottage Health                 | $3,000,000  | Lack of adequate risk analysis, failure to implement an adequate compliance program, failure to obtain Business Associate Agreements

SLIDE 5

Protected Health Information (PHI)

Individually identifiable health information about an individual’s past, present, or future medical or mental condition, transmitted or maintained in any form by a covered entity

SLIDE 6

Examples of Protected Health Information

  • Name
  • Address
  • Date of Birth
  • Date of Service
  • Diagnosis
  • Social Security Number
  • Telephone Number
  • Fax Number
  • E-mail Address
  • Medical Record Number
  • Account Number
  • Full Face Photo
  • Fingerprints
  • License Number
  • Vehicle Identifier Number
  • Web URL
  • IP Address
  • Other Identifiers

Exception: Employment and Education Records

SLIDE 7

Who is Required to Follow HIPAA Regulations?

  • Health Care Providers
  • Health Care Clearinghouses
  • Health Plans
  • Business Associates

*If they transmit any information in electronic form in connection with a transaction for which HHS has adopted standards

SLIDE 8

Examples

Covered Entities

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
  • Home Health Agencies

Business Associates

  • CPA/Law Firms That Access PHI to Provide Services
  • Medical Transcriptionists
  • Record Storage Companies
  • Record Disposal Companies
  • Answering Services
  • Medical Equipment Service Providers of Equipment Holding PHI

SLIDE 9

Business Associate Agreements

SLIDE 10

Data Breach Cost Per Record

Average cost per breached record, by industry:

  • Health: $408.00
  • Financial: $206.00
  • Technology: $170.00
  • Education: $166.00

SLIDE 11

Alabama Breach Notification Act

  • History
  • PHI v. PII
  • Business Associate v. 3rd Party Agent
  • Notification
  • Alabama Deceptive Trade Practices Act

SLIDE 12

Alabama Confidentiality Statutes

  • Mental Health
  • Notifiable Diseases
  • Standard of Care*

SLIDE 13

Biggest Threats in the Health Care Industry

  • E-mail phishing attacks
  • Malware, ransomware and viruses
  • Attacks against connected medical devices that may affect patient safety
  • Weak or ineffective usernames and passwords to systems containing PHI/PII
  • Loss or theft of equipment with PHI/PII
  • Insider Threats

SLIDE 14

INSIDER THREATS

SLIDE 15

INSIDER THREATS

  • Works Odd Hours
  • Remotely Accesses Entity Systems at Odd Times
  • Interest in Matters Outside the Scope of Their Employment
  • Unexplained Affluence
  • Overwhelmed by Life or Career Circumstances
  • Unnecessarily Takes Proprietary Information Home

SLIDE 16

Inappropriate Disclosures

SLIDE 17

Risk Assessment

SLIDE 18

Risk Assessment

  • Protects the Confidentiality, Integrity and Availability of health data (CIA)
  • Ensures compliance with the Administrative, Physical and Technical Safeguards
  • Identifies areas of weakness within an organization and requires appropriate remedies (patches, firewalls, etc.)

SLIDE 19

Termination Procedures

SLIDE 20

Termination Procedures

  • Terminate access to PHI, ePHI and PII
  • Collect keys to doors and filing cabinets
  • Change passwords and passcodes
  • Ensure that the workforce is aware of the departure
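
Two of the points in this deck are checks that can be run on routine data: slide 15 names remote access at odd times as an insider-threat indicator, and this slide (together with the Pagosa Springs finding on slide 4, a settlement for failure to terminate employee access) requires that access be cut when a workforce member departs. The script below is an added example, not material from the presentation or its author. It reconciles an HR termination roster against an application access log and flags any activity by a user after their last working day, and any remote (VPN) activity outside business hours. The CSV layouts, the two sample data sets and the 07:00-19:00 business-hours window are all constructed for the example.

```python
"""Two access-control checks drawn from the insider-threat and termination
slides above.  All data and field layouts here are constructed assumptions;
this is an added example, not code from the presentation."""
import csv
import io
from datetime import date, datetime, time

# Constructed HR roster: user and last working day (assumed CSV layout).
TERMINATIONS_CSV = """user,termination_date
jdoe,2019-09-13
mlee,2019-09-20
"""

# Constructed access log: ISO timestamp, user, source, action (assumed layout).
ACCESS_LOG_CSV = """timestamp,user,source,action
2019-09-12T14:02:11,jdoe,onsite,view_chart
2019-09-16T09:30:44,jdoe,vpn,view_chart
2019-09-17T02:15:03,asmith,vpn,export_report
2019-09-17T10:05:59,asmith,onsite,view_chart
2019-09-18T11:12:00,rkim,vpn,view_chart
2019-09-21T23:40:12,mlee,vpn,view_chart
"""

# Assumed business-hours window; anything outside [07:00, 19:00) is "odd hours".
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_terminations(text):
    """Return {user: last_working_day} from the HR roster."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["user"]: date.fromisoformat(row["termination_date"]) for row in reader}


def parse_access_log(text):
    """Return the access log as a list of dicts with the timestamp parsed."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True when the timestamp falls outside the business-hours window."""
    start, end = hours
    return not (start <= ts.time() < end)


def stale_access_events(events, terminations):
    """Events by a terminated user dated after their last working day.

    Access is expected to be cut by the end of the last day, so any activity
    on a later date means the termination procedure was not completed.
    """
    return [
        e for e in events
        if e["user"] in terminations and e["timestamp"].date() > terminations[e["user"]]
    ]


def off_hours_remote_events(events, hours=BUSINESS_HOURS):
    """Remote (VPN) events outside business hours: the slide-15 indicator."""
    return [e for e in events if e["source"] == "vpn" and is_off_hours(e["timestamp"], hours)]


def run_checks(log_text=ACCESS_LOG_CSV, roster_text=TERMINATIONS_CSV):
    """Run both checks and return the flagged events keyed by finding type."""
    events = parse_access_log(log_text)
    terminations = parse_terminations(roster_text)
    return {
        "stale_access": stale_access_events(events, terminations),
        "off_hours_remote": off_hours_remote_events(events),
    }


if __name__ == "__main__":
    for finding, hits in run_checks().items():
        for e in hits:
            print(f"{finding}: {e['user']} {e['timestamp'].isoformat()} "
                  f"via {e['source']} ({e['action']})")
```

On the sample data the stale-access check flags jdoe (active three days after termination) and mlee (the day after), and the off-hours check flags asmith's 02:15 VPN export and mlee's 23:40 VPN session; the mlee event trips both checks, which is the combination worth investigating first. Run against real exports, both checks only work if the roster and the log use the same user identifier and the business-hours window reflects the facility's actual shifts.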

SLIDE 21

SOCIAL MEDIA

SLIDE 22

SOCIAL MEDIA

SLIDE 23

SOCIAL MEDIA

SLIDE 24

Breaches of PHI and ePHI

A breach is defined as an impermissible use or disclosure that compromises the security or privacy of PHI or ePHI

  • Exception
  • Mitigation
  • Encryption Safe Harbor

SLIDE 25

Breach Notification

  • Timeline
  • Content of notification
  • What if there is a criminal investigation?

SLIDE 26

Civil Monetary Penalties for HIPAA Violations

Violation Tier                  | Amount Per Violation | Cap for Violations of an Identical Provision in a Calendar Year
Did Not Know                    | $114 - $57,051       | $28,525
Reasonable Cause                | $1,141 - $57,051     | $114,102
Willful Neglect - Corrected     | $11,182 - $57,051    | $285,255
Willful Neglect - Not Corrected | $57,051              | $1,711,533

SLIDE 27

Civil Monetary Penalties for Alabama Breach Notification Act Violations

  • Enforced by the Attorney General
  • Not to exceed $500,000 per breach
  • For notification violations, civil monetary penalties not to exceed $5,000 per day

SLIDE 28

Criminal Penalties

The American Recovery and Reinvestment Act of 2009 (ARRA) expanded HIPAA by providing that criminal penalties can be applied to employees and others who wrongfully disclose individually identifiable health information.

SLIDE 29

Workstations

  • Automatic log out
  • Turn papers over when visitors are present
  • Computer monitor positioning/Office windows
  • Two (2) barrier protection for PHI

SLIDE 30

VOLUNTEERS & VISITORS

SLIDE 31

CONTACT INFORMATION:

Samarria M. Dunson, J.D., CHC, CHPC
Balch & Bingham, LLP
105 Tallapoosa St., Suite 200
Montgomery, Alabama 36104
(334) 834-6500
samarria@dunsongroup.com