Headline News: Anatomy of a VIP Records Breach


Headline News: Anatomy of a VIP Records Breach. Executive Series Webinar, September 24, 2014

Today's Panel
» Kim Roberts, MS, RHIA, CHP, Privacy Specialist, Sparrow Health System, kim.roberts@sparrow.org
» Kurt Long, Founder, FairWarning, Inc., Kurt@FairWarning.com
» Mike Nessen, Customer Community Manager, FairWarning, Inc., Mike@FairWarning.com

Agenda
» Sparrow Health System Introduction
» VIP Records Breach Scenario
» Corrective Action Plan
» Lessons Learned
» Escalating Threats to Data: Patient, Employee, Physician
» Industry News: OCR Audit Update
» Next Steps
» Q&A

Anatomy of a VIP Records Breach Kim Roberts, MS, RHIA, CHP

Background Information
» Location and Background
» Visit from a VIP Government Official
» State of Michigan Inquiry
» OCR Letter of Inquiry

Sequence of Events
» VIP Admitted using alias
» VIP Discharged (Four Day Stay)
» VIP stay released to media by VIP staff
» CPO & CISO meeting re: Access Audit Plan
» Department Directors review of access of identified staff
» Human Resources investigation
» Hospital issued news release re: disciplinary actions taken for privacy policy violations
» Full audit of VIP's records in all systems
» Human Resources notified of inappropriate access
» Sanctions imposed

OCR and State Inquiries & Responses
» OCR Inquiry Received (3 weeks)
» OCR Response
» Formally closed (7 months)
» Response sent
» State Inquiry Received (1 week)
» Second Formal Response and meeting
» Response to the State of Michigan
» Closed with follow-up actions (6 months)

OCR Questions
» Did caregivers impermissibly access medical records as alleged?
» If the impermissible access occurred, when did it occur?
» How did Sparrow discover the alleged occurrences?
» What did Sparrow do as a result of its findings?

Response to the Event
» Position Statement
» Actions Taken to Monitor and Investigate
» Corrective Action Plans Outcome Objectives
» Corrective Action Plan Monitoring

Position Statement
» Chronological Statement of Events
» List Events surrounding the Breach
  » Dates of Admission
  » Alias Name Identification
» Actions Taken to Monitor the Investigation
  » Routine Manual Review of Access Logs

Manual Review of Access Logs
» Prior to Implementing FairWarning
» Concurrent Access Audit Plan
  » Manual Review of Audit Files twice daily
  » Concurrent monitoring of email communications based on name and title
» Retrospective Access Audit Post Discharge
  » Review of 281 caregivers
  » 50 to 60 hours reviewing the medical record (MR) against the Access Logs

VIP Review Workflow
» Email notifications were sent to the Directors, asking them to classify each access as:
  » Access to account or record necessary to do their job
  » More than the minimum necessary
  » Inappropriate review for the role

Dear Colleague: There was a recent visit of a high profile individual in the and the individual had a subsequent. A high level review was conducted by correlating care giver access results to the medical record. A more detailed assessment is needed to determine appropriate access for individuals under your purview. If you determine that access is inappropriate, please contact LCR to assist in the disciplinary investigation. Audit results concerning care giver(s) working in your area are attached for your review and are highlighted. Please complete a User Access Form for each care giver and return the form electronically to me at: Please complete your review within 1 week of the date of this e-mail.
Please consider the following questions as you review:
1) Did the individual access only those accounts or records necessary to do his/her job?
2) Did the individual access only the information contained in the account or record needed to do his/her job (Minimum Necessary)?
3) Was the access appropriate? If so, indicate the reason for access.
Please contact me if I can answer questions or offer assistance.

Corrective Actions Outcome Objectives: Sanctions Applied
» 31 Caregivers were referred to the Department Directors
» 21 Caregivers were Sanctioned
  » 17 Caregivers were Terminated
  » 5 were Suspended and given a Level 3 Discipline

Corrective Actions Outcome Objectives
» Action Plan: Alias Name
» Policy Review for VIPs
» Overview of all Privacy Training
» Remedial Training via E-mail
  » 10 privacy reminders

Corrective Actions Outcome Objectives
» Response to the Media Communications
» Response to Caregivers regarding Sanctions
» Sent Privacy Email Reminders as Training to Caregivers
» News Release pertaining to Disciplinary Action
» Used focus of public attention on policies as an opportunity

Corrective Actions Outcome Objectives: Communications
» Email to the Board of Directors
» Informing them of the Detroit Free Press inquiry and the anticipated news article
» Conducted a Privacy Summit
  » Learning and Planning Objectives

Corrective Actions Outcome Objectives: Compliance Actions and Follow Up
Centralized Electronic Access Monitoring and Reporting
» Description: System Selection, Purchase Decision and Implementation Timeline
» Description: Proactive alert of our designated VIPs
» Examples: VIP record access, or user access to the record of a patient who has requested Total Privacy (average of 800 per month)
» Audit Plan to review 8 patients per month

Corrective Action Plan Monitoring
» The results of the corrective action plan will be monitored in the following ways:
» Using the FairWarning System to conduct routine, random reviews of employee access to patient records under the following circumstances:
  » Patient is a high profile individual (VIP) known to many
  » Caregiver access of the record of a patient with a surname similar to that of the caregiver
  » Access of his/her own record
  » Patient has requested Total Privacy upon registration for services
  » Random review of patient discharges by application
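The manual review described under "Manual Review of Access Logs" and "VIP Review Workflow" (correlating caregiver access against the medical record, then routing each hit to a director for the minimum-necessary questions) and the five monitoring circumstances listed in the corrective action plan above are the same detection problem. The following Python script is an added example, not code from the presentation, from Sparrow Health System or from FairWarning: it runs the five rules over a constructed access log and produces the reviewer work list. It assumes a CSV audit log with timestamp, user, MRN, application and action columns, a patient registry carrying the VIP and Total Privacy registration flags, and a workforce directory that links an employee to the MRN of their own patient record (so self-access can be detected); it treats a "similar" surname as an exact match after lower-casing and stripping non-letters, a simplification of whatever fuzzier matching a real system would use.

```python
"""Flag EHR access events for privacy review using the five review categories
from the corrective action plan. Every data set below is constructed for the
example; no real patients, staff or log records are involved."""
import csv
import io
import random
from collections import defaultdict

# Constructed patient registry: MRN -> registration attributes.
PATIENTS = {
    "MRN1001": {"surname": "Lopez", "vip": True, "total_privacy": False},
    "MRN1002": {"surname": "Nguyen", "vip": False, "total_privacy": True},
    "MRN1003": {"surname": "Patel", "vip": False, "total_privacy": False},
    "MRN1004": {"surname": "Patel", "vip": False, "total_privacy": False},
    "MRN1005": {"surname": "Okafor", "vip": False, "total_privacy": False},
}

# Constructed workforce directory: user id -> surname and, where the employee
# is also a patient, the MRN of their own record (assumed link; needed for
# the "access of his/her own record" rule).
USERS = {
    "u101": {"surname": "Patel", "own_mrn": "MRN1004"},
    "u102": {"surname": "Smith", "own_mrn": None},
    "u103": {"surname": "Lopez", "own_mrn": None},
}

# Constructed audit log (CSV): timestamp, user, MRN, application, action.
SAMPLE_LOG = """ts,user,mrn,app,action
2014-09-01T08:00:00,u102,MRN1003,Star,view
2014-09-01T08:05:00,u102,MRN1001,Star,view
2014-09-01T09:10:00,u101,MRN1004,Impax,view
2014-09-01T09:12:00,u101,MRN1003,Impax,view
2014-09-01T10:00:00,u103,MRN1002,Horizon,view
2014-09-01T10:30:00,u103,MRN1005,Horizon,view
"""


def normalize(name):
    """Lower-case and keep letters only, so 'Patel' and 'PATEL ' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def flag_event(event, patients=PATIENTS, users=USERS):
    """Return the review reasons that apply to one access event.
    An unknown MRN or user yields no reasons: that is a data-quality problem
    for the log feed, not a privacy finding against a caregiver."""
    reasons = []
    patient = patients.get(event["mrn"])
    user = users.get(event["user"])
    if patient is None or user is None:
        return reasons
    if patient["vip"]:
        reasons.append("VIP")
    if patient["total_privacy"]:
        reasons.append("TOTAL_PRIVACY")
    if user["own_mrn"] == event["mrn"]:
        reasons.append("SELF_ACCESS")
    elif normalize(user["surname"]) == normalize(patient["surname"]):
        reasons.append("SURNAME_MATCH")
    return reasons


def review_queue(log_text, sample_per_app=1, seed=0):
    """Parse the log and build the director review list: every rule-flagged
    event, plus a seeded random sample of otherwise clean events from each
    application (the plan's random review of discharges by application)."""
    events = list(csv.DictReader(io.StringIO(log_text)))
    queue, clean_by_app = [], defaultdict(list)
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            queue.append((ev["user"], ev["mrn"], reasons))
        else:
            clean_by_app[ev["app"]].append(ev)
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible
    for app, evs in sorted(clean_by_app.items()):
        for ev in rng.sample(evs, min(sample_per_app, len(evs))):
            queue.append((ev["user"], ev["mrn"], ["RANDOM_" + app.upper()]))
    return queue


if __name__ == "__main__":
    # Each line is one item a department director must answer the three
    # minimum-necessary questions about.
    for user, mrn, reasons in review_queue(SAMPLE_LOG):
        print(user, mrn, ",".join(reasons))
```

Each queue entry carries the reason code, which is what the director needs in order to answer the three questions in the review email: a VIP or Total Privacy hit asks whether the role required the record at all, a surname or self-access hit asks whether the access was for the caregiver's job or for personal reasons. Keeping the random sample seeded and per-application makes the monthly audit reproducible and shows coverage of every system, which is what the audit totals by system chart further down reports.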

Corrective Action Plan Monitoring (continued)
» Evidence of Privacy related training:
  » Orientation training rosters
  » Completion of annual Privacy Test
» HIPAA Privacy Complaint Investigation Process
» Reporting Structure

Lessons Learned
» Sent Privacy Email Reminders as Training
» Proficiency training to include acknowledgement of the requirement to report any alleged violations
» Audit Plan equaled 1% of Total Privacy Patients (including VIPs)
» Final Audit Plan: 22% of 8,000 Total Users

[Chart: July 2009 Audit Totals by System. Series: Self-exams, Random Audits. Vertical axis: Number of Audits (0 to 700). Systems audited: Tsystem, Impax, OB tracevue, Dolbey, Horizon, IRHIS, Syngo, Star.]

Escalating Threats to Patient, Employee & Physician Data
» 45% of all identity theft relates back to the Healthcare Industry. Source: ID Theft Center, July 15, 2014, http://www.idtheftcenter.org/idtheft/data-breaches.html
» 60 Minutes Report: Biggest IRS Scam Around: Identity. Source: http://www.cbsnews.com/news/irs-scam-identity-taxrefund-fraud-60-minutes/
[Timeline chart, Pre-2010 through 2014, of threat categories: Sale of Patient Data to Crime Rings; Sale of Employee Data to Crime Rings; IRS Tax Fraud; Sale of Physician Data to Crime Rings; Medical & Financial ID Theft; Lost laptops, media, paper records; Snooping; Patient Complaints]

Scaling a Criminal Enterprise
» Organized Crime: Taking advantage of healthcare vulnerabilities
» IRS Tax Fraud
» Financial Identity Theft

Healthcare Fraud and Organized Crime
» HHS OIG Fraud Fugitive List; estimated $100 B of fraud per year; 25% use identity theft of patients and physicians in fraud operations. OIG Fugitive Profiles at hhs.oig.gov, http://goo.gl/fygwk1
» Stolen identity with insurance info: $20; credit card info: $1-2 (Dell SecureWorks), http://tinyurl.com/khq2yex
» IRS Tax Fraud: Identity Theft is #1 of the Dirty Dozen. Dirty Dozen Tax Scams, irs.gov, http://goo.gl/lyhf7m
» Healthcare Specific Alerts, irs.gov, http://goo.gl/pqiivv

In The News - Today: HIPAA Audits: A Revised Game Plan
» More On-site Audits Planned, But All Audits on Hold for Now
» What it means to you: Anticipate more comprehensive on-site audits; take advantage of the delay by closing gaps
» Customers tell us that FairWarning streamlines your preparation
» http://www.careersinfosecurity.com/hipaa-audits-revised-game-plan-a-7296

In The News - Today: Meaningful Use Auditors Retract $900K
» Hospital fails to perform mandatory HIPAA Risk Assessment
» What it means to you: Meaningful Use funds are at risk; zero-tolerance policy for failing to document your security risk assessment
» This is a clear opportunity to improve your own information security risk posture, but the window is closing
» http://ehrintelligence.com/2014/09/19/meaningful-use-audit-leaves-arkansas-hospital-owing-900000/

OCR HIPAA Audit Findings: Security Area
[Chart: Total Audit Findings and Observations by Area of Focus and Entity Type. Areas shown: Contingency Planning & Backups; Audit Controls & Monitoring; Access Management.]
Source: Lessons Learned from OCR Privacy and Security Audits: Program Overview & Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013, http://abouthipaa.com/wp-content/uploads/lessons-learned-from-ocr-privacy-and-security-audits-sanches_rinker_03-07-2013.pdf

Escalating Expertise Required
» Pre-2009 (HITECH): Global Investigations; Partial FTE
» Expertise Gap: Removal of Harm Standard; New Reporting & Notification Requirements
» 2013/2014 (Post-HIPAA Omnibus): Security Incident Management; Advanced Analytics, Filtering; Proactive Alerts; Global Investigations; Security, Forensics & Compliance Expertise; OCR Audit Experience; Clinical Data & Workflow Expertise; Investigations & Security Skills

Collaboration for Patients' Sake: FairWarning and our customers envision a healthcare industry in which patients confidently share their sensitive medical details to receive the best care possible without regard to privacy concerns.

Next Steps
» ONC Security Risk Assessment Tool
» For more information, please email Solutions@FairWarning.com
» Managed Privacy Services Advanced Demonstration, October 28, 2014. Register Now
» Are You Ready for Round Two (of HIPAA Compliance Audits)? http://www.natlawreview.com/article/are-you-ready-round-twohipaa-compliance-audits
» A PDF copy of this presentation and the embedded links will be distributed after the event

Questions? Please submit via the Webex Q&A or Chat windows to the right side of your screen

Questions and Answers
» Kim Roberts, MS, RHIA, CHP, Privacy Specialist, Sparrow Health System, kim.roberts@sparrow.org
» Kurt Long, Founder, FairWarning, Inc., Kurt@FairWarning.com
» Mike Nessen, Customer Community Manager, FairWarning, Inc., Mike@FairWarning.com