Headline News: Anatomy of a VIP Records Breach
Executive Series Webinar, September 24, 2014
Today's Panel
» Kim Roberts, MS, RHIA, CHP, Privacy Specialist, Sparrow Health System, kim.roberts@sparrow.org
» Kurt Long, Founder, FairWarning, Inc., Kurt@FairWarning.com
» Mike Nessen, Customer Community Manager, FairWarning, Inc., Mike@FairWarning.com
Agenda
» Sparrow Health System Introduction
» VIP Records Breach Scenario
» Corrective Action Plan
» Lessons Learned
» Escalating Threats to Data: Patient, Employee, Physician
» Industry News: OCR Audit Update
» Next Steps
» Q&A
Anatomy of a VIP Records Breach Kim Roberts, MS, RHIA, CHP
Background Information
» Location and Background
» Visit from a VIP Government Official
» State of Michigan Inquiry
» OCR Letter of Inquiry
Sequence of Events
» VIP Admitted using alias
» VIP Discharged (Four Day Stay)
» VIP stay released to media by VIP staff
» CPO & CISO meeting re: Access Audit Plan
» Department Directors review of access of identified staff
» Human Resources investigation
» Hospital issued news release re: disciplinary actions taken for privacy policy violations
» Full audit of VIP's records in all systems
» Human Resources notified of inappropriate access
» Sanctions imposed
OCR and State Inquiries & Responses
OCR:
» OCR Inquiry Received (3 weeks)
» Response sent
» OCR Response Formally closed (7 months)
State:
» State Inquiry Received (1 week)
» Response to the State
» Second Formal Response and meeting
» Closed with follow up actions (6 months)
OCR Questions
» Did caregivers impermissibly access medical records as alleged?
» If the impermissible access occurred, when did it occur?
» How did Sparrow discover the alleged occurrences?
» What did Sparrow do as a result of its findings?
Response to the Event
» Position Statement
» Actions Taken to Monitor and Investigate
» Corrective Action Plans Outcome Objectives
» Corrective Action Plan Monitoring
Position Statement
» Chronological Statement of Events
» List Events surrounding the Breach
» Dates of Admission
» Alias Name Identification
» Actions Taken to Monitor the Investigation
» Routine Manual Review of Access Logs
Manual Review of Access Logs
Prior to Implementing FairWarning: Concurrent Access Audit Plan
» Manual review of audit files twice daily
» Concurrent monitoring of email communications based on name and title
Retrospective Access Audit Post Discharge
» Review of 281 caregivers
» 50 to 60 hours reviewing the medical record (MR) against the access logs
VIP Review Workflow
» Email notifications were sent to the Directors, asking them to assess each access as:
» Access to an account or record necessary to do their job
» More than the minimum necessary
» Inappropriate review for the role
Dear Colleague:

There was a recent visit of a high profile individual in the and the individual had a subsequent. A high level review was conducted by correlating care giver access results to the medical record. A more detailed assessment is needed to determine appropriate access for individuals under your purview. If you determine that access is inappropriate, please contact LCR to assist in the disciplinary investigation.

Audit results concerning care giver(s) working in your area are attached for your review and are highlighted. Please complete a User Access Form for each care giver and return the form electronically to me at: Please complete your review within 1 week of the date of this e-mail.

Please consider the following questions as you review:
1) Did the individual access only those accounts or records necessary to do his/her job?
2) Did the individual access only the information contained in the account or record needed to do his/her job (Minimum Necessary)?
3) Was the access appropriate? If so, indicate the reason for access.

Please contact me if I can answer questions or offer assistance.
Corrective Actions Outcome Objectives: Sanctions Applied
» 31 Caregivers were referred to the Department Directors
» 21 Caregivers were Sanctioned
» 17 Caregivers were Terminated
» 5 were Suspended and given a Level 3 Discipline
Corrective Actions Outcome Objectives
» Action Plan: Alias Name
» Policy Review for VIPs
» Overview of all Privacy Training
» Remedial Training via E-mail
» 10 privacy reminders
Corrective Actions Outcome Objectives
» Response to the Media Communications
» Response to Caregivers regarding Sanctions
» Sent Privacy Email Reminders as Training to Caregivers
» News Release pertaining to Disciplinary Action
» Used focus of public attention on policies as an opportunity
Corrective Actions Outcome Objectives: Communications
» Email to the Board of Directors, informing them of the Detroit Free Press inquiry and the anticipated news article
» Conducted a Privacy Summit
» Learning and Planning Objectives
Corrective Actions Outcome Objectives: Compliance Actions and Follow Up
Centralized Electronic Access Monitoring and Reporting
» Description: System Selection, Purchase Decision and Implementation Timeline
» Description: Proactive alert of our designated VIPs
» Examples: VIP record access, or user access to the record of a patient who has requested Total Privacy (average of 800 per month)
» Audit Plan to review 8 patients per month
Corrective Action Plan Monitoring
» The results of the corrective action plan will be monitored in the following ways:
» Using the FairWarning System to conduct routine, random reviews of employee access to patient records under the following circumstances:
» Patient is a high profile individual (VIP) known to many
» Caregiver access of the record of a patient with a surname similar to that of the caregiver
» Access of his/her own record
» Patient has requested Total Privacy upon registration for services
» Random review of patient discharges by application
Corrective Action Plan Monitoring (continued)
» Evidence of Privacy related training:
» Orientation training rosters
» Completion of annual Privacy Test
» HIPAA Privacy Complaint Investigation Process
» Reporting Structure
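The four access-review circumstances listed under Corrective Action Plan Monitoring (VIP patient, similar surname, self-access, Total Privacy flag) are a small rule set that can be run over an access log. The following is an added illustration, not Sparrow's audit procedure or FairWarning's product logic; the log layout, the flag tables and every name and MRN are constructed, and the random-review-by-application rule is left out.

```python
"""Flag access-log entries that match the corrective action plan's review rules.

Added example, not Sparrow Health System's or FairWarning's code. The CSV layout,
the VIP / Total Privacy flag sets and all names are constructed for illustration.
"""
import csv
import difflib
import io
from dataclasses import dataclass

# Constructed sample access log: one row per chart access.
SAMPLE_LOG = """\
ts,user_id,user_surname,patient_mrn,patient_surname,app
2014-06-01T08:02,u101,Nguyen,MRN001,Nguyen,EHR
2014-06-01T08:05,u102,Patel,MRN002,Smith,EHR
2014-06-01T08:07,u103,Garcia,MRN003,Garcia,LAB
2014-06-01T09:10,u104,Brown,MRN004,Browne,EHR
2014-06-01T09:12,u105,Lee,MRN005,Jones,RAD
"""

# Constructed registration flags. A VIP admitted under an alias is still
# flagged by MRN, so the alias name never has to appear in the rule.
VIP_MRNS = {"MRN002"}
TOTAL_PRIVACY_MRNS = {"MRN005"}
# Constructed mapping of caregivers who are also patients: user_id -> own MRN.
SELF_MRN = {"u101": "MRN001"}


@dataclass
class Finding:
    ts: str
    user_id: str
    patient_mrn: str
    reason: str


def surname_similar(a: str, b: str, threshold: float = 0.8) -> bool:
    """Case-insensitive surname match with a tolerance for spelling variants."""
    a, b = a.strip().lower(), b.strip().lower()
    return a == b or difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def review_access_log(log_text: str) -> list:
    """Return one Finding per (row, rule) hit, in log order, for a reviewer to work."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["patient_mrn"] in VIP_MRNS:
            reasons.append("vip")
        if row["patient_mrn"] in TOTAL_PRIVACY_MRNS:
            reasons.append("total_privacy")
        if SELF_MRN.get(row["user_id"]) == row["patient_mrn"]:
            reasons.append("self_access")          # own record beats the surname rule
        elif surname_similar(row["user_surname"], row["patient_surname"]):
            reasons.append("similar_surname")
        findings += [Finding(row["ts"], row["user_id"], row["patient_mrn"], r) for r in reasons]
    return findings
```

Each Finding is a review item for the department director, not a verdict; the director still answers the three questions from the Dear Colleague letter before any sanction.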
Lessons Learned
» Sent Privacy Email Reminders as Training
» Proficiency training to include acknowledgement of the requirement to report any alleged violations
» Audit Plan equaled 1% of Total Privacy Patients (including VIPs)
» Final Audit Plan: 22% of Total Users (8,000)
[Chart: July 2009 Audit Totals by System, Self-exams vs. Random Audits. Y-axis: Number of Audits (0 to 700). X-axis: System Audited (Tsystem, Impax, OB tracevue, Dolbey, Horizon, IRHIS, Syngo, Star)]
Escalating Threats to Patient, Employee & Physician Data
» 45% of all identity theft relates back to the Healthcare Industry. Source: ID Theft Center, July 15, 2014, http://www.idtheftcenter.org/idtheft/data-breaches.html
» 60 Minutes Report: Biggest IRS Scam Around: Identity. Source: http://www.cbsnews.com/news/irs-scam-identity-taxrefund-fraud-60-minutes/
[Timeline chart, Pre-2010 through 2014, plotting: Sale of Patient Data to Crime Rings; Sale of Employee Data to Crime Rings; IRS Tax Fraud; Sale of Physician Data to Crime Rings; Medical & Financial ID Theft; Lost laptops, media, paper records; Snooping; Patient Complaints]
Scaling a Criminal Enterprise
» Organized Crime: Taking advantage of healthcare vulnerabilities
» IRS Tax Fraud
» Financial Identity Theft
Healthcare Fraud and Organized Crime
» HHS OIG Fraud Fugitive List: estimated $100B of fraud per year; 25% use identity theft of patients and physicians in fraud operations. OIG Fugitive Profiles at hhs.oig.gov, http://goo.gl/fygwk1
» Stolen identity with insurance info: $20; credit card info: $1-2 (Dell SecureWorks), http://tinyurl.com/khq2yex
» IRS Tax Fraud: Identity Theft is #1 of the Dirty Dozen. Dirty Dozen Tax Scams, irs.gov, http://goo.gl/lyhf7m
» Healthcare Specific Alerts, irs.gov, http://goo.gl/pqiivv
In The News - Today: HIPAA Audits: A Revised Game Plan
» More On-site Audits Planned, But All Audits on Hold for Now
» What it means to you: Anticipate more comprehensive on-site audits; take advantage of the delay by closing gaps
» Customers tell us that FairWarning streamlines your preparation
» http://www.careersinfosecurity.com/hipaa-audits-revised-game-plan-a-7296
In The News - Today: Meaningful Use Auditors Retract $900K
» Hospital fails to perform mandatory HIPAA Risk Assessment
» What it means to you: Meaningful Use funds are at risk; zero-tolerance policy for failing to document your security risk assessment
» This is a clear opportunity to improve your own information security risk posture, but the window is closing
» http://ehrintelligence.com/2014/09/19/meaningful-use-audit-leaves-arkansas-hospital-owing-900000/
OCR HIPAA Audit Findings: Security Area
[Chart: Total Audit Findings and Observations by Area of Focus and Entity Type; areas shown: Contingency Planning & Backups, Audit Controls & Monitoring, Access Management]
Source: Lessons Learned from OCR Privacy and Security Audits, Program Overview & Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013, http://abouthipaa.com/wp-content/uploads/lessons-learned-from-ocr-privacy-and-security-audits-sanches_rinker_03-07-2013.pdf
Escalating Expertise Required
Pre-2009 (HITECH):
» Global Investigations
» Partial FTE
Expertise Gap:
» Removal of Harm Standard
» New Reporting & Notification Requirements
2013/2014 (Post-HIPAA Omnibus):
» Security Incident Management
» Advanced Analytics, Filtering
» Proactive Alerts
» Global Investigations
» Security, Forensics & Compliance Expertise
» OCR Audit Experience
» Clinical Data & Workflow Expertise
» Investigations & Security Skills
Collaboration for Patients' Sake
FairWarning and our customers envision a healthcare industry in which patients confidently share their sensitive medical details to receive the best care possible, without regard to privacy concerns.
Next Steps
» ONC Security Risk Assessment Tool. For more information, please email Solutions@FairWarning.com
» Managed Privacy Services Advanced Demonstration, October 28, 2014
» Are You Ready for Round Two (of HIPAA Compliance Audits)? http://www.natlawreview.com/article/are-you-ready-round-twohipaa-compliance-audits
» A PDF copy of this presentation and the embedded links will be distributed after the event
Questions? Please submit via the Webex Q&A or Chat windows to the right side of your screen
Questions and Answers with the panel: Kim Roberts, Kurt Long and Mike Nessen