HIPAA/HITECH Checks & Test Suite
Presented by Esad Ismailov, October 2016


Page 2

©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc.

HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:

• Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
• Reduces health care fraud and abuse;
• Mandates industry-wide standards for health care information on electronic billing and other processes; and
• Requires the protection and confidential handling of protected health information.

The HIPAA Privacy Rule was created to limit the release of a patient's protected health information without authorization. The privacy rule restricts any "covered entity" from releasing protected health information to third parties unless there is a valid authorization signed by the patient or the release of information fits within one of the regulatory exceptions.

In general, protected health information is information that identifies a patient, or can be used to identify a patient, and relates to (1) a person's past, present or future health condition, (2) the provision of healthcare, or (3) the payment for the provision of healthcare. Protected information can include such things as names, addresses, birthdates, Social Security numbers and the records from a patient's visit to a provider.

Page 3


The Department of Health and Human Services can only enforce HIPAA-related penalties against "covered entities" as they are defined by the regulations. The regulations define covered entities as healthcare providers, health plans and healthcare clearinghouses who engage in any number of electronic transactions.

A healthcare provider under HIPAA is a person or company that furnishes, bills or is paid for health care. This definition is fairly broad and encompasses not only hospitals and physicians, but also chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. However, the true scope of parties that are affected by HIPAA does not end there.

A number of employers have also found that they are covered entities under HIPAA because of their activities running a group health plan for their employees. Typically, these employers are electing to be treated as "hybrid entities" to limit the effect of HIPAA's restrictions to the specific section of their organization that runs the health plan. However, even as a hybrid entity, these employers must undergo all of the typical HIPAA preparation activities, and this can be an expensive proposition.

Finally, there are many companies or individuals that provide services to covered entities that require the use of protected health information. These companies or individuals are called business associates. While they are not liable for penalties under HIPAA, they will find that many business contracts will have to be renegotiated and business practices changed to reflect the privacy requirements.

Page 4


The most common types of covered entities that are required to take corrective actions to achieve voluntary compliance are:

• Private Practices
• General Hospitals
• Outpatient Facilities
• Pharmacies, and
• Health Plans (group health plans and health insurance issuers)


Page 6


According to the US Department of Health and Human Services Office for Civil Rights, between April 2003 and January 2013 they received 91,000 complaints of HIPAA violations, in which 22,000 led to enforcement actions of varying kinds (from settlements to fines) and 521 led to referrals to the US Dept of Justice (criminal actions).

Examples of significant breaches of protected information and other HIPAA violations include:

• the largest loss of data, which affected 4.9 million people, by Tricare Management of Virginia in 2011;
• the largest fine, $4.3 million, levied against Cignet Health of Maryland in 2010 for ignoring patients' requests to obtain copies of their own records and repeatedly ignoring federal officials' inquiries;
• the first criminal indictment, lodged in 2011 against a Virginia physician who shared information with a patient's employer "under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat."

• In February 2015, health insurance company Anthem suffered a data breach that compromised an estimated 78 million people. Privacy Analytics crunches the numbers in their infographic, estimating a company will spend $208 per person after a breach. This is a potential cost of more than $16 billion for Anthem, even before fines from OCR. Some other breaches that occurred last year include several BlueCross BlueShield companies such as Premera, CareFirst, and Excellus. With another 20 million or so affected in these breaches, the costs will be extraordinary.


Page 8


Ransomware

• Another form of data breach is becoming increasingly prevalent and has already struck several healthcare organizations this year. Ransomware is a type of malware that limits or prevents users' access to their system.

• In February 2016, Hollywood Presbyterian Medical Center in Los Angeles was paralyzed by hackers when they took over its computer systems and demanded millions of dollars in Bitcoin in exchange for its return, although in the end they settled for much less. Needless to say, this represents a very serious situation affecting many lives and sensitive information.

• A large computer network of MedStar Health in Washington DC was brought to a screeching halt by a cyber attack, forcing personnel to perform functions manually and, ultimately, to turn away some patients, of whom MedStar has hundreds of thousands. This breach is currently being investigated by the FBI.

• In addition to what it costs to handle the people affected by a data breach, healthcare systems are subject to fines from OCR. In 2014, New York Presbyterian Hospital and Columbia University settled with OCR at a combined $4.8 million for a joint breach. This is an extreme example, but Cancer Care Group, Inc. recently settled for $750,000 and St. Elizabeth's Medical Center is paying approximately $218,000 for their HIPAA breach. The penalties for HIPAA violations add up very quickly.

Page 9


Challenge: Collecting Data

What you use… / What you need to keep…
• Current project files
• Current reference docs

What is this? (Dark Data)
• Client records
• Employee records
• Previous project files

Page 10


[Most collected] data is garbage… 80% of data collected has no meaning whatsoever*

Only 28% of data stored today represents any value to day-to-day business*

Average cost of Data Management is 3.5% of revenue**

* IDC Advisory & Research Services
** Forbes

Page 11


Privacy and Information Security Concerns
• Mobile access to content is a security risk
• “Social” software can expose data more easily

Information Governance Challenge
• Accountability for regulated data
• Audits for security and controls
• Scalability

Page 12


HIPAA Compliance / Compliance Guardian

Risk Assessment: Perform Data Discovery using the OOTB HIPAA/HITECH, PII and PHI Test Suites (templates).

Policies and Procedures: From the “Data Discovery”, understand how well your policies and procedures are in place and apply corrective measures where necessary. Also, translate your existing policies and procedures into an automated “privacy and security control” solution. Automatically tag, classify and apply security controls to data at rest and in motion.

Training: Maintain an indirect user awareness-raising program with Compliance Guardian’s Violation Alerts and Incident Management System (IMS).

Audit: See who did what and when with a centralized IMS view of all violations. Be HIPAA/HITECH “Audit Ready” for both internal and external audits.


Page 14


1) Compliance Guardian HIPAA/HITECH Test Suite
2) Support Vector Machine*
3) Identify Exact Matches – Fingerprint Check

Page 15


Compliance Guardian HIPAA Checks Overview

A check is an XML file that defines the logic that Compliance Guardian uses to check files. Checks identify the purpose of the check (the type of check to run, such as a pattern of characters), the condition for the check (such as a social security number pattern), and the possible result of the check (true or false). Users can change the values in the checks to determine the check conditions, but the elements’ specific format defined by Compliance Guardian in the checks must stay the same.

HIPAA/HITECH Checks (part 1)

Page 16


Compliance Guardian HIPAA Test Suite Overview

A test suite is a logical grouping of test definition files, or a set of checks, that defines how to present the scanned data. Test suites allow you to build scan plans for your specific regulations and requirements. These collections are the basis of Compliance Guardian scans. A test suite contains one or more checks and a configuration file that is used to define how to combine these checks and set risk levels for scan results.
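To make the two concepts on pages 15 and 16 concrete, here is an added example, written for this transcript and not taken from Compliance Guardian or AvePoint: a minimal model in which each check is an XML element with a purpose (check type), a condition (a regular expression such as an SSN pattern) and a true/false result, and a suite configuration combines the checks and maps the checks that fired to a risk level. The element and attribute names (`<check>`, `<condition>`, `<suite>`, `<rule>`, `requires`), the regular expressions and the sample files are all constructed for the illustration; Compliance Guardian's real XML format is not shown on these slides.

```python
"""Added example (not Compliance Guardian's own schema or code): a minimal model of
"checks" defined in XML and a "test suite" that combines them and assigns risk levels.
Element and attribute names (<check>, <condition>, <suite>, <rule>, requires=...) and
all sample content are constructed for this illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed check definitions. Each check states its purpose (type="pattern"),
# its condition (a regular expression) and, when run, yields True or False per file.
CHECK_XML = r"""
<checks>
  <check id="SSN" type="pattern">
    <condition>\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b</condition>
  </check>
  <check id="MRN" type="pattern">
    <condition>\bMRN[:\s]*\d{6,10}\b</condition>
  </check>
  <check id="DOB" type="pattern">
    <condition>\b(?:DOB|Date of Birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b</condition>
  </check>
</checks>
"""

# Constructed suite configuration: which checks are combined and how the risk
# level of a file follows from the checks that fired (rules listed highest first).
SUITE_XML = """
<suite name="HIPAA-PHI-demo">
  <rule risk="High"   requires="SSN MRN"/>
  <rule risk="Medium" requires="SSN"/>
  <rule risk="Medium" requires="MRN"/>
  <rule risk="Low"    requires="DOB"/>
</suite>
"""


def load_checks(xml_text):
    """Parse check definitions into {check id: compiled regex}."""
    checks = {}
    for node in ET.fromstring(xml_text).findall("check"):
        if node.get("type") != "pattern":
            raise ValueError(f"unsupported check type: {node.get('type')!r}")
        checks[node.get("id")] = re.compile(node.findtext("condition").strip())
    return checks


def run_checks(checks, text):
    """Evaluate every check against one file's text: {check id: True/False}."""
    return {cid: bool(rx.search(text)) for cid, rx in checks.items()}


def load_suite(xml_text):
    """Parse the suite into an ordered list of (risk level, set of required check ids)."""
    root = ET.fromstring(xml_text)
    return [(rule.get("risk"), frozenset(rule.get("requires").split()))
            for rule in root.findall("rule")]


def risk_level(rules, results):
    """Risk of the first rule whose required checks all fired, or 'None'."""
    fired = {cid for cid, hit in results.items() if hit}
    for risk, required in rules:
        if required <= fired:
            return risk
    return "None"


def scan(files, check_xml=CHECK_XML, suite_xml=SUITE_XML):
    """Scan {file name: text}; returns {file name: (risk level, sorted ids of checks that fired)}."""
    checks = load_checks(check_xml)
    rules = load_suite(suite_xml)
    report = {}
    for name, text in files.items():
        results = run_checks(checks, text)
        report[name] = (risk_level(rules, results),
                        sorted(cid for cid, hit in results.items() if hit))
    return report


# Constructed sample files standing in for scanned content.
SAMPLE_FILES = {
    "intake_form.txt": "Patient Jane Roe, DOB: 04/12/1970, MRN: 00482913, SSN 123-45-6789",
    "invoice.txt": "Invoice 2016-0042, amount due $120.00, thank you for your payment",
    "referral.txt": "Referral for MRN 7781234 to cardiology; Date of Birth: 1/2/1965",
}

if __name__ == "__main__":
    for name, (risk, fired) in scan(SAMPLE_FILES).items():
        print(f"{name}: risk={risk} checks fired={fired}")
```

The split matches the slides' division of labour: the check files carry only conditions that users may tune (here the regular expressions), while the suite file decides how checks combine and which risk level a combination earns, so a scan plan for a different regulation reuses the same checks with a different suite.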

Page 25

SVM (part 2)

[Figure: document categories – Health Forms, Insurance Forms, Medical Reports, Clinical Results]

Page 26

[Figure: Step 1, Step 2]

Page 27

Identify Exact Matches – Fingerprint Check (part 3)
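The third agenda item, identifying exact matches with a fingerprint check, survives only as a slide title here. As an added illustration of the idea, not Compliance Guardian's algorithm or code, the following example reduces a set of known-sensitive records to hashes and flags a scanned file only when a line of it is an exact (whitespace- and case-normalized) copy of one of those records. The records, file contents and the `patient-NNNN` labels are constructed for the example; the point it makes is that a fingerprint check complements the pattern checks above, since a file that merely mentions an MRN is not an exact-match hit.

```python
"""Added example (illustrative, not Compliance Guardian's own code): an exact-match
"fingerprint" check. Known-sensitive records are stored only as SHA-256 hashes of
their normalized text, and a scanned file is flagged when one of its lines
reproduces a protected record exactly. All records and files are constructed."""
import hashlib
import re


def normalize(record):
    """Collapse whitespace and case so trivial reformatting does not defeat the match."""
    return re.sub(r"\s+", " ", record).strip().lower()


def fingerprint(record):
    """Hash of the normalized record; the index never keeps the plaintext."""
    return hashlib.sha256(normalize(record).encode("utf-8")).hexdigest()


def build_index(records):
    """{fingerprint: record label} built from {label: protected record text}."""
    return {fingerprint(text): label for label, text in records.items()}


def fingerprint_check(index, text):
    """Labels of protected records that appear verbatim (one per line) in text."""
    hits = []
    for line in text.splitlines():
        label = index.get(fingerprint(line))
        if label is not None and label not in hits:
            hits.append(label)
    return hits


# Constructed protected records (e.g. rows exported from a patient register).
PROTECTED_RECORDS = {
    "patient-0001": "Roe, Jane | 1970-04-12 | MRN 00482913 | Diagnosis: Type 2 diabetes",
    "patient-0002": "Doe, John | 1965-01-02 | MRN 07781234 | Diagnosis: Hypertension",
}

# Constructed files to scan: an exact copy with changed case and spacing, a
# verbatim copy of both records, and a memo that only mentions an MRN.
SAMPLE_FILES = {
    "export.csv": "roe,  jane | 1970-04-12 | mrn 00482913 | diagnosis: type 2 diabetes\nnothing else",
    "notes.txt": ("Doe, John | 1965-01-02 | MRN 07781234 | Diagnosis: Hypertension\n"
                  "Roe, Jane | 1970-04-12 | MRN 00482913 | Diagnosis: Type 2 diabetes"),
    "memo.txt": "Doe, John called about MRN 07781234 (no diagnosis listed)",
}


def fingerprint_scan(files, records=PROTECTED_RECORDS):
    """Scan {file name: text}; returns {file name: [labels of exact-match records]}."""
    index = build_index(records)
    return {name: fingerprint_check(index, text) for name, text in files.items()}


if __name__ == "__main__":
    for name, hits in fingerprint_scan(SAMPLE_FILES).items():
        print(f"{name}: exact matches={hits}")
```

Because only hashes are indexed, the check can be distributed to scanning agents without handing them the protected data itself; the trade-off is that anything short of an exact normalized copy (a record with one field altered, or the memo above) is not detected, which is why the slides pair this check with pattern-based checks and a classifier.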
