HIPAA Compliance Basics
In this webinar, Sam Roden, Director of SMB Merchant Compliance, covers:
- What it means to be HIPAA compliant
- The benefits of complying with HIPAA standards
- What your organization can do to improve your HIPAA efforts
This webinar was hosted on July 11th, 2018.
Learn more about HIPAA solutions from SecurityMetrics.
0:00 Alright everyone. So we're going to get started. Welcome to our HIPAA Basics webinar, the what, why and how. My name is Andrew and I work in marketing here at SecurityMetrics. Our presenter today will be Sam Roden, who is the director of SMB Merchant compliance here at SecurityMetrics. Sam has over seven years of experience helping small healthcare practices and covered entities improve their HIPAA compliance efforts and helping them to strengthen their data security as well. So we're looking forward to hearing from him. He's going to give us some good advice about how you can improve your security posture at your organization.
So just a couple of housekeeping items before we get started. First of all, we are recording this webinar. So as we finish this webinar today, if you'd like to share it with others in your organization, or if you'd like to go back and review it, we will be sending out the recording as well as the slide deck and we'll send that to the email address that you used to register for this webinar. So stay tuned for that in the next couple of days.
1:19 Also at the conclusion of this webinar today, we will have a Q&A session. So if you have any questions that arise during the webinar, feel free to chat those in using your GoToWebinar control panel. We will address as many of those questions as we can and if we don't get to your specific question today, we will have someone reach out to you on an individual basis to make sure that you get the answers that you need. All right. Well, thanks again everyone for joining us. I'm going to go ahead and turn the time over to Sam. Thanks.
1:58 Thanks, Andrew and thanks again for everyone who's attending today. Hopefully you’ll find some of this information to be really helpful. We will go over some of the basics, give you some background about HIPAA, help you understand what HIPAA compliance really is, what it accomplishes and then some tools and resources and some things that can help you along your path to HIPAA compliance.
Regardless of how well educated an organization is or how experienced people are, there are gaps that need to be filled with HIPAA compliance. There are always ways to improve and to better understand what needs to happen. So if you do have questions let us know because we won't be diving too deep into specific requirements or your specific circumstances. If there are specifics that you'd like to discuss, we would be happy to schedule a call and discuss those with you individually as well.
2:57 The whole purpose of HIPAA is to protect you from any kind of attempted breach or from somebody that's trying to access the secure information. And so even though we hope that never happens to you or your organization, it's always important to be prepared and to prevent those attempts from happening in the first place. Breaches within the healthcare industry are not going away. It's a pretty targeted industry right now. And a lot of expensive mistakes have been made by organizations in this regard. Here are a couple of recent headlines that you may be familiar with. Here there were 36,000 people notified of potential data breach with this Ransomware attack on Urology center in Austin. There was a Hospital in Florida, as you can see, they had to pay 5.5 million to settle a patient record breach. So it's very expensive and it's not going away. They're happening more and more frequently. Just to help you understand that because you're in this industry, unfortunately, there are a lot of people that are targeting this sensitive information.
4:21 Here is another one, 550 thousand customers at risk because of a data breach. So not only is your organization at risk, but all of your patient and customer information is at risk and it is important that we take care of that. In 2017, 24% of all data breaches were healthcare-related. If you think about the number of different industries that are out there in the world, 24% of breaches is a very high proportion. This is not necessarily to scare you but just for information purposes. This is an industry that's being targeted pretty heavily and has been for the last couple of years. How are they doing it? Here are the leading causes of data breaches over the last several years.
5:13 The blue line on the chart that continues to go higher and higher is hacking attempts. As we get better at addressing those issues and understanding what we can do to prevent those attacks, that number is going to go down. The second highest cause of data breaches in the last few years, that green bar, is employee error or negligence. This is a lack of understanding of the risks involved and what we can do to protect them from happening.
When HIPAA is taken seriously these are the three main wins for you as an organization. You're going to decrease your liability, increase your overall security within the organization and prevent potentially very costly HIPAA fines and fees. There are categories of violations in the HIPAA world. The most severe is where you knew you were not meeting HIPAA regulations and you weren't doing anything about it. This is a term that the HIPAA standards refer to as willful neglect and the fees can be up to $50,000 per violation. There are smaller fines for those that are doing their best and have a game plan in place or could not have reasonably avoided one of these breaches from happening, those are about $100 per violation.
6:55 So there's huge value in understanding HIPAA, having a game plan and starting to move towards that end goal of meeting all of these standards. HIPAA stands for the Health Insurance Portability and Accountability Act and this is a federal regulation that was designed to provide privacy standards to protect information and also to give patients rights to their personal information in regards to health care related data. It is separated out into these three main rules.
7:49 The Privacy Rule is the rule most familiar to our customers. Having your notice of privacy practices posted and keeping information confidential between patients and doctors is what the Privacy Rule addresses. The Security Rule addresses the technical aspect of your business including firewalls and encryption. It's to secure that information, to ensure that the systems, the connections and the way that you're storing information is secure. And finally the Breach Notification Rule requires covered entities to have a policy and procedures in place so that if a breach does take place there's a plan.
8:51 So who's required to become HIPAA compliant? If you're attending today, hopefully you already know that you need to be HIPAA compliant. The majority of organizations that we work with on HIPAA compliance are listed as Covered Entities.
9:07 These are organizations that have a direct relationship with patients or they have a direct relationship with the patient's information. Health plans, health care clearinghouses and health care providers are the three main categories of covered entities. Even if you are not a healthcare organization and don't directly work with patients, if you are a business associate, which is an organization that works with a covered entity and has some amount of access to that PHI, Protected Health Information, you may also be required to become HIPAA compliant.
9:53 This is one of the more recent standards and regulations that have been released by HIPAA to ensure that everyone that's handling that information is doing it securely. As a covered entity, if you work with other organizations that have access to PII, your HIPAA compliance requires that you have business associate agreements with those organizations in place and that they validate for you that they're meeting the HIPAA standards.
Here are a couple of common misconceptions. A lot of the smaller organizations we work with feel like HIPAA is not a big deal for them. They say, “We're just little, nobody's going to care what we're doing. We don't need to worry about HIPAA compliance.” Or some of them feel like because they are so small, it's not required for them. Unfortunately, both of those things are misconceptions.
11:03 In fact, sometimes the smaller organizations are ones that are the easiest targets for hackers because they know that there aren’t as many resources to protect your business. If you are handling patient information, regardless of the size of your organization, you are required to meet HIPAA standards.
11:22 This one I actually heard this week speaking with an organization. They said, “We go to a seminar a couple of weekends a year where we're getting some of our CE credits and they talk about HIPAA. So yeah, we're good. We're HIPAA compliant. We fulfilled that requirement.” The training piece is an important part of HIPAA compliance, but there's a lot more that goes into it.
Some of you are familiar with the HIPAA compliance process. We'll talk through it in just a few slides. There's a portion of this called a Risk Analysis. We have a number of organizations who say, “We did our preliminary risk analysis. So we're taken care of.” But there are some additional things that need to happen after that risk analysis takes place to become compliant. We do have some organizations that feel like, “Hey, we kind of understand HIPAA, we feel like we can do this on our own. We don't have a lot of background or legal or IT expertise but we feel like we can figure it out now.”
Unfortunately, for most of the organizations that go down that road, it becomes overwhelming very quickly. When you start to realize all of the knowledge you have to have and the amount of implementation that needs to take place to become HIPAA compliant there's a huge benefit in using some resources to help you along that path. HIPAA can seem very complicated but as you work with an organization and use the resources that are available to you, you can start to break it down into bite-sized pieces and understand that this is something that you can do. It might not happen overnight but there are resources that will allow you to meet the requirements outlined by HIPAA.
13:10 The Privacy Rule is an important piece of HIPAA. Many organizations feel like that is all HIPAA entails. “We've got our notice of privacy practices posted, we're good, we've completed all of this.” And many of those organizations just don't realize that there are additional requirements, especially those addressed in the Security Rule. So how can SecurityMetrics help and what does the compliance process look like? We'll discuss that right now. We've broken it down into four easy steps. Step one is Breach Protection Consulting, step two is a Guided Risk Analysis, step three is the Risk Management Plan Implementation and then fourth is Ongoing Compliance Efforts to ensure that you continue to meet HIPAA compliance moving forward.
Breach Protection Consulting is not mandated by the Office for Civil Rights and the office of Health and Human Services. It is something that we've done with our experience in data security and our experience in the industry to help prioritize some of the big risk issues right up front. We analyze the top risks to your organization. We look to see if there is something you don’t have in place that could increase your overall security before you go through the rest of the HIPAA requirements. Here is our list of some of the things that we found are vital to protecting your business. Many organizations aren't doing all of these things to protect their business.
14:49 The first step for HIPAA is to complete a risk analysis. This is a systems inventory. It allows you to document and track the systems that you're using, how the patient information is being handled and stored as well as understanding what risks need to be addressed as you meet these HIPAA compliance standards. So you can see the categories in the systems inventory including software, hardware and any mobile devices. We will generate a report for you that lists the potential risks involved with using the software or hardware that you are using. This allows you to have an at-a-glance view of what needs to take place and some of the risks that are involved.
16:02 Once that analysis has been done and once you understand what those risks are, the next step is to fix them. So with this risk management, we go through the entire set of HIPAA requirements and some best practice items with you. Between the requirements and the best practice regulations, there are about 136 implementation specifications or requirements that have to be met to be HIPAA compliant. This includes some policy and procedure documents that have to be in place. To help out with that we provide unlimited support with our HIPAA team.
So that you can see what this looks like, we've broken it down into milestones and provided a progress chart.
It’s not expected that you’ll do this overnight. For some organizations it can be several months or a year or two depending on where you currently are with HIPAA. As far as the documentation is concerned though, that piece of HIPAA compliance is extremely vital. This portal allows you to document your plan and if you can show that you have a plan in place you're going to be a lot better off as far as the fees and fines are concerned.
17:50 Each of these requirements addressed within this portal allows you to assign a person within your organization to take care of it, set a target date and put in notes. That provides a really good framework as you start working through HIPAA compliance.
18:09 So once that's done, once you've worked through and verified that you're meeting those regulations, the next step is to maintain HIPAA compliance throughout your organization. Becoming HIPAA compliant is not a single event. It's not something that you can check the box to and never worry about again. It's an ongoing process. And so having a place to store your progress, to track what's done and to document your policies and procedures is extremely helpful. Part of this ongoing compliance includes training your employees to make sure that these policies and procedures are being followed. We can provide that training. We have online courses to ensure that the staff is staying educated on HIPAA.
19:19 Small organizations don't always have a bunch of money lying around to put towards something like this. Let's talk a little bit about pricing options. We start out at about $500 you can have access to the portal and you can have access to a lot of our resources. Then moving up all the way up into the tens of thousands of dollars if you want a full on-site assessment. There are plenty of options for you and many are affordable. These options are on an annual basis and they provide you with robust tools to not only document and track your progress through HIPAA compliance but also to provide you with experienced HIPAA advisors that can walk you through the process and provide clarification.
20:10 So hopefully that gives you a big picture look at HIPAA compliance, what it is, why it's important, what resources are available to you and what the HIPAA compliance process looks like. It's more than just training. It's more than just doing your notice of privacy practices. There are about 136 specific regulations that we address in our process that will help you become HIPAA compliant.
So a little pop quiz you can answer on your own to see if you learned something today. A covered entity is: A) A patient who has consented to keeping his or her information completely public. B) Any healthcare organization that has direct patient relationships. Or C) A person or entity that receives or maintains PHI to perform non-health care related functions? The answer is B). Any healthcare organization that has direct patient relationships or handles that information directly.
21:20 Second question, What percentage of data breaches in 2017 were healthcare related? A) 24% B) 35% or C) 46%? So in 2017, that number was A), 24%. So again about a quarter of all of the data breaches were healthcare related.
And then finally, What was the leading cause of data breaches in 2017? This is going back to that graph that we looked at. The answer here is B) Hackers. The number two cause of data breaches was employee error/negligence. The Security Rule and dealing with the technical side of your organization is extremely important in order to protect that information.
21:59 Unfortunately you are a target but by doing a little bit each day, by making this a priority, there's a way for you to have a big impact. So that's it for our portion of the presentation today. We're going to allow you a couple minutes to chat in any questions.
22:35 All right, so a couple quick questions. Hopefully this will provide some additional clarification. We talked a little bit about an on-site assessment for HIPAA compliance and the question is, “Is this a requirement?” With HIPAA compliance unlike PCI compliance, which is also something that SecurityMetrics helps with, there is no specific requirement for an on-site assessment from a HIPAA auditor. That being said, for larger organizations and organizations that do have the budget for it, there is a huge benefit to completing an on-site assessment.
23:17 We have a team of certified HIPAA Auditors that come on site and go through the exact same process that the office for civil rights would come on if you were either selected for a random audit or if you were breached and audited after that breach to how the information was taken. So they go through that exact same process but rather than hitting you with a bunch of fees and fines at the end of the process, they provide a report for you and help you implement some of the missing issues so that you can become HIPAA compliant.
To answer your question, no, there's no specific requirement for an on-site assessment but it is something that's available. If you have the budget it can be a valuable process for you.
Here is another question, “I’d like to better understand the options that SecurityMetrics provides.” If you are interested in learning a little bit more about that we would be happy to provide a demo of what that portal looks like, what the resources are and how it is all taken care of.
And then finally here is a question in regards to policies and procedures, “What do those look like and what information needs to be documented?” As you go through the risk management plan, the specific 136 regulations that need to be met, many of those reference specific policies and procedures that need to be in place to become compliant. So as you go through the risk management plan, you will see what actually needs to be documented. And again we can provide templates to simplify the process. Without a legal background it can be hard to know what the policy should say, what best practices are and so we can provide those as part of these packages.
So that's it for the questions and the presentation today. Thanks again for your attendance. Hopefully this information was helpful. We’ll be sending out a slide deck and a recording of this. So if you want to look at it when you have a little bit more time or forward it onto others within your organization or others that you know may be struggling with similar questions, feel free to do so. And again, if you have additional questions or want additional help, please reach out. We'd be happy to schedule a time with one of our compliance consultants to help you. So thanks again. Enjoy the rest of your day and the rest of your week, and we look forward to hearing from you.