Demystifying HIPAA: Texting, Emailing, and BYOD - PowerPoint PPT Presentation

About This Presentation
Title:

Demystifying HIPAA: Texting, Emailing, and BYOD

Description:

This 90-minute webinar will detail your practice (or business) information technology and how it relates to the HIPAA/HITECH Security Rule and securing PHI in transmission: what is required and what is myth. Areas covered will be texting, email, encryption, medical messaging, voice data, personal devices, and risk factors. Don't always believe what you read online about HIPAA, especially regarding encryption and IT; many groups sell more than necessary.

Number of Views:3
Slides: 21
Provided by: confpanel5
Category: Other
Transcript and Presenter's Notes

1
HIPAA Texting/Emailing/BYOD: Myths vs. Realities
  • Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP,
    CCNA, Net

www.hipaa-consulting.com
2
Again, the HIPAA Privacy Rule vs. HIPAA Security
Rule: what's the difference?
  • HIPAA Privacy Rule - defined as the right of an
    individual to keep his/her individual health
    information from being disclosed. Privacy
    encompasses controlling who is authorized to
    access patient information and under what
    conditions patient information may be accessed,
    used and/or disclosed to a third party. The
    HIPAA Privacy Rule applies to ALL protected
    health information.
  • HIPAA Security Rule - mechanisms in place to
    protect the privacy of electronic health
    information - includes the ability to control
    access to patient information, as well as to
    safeguard patient information from unauthorized
    disclosure, alteration, loss or destruction.
    Security is typically accomplished through
    operational and technical controls. Since so
    much PHI is now stored and/or transmitted by
    computer systems, the HIPAA Security Rule was
    created to specifically address ELECTRONIC
    protected health information.

3
PRIVACY RULE
  • The Privacy Rule covers all Protected Health
    Information (PHI)
  • This is information that can identify the patient
    to the health record
  • De-identified Information does not have to be
    protected by HIPAA
  • The Privacy Rule is concerned with guarding the
    confidentiality of PHI in ALL formats: paper,
    oral or electronic.

4
Security Rule
  • Enforcement began on April 21, 2006
  • The Security Rule complements the Privacy Rule.
  • While the Privacy Rule pertains to all Protected
    Health Information (PHI) including paper and
    electronic, the Security Rule deals specifically
    with Electronic Protected Health Information
    (EPHI).
  • It lays out three types of security safeguards
    required for compliance:
      • Administrative
      • Physical
      • Technical
  • The Rule identifies various security standards,
    and for each standard, it names both required and
    addressable implementation specifications.
    Required specifications must be adopted and
    administered as dictated by the Rule. Covered
    entities and business associates can evaluate
    their own situation and determine the best way to
    implement addressable specifications.
  • RISK ASSESSMENT FOR HIPAA SECURITY MUST BE DONE

5
Business Associate (Definition)
  • Business Associates (BAs) are individuals or
    entities who create, receive, maintain, or store
    private health information on behalf of a covered
    entity.
  • Example: answering services, medical
    transcription, IT groups, billing companies and
    shredding services are clearly under the auspices
    of Business Associate.

6
COMMON HIPAA VIOLATIONS
  • Clinical documentation causing HIPAA violations
  • Selecting the wrong person to CC on an e-mail
    containing PHI
  • Selecting the wrong patient name
  • Selecting the wrong account number, medical
    record number, or subject ID
  • Entering the wrong supervising or attending
    physician
  • Sharing information about a patient with others
    when there is no reason for them to know
  • Failure to immediately report any potential
    breach or security incident to the compliance
    officer or your supervisor
  • Improper disposal of materials containing PHI

7
TELEMEDICINE
  • Quote from Roger Severino (former OCR Director):
  • "We are empowering medical providers to serve
    patients wherever they are during this national
    public health emergency. We are especially
    concerned about reaching those most at risk,
    including older persons and persons with
    disabilities." (Roger Severino, OCR Director)

8
FISHING OR PHISHING
  • E-mail phishing is often identified as the origin
    of the breach
  • Phishing is a fake e-mail or Website that
    attempts to gather your personal information for
    identity theft or fraud
  • Phishing scams usually use a spoofed Website that
    looks very much like the real Website

9
What is Ransomware?
  • A type of malware that prevents or limits users
    from accessing their system, either by locking
    the system's screen or by locking the users'
    files, unless a ransom is paid.
  • More modern ransomware families, collectively
    categorized as crypto-ransomware, encrypt certain
    file types on infected systems and force users
    to pay the ransom through certain online payment
    methods to get a decryption key.

10
BYOD
11
Positives
  • Provide flexibility
  • Streamlines communications
  • Increases productivity due to familiarity with
    the device
  • Can save the practice or business money (e.g.
    equipment, data plans)
  • Allows for easier tele-working
  • Preferred by most staff members
  • Employees can use apps which they prefer for
    productivity

12
Negatives
  • Who is responsible for support or repair?
  • Auditing devices for security may be considered
    intrusive and troublesome
  • Device compatibility problems
  • Problems with monitoring how and where PHI is
    stored
  • Encryption?
  • Are non-authorized individuals using the device?
    (i.e. kids playing games on phone)
  • Theft?
  • Weak passwords?

13
DO NOT
  • Allow PHI to be written to the mobile device
  • Permit integration with insecure file sharing or
    hosting services
  • Set it and forget it (always include BYOD in risk
    assessments)

14
Best Practices
  • Ensure security updates on the phone are done
  • Use multi-factor authentication (e.g. a password
    plus biometrics)
  • Encrypt the device using whole disk encryption
    (P.S. a lost or stolen encrypted device is not
    a reportable breach under HIPAA)
  • Train staff on appropriate apps and software as
    well as cyber threats
  • Force complexity in the passwords
  • Perform risk assessments annually to identify
    threats

15
2024 Mobile Devices
  • HHS issued guidance addressing the extent to
    which PHI is protected on mobile devices.
    Although the HIPAA Privacy Rule and Security Rule
    (protecting PHI when maintained or transmitted
    electronically) provide protections for the use
    and disclosure of PHI held or maintained by
    covered entities and their business associates,
    they do not address PHI accessed through or
    stored on personal devices owned by individual
    patients.
  • Example: although PHI maintained on electronic
    devices owned by a covered entity would be
    protected from disclosure by HIPAA, once a
    patient downloads that information to a personal
    device, HIPAA would no longer protect it.
  • The guidance does provide tips to help
    individuals protect their own PHI, such as:
      • Avoiding downloads of unnecessary or random apps
        to personal devices, and
      • Avoiding (or turning off) permissions for apps to
        access an individual's location data. (This
        reduces information about a person's activities
        that can be used by the app or sold to third
        parties, such as the name and address of health
        care providers a person visits.)

16
TEXTING and HIPAA
  • Almost 90% of mobile phone users send SMS text
    messages
  • Texting has become entrenched in medical care too
  • Many physicians and medical professionals are
    sending identifiable health information via
    non-secure texting

17
TEXTING Positives in Healthcare
  • Texting CAN provide great advantages in health
    care
  • Fast
  • Easy
  • Loud background noise problems are mitigated
  • Bad signal issues mitigated
  • Device neutral

18
TEXTING Negatives in Healthcare
  • DO NOT TEXT APPOINTMENT REMINDERS WITHOUT CONSENT
    IF THE CARE CONCERNS SUBSTANCE ABUSE OR MENTAL HEALTH
  • Messages reside on the device and are not deleted
  • Very easily accessed
  • Not typically centrally monitored by IT
  • Can be compromised in transmission relatively
    easily
  • The HIPAA Privacy Rule requires that PHI be
    disclosed to the patient on request (e.g. a text
    message used to make a judgement in patient care)
  • Patient Orders via Text Must Be Encrypted

19
Include Texting in Policies
  • Administrative policy on workforce training (e.g.
    the minimum necessary standard)
  • Appropriate use of texting
  • Password protections and encryption
  • Mobile device inventory
  • Retention period (require immediate deletion of
    PHI texts)
  • Use of secure texting applications

20
THE END
  • Q&A
  • www.hipaa-consulting.com
