
HIPAA 2015: Wrath of the Audits

BSidesSF · 2015 · 48:14 · 18 views · Published 2023-12

Speaker: W. Hudson Harris
Category: Policy
Style: Talk
About this talk
W. Hudson Harris

Since 2009, 122 million people have had their protected health information compromised. Enforcement efforts and investigations by the federal government are increasing tremendously, from 1,516 in 2003 to 14,300 in 2013. In 2014, there were 105,522 formal HIPAA complaints filed. Now is the time to get compliant, as the government announced that 10% of all covered entities will be randomly audited for HIPAA compliance in 2015. To be ready, unite the two most important forces in your organization behind the HIPAA effort: IT and Legal. This talk will focus on a nuts-and-bolts approach to HIPAA compliance, beginning with documentation and moving on to the fundamental security risk assessment.

https://bsidessf2015.sched.com/event/2uQe/hipaa-2015-wrath-of-the-audits
Transcript (en)

...Wrath of the Audits. Hudson Harris is a JD, MBA, MA and Esq., R, S, T, U, V, W, X, Y and Z, who began his IT career in 1997 in network administration, moved on to tech support for Microsoft, and then finally settled into university IT. After leaving the East Coast, Hudson obtained his master's degree and law degree, ultimately opening his own law practice in San Diego in 2010. Hudson just moved back to St. Louis in 2014 to take his current position as a chicken farmer, and also privacy officer and associate general counsel for Adaptive America. He now writes on technology and HIPAA-centered issues at legallevity.com and at @legallevity on Twitter, which does not appear to contain even a single list of lawyer jokes. Also, he is apparently barred in California, so please don't let the Twitters know that he's here; we might have to hide him from the police. Ladies and gentlemen, Hudson.

Hudson hi um as uh the gracious introduction um I started in it about 10 years ago um doing grunt work uh turning screws and uh opening up networks um went on to do my uh MBA Ma and JD and now I work as a privacy officer and general counsel um I'm here today to talk to you about why why Hippa matters uh Hippa Hippa was passed in 1996 Without Really any means of enforcement or funding and the offices were woefully under staffed uh what we've seen is a real dramatic shift in what we can expect uh out of the OCR the office of civil rights uh coming up in the next few years the office of civil rights

announced that 10% of all covered entities that's hospitals doctors clinics urgent care centers uh insurance companies are going to be audited this year and 5% of all business associates which probably applies to a lot more people in this room that's people who are handling data data processing it if you're touching Phi odds are you are either a business associate and have a business associate agreement in place or you should have a business associate agreement in place to protect you and protect the data that you're handling so the audits are the first thing that's really going to shift um funding for next year looks to be even bigger um there's a real shift in how the OCR is

approaching this and they've stopped this reactive approach where things are going bad so they investigate and they're actively going out and finding people and doing document audits uh in-person Audits and even social engineering um the OCR is sending people dressed as bug guys cable guys it guys Plumbing guys and they're trying to get into offices with flash drives uh get to computers that have not been locked down and they are doing this on a constant basis there are offices around the country where they are going in and social engineering to get people to mess up uh breaches um how many people got the Anthem letter did anybody get the Anthem letter that their information was

breached a lot of hands in the room uh 80 million individuals had their uh information initially breached through Anthem um in the past six months that number has gone up to 100 million almost one out of three people in the United States have had their Phi breached in the past six months um it's kind of crazy and as we all know the more something is in the news the more likely Congress pays attention to it the more they fund it the more they're going to go after it already we're seeing bills come out that are wanting uh encryption to become something that's standard operating procedure as many of you may know Anthem didn't encrypt their data at

rest so once the hackers were in they got it um the other thing that's starting to change the landscape of HIPPA is enforcement um enforcement traditionally has been fines um there was a cap of $1.5 million uh for each statutory violation what is changing is states are getting a little more hardcore about it California uh had an incident down in La where a clinician was fired from their job it did not cut off their access so they got a bottle of wine and some Chinese food and decided to peruse the medical records of the Rich and Famous in La um that individual got jail time six months jail time for viewing the records not downloading not sharing not

exposing just looking at them several hundred, fine and permanent lifetime disbarment from his medical profession so they're getting a lot more intense uh we're also seeing personal rights of action which really hits home in the trainings I've done the personal right of action usually shocks people because what that means is that if if you are in control of someone's Phi with a thumb drive or locking down a network or a piece of paper and you lose it that individual can sue you personally they'll also go to the company upstairs but they can sue you as an individual and that's a c change so a lot of states are starting to pass laws that will let

them do that California is one of them by the way um the the real cost of HIPPA that we're seeing is not necessarily in the in the f which frankly $1.5 million to a company like Anthem is peanuts what does cost a lot is the $100 per person for five years of notification and credit monitoring all told the hundred million the 100 million individuals who have had their information breached will cost about a trillion dollars that's just to monitor their credit for five years and provide notifications to them so these are real company ending catastrophic consequences to something that could at least in theory be prevented so here's kind of a quick run through we're going to talk about a nuts and

bolts approach to hipa documentation which is what everybody should have in place if you haven't seen your Hippa documentation you should ask to see it it matters what you do and how you do it should be in compliance with what your company's documentation States uh then we're going to do a security risk assessment just do a Bare Bones this is how to do a security risk assessment I strongly encourage individuals who have individual departments individual products whatever you're doing you should do one of these to see where you fall uh and then lastly we're going to talk about hippoc compliant theories of application development these are kind of the the four biggies that we'll we'll

talk about of how to start your programs and your applications from a hippoc conscious standpoint so what is the goal the goal of all of this is to shift and pivot to a culture of compliance um in too many trainings and too many times I've heard people say all right well we're going to start to ease our people into this and shift our people through this and honestly that's a fail move it has to be a pivot it can't be a shift so the culture of compliance is everybody thinking about Hippa everybody working to get things going in the same direction and every single time I've done a HIPPA training somebody comes up afterwards sometimes two or three people

like hey I do this one thing where I download everything to a flash drive then I take it home then I print it off and I let my kid color on it and all these processes that are totally broken that nobody knows we going on to change how people think to get people to a place that the culture of how you operate is this hippoc compliant mentality and yes that's jarar Binks catching the elbow to the face so episode one we're going to talk first about the three big categories of documents the first category are your breach policies these are how you react in the event of a breach so if somebody in your organization says Hey something

hinky just happened who do they call what do they say when do they call and this document should be in everybody's hands everybody in your organization should have a copy of this either in their desk or on their computer to know what to call the reason this is so important is that there has been a real shift the state of Texas now has a requirement for 60 Minute notification from breach 60 Minutes not days not a month 60 minutes so all the providers who work through dishes uh Department of Health and Human Services in Texas if you get a breach you have 60 Minutes to tell them and then you have a series of steps after that so these

types of things are critical because when that incident is discovered is when that clock starts ticking that that yes it's it is outrageous and frankly it's completely unworkable um the truth is is that they they they literally give you an email address hey if you've got a breach let us know and then you're supposed to investigate it and do all this stuff and work through it yes

Sid that's a it's a really good question I think that's a big part of it um I think that it's it's part of it is getting the lawyers out of the way and part of it is getting people that right now you have 60 days under Hippa the federal statute to report a breach and what's happening is is companies like Anthem are waiting the full 60 days I mean how many people in here could wreak havoc with a person's identity in 60 days I mean you can go nuts I could buy a house in that time frame so I think what we're seeing is a combination of getting the lawyers out of the way and

getting the desire to have people uh notified the the the hipa breach that happened with Anthem it turned out they had 10 million records of an entirely different company called Blue Cross Blue Shield on their servers and then a couple weeks after that it turns out they had 13 million partial insurance applications also on that same server for their company so stuff that was just I mean everything you needed to open up any type of account buy a house do whatever you wanted um breach assessment is something that you would work with to basically look at an incident and see how it filtered down what happened when did it happen what was exposed what's the risk

to the individual and then you basically come down the ultimate goal is you come down to make a determination was this a breach or was it an incident and if it's a breach you kick down to breach notification that's where you tell the person within a certain amount of time you've got to offer credit monitoring if there's a severe risk of harm if there's not you don't they have to have a number to contact there's a whole list of requirements but all of this has to just be wrote Because with this Texas policy coming out it's going to completely change the game and what we're starting to see is Medicare centers for Medicaid services has now put up the 60-minute

requirement for all programs that are using research under Medicare and Medicaid so it's it's not just Texas it's starting to spread and quite frankly it's a little terrifying um The Next Step are the Privacy policies these are kind of the policies for your Frontline people uh these are the people who are interacting with patients these are people that are interacting with clients um how do we Safeguard it am I walking out of the office with a big uh paper file that I just kind of hold with me and I open I read places then I'll just toss it in the Hardy's trash can no it's how do we handle this stuff stem to Le Soup To

Nuts life cycle of this Phi so that the people who are using it on a daily basis don't use it in a way that unnecessarily exposes people uh to risk the the the disclosure of Phi is where a lot of the violations come up if I want you to give my information to somebody how many times has anybody in this room gotten that I can't do that because of HIPPA yeah call a doctor's office say hey can you do this oh I can't do that because of HIPPA which frankly is complete and total because it's your file it's your record what they need is an authorization they need a consent they just don't want to because

Hippa is not about safety it's about privacy it's about how does this information get shared with the people who need it and the the problem is is that a lot of entities across the country have just decided Well Hippa is really hard let's just lock everything down and that's the people that loser are us not the big entities it's it's it's the it's the patients it's the users the individual individuals the other thing that privacy policies cover is how to use Phi which is becoming a really big issue because of Big Data Predictive Analytics how do you take these Monumental data sets and figure out what happens when someone does this what's the most likely cause

of a heart attack this is all information that's kind of at our fingertips but you've got to do it in a way that's hit a compliant and there's Safe Harbor Provisions to work through for that the last one is security policies which is probably the most important for people in this room this is the the info security so it starts off with workforce management and access this is hire fire uh how do we suspend how do we Grant access to somebody to get into our system do we do background checks how deep are the background checks that we do disaster recovery and business continuity big word it's really just another way of saying that we're going

to figure out what happens if our company burned to the ground how do we keep our clients with their data how do we give them everything that they need I mean it's it's really that's where like who's gotten the oh everything's broken at night call about the server everything's stopped my email doesn't work the business continuity and Disaster Recovery should be a document where if that happens that individual can open up the document say I need to I need to spin Up This Server I need to shift us over I need to fire up our Colo whatever the case may be to get things running the last one is use uh workstation and email um literally how

does someone sit down and type out how they log in again is it a two-factor authentication like the raffle earlier is it a one factor authentication of just a name um it's that type of those types of issues and questions are really addressed here and email what's appropriate to send in an email um what do you when do you encrypt an email when don't you encrypt an email um the the the real thing that's important to keep in mind about Phi is that bad people want them you know the average full client record cost about $65 to buy online you can buy bulk you can buy a thousand at a time you can buy 10,000 at a time but there are people

out there who do nothing but try and grab this Phi and then sell it because you can do a whole lot with it um there's also companies that are being blackmailed hey we got 10,000 records of your clients if you give us this money we'll give it back to you I mean those types of things are common and these people can't help themselves so the last step of the documentation is really kind of getting your hip Ty a calendar rolling you should have a 12 Monon cycle where you've got regular trainings uh trainings need to be whenever there's a big policy shift or a big change or the Law changes annual is usually a pretty

good bet if you train everybody annually and then get everybody else spun up as they come onto the company you're probably okay a lot of States California Missouri Illinois Texas have requirements that your people have to be trained in Hippa within a certain time before they're granted access uh I think Texas is a weak uh Illinois is a little bit shorter so these are states that are passing laws that are more restrictive than hipa that if you don't train this person and they go off half coocked and give out a bunch of information you're going to be liable uh persistent alerts these are also called the nag emails um you know sending out sending out an alert saying

hey by the way we've had five breaches in the past month where somebody didn't type an email address correctly For the Love of All that's good and holy check the two line you know those types of things demonstrate in an audit you're persistently following up with your staff and your and your and your it people and your clinicians um disaster recovery and business continuity we talked about that but that's really you do that on a yearly basis do a cold run on a tabletop then do a warm run where you bring down one one one Colo and bring up another one and then lastly is a security risk assessment which we're going to talk about next the security

risk assessment should be done whenever you've got a new product whenever you open a new Department if you open a new office any of those things you should run a a security risk assessment um the I kind of want everybody to shift how they think about security risk assessments and kind of think of this as Dungeons and Dragons Advanced Hippa Edition super fun you get everybody that matters in your company around the table HR legal exact and it you usually a few people from it because they know the threats a lot better and then what you do is create the worst possible case scenario of what could go wrong with our system everything you can imagine you

use all of these different items to do what's called a base to start the Baseline of your system and the Baseline of your system it starts with the life cycle of Phi from birth to death Cradle to grave the first time a clinician enters it into a computer or writes it down all the way through when you throw the hard drive onto the sh truck and it disappears so you need to track everywhere you have Phi and this is not just like my own Theory this is actually the nist guidelines for how you should do this and if you get audited they will ask you when was the last time you did a security risk analysis when was last

time you could you could actually tell me affirmatively where all of your Phi was stored that's what the Baseline is the next step is you ID your threats that's really where the the the meat of the tabletop exercise comes in you've got all of these different ways that someone can mess with your Phi or attack it and you have the job of literally creating a list an Excel spreadsheet and a topic so you've got two different ways that this works you've got intentional and unintentional Bad actors and inadvertent actors and then you've got non-technical and Technical so non-technical threats fire flood and blood it burned down it flooded out riots in the streets and there's blood

everywhere um and then you've also got technical hacks attacks technical attacks people coming in trying to steal stuff people trying to uh Rob your employees of their laptops or walking in and taking laptops all of those things that you can figure out creates a threatcon sheet then what you do is you take the threats and you create another column where you do your vulnerabilities this is the hard part of the exercise because everybody at the table has to say this is what's wrong with our organization this is where we're vulnerable we have a server that's not patched because we can't patch it because our vendor won't let us patch it to work with our billing

software or we have a procedure that sometimes a random person will just walk in through the office and nobody stopped them so everybody has to really walk through and say where could we improve what are where our gaps in our vulnerabilities um look at patches policies procedures software and Equipment um the number one cause of of technical breaches last year was unpatched software unpatched meaning you could run it but you don't or you can't and you didn't isolate so you've got a system that you can't patch but you didn't isolate it from the rest the next step is to run through your current controls so okay we did we're doing all this we got all these

vulnerabilities what are we doing to lock these down what are we doing to make these better these can be as much as I'm working to uh ensure that every person that walks in the door is is is double checked for ID or we're using two- Factor authentication or we're doing a key fob login to a computer um the next step is where it gets a little mathy but it's important the likelihood you take the likelihood of an attack and you say low medium or high and you just assign that and then you give that the number of 0.1.5 or one low medium and high then you go through impact so let's say this particular vulnerability got hit

how bad would it be because there there's this sense in business that if someone says well everything's important my server is important everything on my server is important everything has to be the most secured it can possibly be well frankly that's not true I mean who like HR policies they're gone oh damn we've got paper versions like that doesn't really matter if you lost your client database well holy crap that's that's company ending so you really need to like actually look at what's important and what's not important to ensure that it's not just this 100% all the time uh and then you do a magnitude of impact if we lost this it would be low

medium or high and you give that a number 10 50 or 100 and on the next slide I'll show you guys how this math works and then you do the risk determination which is where you plug it all in together and then it's likelihood times impact equals your risk level and that creates a nice pretty little chart that'll order all of your vulnerabilities and how at risk they are then you know where to spend money then you know where the problems really are and then you know when when uh OCR comes in and says well how did they get in through this well had a really really low risk determination and we just didn't prioritize it the the important thing to

keep in mind is is that the OCR when they come in they are not these Draconian I mean they are a little bit but if you've addressed something and you've looked at something and you've really thought about something that goes a long way towards them going let's put in a remediation plan as opposed to well let's find the crap out out of you um the the hypo client database so let's say the identified threat is Hackers Target the system fairly basic something like the anthem we've got an unsecured Windows 2012 server say it's not patched completely nonh hardened firewall so stock settings but it's password protected so we'll give it a likelihood of 0.5 that it's going to be attacked

it's not tremendously high it's not completely open it's not web facing but we'll give it a 0 five the impact if we lost that would be high if we lost all of our client data it was destroyed or disclosed that would be bad so that gives us a risk determination of 50 0.5 time 100 equals 50 and so what you'll do is you'll create this spreadsheet of all of your assets and what that risk determination is and there are tools out there we'll talk at the end to help you put this all together so that you don't have to do all the grunt work so the next we'll do one more more hypo and let's say it's a social media

site for cat lovers and I just want everybody to know Mrs Bigglesworth is very happy she's loved and she's not at all sick in this picture this is as intended through genetic breeding so let's say we've got an unsecured HTTP web server it's password protected un uh password protected but that's the only security from a web facing uh idea web facing uh security purpose so the likelihood of that being hack is pretty high the impact would be low let's be honest if you're a cat lover you've got more than one picture of your cat and you probably got them backed up to the iCloud it's not a huge hit so the risk determination on something like that would be low that

would mean that it wouldn't really be a humongous impact if that happened but it's still something that you should address so once you've gone through all of these and you get your 30 or 40 different vulnerabilities you do the postmortem you have the controlled Improvement is the first step so we've realized that all of this is going on and everything that's happening how do we make it better and a lot of times it's as simple as well we've got an HTTP server we need it to be an https server we got to secure it we need to harden that firewall we need to add these controls to give us a better sense of security for what's going on uh and then

you have your documentation of risk analysis this is where you button everything up into a nice pretty little PDF bound package that says here OCR this is everything we did and why we were aware of what was about to happen and why we're not at fault you shouldn't find us for anything and this is the dog TX since I showed a cat so the last episode this is hippoc compliant application development these are kind of my four big theories of when you're developing a product or you're opening an office or you're uh rolling out a new app anything like that the the concept here is that we work to ingrain privacy at a core level like a really

hard level so the first one is of these is privacy by Design This is where everything that you do is automatically clicked over to private so in Europe this is really common in Europe you have an opt-in option on almost every single email every single privacy setting websites uh notifications from from uh vendors all of that stuff you opt in who here has opted out of a privacy setting on Facebook Twitter LinkedIn for Square Yelp you name it I don't want you to tweet where my location is I don't want you to post that I'm in this place I don't want any of that information the the opt-in opt out method is is that in order to share that

you have to say you want to because the Privacy changes constantly the policies change constantly the Privacy by default means that when you log on to Facebook for the first time everything's locked down and nobody sees anything and then you say I want these people to see it I want this to be shared as opposed to oh my God here's everything I've ever done okay let's lock ET in and try and grab and Wrangle in all these pieces of information uh the other one is just taking a proactive stance about this too many of the too many of the security apps out there and too many of the apps do privacy by privacy by reaction we

realize there's a gap and then we fix it and it's having people identified in your organization like a Chief privacy officer a uh a primary privacy officer the PO the CPO CIO that work to find these vulnerabilities first and then close them down um soup to security is kind of what I call a Security application to the life cycle of Phi from start to finish so a suuts application really looks at and follows one piece of Phi or one file from the time it's created through the time it dies so this seems like a simple idea but what I usually find are is there's usually four people involved you have the person who developed the app or

the EMR that you put the information into you've got the clinician who uses it you've got the doctor who views it you've got the IT person who manages it and then you've got the admin person who shreds it whether that's digital shred or paper shred those five people should really talk you should really know what's going on with this throughout the entire life cycle because there's too many times where you've got this data that's way old if you don't need it why are you keeping it there is no desire to maintain data that you don't have a legal obligation to have or a business business reason to have because if you've got it under Hippa even if you

don't have a duty to have it anymore you have to provide it so if you've got a seven-year uh seven-year statute limitations on destroying data and it's year eight you've got this humongous file on someone and they want it you have to give it to them if they become your client again you have to keep it so there's a real cost associated with just this policy of let's just hold on to everything for as long as we possibly can if you really want to keep it de identify it and make it something that no one can recognize but you can still use later to do Predictive Analytics or get data processing on uh F shreds is kind of the way I look

at what everybody who has one of one of these or an iPad or an iPhone that goes out in the field should think about the the the F shreds mentality is basically this if you have internet everything's hunky door you've got a remote desktop nothing is stored locally everything's pulled off as soon as you disconnect that session if it's even on there you have no problems if that laptop is stolen because encryption while very very good is not bulletproof most encryption levels can be broken at a certain point um the way the F shads work is that if you have a clinician who goes out in the field has 10 appointments those 10 client records are

on their laptop obviously encrypted they hit that first client they type whatever notes they're in or concurrently documenting when they hit the internet again that client's ripped off and there's only nine left so there's only the smallest shred possible on that machine at any given time because you know what if you don't log out of your computer and someone walks up and grabs it they'll just take it you know there's ways that people get into these machines that we just have to start thinking about in a way that says well if there's the littlest possible on here that makes my clients safer um third-party tools I've done a lot of reviews and a lot of working with

a lot of different tools and I've seen the the Spectrum I've seen free and I've seen 100 to20 to $300,000 for hippoc compliance Consulting so these are people that will come in and say this is why your program isn't working and they'll say well here's brand new policies or here we'll rewrite all of your policies there are some companies out there that are exceedingly good at what they do but look out find what people are doing and really price it out um there are companies out there now and this industry is still fledgling that are doing online dashboard management of HIPPA compliance issues there's a company called hippot Trek that does this all of your policies in one place

all of your alerts in one place training modules all of your individuals everything registered and when if OCR comes to audit you you can hit a print button and it prints everything into one report at the drop of a hat it's a really cool feature there's other companies that'll come in and will do uh third-party analysis they'll do penetration testing white box Black Box they'll look through all of your policies and say this is where your gaps are they will hack your system with a white hat on and say this is where you need to improve and those types of things are critical to what we do because internal audits fail no matter how self uh like no matter how much we

want to be honest with ourselves we will almost always gloss over a few things a third-party analyst will not do that um the company I'm with did one and we just didn't hear from them for a few months and all of a sudden they're like okay we're ready to talk and they had been hacking and trying to get poked through our system and find stuff and had had a box in our rack and was trying to hack from within the system if they had gotten in and those types of things can be really reasonable I've seen some around the ,000 range I've seen some in the 7 to 10,000 and then all the way up

into the $100,000 range. Those things are worth their weight in gold, because it lets you know on a yearly basis, if that's when you're doing it, how vulnerable you are to attack. And when the auditors come, and they are coming, it lets you be ahead of the game, because if you can just hand them that stack of paper and just say, here, that looks so much better to an auditor, because all they want to do is run through their checklist. And if you want to see their checklist, it's online. It's the NIST SP 800 checklist, and this is one of the most amazing free tools that nobody knows about. It's this 827-question questionnaire, from stem to stern, every single aspect of your security policy, step by step, statute section by statute section, and it says: do you have a policy for this? If not, what do you have in place? What threat level is this? How important is this for you to fix? If you do have it, upload your policy here. This is the tool the auditors are using. This is an inside game book for what they're doing. And as you go through all these questions, and believe me, it is a beast to go through, it gives you a report at the end of it to say, this is how compliant you are with documentation, this is where this is, this is what you need to focus on. And it's $0, totally free, works on a Mac and a PC, and I think they're working on a Linux version.

The other one that's really amazing... yes, it's the NIST HIPAA toolkit. If you hit my website, there's a link to it on there, the NIST toolkit. HHS, Health and Human Services, also developed an app for security risk analysis, so that big seven-step process we went through, they'll do that all in a really handy-dandy app. It's on the iPad and Windows, and it will let you create a product or an office or a company and then walks you through the security risk analysis step by step and then generates a report for you at the end. So these tools are out there and they're free. These don't cost any money at all. The Office of the National Coordinator for Health IT is working with HealthIT.gov, NIST, and HHS to create these tools and create these guides that are completely free, to get people ahead of the game, because at last check only about 38 to 40% of covered entities had an EMR. Everybody else was paper, which is just an absolutely crazy amount of PHI just out there. And the thing is that these risks are... sometimes they're not even stuff that we can account for. There was a breach last year where an individual

walked into a doctor's office. He looked down at the secretary, he said, how are you doing? She said, I'm doing great. And then he ripped her desktop completely off of her desk and ran, and that one desktop had a fully local client database on it of over a million client records. OCR aside, those people are settling for $1.2 to $1.6 billion right now. These are company things. The concept of data silos, which is also a part of the HIPAA-compliant theories of application development: while data silos are really common in this room, does your CEO know about it? Do the people running your company know about it? Because at Anthem, you had one company that had 80 million of their own clients, and on top of that, every employee they had had since 2002: name, date of birth, Social Security number, home address, mother's maiden name, and salary income, also stored in a client database, unencrypted, clear text. There is no reason that ever should have been stored on the same database, much less the same server. And then you add to that the fact they had Blue Cross Blue Shield's data on there as well, and then another 13 million records from an entirely different situation, and it begs the question, why aren't some of these basic core security concepts really sticking out there?

So just take away from this that there are really four, really three, primary steps that you've got to hit to get yourself to a HIPAA compliance state. Document, document, document. Get these documentation policies in place. There are free policies, there are paid policies. Get them and start to work through them, because having something is better than nothing. It's a process, it's not just this event you achieve. Also start to bang out your security risk analysis. The iPad app is so clean and pretty and easy to use that sometimes I'll get a task or a question, hey, what if we did something like this, and I'll just run it through security risk analysis because it's that easy to use. The NIST tool is not

very pretty. It's a very barebones, utilitarian, almost Linux interface with how it looks. And the other thing is to start to think about privacy by design: how do we create that culture of compliance within our organization to really get that privacy in everything we do? Because the people who deal with your PHI and deal with your data on a daily basis are really the ones who can give you a tremendous amount of feedback on how to build privacy in at a ground level. Are there any questions?

So everything that happens is a security incident; not every security incident is a breach. You do the security assessment, the breach assessment, and depending upon the likelihood of harm and what was given out, that determines whether or not it's a breach. If it's not a breach, you log it in the security incident file. If it is a breach, it goes in the breach file and then you have to report. You can report throughout the year, but you have to report at the end of the year, by February 14th every year. So it's zero to 500, or 500 and above. If you have one record, then that's a security incident and you still have to log it. If it's 500 or less than 500, you don't necessarily have to notify the Secretary of Health right away; if it's more, you do. But it's every single one, no matter how little. I dealt with one where someone had switched envelopes, so someone's labs went to someone else and their labs went to the other person. That was technically a security incident, but if you retrieve the records, if you go through the breach assessment work, you can keep it from being a breach by being proactive, because you've got those policy steps in place of what you've got to do.

Yeah, one more time. So he asked how much time you get for the audit, and the answer is it depends. They will do site audits where they'll give you 48 hours notice and then they will come and they will audit a site. If there's social engineering, you get no notice; they will just send people in to try and get into your office. If you get a paper audit, what will usually happen is they will say, hello, I'm with OCR and we're going to audit you, you have this much time to put together the documentation. That window varies. We don't have control over that, but what I do know is that you have to prove it was all there beforehand. So creating documentation is great, but it's putting a Band-Aid on the jugular wound after it's already happened. So the truth is, it varies. The Anthem audit is still going on. Anthem actually told the OCR that it was not going to cooperate with their auditors until they got the formal court order. So you can also just say no. No, I wouldn't really recommend that. Any other questions?

Yeah, yeah, right. So those are the four big categories. The security policies: if you go through the NIST tool, it will actually give you a list of what every policy has to address. Those are really the big four categories. At the company I work with we have 57 distinct policies. I've seen them as much as 70 or 80. Breach is usually three, privacy is 12 to 15, security is a lot more, because you have everything from transmission protocols to encryption to workstation use. There's a lot more granular information there. But yeah, those are kind of the four big categories of what you have to have.

yeah

Right, right. So under HIPAA, for all of the different statutes there's implementation specifications. The implementation specifications are either addressable or required. If they're required, you have to do them. So you have to have transmission protocols so that your data isn't transmitted clear text with no protections. Encryption, oddly enough, is addressable. So addressable doesn't mean you can ignore it; addressable means you have to write a policy that says why you aren't going to do it. And the irony behind that is that in 2009, Anthem had a 700,000-person HIPAA breach for, guess what, unencrypted data at rest, and then six years later it's the same thing. So when they get audited, they're going to have to demonstrate... you don't have to encrypt, but they're going to have to have a tremendous level of documentation to show why they still decided not to, even after they'd already had that vulnerability exposed once. So there's really two, the addressable and the required, and the tool points those out. Any other questions?

Yeah, it's not really clear. They haven't laid out the sanctions for that, but in theory it could be anything they could do under HHS for violation of HIPAA. And that's one of the weird things about HIPAA, is that HIPAA doesn't preempt state law. HIPAA allows states, if they're more restrictive, to do more. There is a bipartisan bill in Congress right now to create a national breach standard for HIPAA. Congress doesn't really do much of anything ever at all, so it's not really sure if it's going to go through. But the policies could be fines, they could be penalties, they could be loss of license. I mean, the expansion of punishments has gotten so crazy that pretty much anything's on the table. Yeah.

It's going to be where the client is located, generally, but there have been some issues where if the data is stored in one state but... so, like, if Kaiser Permanente stores their data in Utah, they could in theory be subject to data restriction laws in both states. It just depends upon where they sue. That's a venue question for the client and which laws are more favorable, but they can be held under either.

Yeah, say that again. If you don't hold any data, you still are bound by HIPAA in terms of sharing information, disclosing information, talking about a patient in public. But if you have nothing on a person and they have all their data, that's theirs, that's their responsibility. That's a big question. We can talk offline about that. There's a few different methods, but yeah, let's talk. There's a lot of different ways we can skin that cat.

Yes, with the exception of California, which gave six months jail time, there hasn't been a whole lot of criminal sanction. Most of the criminal sanctions that are allowed under HIPAA are misdemeanors, which are kind of slaps on the wrist. The hope is that the Anthem breach will create a much different legal scheme, because the IT company they had in 2009 was fired, the new IT company decided to make the same decision, and the CIO was the same across that. So decisions were made that exposed 80 million people's information, and granted, it's all anecdotal, but I know several people who got those Anthem letters who, when they went to file their taxes, had fraudulent tax filings, people trying to open credit card information. So I mean, people are using this data. Anything else?

Yes, the big thing that HITECH added on was the liability of business associates. So if anybody touches your PHI, almost in any capacity, birth to death, so if you've got somebody who's couriering your PHI from one office to another, or somebody who's shredding hard drives or hard files, or you've got a phlebotomist that goes to someone's house that isn't on staff, all of those people are covered under HIPAA as business associates. That was the big thing that HITECH added. HITECH also added a few things to do with the EMR, but the primary shift from 1996 to now has been funding and the addition of business associates. What's scary about business associates is that business associate agreements are so uncommon right now for most doctors that the auditing mechanism for that, I think, is going to tear a lot of people up, because if you've thought about, do I have an agreement with every single person who touches my data or my client's PHI, most people won't say yes. Because if anybody touches it, you have to have a business associate agreement, stem to stern, that says you're bound by this, I'm bound by this, this is the notification period. And that's where things get really tricky. So you as a covered entity, if you operated in Texas, had a 60-minute notification for breach. If your contract with a business associate said 48 hours or two weeks or a month or whatever, you're going to be liable for breaking that 60-minute, because your BA, your business associate, had to follow that as

well. They're covered, and in fact just last year we saw the $1.6 million flash drive. Alaska had the dubious honor of being the first state to get a HIPAA violation. Someone had a flash drive that slipped out of their laptop bag, someone smashed it, grabbed it, and it had 20 or 30,000 client records on it, unencrypted, clear text. And then weirdly enough, about six months ago, Alaska was the second state to get fined by OCR for a similar violation. But no, states are liable. They can be held liable, they just aren't usually, because usually they're passing the buck.

Yeah, yeah, right. So a lot of these big companies that have been around for years and years and years have created these amazing stores of information. I know of one entity that took de-identified data and then predicted what was the most likely cause of a heart attack from that data. By the way, it was loss of housing within 48 hours, which is not something you would ever connect, but was really interesting. So what people are doing is they de-identify this data, and there's two ways to do it. You can get a Safe Harbor provision, where you basically remove everything from name and encounter dates, family name, family numbers, family members, sorry, phone numbers. There's a list of 12 or 15 different items that give you Safe Harbor, and then you can pretty much do whatever you want. Or you can do the IRB method, the internal review board, where you get scientists or statisticians that will sit on a board and say the privacy protocols and practices that this company has in place are sufficient to guarantee that this information is secure. The safest way is the Safe Harbor; the less safe way, but much more useful way, is the IRB. If you're going to sell it and it's identifiable or re-identifiable, you have to have authorization. That's one of the requirements of an authorization from the client: if someone's individual is going to have their information sold, there has to be an authorization in place. Any other questions? All right, thank you, everybody.
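As an added illustration of the Safe Harbor de-identification approach described in the last answer (example code written for this page, not from the talk or from any tool it names), here is a field-level scrub of a constructed patient record. The identifier categories follow 45 CFR 164.514(b)(2); the field names, the restricted ZIP3 set, the reference date and the sample record are assumptions constructed for the example.

```python
import re
from datetime import date
# Safe Harbor direct identifiers (45 CFR 164.514(b)(2)), keyed by the
# assumed field names used in the constructed record below.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric", "photo"}
# ZIP3 areas with 20,000 or fewer residents must collapse to "000";
# placeholder set for illustration, the real list comes from census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821"}
# Identifiers that commonly leak into free-text fields such as notes.
LEAK_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # US phone
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),      # e-mail
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")]        # full date
AS_OF = date(2015, 4, 20)  # constructed reference date for computing ages

def generalize_zip(zip_code: str) -> str:
    # Keep only the first three digits, or "000" for restricted areas.
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(dob: date, as_of: date = AS_OF) -> str:
    # Ages over 89 must be aggregated into a single "90+" bucket.
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)

def scrub_text(text: str) -> str:
    # Redact identifier patterns that slipped into free text.
    for pat in LEAK_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text

def safe_harbor_deidentify(record: dict, as_of: date = AS_OF) -> dict:
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):  # every date reduces to its year
            out[key + "_year"] = value.year
            if key == "dob":
                out["age"] = generalize_age(value, as_of)
        else:
            out[key] = scrub_text(value) if isinstance(value, str) else value
    return out

# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "phone": "555-010-2222",
    "email": "jane@example.invalid", "street": "1 Main St", "city": "Anytown",
    "state": "MO", "zip": "63101-0001", "dob": date(1921, 2, 3),
    "admit_date": date(2015, 4, 18), "diagnosis": "hypertension",
    "notes": "Spouse (555-010-3333) called on 04/19/2015; MRN on file."}
```

Running `safe_harbor_deidentify(SAMPLE)` drops the direct identifiers, keeps state and the ZIP3 "631", reduces both dates to their year, buckets the 94-year-old patient as "90+", and redacts the phone number and date embedded in the notes field.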