The Top 6 HIPAA Security Issues: Minimizing Risks Related to Portable Devices, Remote Access, Disaster Recovery, Policies and Procedures, Training, and Documentation

Why Should You Attend:

Many organizations are taking a serious look at their HIPAA compliance status now that HHS HIPAA compliance audits are taking place, and there are several security risk issues that most health care providers are wrestling with. This session presents the top six issues found in HIPAA security compliance: encryption and mobile devices, remote access, disaster recovery, policies and procedures, documentation and training.

The session will include an explanation of why HIPAA Security Rule compliance is of interest today, what can happen when compliance is not in place, identification of the top six risk issues, a discussion of staff-related issues, and identification of strategies for risk mitigation. Dealing with the risks means new policies and procedures, new documentation, and new training, but it can't be postponed any longer, as fines have been increased, including a new minimum $10,000 mandatory fine for willful neglect of compliance. Find out what are the biggest risks facing every manager of health information and health information systems, and what can be done about them.

Learning Objectives:

• Learn about the typical risk issues and how they are related.
• Find out how to deal with risks associated with portable data.
• Learn about how to consider a variety of levels of disaster recovery.
• Learn what goes into good policies and how to organize them.
• Provide a process to follow when incidents occur that may be breaches.
• Find out about security awareness and training strategies that work.
• Learn how self-audits and drills can increase your ability to survive surprises like breaches and HHS audits.
• Learn about good documentation practices that make compliance easier.

Areas Covered in the Seminar:

• Why HIPAA Security Rule Compliance is Of Interest Today
  • HIPAA Security Rule Requirements.
  • Meaningful Use Requirements.
  • Breach Notification Requirements.
  • HIPAA Audits Resulting from Complaints and Breaches.
  • Random HIPAA Audits.
• The Top Six HIPAA Security Issues
  • Managing PHI on Portable Devices.
  • Remote Access by Staff and Vendors.
  • Preparing for Recovery from a Variety of Events.
  • Creating Coherent Policies and Procedures.
  • Training in Security Awareness and Policies.
  • Documenting HIPAA Security Compliance.
• Managing Issues Related To Staff
  • Technology Adoption.
  • Training Strategies.
• Planning for Risk Mitigation
  • HIPAA Security Compliance as a Project.
  • Cooperative Strategies.

Who Will Benefit:

• Information Security Officers
• Risk Managers
• Compliance Officers
• Privacy Officers
• Health Information Managers
• Information Technology Managers
• Medical Office Managers
• Chief Financial Officers
• Systems Managers
• Legal Counsel
• Operations Directors

Medical offices, practice groups, hospitals, academic medical centers, insurers and business associates (shredding, data storage, systems vendors, billing services, etc.) will also benefit.

Instructor Profile:

Jim Sheldon-Dean, is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a variety of health care providers, businesses, universities, small and large hospitals, urban and rural mental health and social service agencies, health insurance plans, and health care business associates. He serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the 2011 WEDI Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at AHIMA national and regional conventions and WEDI national conferences, and before regional HFMA chapter meetings and state hospital associations.

Sheldon-Dean has nearly 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Topic Background:

Even though every health care organization is different and has different problems and different needs, most organizations face similar sets of security risks that must be mitigated. In fact, information from the US Department of Health and Human Services based on breaches and audits shows that the top issues they find are similar to the ones voiced by the chief information officers of health care institutions.

The issues involve controlling access through technical and physical policy and procedure, training staff to properly follow the policies and procedures, and having a solid incident handling process in place to follow when things go wrong.

The issues most often encountered include:

• Security of portable devices
• Remote access by staff and vendors
• Survival of adverse events such as breaches and disasters
• Lack of adequate security awareness and training programs
• Incoherent, overlapping policies and procedures
• Incomplete or nonexistent compliance documentation

In order to mitigate the risks, some of the issues require staff-related policy adjustments and training, particularly in the areas of portable devices that carry or access PHI, and remote access. Not only staff, but also vendors are looking for remote access to systems that may not be as secure as it should be.

Issues of event response also are prevalent, from an inability to adequately respond to incidents that may be reportable security breaches, to an inability to adequately recover from some levels of disaster. Thorough, documented planning is required to respond properly under a number of stressful circumstances, and such planning is often incomplete. Policies need to comprehensively address information security issues without unnecessary duplication and overlap, and HIPAA Security compliance documentation needs to be conveniently stored and made available for routine use as well as in support of events and exceptional circumstances.

In order to mitigate the risks identified, compliance must be planned as an organized project. Not approaching security compliance as a managed, long-term project often results in an incomplete effort, started in more than one direction, with inconsistent, unfinished policies and no real staff training.