The Inevitable HIPAA Data Breach: Are You

Hidden HIPAA Weaknesses:
How to Tackle Them and
Prevent a Breach
Montez Fitzpatrick
Keystone IT
Margaret Scavotto, JD, CHC
Management Performance Associates
LeadingAge Missouri Annual Meeting
September 13, 2016
1
The Lay of the Land
             2016 (so far)   2015
Settlements  10              5
Total        $20,825,000     $5,443,400
Average      $2,082,500      $1,088,680
…and now the OCR will
investigate small breaches too.
2
Game #1: Is it PHI?
“Sad day at work today”
3
Game #1: Is it PHI?
“Sad day at work treating a
resident in the dementia unit
today”
4
Game #1: Is it PHI?
“Sad day at work treating
someone so young in the
dementia unit today”
5
Game #1: Is it PHI?
“Sad day at work treating my
third grade teacher in the
dementia unit today”
6
Game #2: Should I?
Think of your organization’s newest or youngest CNA.
For the purpose of this game, put yourself in this
person’s shoes.
7
Game #3: Find the Workaround
You work in the business office at Maple Hill Nursing
Home. You have to get a project done today, using a
spreadsheet with patient information, but you also
have to leave at 4 for a doctor’s appointment and will
need to work on it tonight.
Maple Hill does not allow PHI on flash drives, laptops,
or smartphones.
What do you do?
8
Problem #1:
A health care provider backed up all of its e-PHI on a
cloud-based server.
The provider did NOT have a Business Associate
Agreement (BAA) with the cloud provider.
The provider did NOT conduct a comprehensive
HIPAA Security risk assessment.
9
How do we remove
the workaround?
?
10
How do we help
employees get it
right?
?
11
Problem #2:
A clinic gave X-ray films to a media company.
The media company transferred the X-rays onto electronic
media in exchange for harvesting the silver from the films.
The clinic did NOT have a BAA with the media
company.
12
How do we remove
the workaround?
?
13
How do we help
employees get it
right?
?
14
Problem #3:
A PT company posted patient testimonials with
names and pictures to its website.
The PT company did NOT get HIPAA authorizations
from the patients.
15
How do we remove
the workaround?
?
16
How do we help
employees get it
right?
?
17
Problem #4:
A laptop was stolen from an unlocked treatment
room overnight.
The laptop was not encrypted.
18
How do we remove
the workaround?
?
19
How do we help
employees get it
right?
?
20
Problem #5:
A password-protected laptop was stolen, likely by a
visitor who had inquired about borrowing a laptop.
ePHI on the network drive was accessible with a generic,
shared username and password.
21
How do we remove
the workaround?
?
22
How do we help
employees get it
right?
?
23
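One technical answer to Problem #5, as an added example that is not part of the presentation: a generic, shared account defeats the HIPAA Security Rule’s unique-user-identification requirement and makes access logs useless, because one username shows up on many workstations at once. The script below, written for this page and not taken from the presenters or from any product, reads constructed file-server logon records (the log format, account names and workstation names are all assumptions), flags accounts whose names describe a role or a place rather than a person, and flags any account that is logged on to more than one workstation at the same time.

```python
"""Spot shared or generic accounts from file-server logon records.

Added example for Problem #5 (ePHI reachable with a generic username and
password); it is not code from the presentation. The log format, the
account names and the workstation names below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: ISO timestamp, account, workstation, LOGON/LOGOFF.
SAMPLE_LOG = """\
2016-08-01T08:02:11 nursing1 WS-FLOOR2-01 LOGON
2016-08-01T08:05:40 nursing1 WS-FLOOR2-03 LOGON
2016-08-01T08:07:02 nursing1 WS-FLOOR1-07 LOGON
2016-08-01T08:09:15 bsmith   WS-ADMIN-02  LOGON
2016-08-01T08:30:00 nursing1 WS-FLOOR2-01 LOGOFF
2016-08-01T11:44:21 jdoe     WS-FLOOR1-07 LOGON
2016-08-01T12:30:05 jdoe     WS-FLOOR1-07 LOGOFF
2016-08-01T13:01:00 nursing1 WS-LOBBY-01  LOGON
2016-08-01T13:20:00 jdoe     WS-ADMIN-02  LOGON
"""

# Heuristic: account names that describe a role or a place, not a person.
# Tune this list to local naming conventions; it is an assumption here.
GENERIC_NAME = re.compile(r"^(nurs|admin|guest|shared|temp|station|desk|front|test)", re.I)


def looks_generic(account: str) -> bool:
    return bool(GENERIC_NAME.match(account))


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse 'timestamp account host action' lines, dropping blank or malformed ones."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, account, host, action = fields
        records.append((datetime.fromisoformat(ts), account, host, action.upper()))
    records.sort(key=lambda r: r[0])  # events must be replayed in time order
    return records


def account_stats(text: str) -> Dict[str, dict]:
    """Per account: every workstation seen and the peak number of simultaneous sessions."""
    active = defaultdict(set)                       # account -> hosts with an open session
    stats = defaultdict(lambda: {"hosts": set(), "max_concurrent": 0})
    for _, account, host, action in parse_log(text):
        if action == "LOGON":
            active[account].add(host)
            stats[account]["hosts"].add(host)
            stats[account]["max_concurrent"] = max(stats[account]["max_concurrent"],
                                                   len(active[account]))
        elif action == "LOGOFF":
            active[account].discard(host)           # tolerate a LOGOFF without a LOGON
    return {a: {"hosts": sorted(s["hosts"]), "max_concurrent": s["max_concurrent"]}
            for a, s in stats.items()}


def find_shared_accounts(text: str, max_concurrent_allowed: int = 1) -> List[str]:
    """Accounts to review: generic names, or one identity active on several workstations at once."""
    flagged = []
    for account, s in account_stats(text).items():
        if looks_generic(account) or s["max_concurrent"] > max_concurrent_allowed:
            flagged.append(account)
    return sorted(flagged)


if __name__ == "__main__":
    for account, s in account_stats(SAMPLE_LOG).items():
        print(f"{account:10} peak sessions={s['max_concurrent']} hosts={s['hosts']}")
    print("review:", find_shared_accounts(SAMPLE_LOG))
```

The behavioural check matters more than the name check: a shared password can sit behind a person-looking username, but it still shows up as one identity open on three floors at once. Raise max_concurrent_allowed only for roles that genuinely roam, and pair the report with the fix the slides ask for, which is an individual account per user and a cutover date after which the generic account is disabled.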
Problem #6:
A hospital allowed a TV film crew to film two patients
without a HIPAA authorization.
One patient was in distress; the other was dying.
The footage aired on television.
24
How do we remove
the workaround?
?
25
How do we help
employees get it
right?
?
26
Problem #7:
An employee clicked on and downloaded an email
attachment with malware.
The malware infected the employee’s computer and
compromised the ePHI of 90,000 individuals.
27
How do we remove
the workaround?
?
28
How do we help
employees get it
right?
?
29
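One technical answer to Problem #7, as an added example that is not part of the presentation: the employee should never have had the chance to open that attachment. The script below, written for this page and not taken from the presenters or from any mail product, shows the triage a mail gateway can do before delivery, using only the Python standard library. The sample message, the extension lists and the magic-byte table are constructed for illustration: a clean PDF, an executable hiding behind a double extension and a forged content type, and a macro-capable Word document.

```python
"""Triage e-mail attachments before they reach a user's desktop.

Added example for Problem #7 (malware delivered as an e-mail attachment);
it is not code from the presentation. The sample message, the extension
lists and the magic-byte table are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Never deliver these to an end user's mailbox (assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                      ".vbs", ".wsf", ".hta", ".ps1", ".jar", ".msi"}
# Deliverable, but may carry macros: flag for the recipient.
MACRO_CAPABLE = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}
# Extensions that "look like a document" in double-extension tricks.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Leading bytes of a few formats, used to check the declared type.
MAGIC = {b"MZ": "application/x-dosexec", b"%PDF": "application/pdf",
         b"PK\x03\x04": "application/zip"}


def sniff(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the first bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def triage_attachment(filename: str, content_type: str, data: bytes) -> List[str]:
    """Reasons this attachment should not go straight to the user (empty list = clean)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguises an executable as a document")
    if ext in MACRO_CAPABLE:
        reasons.append(f"macro-capable document ({ext})")
    sniffed = sniff(data)
    # A Windows executable renamed to .pdf still starts with "MZ".
    if sniffed == "application/x-dosexec" and ext not in BLOCKED_EXTENSIONS:
        reasons.append(f"executable content behind extension {ext or '(none)'}")
    # Only compare declared vs. actual type for formats we can recognise.
    if sniffed and content_type in MAGIC.values() and sniffed != content_type:
        reasons.append(f"declared type {content_type} does not match content {sniffed}")
    return reasons


def triage_message(raw: bytes) -> Dict[str, List[str]]:
    """Map each attachment's filename to its list of reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings[name] = triage_attachment(name, part.get_content_type(), data)
    return findings


QUARANTINE = ("blocked extension", "double extension", "executable content", "declared type")


def verdict(findings: Dict[str, List[str]]) -> str:
    """'quarantine' for anything executable or disguised, 'flag' for macros, else 'deliver'."""
    reasons = [r for rs in findings.values() for r in rs]
    if any(r.startswith(QUARANTINE) for r in reasons):
        return "quarantine"
    return "flag" if reasons else "deliver"


def build_sample_message() -> bytes:
    """Constructed message: one clean PDF, one disguised executable, one macro document."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "businessoffice@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n% constructed pdf body\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="application", subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="notes.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    findings = triage_message(build_sample_message())
    for name, reasons in findings.items():
        print(name, reasons or "clean")
    print("verdict:", verdict(findings))
```

The point of checking the bytes as well as the name is that the sender controls both the filename and the declared Content-Type; the "MZ" header is the one thing a renamed executable cannot hide. Gateway filtering of this kind, plus removing local administrator rights, is what makes "don't click on attachments" training survivable, because training alone will not hold across every employee and every day.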
Problem #8:
Two hospital employees leaked a medical record to
ESPN, which posted the record on Twitter.
30
How do we remove
the workaround?
?
31
How do we help
employees get it
right?
?
32
Problem #9:
Two paramedics engaged in a selfie war by text.
They competed to take the most shocking pictures of
themselves with patients.
They were arrested and now face criminal charges.
33
How do we remove
the workaround?
?
34
How do we help
employees get it
right?
?
35
Questions?
Margaret Scavotto, JD, CHC
Director of Compliance Services
Management Performance Associates
314.434.4227 ext. 24
[email protected]
© 2016 Management Performance Associates. Because MPA is a consulting company and not a law firm, neither MPA nor
any of its employees provide legal advice or legal services. Nothing contained in this PowerPoint constitutes legal advice. It
is strongly recommended that all providers consult with competent legal counsel versed in HIPAA as they address HIPAA
compliance and develop and implement HIPAA and social media policies and procedures.
36
Montez Fitzpatrick
Director of Information Security and Compliance
Keystone Technologies
314-621-9500
[email protected]
37