The Network of Christian Counselors, 13 February 2017. Copyright © 2017 Harry Morgan. All Rights Reserved. Permission granted to reproduce with attribution & citation of http://networkofchristiancounselors.com/

Avoiding Common Security Breaches & HIPAA Violations

Mar 03, 2017


Page 2

Part III

On August 30, 2016 the Office for Civil Rights ("OCR", the agency that enforces HIPAA) announced that its regional offices will start actively investigating small security breaches, i.e. those affecting fewer than 500 individuals.

They seem especially interested in situations where breaches happen because cloud services got hacked, or because equipment got lost or stolen.

Page 3

HIPAA "breach notification" (added by the HITECH Act) means that when a security "breach" happens, such as a laptop with health records on it being stolen or lost, the affected clients must be notified, and so must the federal government (HHS).

A practical caveat: the notification rule applies to unsecured PHI. If the lost or stolen device was encrypted in line with HHS guidance, the data on it does not count as "unsecured" and the loss is generally not a reportable breach. That is the main reason the encryption steps later in this deck matter.

Page 4

January 2013 Final Rule for HIPAA and HITECH (the "Omnibus Rule")

• Any cloud service provider who "maintains" your information, even if they "don't look at it", must be a Business Associate.

• As "cloud"-based paperless offices have become more popular, several services that use this encrypt-before-you-send scheme have popped up, including Carbonite's self-managed key service, Swiss Disk, and Sookasa. (Encrypt-before-you-send means the files are encrypted on your own computer with a key the provider never holds, so the provider stores only unreadable data; per the first bullet, the provider is still a Business Associate.)

Page 5

DATA SECURITY BREACH NOTIFICATION LAWS

As of September 1, 2016, 47 states and all US territories have their own breach notification rules. (Mintz Levin, 2016)

https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf

Page 6

DATA SECURITY BREACH NOTIFICATION LAWS

The 2016 Florida Statutes, §501.171 Security of confidential personal information

If a "security breach" occurs:

• Each affected individual must be notified within 30 days of determining that a breach occurred

• The Department of Legal Affairs must be notified within 30 days if the breach affects 500 or more individuals in Florida

Page 7

What is . . .

• Privacy? Client choices about information

• Confidentiality? Duty to uphold privacy choices

• Security? Logistics of confidentiality

Page 8

What is . . .

According to guidelines put out by the National Institute of Standards and Technology (NIST), a "risk" exists where a vulnerability and a threat meet:

A Vulnerability + A Threat = A Risk

(NIST's full definition also weighs how likely the threat is to exploit the vulnerability and how bad the impact would be; those two factors decide which risks to treat first.)

Page 9

Risk 1. Email Service (your resource): "Emails are sent across the Internet without anything to hide their contents from prying eyes" (vulnerability) + Hacking (threat) = Risk 1

Risk 2. Laptop Computer (your resource): "Laptop computer with confidential information gets carried out of the office regularly" (vulnerability) + Theft (threat) = Risk 2

Page 10

We can reduce risks by using security measures. HIPAA defines three kinds of security measures (the Security Rule calls them safeguards):

1. Technical measures: Using software and hardware to reduce security risks. This means using passwords, encrypting information, etc.

2. Physical measures: Putting things into place that restrict physical access to information. This means putting locks on doors and cabinets, storing computers in locked rooms, etc.

3. Administrative measures: Creating policies and procedures that reduce security risks. This means making a policy for when and how you and clients exchange text messages, making a procedure that lays out how often you back up your computer, etc.

⇒ Never underestimate the power and necessity of administrative security measures.

Page 11

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

45 CFR §164.308(a)(1)(ii)(A)

Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

45 CFR §164.308(a)(1)(ii)(B) (emphasis mine)

Page 12

Email addresses can be used to identify people very easily, and email addresses are on the list of 18 identifiers that HIPAA defines as without-a-doubt personally identifying. Personally identifying information combined with health information makes what HIPAA calls "protected health information" (PHI). Ethically, we would consider it "confidential information".
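As an added example (not part of the original presentation), the following Python script shows the kind of check the point above calls for: before a note or message leaves the practice over plain email, scan it for the identifiers that can be recognized mechanically. The draft message, the patterns and the function names are all constructed for this illustration. The script covers only a few of the 18 identifiers (email address, phone number, SSN, dates, IP address); names, street addresses and record numbers cannot be caught reliably with a regular expression, so this is a first-line check, not a complete data-loss-prevention tool.

```python
import re

# Patterns for a handful of HIPAA's 18 identifiers that can be recognised mechanically.
# Names, street addresses, record numbers etc. need more than a regex; treat this as a
# first-line check before sending, not as a complete data-loss-prevention tool.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    # US phone numbers such as (941) 555-0100, 941-555-0100 or 941.555.0100
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    # Calendar dates in US notation (MM/DD/YYYY); any date tied to a client is an identifier
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Dotted-quad IP addresses (also flags version strings like 1.2.3.4; review hits by hand)
    "ipv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
}


def find_identifiers(text: str) -> dict:
    """Return {kind: [matched strings]} for every identifier pattern that hits."""
    found = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[kind] = matches
    return found


def is_unsafe_to_email(text: str) -> bool:
    """True if the text carries at least one identifier. Combined with any health
    content that makes it PHI, which must not travel over unencrypted email."""
    return bool(find_identifiers(text))


def redact(text: str) -> str:
    """Replace each recognised identifier with a [KIND] placeholder, e.g. for a log entry."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


# Constructed sample draft for this example, not a real client message.
SAMPLE_DRAFT = (
    "Hi Dana, following up on our session: your anxiety screening score improved.\n"
    "Please confirm your new number (941) 555-0100 and whether jdoe@example.com is\n"
    "still your preferred address. Next appointment: 03/14/2017."
)

if __name__ == "__main__":
    for kind, values in find_identifiers(SAMPLE_DRAFT).items():
        print(f"{kind}: {values}")
    if is_unsafe_to_email(SAMPLE_DRAFT):
        print("Do not send over plain email; use the client portal or an encrypted channel.")
        print("Redacted copy for the audit log:\n" + redact(SAMPLE_DRAFT))
```

Run against the sample draft, the scan flags the phone number, the email address and the appointment date, and the draft is blocked from plain email; the redacted copy is what should go into any log, since a log that stores the identifiers would itself be PHI.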

Page 13

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides file-system-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Caveat: EFS encrypts only the files and folders you mark, and its keys are tied to your Windows account, so a weak login password or a lost certificate backup undermines it. For a laptop that leaves the office, full-disk encryption (BitLocker on Windows, FileVault 2 on a Mac, as recommended later in this deck) protects everything on the drive and is the better default.

Page 14

1. "I look good"
2. "I like cats"
3. "A lite card"
4. I have no idea what it says

https://personcenteredtech.com

Page 15

How about if I show you this code key?

01=M 02=N 03=O 04=P 05=Q 06=R 07=S
08=T 09=U 10=V 11=W 12=X 13=Y 14=Z
15=A 16=B 17=C 18=D 19=E 20=F 21=G
22=H 23=I 24=J 25=K 26=L

If we use the code key, we can see that the secret message is "I like cats."

https://personcenteredtech.com
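As an added example, not part of the original slides, the following Python reproduces the slide's code key (the alphabet shifted by 14 positions, so A=15 and M=01) and then shows why such a key illustrates encryption but is not a substitute for it: there are only 26 possible shifts, so anyone can try them all and keep the one that yields English. The coded message is constructed here by applying the slide's key to "I like cats"; the word list and the function names are this example's own.

```python
import string

ALPHABET = string.ascii_uppercase
SLIDE_SHIFT = 14   # reproduces the slide's key: A=15 ... L=26, M=01 ... Z=14


def code_key(shift: int = SLIDE_SHIFT) -> dict:
    """Letter -> two-digit code for a given shift (shift=14 is the slide's key)."""
    return {letter: (i + shift) % 26 + 1 for i, letter in enumerate(ALPHABET)}


def encode(plaintext: str, shift: int = SLIDE_SHIFT) -> str:
    """Replace each letter by its code; codes are space-separated, words separated by ' / '."""
    key = code_key(shift)
    words = []
    for word in plaintext.upper().split():
        words.append(" ".join(f"{key[c]:02d}" for c in word if c in key))
    return " / ".join(words)


def decode(ciphertext: str, shift: int = SLIDE_SHIFT) -> str:
    """Invert encode() for a given shift."""
    inverse = {number: letter for letter, number in code_key(shift).items()}
    words = []
    for word in ciphertext.split("/"):
        words.append("".join(inverse[int(token)] for token in word.split()))
    return " ".join(words)


# A tiny constructed word list; a real attacker would use a full dictionary.
COMMON_WORDS = {"I", "A", "THE", "AND", "LIKE", "LOOK", "GOOD", "CATS", "LITE", "CARD"}


def brute_force(ciphertext: str) -> list:
    """Try every one of the 26 shifts and keep those whose words are all in COMMON_WORDS.
    The key space is so small that the 'key' gives no real secrecy."""
    hits = []
    for shift in range(26):
        candidate = decode(ciphertext, shift)
        if all(word in COMMON_WORDS for word in candidate.split()):
            hits.append((shift, candidate))
    return hits


if __name__ == "__main__":
    secret = encode("I like cats")          # constructed: the slide's message under its key
    print("coded message:", secret)         # 23 / 26 23 25 19 / 17 15 08 07
    print("with the key:", decode(secret))
    print("without the key:", brute_force(secret))
```

The brute-force loop recovers shift 14 and "I LIKE CATS" without ever seeing the key. A 26-key cipher falls in one loop; the AES keys behind BitLocker or FileVault have at least 2^128 possible values, which is why the strength of real encryption rests on the key (and on the password or passcode that protects it), not on keeping the method secret.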

Page 16

ENCRYPTION

Mac – FileVault 2

Windows – BitLocker

iPhone – set a strong passcode (iOS encrypts the phone's storage by itself; the passcode is what protects the key, so its strength is what matters)

HIGHLY RECOMMENDED for on-line training: Roy Huggins, LPC NCC
https://personcenteredtech.com/courses/investigation-repellent-self-study/

Page 17

• Encrypt your computer, phone, or tablet
• Encrypt external stuff like USB thumb drives and external hard drives
• Set stronger passwords on your phones and tablets
• Activate the antivirus on your device
• Activate the firewall on your device
• Know when a WiFi network is safe and when it isn't (treat open or shared WiFi as unsafe for client data unless each connection is itself encrypted, e.g. HTTPS or a VPN)


Page 19

FaceTime: end-to-end encryption, so neither Apple nor anyone on the network can listen to the call (the devices at each end, and anyone in the room, are still exposures)

Google Hangouts and Skype: no end-to-end encryption; the provider holds the keys, so calls can be wiretapped

Page 20

Secure communications compared. Columns: (1) Transit encryption, (2) Unreadable by the provider (end-to-end encryption), (3) Contact identity verification, (4) Past communications secure if keys are stolen, (5) Open to independent review, (6) Security design documented, (7) Code audited. (These are the seven criteria of the EFF Secure Messaging Scorecard.)

Service           (1)  (2)  (3)  (4)  (5)  (6)  (7)
FaceTime          yes  yes  no   yes  no   yes  yes
Google Hangouts   yes  no   no   no   no   no   yes
Hushmail          yes  no   no   no   no   no   no
iMessage          yes  yes  no   yes  no   yes  yes

Page 21

Security in Regard to Confidentiality

Noting APA comments about Skype: Resulting from lack of encryption and security, Skype is not a confidential form of communication and is deemed "ill advised" for providing telepsychology.

Page 22

Mental Health Counselors must:

• Check with their malpractice carrier to see if Skype is covered
• Check with the patient's insurance to determine coverage
• Use only with established patients
• Avoid using with high-risk patients
• Obtain written consent before using Skype
• Ensure patients fully understand that Skype is not the same as conversation, and anything said on Skype can be published, used, broadcast, etc.

Page 23

Business Associates are people and organizations who, in the normal course of business, handle sensitive information on your behalf. Examples:

• Billing services
• Collection agencies
• Record storage companies
• Practice Management Systems
• Electronic Health Record systems
• Email providers
• Attorneys
• Accountants

Page 24

Getting an updated NPP ("HIPAA Form"):

1. Free models supplied by the federal government: http://www.healthit.gov/providers-professionals/model-notices-privacy-practices

2. Roy and Ofer Zur's 1-Hour CE course on the compliance deadline includes Dr. Zur's updated NPP Form: http://zurinstitute.com/hipaa_compliance13_course.html


Page 26

References

• Collie, K., Cubranic, D., & Long, B. (2002). Audiographic communication for distance counselling: A feasibility study. British Journal of Guidance & Counselling, 30(3), 269-284.

• Gregory, Kim L. (2010, Jan 10). Camarillo funeral home unplugs online grief counseling. Ventura County Star: Ventura, California.

• Heinlen, K., Welfel, E., Richmond, E., & O'Donnell, M. (2003). The nature, scope, and ethics of psychologists' e-therapy Web sites: What consumers find when surfing the Web. Psychotherapy: Theory, Research, Practice, Training, 40(1), 112-124.

• Heinlen, K., Welfel, E., Richmond, E., & Rak, C. (2003). The scope of Web-counseling: A survey of services and compliance with NBCC Standards for the ethical practice of Web counseling. Journal of Counseling & Development, 81(1), 61-69.

• "International Online Therapy: What To Know Before You Go." Person-Centered Technology. N.p., 2016. Web. 29 Dec. 2016.

• Kaplan, D. (2005). Ethical use of technology on counseling. Counseling Today. American Counseling Association: Alexandria, Virginia.

• "Military Patients: Recommendations for Treating Service Members." National Register. N.p., 2016. Web. 27 Dec. 2016.

Page 27

• NetCE. Continuing Education for Florida Mental Health Professionals. 5th ed. Vol. 142. Sacramento, CA: NetCE, 2017. Print. Continuing Education.

• Ritchie, Rene. "Apple's FaceTime Is End-to-end Encrypted. Google Hangouts... Isn't." iMore. Mobile Nations, 13 May 2015. Web. 27 Dec. 2016.

• Scharff, Jill Savege. Psychoanalysis Online 2: Impact of Technology on Development, Training, and Therapy. London: Karnac, 2015. Print.

• Shaw, H., & Shaw, S. (2006). Critical ethical issues in online counseling: Assessing current practices with an ethical intent checklist. Journal of Counseling & Development, 84(1), 41-53.

• "Social Workers and E-Therapy." N.p., Web. 27 Dec. 2016.

Page 28

You can contact Harry at: Biblical Counseling Center, 825 4th Street West, Palmetto, FL 34221, 941-729-6600

[email protected]