HIPAA Enforcement Rule


Time
3 hours 42 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:00
Welcome back, you cyber Keystone Cops, to Implementing a HIPAA Compliance Program for Leadership, lesson 1.3, the HIPAA Enforcement Rule. So if you and the rest of the squad are ready, let's load up into our armed response vehicle, which for us is our horse because, well, we're from Canada. Actually from the U.S., but we really like hockey.
00:17
Where was I? Oh, yeah. There's been a 10-7 Niner
00:20
Delta Bravo, and we need to investigate. And don't forget the battering ram.
00:25
So in today's lecture, we will review the HIPAA Enforcement Rule and its governing bodies. And we're going to start calling our bail bondsman, because we're stacking up fines and penalties and we haven't even had our day in court yet. We're gonna look at the provisions and the entities the Enforcement Rule applies to, and we introduce one of my favorite people, the winner of the HIPAA police ball and dancing contest,
00:45
the privacy officer.
00:46
And we look at how the Privacy Rule affects our business associates.
00:51
So when there's a violation of the HIPAA Security and Privacy Rules, those laws are enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR enforces the Privacy and Security Rules in several ways: by investigating complaints filed with it, conducting compliance reviews to determine whether covered entities are in compliance,
01:10
even performing education and outreach to foster compliance
01:12
through security program improvements. OCR reviews the information that it gathers, and in some cases it's found that covered entities did not violate the requirements of the Privacy and Security Rules. And there are several steps, from compliance to corrective actions, before criminal penalties are ever filed. If it's decided criminal penalties are to be pursued,
01:30
the case is referred to either the U.S. Department of Justice
01:34
or to civil court, where civil violations like class action lawsuits across multiple states could be filed and where the states' attorneys general are called to action.
01:44
I want to give a shout out to my friend Catherine MacGyver, Cybrary's manager of curriculum development, a Cybrary instructor herself with two courses on Six Sigma management principles, who was a health care professional for many years. Catherine pointed out to me a great example that she reviewed when she was learning about HIPAA for her health care professional growth. Catherine shared
02:01
in 2003 about a researcher
02:05
and a surgeon who, in the last three weeks before his dismissal, accessed hundreds of medical records, including those of numerous celebrities and movie stars. The surgeon had no medical reason to access these records. And so OCR forwarded the case to the U.S. Department of Justice, and the surgeon, after being found guilty in federal court, served three months in jail.
02:22
So simply accessing and reading medical records without reason
02:25
or patient consent could put you in what the sheriff calls the pokey, the big house, the slammer. You know, the clink.
02:32
So the HIPAA complaint process has a very in-depth checks and balances system. Once a HIPAA complaint has been filed, that complaint ultimately lands on the Office of the Secretary of Health and Human Services (HHS) and the Office for Civil Rights for intake and review. If, after initial review, the complaint is considered a possible criminal violation, it's forwarded to the Department of Justice.
02:52
If the complaint is deemed egregious enough, it is accepted by the DOJ for criminal prosecution.
02:57
Otherwise, it is pushed back to the OCR and treated like all Privacy and Security Rule violation complaints, where an investigation by the OCR and the Office of Inspector General (OIG) ensues. The result of the investigation by the Office for Civil Rights and the Office of Inspector General can have several different outcomes, from no violation being found
03:15
to voluntary compliance by the covered entity.
03:17
to corrective actions imposed by the OCR on the covered entity. And then the OCR will publish its formal findings of the covered entity's violations.
03:27
All resolutions of civil complaints have a time window written in for resolution. You will fix your firewall that your firm failed to keep upgraded, that the hacker took advantage of and stole protected health records. Well, you've got six months to fix that. You didn't intentionally run old code on your firewall, so it's not deemed willful neglect; you're just a small network with a small staff that's overburdened.
03:45
So the OCR is going to fine you $20 for the first unknowing violation. But if it happens again,
03:51
let's call it 18 months, your next violation will be deemed willful neglect and your fine will be $100,000. And you agree that within six months of remediating your firewall software, you're gonna have a third party run vulnerability scans and pen testing against your network perimeter. The civil money penalties,
04:05
CMPs, can be classified from the OCR and OIG investigation, ranging from an unknowing violation,
04:12
you couldn't have known about the root cause of the violation but you still could have prevented it, or the cause was found to be reasonable yet still a violation, or you're willfully neglectful, the remediation to prevent the violation was considered by you too expensive, too hard, or you simply were willing to roll the dice and hope you weren't going to get caught,
04:29
or if the violation was performed under knowingly false pretenses, like the surgeon who accessed the records before he was dismissed
04:34
to try to gain some kind of personal or financial advantage. Well, your fines could be substantial, with up to 10 years in the gray bar hotel, the stony lonesome.
04:45
So if your partner or affiliate was the cause of the violation, and you can prove that, then in most cases your organization is off the hook. But know that when it comes to criminal violations of the HIPAA Security and Privacy Rules, individuals of the covered entity, like the director of the covered agency or the CISO, whose job it was to manage the security program to protect the clients' protected health information,
05:03
can be criminally prosecuted
05:05
if you knowingly and willfully disregarded the vulnerabilities in your firewall, and you were the manager of the IT team whose job it was to harden the firmware on the firewall device, and a breach occurs, causing loss of money, privacy or even the loss of life. Well, it happened under your watch. So it's important to know that for criminal prosecution by the Department of Justice,
05:24
it's enough for an individual to know of the acts
05:26
or neglect that led to the data breach. You didn't have to know about the specific law that was broken, so just knowing that the firewall was vulnerable and you did nothing about it, well, that might be viewed by the DOJ as a crime.
05:39
The HIPAA Security Rule mandates that every practice or health care organization that creates, stores or transmits ePHI must designate a privacy compliance officer, regardless of their size. In larger firms, there will typically be a dedicated HIPAA privacy officer.
05:51
However, in smaller organizations this might fall to someone with administrative or IT responsibilities and will be their second day job.
05:59
These talented people and the privacy programs they manage are incredibly important to the covered entities so that they stay HIPAA compliant, and one of their most important roles is their oversight of business associate agreements.
06:11
A business associate agreement, or BAA, is a written agreement between a covered entity and a business associate which states that both sides will do all they can to maintain the safety and integrity of PHI, along with provisions that determine which kinds of PHI will be handled by the business associate.
06:26
It's the HIPAA compliance privacy officer's responsibility to keep the BAAs thorough and up to date.
06:30
If you want to do business with my firm, you will protect our clients and their PHI and agree to comply with or adopt our privacy rules into your own organization, adopt them into your culture and make them part of your core values. Otherwise, we can't do business.
06:46
Oh no, it's time for that Cybrary quiz. Nothing nearly as hard as making you get out of your car and performing a road test by saying the alphabet backwards while juggling bowling pins. But for now, what are two types of HIPAA violations, and what are CMPs? So hit pause. Stop reciting the alphabet backwards because, well, you stink at it,
07:02
and pick up your bowling pins that you dropped and explain to the officer that you haven't been drinking anything stronger than coffee.
07:08
And when you're done, hit resume and we will review your answers.
07:12
When it comes to enforcing the HIPAA Security Rule and Privacy Rules, there are criminal violations and civil violations. Criminal violations are enforced by the U.S. Department of Justice, and civil violations are enforced by the HHS Office for Civil Rights, the OCR, and, if found in violation, that may invoke a civil money penalty, or CMP,
07:29
and depending on severity, a fine or multiple semesters at the away-from-home school. Because we know a lot of you folks out there want to travel and see the world,
07:36
an extended stay where you have lots of time to read at con college, and your con college education includes three hot meals and a job in the laundromat. Now that is an accreditation that will look great on your resume.
07:48
So in this video, we identified the enforcement bodies of the Enforcement Rule, the HHS Office for Civil Rights and the Department of Justice. We looked at the checks and balances of the HIPAA complaint intake process and various resolutions, from voluntary compliance all the way to three hots and a cot in Sing Sing.
08:05
And we learned that it's about time we get a chief privacy officer to help us with a very crucial job of maintaining our business associate agreements.
08:11
And in our next lecture in our HIPAA for Leadership series, we'll review the Omnibus Rule.
08:16
So thanks for attending this third lecture of the Cybrary course Implementing a HIPAA Compliance Program for Leadership. You now know some of the foundational elements of the HIPAA Enforcement Rule, some of the penalties, and lots of slang terms for that place called jail: the hoosegow, the joint, you know, Club Fed. So on behalf of all of us cyber criminals, we want to say thank you so much for joining.
08:35
We want you to take care.
08:37
We hope you're having a little bit of fun as well
08:39
and pleasant journeys. See you next time.
Course: Implementing a HIPAA Compliance Program

The course reviews the processes, procedures, methodologies, and controls for ensuring the security program of a healthcare organization adheres to the HIPAA Security Rule and the HIPAA Privacy Rule.