AHIMA kicked off the 88th Annual Convention and Exhibit on Saturday with the Privacy and Security Institute—which this year celebrates its 10th anniversary.
The institute opened with Lucia Savage, chief privacy officer at the Office of the National Coordinator for Health IT (ONC), providing an update about what’s in the pipeline for her organization. Some of the highlights from Savage’s presentation included a reminder that by January 1, 2018 all certified electronic health records (EHRs) must publish engineering specification to a read-only application program interface (API). In collaboration with that mandate, the Centers for Medicare and Medicaid Services (CMS) rules require that individuals be able to use their app of choice to access their personal health information (PHI) from the read-only API prescribed by ONC.
Highlighting ONC’s recent push to dust the cobwebs off HIPAA and ensure providers and patients know the rules and rights granted by the law, Savage reviewed the “HIPAA Basics” resources available to educate professionals and consumers. “These are fact sheets taken directly from the rule and turned into easy-to-understand tools,” she said. Phase I of HIPAA Basics included videos, documents, and an infographic on treatment, healthcare operations, and patients’ right to access. Phase II focuses on information exchange for public health activities and health oversight (i.e., Medicaid, health insurance).
Savage also mentioned the updated security risk assessment tool released last month. “The tool lets you assess your security environment and where you need to remediate. It is not meant to do the remediating for you,” she said. Savage concluded her talk by discussing a project near and dear to her heart—“computable privacy.” “Computable privacy brings more tools to the space where computers meet privacy requirements and gets rid of paper where it’s really not needed,” she said.
Following Savage, Mark Hinely, JD, GLEG, with KirkpatrickPrice, LLC and a current Office for Civil Rights HIPAA Audit Phase 2 auditor, opened his session with a laugh, saying, “I can’t talk about OCR Phase 2 audits. I won’t talk about OCR Phase 2 audits. I can’t talk about Phase 2 audits.” Hinely provided tips on how to prepare for and survive a HIPAA audit in his appropriately titled session, “The Top 257 Strategies for Surviving HIPAA Audits.” Hinely’s four key tips: prepare, prioritize, communicate, and take inventory (of your assets). “The risk analysis kills multiple birds with one stone,” he responded, when asked what the one key thing to have for an audit would be.
David Finn, CISA, CISM, CRISC, the health IT officer at Symantec Corporation, closed the first day of the Institute presenting the findings of the 2016 Healthcare Internet Security Report, stating that the total number of identities exposed in 2015 spiked 30 percent compared to 2014. Mac McMillan, CISM, CEO at Cynergistek, picked up where Finn left off, opening day two of the Institute with his presentation “Cybersecurity: The Super 4.” Those super four things to watch out for are: financial crime, espionage, hacktivism, and advanced persistent threats. “Over 90 percent of phishing e-mail today has some version of ransomware attached to it, and 80 percent of that is targeted specifically at healthcare,” McMillian said.