Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


WHCA WICAL Spring 10


Brian Purtell

on 19 June 2010

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of WHCA WICAL Spring 10

While generating new risks, technology advances has and will yield
Improved Efficiency
Improved Documentation
Performance Improvement
Cost-effective and current marketing, public and media relations
Enhanced communications for employees, staff, residents and families
Customer demands and improved quality of life Technology Risks for LTC Providers and Counsel Privacy and Confidentiality Information Security
Data Breaches
Identity Theft Facility Reputation Employee Privacy and Morale Use of Devices While "on the clock" But, not without added risks...

We can't cover all, but we hope to stimulate thoughts on certain issues that providers should consider. Talking/Texting while Driving Sabotage/Alteration of E-Records Workplace Harassment Internet/Computer Access at Facility Wage & Hour Steps Providers Can Take to
Minimize Risks Associated with Technology Learn and Understand Technology You cannot train or develop policies about what you do not understand Where and how to learn? Review and Revise Policies Personnel Policies and Handbooks Cell Phone/Handheld/Camera Policy Driving/Transport Policies Privacy/Confidentiality Policies and Training! quick training diversion... Re-train
Make it relevant
Understand your topic
Recognize different learning styles
Provide concrete examples
Use technology to discuss technology Facility Internet Usage Policy Review and Revise Resident and Family Policies Camera, Handheld device, Cell Phone Policies Resident and Visitor Internet Usage Policy Monitor Activity Who is saying what about facility staff Set up alerts
Search on regular basis Encourage Formation of Technology Committee Multi-disciplinary Internal or External Experts Conduct Risk Analysis Explore Benefits as well as risks Minimizing Risk in a Wireless World
Visit http://drop.io/whcawical_minimize_risk
for resources, tools, and additional documents Storage
Wireless networks
Laptop & smartphone security
Employee access or use of data at home
Destruction Business Associates, including counsel
Notice requirements (who, when, and how)
Red Flag Rules Social media has increased opportunities for violations
Camera phones and recording devices
Video calls
Surveillance to protect/security, but cautions
Employee actions as well as resident and families e=risk While good news can travel fast, bad news travels
faster Upset family can now take their grievances to the world
Videos on Youtube
Anyone can set up a website or blog
Shelf-life of "news" much longer
"water cooler gossip" Broadcast gossip (or worse) Malicious campaigns
Hi-tech smear
Labor disputes/actions
Impact of negative "ratings" or news on workforce Phones and handhelds everywhere:
Twitter and Facebook updates, texting friends Whose time is it?
If staff are distracted, at minimum, they are not productive, worse yet, such distractions put residents at risk Risk Analysis

§ 164.308 Administrative safeguards.

(a) A covered entity must, in
accordance with § 164.306:

(1)(i) Standard: Security management
process. Implement policies and
procedures to prevent, detect, contain,
and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct
an accurate and thorough assessment of
the potential risks and vulnerabilities to
the confidentiality, integrity, and
availability of electronic protected
health information held by the covered

(B) Risk management (Required).
Implement security measures sufficient
to reduce risks and vulnerabilities to a
reasonable and appropriate level to
comply with § 164.306(a). Good time to review if ALFs meets definition of
HIPAA "Covered Entity" Steady stream of research demonstrating risks of inattentive driving
Employees transporting residents
Contractors transporting residents "they should have known not to be texting
while driving" probably won't cut it Safeguards on eRecords, "covered entity" or not Internal and external threats New twists on traditional risks
sexual harassment
hostile work environment
retaliation By its very nature, e-mail invites abuse -- it is informal, easy to distribute...and discoverable. Productivity
Illegal activities (porn, music, copywrite)
Software piracy
Instant and constant access to employees when they are not "on the clock",
particularly problematic in ALF setting where few employees are Exempt Exempt v Non-exempt
Technology and off the clock work
Examples: hourly employees texting, calling, or using social media to conduct work/communicate with their supervisor during non-work time
Suffered or permitted to work/compensable
Remote access to "just finish up a few things at home"
On-line training
DOL Continues to Focus on LTC Field Wage & Hour Policy Considerations:

Address compliance and potential employee morale concerns
Train exempt employees/supervisors regarding the wage and hour issues associated with off the clock work
Reevaluate wage and hour policies to determine whether update is necessary or whether this is primarily a training issue that fits w/in your existing policy
Remind supervisors to monitor and enforce the above expectations
Hold supervisors accountable Policy Considerations
Basic provisions should include a statement regarding privacy/confidentiality; broad definitions of devices covered anticipate advancements in technology; reasonable restrictions on use with bypass procedures; and broad definition of users to include employees, volunteers, and/or visitors
Careful of unintended consequences of “zero tolerance” policy (consider first offense warning for possession in anticipation of true “mistakes”)
Clearly address restrictions on possession and use
Careful to include right to search employee belongings and person to ensure compliance with policy
Address consequences for violations of policy, including disciplinary action and right to confiscation
Recognize benefits of certain devices and prepare for explanation of “exceptions”
Policy Considerations:
Review state and local laws, mindful that localities within travel area may have stricter limitations
Written rules on restrictions while driving to protect residents, facility and staff
Discipline provisions
Policy Considerations:
Review Federal and State Laws
Review restrictions regarding resident privacy and confidentiality, orientation, training programs, and policies addressing these issues
Review/update to address social media, handheld devices, resident rights and reporting obligations
Updated to reflect the additional risks that exist, particularly with the explosion of social media and technology.
Policy Considerations
Step One: Have one
Instructions on appropriate usage, i.e., usage limited to designated purposes rather than trying to enumerate all the things that are prohibited.
Limit access to work related usage only
Discipline for violations

Additional Considerations
Access controls: filters or blocks
Depending on prevalence within facility, may consider limiting some computer to only access specific sites
Restrict access to "visible" areas
Software protections
User profiles
Security and virus protection
Monitor usage, review histories, search for images
Email policy and training Policy Considerations
Review relevant state laws
Include policy and explanation in admission process
Address appropriate and inappropriate usage of phones and cameras, for both privacy/confidentiality, but also for courtesy.
If not restricted by state law, consider prohibition on hidden cameras without facility authorization.
Consequences for violations, including where appropriate, discharge.

Access controls
Network Security
Capacity issues Policy Considerations
Will depend on facility provided vs. resident provided
Will depend on access capacity, i.e. may have to restrict streaming video/audio to allow adequate access for all.
Reasonable restrictions as to location and content
Webcams: Similar restrictions as to other cameras, instructions should explain significance of capturing images of other residents and staff.
Advise supervisors to discourage off the clock work by pointing out to their employees that:

Employee(s) willingness to help the organization is appreciated.
Our organization encourages healthy work life balance and it is generally not necessary to text, email or address work matters during non work hours. Risk analysis and risk management are important to covered entities since these processes will “form the foundation upon which an entity’snecessary security activities are built.” (68 Fed. Reg. 8346.) EXAMPLE RISK ANALYSIS STEPS 1. Identify the scope of the analysis. 2. Gather data. 3. Identify and document potential
threats and vulnerabilities.
4. Assess current security measures. 5. Determine the likelihood of threat occurrence.
6. Determine the potential impact
of threat occurrence. 7. Determine the level of risk. 8. Identify security measures and finalize documentation. For Example: The risk analysis scopethat the Security Rule requires is the potential risks and vulnerabilities to the confidentiality, availability and integrity of all EPHI that a covered entity creates,receives, maintains, or transmits. What are your sources of vulnerabilities
What data do you store and where
Who is using what. Vulnerability=“[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a
violation of the system’s security policy.” Threat=“[t]he potential for a person or
thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Analyze current security measures implemented to minimize or eliminate risks
Security measures can be both technical and nontechnical.
Review current policies “Likelihood of occurrence” is the probability that a threat will trigger or exploit a specific vulnerability.
Consider each potential threat and vulnerability combination and rate them by likelihood (or probability) that the combination would occur.
High, medium, low rating Loss of information
Unauthorized access
Regulatory exposure
Financial loss
Harm to reputation
Others Risk is a function determined by the likelihood of a given threat triggering or exploiting a specific vulnerability and the resulting impact
Full transcript