New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

Transcription

1 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010

2 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act (HITECH) on February 17, Among other provisions, HITECH makes several changes to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

3 Previously, HIPAA did not require covered entities to notify individuals or the Department of Health and Human Services (HHS) when their Protected Health Information (PHI) was improperly disclosed, although notification was sometimes part of a covered entity's effort to mitigate harm to an individual caused by a wrongful disclosure. HITECH significantly changes HIPAA in this regard because it will require notification of certain breaches to unsecured PHI.

4 Effective Date The HHS interim final regulations were effective September 23, HHS has begun imposing penalties for failures to provide notification for breaches discovered before February 22, Example, CVS

5 Among other issues, the reviews by OCR and the FTC indicated that: CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and CVS failed to adequately train employees on how to dispose of such information properly. Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan. The plan requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal; employee training; and employee sanctions for noncompliance.

6 New Breach Notification Rule Under the new rule, covered entities will be required to notify individuals of unsecured PHI that has been, or is reasonably believed to have been, accessed, acquired or disclosed due to a breach. Business associates will be required to notify the covered entity of such breaches.

7 Unsecured PHI HITECH defines the term unsecured PHI as PHI that is not secured by a technology or methodology specified by HHS through guidance that renders PHI to be unusable, unreadable, or indecipherable to unauthorized individuals.

8 Unsecured PHI (cont ) HHS on April 17, 2009 issued guidance that established the following technologies/methodologies: Encryption of electronic data at rest per National Institute of Standards and Technology (NIST) standards Encryption of electronic data in motion per NIST standards Shredding or destruction of paper, film or other hard copy media Destruction of electronic media per NIST standards

9 Breach Notification Methods The methods for breach notification depend in part on the size of the group of individuals affected: Written notice through first class mail to individuals (or via if specified as preferred by the individual), regardless of the size of the group affected. For groups of 10 or more individuals, post notification on the covered entity s website or a notice published in major print or broadcast media.

10 Breach Notification Methods (cont ) Notice published in prominent media outlets, if 500 or more residents of a state are affected. Notice to HHS, if 500 or more individuals are affected. Annual log to HHS of all breaches involving less than 500 individuals.

11 When to Notify? All notifications must be given without unreasonable delay, but no later than 60 days after discovery. Immediate notice to HHS must be given if 500 or more individuals are affected.

12 Breach Notification - Exceptions The following instances will not be considered a breach requiring notification: Unintentional access of PHI by a workforce member while performing his/her duties and the information was not further used or disclosed. Inadvertent disclosure of PHI by one workforce member to another at the same facility and the PHI was not further used or disclosed.

13 Still Need to Comply with Other Rules Even if the new breach notification requirement is not triggered, organizations may still be required to take the following actions in the case of a breach or other wrongful use or disclosure: Mitigate harm for improper use or disclosure. Log the wrongful disclosure on record.

14 Breach Notification Action Items Organizations are required to complete the following steps: Adopt new, or revise existing, policies and procedures regarding identifying and responding to breaches.

15 Breach Notification Action Items (cont ) Review e-security for all PHI. Create a process for breach response to ensure all breaches are appropriately handled. For example Call to 3 rd party Call to individual (patient) Meet with staff / office responsible for breach Complete incident report Letter to patient