HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014

Transcription

1 1 HIPAA BREACH NOTIFICATION REQUIREMENTS Heman A. Marshall, III July 25, 2014

2 2 SCENARIO FOR VBA SUMMER MEETING The Medical Marijuana Growers Association (MMGA) Health Plan, which is a self-fund plan, administered by We Got You Covered Insurance, conducts an audit every three years of the claims paid by We Got You Covered Insurance to make sure that claims are being paid properly. MMGA retains the services of the accounting and consulting firm of Winow, Yo Numbers PC. A consultant from the firm obtained the claims information from the insurance company / TPA. This information was provided on a CD which was encrypted. The CD was then opened and the information was downloaded onto the accounting firm s server. An employee of Winow, Yo Numbers, Ina Cloud, downloaded the information to her laptop to take on a long weekend trip to Atlantic City. When she parked her car at the casino she unwittingly left the laptop in the back seat. When she picked the car up at 1:00 a.m., she was not looking at the back seat; and failed to notice that the laptop had been removed. The next day when she decided to fire up her laptop and do some work she realized she no longer had it. Ina Cloud called her supervisor to notify her of the situation. The supervisor contacted you for advice.

3 3 HEALTH INSURANCE PORTABILITY ACT (HIPAA) The Privacy Rule standards address the use and disclosure of individuals protected health information (PHI) by covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used The Security Rule establishes a standards for protecting certain health information that is held or transferred in electronic form. It operationalizes the protections of the Privacy Rule by addressing the safeguards that covered entities must put in place to secure individuals electronic protected health information (EPHI)

4 4 HIPAA IMPORTANT DATES Privacy Rule: Effective April 14, 2003 Security Rule: Effective April 20, 2005 Health Information Technology for Economic and Clinical Health Act (HITECH) Signed: February 17, 2009

5 5 The Omnibus Rule IMPORTANT DATES Release Date: January 25, Fed. Reg Effective Date: March 26, 2013 General Compliance Date: Sept. 23, 2013

6 Omnibus Rule Breach Notification

7 7 POST-HITECH In the case of a breach that results in an unauthorized release of UPHI, written notice is required: To the individuals affected by first class mail or if imminent misuse possible, may be by phone If more than 500 individuals involved, notice to prominent media outlets

8 8 POST-HITECH To HHS annually if less than 500 individual residents of a single state involved in any particular Breach To HHS immediately where in excess of 500 residents of a single state involved HHS is required to post on its website CEs involved in Breaches of more than 500 individuals UPHI

9 9 UNSECURED PROTECTED HEALTH INFORMATION ( UPHI ) UPHI is PHI that is not protected by technologies and methodologies that render it unusable, unreadable or indecipherable by unauthorized individuals

10 10 UNSECURED PROTECTED HEALTH INFORMATION ( UPHI ) HHS issued preliminary Guidance on the manner in which to secure PHI so that it is not UPHI (April 17, 2009) Use of a specified technology or method creates a safe harbor Data Stages Data in Motion Data at Rest Data in Use Data Disposed

11 11 2 METHODS TO SECURE DATA 1. Encryption Data at Rest NIST Pub Data in Motion FIPS Standard NIST Pub or Destruction Hard Copy shredding or destruction so cannot be read or reconstructed Electronic cleared, purged or destroyed per NIST Pub See

12 12 WHAT IS A BREACH? Any unauthorized acquisition, access, use or disclosure of UPHI, which compromises the security or privacy of the UPHI Generally the acquisition, access, use or disclosure must result from a violation of the Privacy Rule

13 13 EXCEPTIONS TO BREACH 1. Unintentional acquisition, access or use by an employee or person under authority of the CE if: Made in good faith within the course and scope of employment; and Information not further acquired, accessed, used or disclosed; or

14 14 EXCEPTIONS TO BREACH 2. Inadvertent disclosure by an individual otherwise authorized to access PHI to similarly situated individual at the same entity if not further acquired, accessed, used or disclosed

15 15 EXCEPTIONS TO BREACH 3. The unauthorized disclosure of PHI to an unauthorized person who would not reasonably be able to retain the information

16 16 RISK ANALYSIS Under Interim Final Rule (Before Sept. 23, 2013): Breach means use or disclosure that poses significant risk of financial, reputational, or other harm to the individual i.e.: The Risk of Harm Test

17 17 RISK ANALYSIS CE had to institute reasonable systems to discover breaches, conduct a risk of harm analysis upon a breach, and document the assessment Risk of harm analysis may, however, have justified no notification

18 18 RISK ANALYSIS Omnibus FINAL Rule September 23, 2013 forward Major Changes Creates Presumption of Breach Risk Assessment still required Notice is required unless CE demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment May no longer use risk of harm test from Interim Final Rule

19 19 RISK ANALYSIS Elements To Consider: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; The unauthorized person who used the PHI or to whom the disclosure was made;

20 20 RISK ANALYSIS Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated

21 21 RISK ASSESSMENT Notice is NOT required if CE or BA demonstrates through the Risk Assessment that there is a low probability that the PHI has been compromised.

22 22 OTHER NOTICE REQUIREMENTS Notice to be given without undue delay but not later than 60 days after discovery Breach is discovered on the 1 st day it is known by an employee, officer, or agent, OR reasonably should have been known

23 23 REMEMBER To have a Breach: Must be PHI Must be a Breach Information is Unsecured (i.e., unencrypted) Must violate Privacy Rule Exceptions to Breach don t apply Risk Assessment reveals more than a low probability of compromise

24 Virginia Requirements Jonathan M. Joseph July 25, 2014

25 (Virginia) Personal Info Breach Personal Info is defined as the first name/initial and last name and Five or more digits of Social Security number More than last four digits of driver s license/id card number Last four digits of financial account number or credit card number with security code

26 (Virginia) Medical Info Breach Medical info includes individuals names with Insurance policy or subscriber number More than four digits of any individual s health insurance policy number or subscriber ID Information in an individual s application or claims history, including appeals records

27 (Virginia) Notification Required Personal information--if reasonably believed to have been acquired by unauthorized person, and will cause identity theft or fraud to resident of Virginia Health information--unauthorized access requires notification (lower threshold)

28 Notification Not Required Information is redacted or encrypted and access does not involve individual with encryption key

29 Redaction FOR PERSONAL INFORMATION it means limiting information to five digits of Social Security number or four digits of driver s license or state ID number FOR HEALTH INFORMATION it means no information regarding an individual can be identified, or no more than four digits of a health insurance policy or subscriber number can be identified

30 Applicable Entities Entities covered by Medical Information statute include all forms of governmental entities as well as entities that are funded principally or wholly by governmental entities

31 Applicable Entities Entities covered by Personal Information statute include governmental entities and instrumentalities

32 The Notice

33 (State & Federal) Notice Content General description of breach Type of information accessed Actions to prevent further access Contact information for assistance Statement of need for vigilant review of account statement and free credit reports

34 (Virginia) Timing of Notice Without unreasonable delay Sensitive to needs of law enforcement Consistent with internal investigation needs and restoration of system integrity

35 Additional State Notices Office of Attorney General Commissioner of Health for health information Consumer reporting agencies in certain circumstances

36 Content of Additional Notices Cover letter on entity s letterhead Approximate date of breach Breach discovery Cause of breach Number of Virginia residents affected

37 Content of Additional Notices Outline steps taken to remedy breach Provide sample of notification that affected individuals will receive

38 Other Considerations

39 State laws beyond where business primarily operates Identify advisors Insurance policy protection for losses and damages Regularly review applicable laws and regulations for changes

40 Scenario for VBA Summer Meeting The Medical Marijuana Growers Association (MMGA) Health Plan, which is a self-fund plan, administered by We Got You Covered Insurance, conducts an audit every three years of the claims paid by We Got You Covered Insurance to make sure that claims are being paid properly. MMGA retains the services of the accounting and consulting firm of Winow, Yo Numbers PC. A consultant from the firm obtained the claims information from the insurance company / TPA. This information was provided on a CD which was encrypted. The CD was then opened and the information was downloaded onto the accounting firm s server. An employee of Winow, Yo Numbers, Ina Cloud, downloaded the information to her laptop to take on a long weekend trip to Atlantic City. When she parked her car at the casino she unwittingly left the laptop in the back seat. When she picked the car up at 1:00 a.m., she was not looking at the back seat; and failed to notice that the laptop had been removed. The next day when she decided to fire up her laptop and do some work she realized she no longer had it. Ina Cloud called her supervisor to notify her of the situation. The supervisor contacted you for advice.

41 Questions