The ReHabilitation Center Buffalo Street. Olean. NY

Transcription

1 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach notification as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act and to extend notification requirements under HITECH to all business associates of The ReHabilitation Center. Additionally, it is The ReHabilitation Center s intent to protect the privacy and security of health information as required by federal HIPAA regulations and any other applicable NYS laws/regulations. If a breach of protected health information (PHI) occurs, The ReHabilitation Center is required to provide notification to certain individuals and entities pursuant to Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH) and any regulations promulgated under the act. This policy sets for the procedures The ReHabilitation Center will follow to assess known and potential breaches of PHI and to provide notification to affected individuals as necessary. Detailed Procedure(s): The ReHabilitation Center will investigate and document all reported or suspected breaches of PHI, and if necessary, notify the affected individuals, the Secretary of Health and Human Services, and in certain cases, the media, as required under HITECH. The ReHabilitation Center will amend its Business Associates Agreements to require that all business associates notify The ReHabilitation Center; without reasonable delay and as defined within each individual contract, but no later than 60 days from the date of discovery of any breach or suspected breach so that The ReHabilitation Center can investigate and fulfill its mandatory breach notification requirements; if necessary. Definitions: HITECH incorporates the definitions found in The ReHabilitation Center s HIPAA policy and procedure. Other terms are defined below. PHI (Protected Health Information): For the purposes of this policy, the term PHI means any program participant information, including very basic information such as their name or address, that (1) relates to the past, present, or future physical or mental health or condition of an individual, the provisions of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (2) either identifies the individual or could reasonable be used to identify the individual. BREACH: A breach is defined in the HITECH Act as the unauthorized acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, except where the unauthorized person would not reasonably have been able to retain such information, or in the case where one of three exceptions apply.

2 The breach must also pose a significant risk of financial, reputational or other harm to the affected individual. The HITECH Act requires formal investigations of potential breaches. The ReHabilitation Center has 60 days from the date of discovery of the breach or potential breach to make notifications, if required. It is imperative that any member of The ReHabilitation Center workforce (as defined by HIPAA) or any business associate, who knows, believes or suspects that a breach of protected health information has occurred, reports the breach to the Privacy Officer immediately. After a potential breach is reported, The ReHabilitation Center will conduct a thorough investigation and document its conclusions. The purpose of the investigation is to determine whether the breach triggers mandatory notification under HITECH, and if so, what notifications are required. The agency s Privacy and Corporate Compliance Officer: Susan A. Cross General Manager for Quality Management ext 610 scross@rehabcenter.org INVESTIGATION PROCEDURE: Any workforce member, who knows, believes or suspects that a breach of protected health information has occurred must report the breach to the Privacy Officer or designee immediately. After a potential breach is reported, the Privacy Officer will work with other staff and departments, including the HIPAA Security Officer, the information technology department, and in-house or outside legal counsel, if necessary, to determine if a breach requiring notification has occurred. As part of the investigation, the Privacy Officer will take all necessary steps to mitigate any known harm. The Privacy Officer/designee during and upon conclusion of the investigation, is responsible for documentation supporting the conclusion of the investigation. The details of the investigation will be documented in an investigation report that is kept on file by the Privacy Officer. Information regarding breaches or potential breaches; including internal/external reports of a breach, risk assessments as to possible harm, the investigation report, letters of notification to individuals, notice to media outlets, and the log of breaches to be reported to HHS, must be retained for a period of at least six (6) years. After a potential breach is reported, the Privacy Officer will conduct a thorough investigation to determine whether a breach of unsecured PHI requiring notification under HITECH has occurred. The ReHabilitation Center has 60 days from the date of discovery of the breach to make notifications, if required. If a breach under HITECH has occurred and notifications are required, the time period by which notifications must be sent to the affected individuals, HHS, and if necessary, the media is measured from when the breach is first discovered, not when the Privacy Officer completed his/her investigation into whether a breach has occurred. Not every report of a potential breach of PHI will result in the need to provide notification / or rises to the notification level of HITECH. Within the Privacy Officer s investigation, the following will be determined and documented in within:

3 (1) Determine whether there has been an impermissible acquisition, access, use, or disclosure of protected health information under the HIPAA Privacy Rule (2) Determine whether the PHI was secure or unsecure (3) Determine whether an exception applies (4) Determine whether the impermissible acquisition, access, use or disclosure compromises the security or privacy of the protected health information. Step 1: Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI under the HIPAA privacy regulations. An impermissible acquisition, access, use or disclosure under the HIPAA Privacy Rule, is one in which one or more elements of the Privacy Rule have been violated. The ReHabilitation Center will investigate and determine what provision of the Privacy Rule has been violated. HITECH requires that PHI be limited, when possible, to a limited date set where direct identifiers of an individual have been de-identified. Where this is not possible or practical, then the HIPAA Privacy Regulations require a minimum necessary standard. The ReHabilitation Center s workforce and business associates are generally expected to limit their uses and disclosures of PHI to the minimum amount of information necessary to perform their duties for The ReHabilitation Center. If The ReHabilitation Center determines that the acquisition, access, use or disclosure was permissible under the Privacy Rule, no further investigation is required. If, however, The ReHabilitation Center determines that an impermissible acquisition, access, use or disclosure has occurred, the investigation proceeds to step #2 below. Step 2: Determine whether the PHI is secured PHI or unsecured PHI : The breach notification requirements under HITECH are required only when a breach occurs that is related to Unsecured PHI. PHI will only be considered secured when the PHI has been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS secretary. HHS gui8dance on this issue states that PHI will not be considered secure unless it has either been (1) destroyed or (2) encrypted with specific standards approved by the National Institute of Standards and Technology (NIST). Following an approved method, a breach of secured PHI is exempt from mandatory breach notification. Unsecured PHI can potentially be used, read or deciphered either because there are not protections placed on it or because the protections are insufficient. The PHI has not been made unusable, unreadable or indecipherable to unauthorized individuals. While The Rehabilitation Center s use of firewalls, password protections/access controls and redacting meet the HIPAA Security Rule requirements, these methods do not adequately secure the PHI for HITECH purposes and they do not exempt The ReHabilitation Center from mandatory breach notification.

4 In most cases, The ReHabilitation Center s paper records containing PHI would be considered unsecured PHI and most of The ReHabilitation Center s electronic records would also be considered unsecure PHI. Impermissible use or disclosure of these records would trigger the notification requirements under HITECH. If the PHI in question is determined to be secured PHI, then The ReHabilitation Center does not need to make notifications. If the PHI is determined to be unsecured PHI, then the investigation proceeds to Step #3 below. Step #3: Determine whether the breach falls under one of the exceptions defined in HITECH The ReHabilitation Center may not have to make notifications if the breach falls under one of three exceptions defined in HITECH: EXCEPTIONS: 1) The acquisition, access, or use of PHI was made by a workforce member, in good faith and within the course and scope of employment, or other professional relationship, and it does not result in further disclosure or use not permitted under HIPAA; 2) There was an inadvertent disclosure by an authorized individual to another authorized individual at the same covered entity or business associate, and there was no further disclosure or use not permitted under HIPAA; and 3) There is a good faith belief that the unauthorized person to whom disclosure of PHI was made would not reasonable have been able to retain the information. If an exception applies, then The ReHabilitation Center will document its conclusions and end the investigation. If however, none of the exceptions apply to the impermissible acquisition, access, or use of PHI at hand, then the investigation, then a reportable breach has occurred, and The ReHabilitation Center will make the necessary notifications as required under HITECH. The investigation will subsequently proceed to Step #4. Step #4: Conduct a risk assessment to determine whether there is significant risk of financial, reputational or other harm to the individual. The guidance to HITECH adds a harm element to the definition of breach: a breach occurs when unsecured PHI is acquired, accessed, used or disclosed AND there is a significant risk of financial, reputational, or other harm to the individual. To determine whether there is significant risk of harm, The ReHabilitation Center is required to perform a fact-specific risk assessment. To access the likely risk of harm, The ReHabilitation Center will weight the following: 1. Who impermissibly used the information and to whom the information was impermissibly disclosed (there may be less risk if disclosed to another entity covered by HIPAA) 2. Whether any immediate steps have been taken to mitigate an impermissible use or disclosure 3. Whether the PHI disclosed was returned prior to being accessed 4. The type and amount of PHI involved in the disclosure 5. The risk of re-identification of PHI contained in a limited date set

5 Other considerations include: 1. The nature of the date elements breached and the context of the breach 2. The likelihood the information is accessible and usable. If the information can be easily used it would be high risk. If the information is encrypted the likelihood of use is significantly decreased. 3. The likelihood an unauthorized individual will know the value of the information and either use the information or sell it to others 4. The ability of The ReHabilitation Center to mitigate the risk of harm and whether The ReHabilitation Center was able to stop further disclosure and/or contain the breach. If The ReHabilitation Center concludes after its risk assessment that there was not a significant risk of harm, then no breach notification is required, and the investigation stops. However, the Privacy Officer is responsible for determining if an accounting of the breach must be made in the records of the individuals affected and for determining if the breach notification provisions of any other state or federal law apply. If the Privacy Officer concludes that a reportable breach has occurred, notification to the affected individuals, the Secretary of HHS and, if applicable, the media is required. NOTIFICATIONS: The ReHabilitation Center is required to provide notice to the affected individuals whose unsecured PHI has been, or is reasonably believed to have been acquired, accessed, used or disclosed as a result of the breach without unreasonable delay and no later than 60 calendar days from the date of discovery of the breach by either the business associate or workforce. The only exception to this is if law enforcement determines that a notification would impede a criminal investigation. Notification will be made as follows: 1) The ReHabilitation Center will notify the affected individual(s) via written first class mail. The ReHabilitation Center will continually update the affected individual(s) through the mail as more information becomes known. 2) If The ReHabilitation Center does not have updated address information on an affected individual, a substitute method of notification is acceptable. In cases where there are 10 or more individuals for whom there is insufficient or out-of-date contact information, then The ReHabilitation Center will make a conspicuous posting on its agency web site. 3) In an urgent case where there is reason to believe an imminent misuse of the unsecured PHI, The ReHabilitation Center will make telephone and notifications and follow up with mail notifications to the affected individual(s). 4) If the breach involves 500 or more individuals, The ReHabilitation Center will notify prominent media outlet serving the Western New Your area. 5) In addition to the above, in the event of a breach affecting over 500 persons, The ReHabilitation Center will immediately notify the Secretary of Health and Human Services. 6) On an ongoing basis, The ReHabilitation Center will log all breaches and submit the log annually to the Secretary of HHS. 7) The Secretary of HHS may post on the Department of Health and Human Services website any breaches of unsecured PHI involving more than 500 individuals.

6 Content of the Notification: 1) A brief description of what happened, including the dates of the breach and of its discovery. 2) A description of the types of unsecured PHI that were involved in the breach (I.e. full name, Social Security Number, date of birth, home address, account number, CPT code, diagnosis, treatment, etc.) 3) What steps the individuals should take to protect themselves from potential harm. 4) What The ReHabilitation Center is doing to investigate the breach, mitigate losses, and protect against further breaches. 5) Contact information at The ReHabilitation Center in the event the affected individual(s) want more information about the specific breach. 6) Any sanctions The ReHabilitation Center has imposed on any work force members involved in the breach Annual Report: Beginning January 1, 2011; The ReHabilitation Center will submit an annual breach notification report to the Secretary of Health and Human Services with information on any breaches of unsecured PHI involving less than 500 persons. All such reports must be submitted no later than 60 days after the end of the calendar year. Alternatively, The ReHabilitation Center may choose to file a report with the Secretary of HHS after the conclusion of each breach investigation rather than waiting until the end of the calendar year. Business Associates: Under HITECH, many privacy and security requirements under HIPAA and the penalties for non-compliance have been expressly extended to business associates. This means that a breach of business agreement s terms can subject the business associate to civil and criminal penalties. The ReHabilitation Center requires its business associates to notify The ReHabilitation Center within 48 hours of any known or suspected breaches of PHI so that The ReHabilitation Center may begin an investigation and meet its notification requirements within the 60 day period. The business associates notification must include the identity of each individual affected by the breach and any other information The ReHabilitation Center is required to include in it breach notification. Training: The ReHabilitation Center will train all members of the workforce on their respective responsibilities under HIPAA and HITECH on an annual basis and whenever there are any changes to the law. Workforce members will also be trained in how to identify and report breaches within the agency. The ReHabilitation Center will apply appropriate disciplinary action against members of its workforce who fail to comply with this policy and procedure. Disciplinary Action: The ReHabilitation Center will apply appropriate disciplinary action against members of its workforce who fail to comply with this policy and procedure up to and including termination. Any workforce member who knows or has reason to believe that another person has violated this policy is responsible for reporting the matter promptly to his/her supervisor or the Corporate Compliance Officer.

7 Check Applicable Corporation(s): CI ARC Foundation R&A J & D Category: Corporate Compliance Origination Date: October 2009 Revision Date(s): 11/10/10 sac; 6/1/11 sac; 8/15/11 sac;10/28/11sac; 5/14/13sac Responsible Staff: All agency staff Authored by: Susan A. Cross, General Manager of Quality Management & Corporate Compliance Officer