1/17/2012. Data Breach & Breach Notification. Data Breach and Notification for HR/Benefits. January 19, 2012

Transcription

1 Data Breach and Notification for HR/Benefits January 19, 2012 Data Breach & Breach Notification for HR/Benefits January 19, 2012 Welcome to today s webinar we will begin at Noon Eastern You can listen to the audio portion through your computer speakers or by calling into the phone conference number provided in your invitation There will be no sound until we begin the webinar You will be able to submit questions during the webinar by using the questions box located on your webinar control panel Data Breach & Breach Notification for HR/Benefits Assurex Global Partners January 19, 2012 Brower Insurance Agency Catto & Catto Engle Hambright & Davies Frenkel & Co. Gillis, Ellis & Baker The HDH Group The Horton Group Kapnick Insurance Group LaMair Mulock Condon Co. Lipscomb & Pitts Insurance Lyons Companies The Mahoney Group The McCart Group MJ Insurance Parker, Smith & Feek R&R/The Knowledge Brokers Riggs, Counselman, Michaels & Downes The Rowley Agency Schiff, Kreidler Shell Senn Dunn John L. Wortham & Son 1

2 Agenda What is a Data Breach? HIPAA Breach of Unsecured PHI State Breach Laws Others What notifications must be made What are the most common source What you can do to prevent a breach Other protections Copies of Audio this presentation, trouble? the Dial Q&A and a recorded version Access are available Code through your broker. Introduction HIPAA Breach notification law effective Sept Impacts all covered entities Fines for non compliance Most states have breach laws Cover specific data elements such as SSN, drivers license and credit card numbers Prevention Organizations can often protect themselves by implementing simple safeguards. More complex safeguards can also be implemented but may take a little more time, effort or money. Introduction State Security Breach Laws The National Conference of State Legislatures reports that 46 states have security breach laws List of states (with statute references) and information on pending and recently passed legislation in each state can be found at Alabama, Kentucky, New Mexico, and South Dakota are the only states without state security breach laws Copies of Audio this presentation, trouble? the Dial Q&A and a recorded version Access are available Code through your broker. 2

3 Introduction Covered Entities HIPAA Health Care Providers and Clearinghouses Health Plans HMOs, Insurance Companies Employer Sponsored Health Plans State laws any entity that collects or on behalf of another entity collects non public information Definitions Protected Health Information (PHI) Any individually identifiable information, electronic, written or oral Related to the past, present or future physical or mental health or condition of an individual, or the provision or payment for health care for an individual Created, received or maintained by a covered entity (i.e. the health plan) Copies of Audio this presentation, trouble? the Dial Q&A and a recorded version Access are available Code through your broker. Definitions Breach of unsecured PHI is: Unauthorized access or acquisition of unsecured PHI In violation of HIPAA Privacy or Security Has led to or could lead to financial or reputational harm to the individual Non public Information (State Breach Laws) Any form of name, first initial/last name, etc. with any: SSN DL number Credit card number with security code Some states include health information (PHI) 3

4 Notification HIPAA Breach Notification Within 60 days of discovery: Notify individuals effected by breach of What happened Type of data What actions you are taking to mitigate What actions individual can take to mitigate Contact information if they have more questions Copies of Audio this presentation, trouble? the Dial Q&A and a recorded version Access are available Code through your broker. Notification HIPAA Breach Notification If greater than 500 impacted and all within one state Notify local prominent media TV, print media, etc. Notify Secretary of Health and Human Services Over 500 within 60 days Under 500 within 60 days after end of calendar year Notification on your public website Copies of Audio this presentation, trouble? the Dial Q&A and a recorded version Access are available Code through your broker. Notification State Laws notification, type of notification, media requirements, government entity notification and fines vary from state to state. Must: Notify individual Some allowances made for very large groups impacted Includes alternate notification , media, etc. Media notification if certain thresholds met Notify state contact such as Attorney General Fines for failure to comply 4

5 Burden of Proof HIPAA Requires in the event of a suspected breach or an actual breach that the events, actions, etc. are documented. This means if not a breach you document what happened and how you reached the conclusion that no breach occurred. If a breach, all actions, i.e., notification actions, must be documented. State law documentation requirements vary but are similar to what HIPAA requires. Common Sources for Breaches HIPAA Breaches over 500 Theft Loss of electronic media or paper records Unauthorized access Human error Improper disposal Breaches under 500 Most common misdirected communications State Law Not reported or information not publically available Prevention There are many different safeguards your organization can have in place that will minimize your risk of a breach. Safeguards are divided between administrative, physical and technical. Many are easy to implement although may not be popular with your workforce. Let s start with the easy and least costly (time or $$) 5

6 Prevention Easy to Do Administrative Designated Security Official Workforce authorizations Terminations Information access Prevention Easy to Do Physical Facility access controls Work station use Technical Unique user identification Automatic logoff Prevention Harder (Time & $$) Administrative Information system activity review Security training Password management Login monitoring Contingency plans 6

7 Prevention Harder (Time & $$) Physical Disposal and media re use Accountability Maintenance records Technical Encryption and transmission security Audit controls State Laws and Other Considerations Generally, state laws do not require specific safeguards but do expect safeguards to be in place and documented. HIPAA requires documentation of all safeguards according to the HIPAA Security Standards. Prevention Recap Make sure workforce, contractors or vendors are well aware of what are the acceptable and unacceptable uses of your computer technology. Give access to only those that need access to both your facilities and sensitive areas within your facilities and the data stored in your information systems. Those with access to data must have unique user id s and have passwords that are complex and change frequently. 7

8 Prevention Recap Your IT department should: Monitor both successful and unsuccessful access to your data Conduct periodic audits to ensure only authorized workforce have access to data Provide secure remote access such as VPN and others Have complete inventories of hardware and software Hardware should be tractable to the individual or location Prevention Recap If you have remote access to either PHI or nonpublic information via a laptop or other portable device (smart phone, tablet, etc.), do not store this information on the device unless the data is stored encrypted. Accessing the data through a secure remote connection okay, but again do not store information on the un protected device. What if it happens to you? First and foremost conduct a Risk Assessment. Was the data lost, stolen or accessed by unauthorized person? Was the data PHI or other non public information? Is there a risk of financial or reputational harm? Can the potential breach be mitigated or contained? If a breach, do we have all the contact information for those involved? Don t forget to document all decisions and actions! 8

9 What if it happens to you? Who can I turn to for help? Attorneys Consultants Law enforcement Remember no action can lead to significant fines from either Federal or State agencies and in some cases the individual may also seek damages directly. Other Options Data breach insurance Is it for you? What does is cover? Remember data breach insurance does not absolve you of complying with state and federal laws. Individual Identify Theft Insurance Lifelock Identify Guard, etc. Resources HHS website targeted for Covered Entities veredentities/index.html CMS HIPAA Security Whitepapers urityrule/securityruleguidance.html HHS HIPAA Frequently Asked Questions 9

10 Data Breach & Breach Notification for HR/Benefits Assurex Global Partners January 19, 2012 Brower Insurance Agency Catto & Catto Engle Hambright & Davies Frenkel & Co. Gillis, Ellis & Baker The HDH Group The Horton Group Kapnick Insurance Group LaMair Mulock Condon Co. Lipscomb & Pitts Insurance Lyons Companies The Mahoney Group The McCart Group MJ Insurance Parker, Smith & Feek R&R/The Knowledge Brokers Riggs, Counselman, Michaels & Downes The Rowley Agency Schiff, Kreidler Shell Senn Dunn John L. Wortham & Son 10