Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A.

Transcription

1 Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A., UC Health v1 Examples from the News Review of HIPAA Breach Regulations Walk-Through of an Actual HIPAA Crisis Strategies and Lessons Learned Q&A 2 1

2 3 4 2

3 5 A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the PHI. Under Omnibus Final Rule, a use or disclosure of PHI in a manner not permitted under the Rules is now presumed to be a breach. 6 3

4 Unintentional acquisition, access, or use of PHI by a workforce member, if such acquisition, access, or use was made in good faith and within the scope of authority. Inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate. Impermissible disclosure, but the covered entity has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information. 7 Not all breaches are reportable. If a breach is reportable, a Covered Entity must notify the patient and HHS of the breach. If the breach involved 500 or more patients, the Covered Entity must also notify local media. 8 4

5 Covered entities and business associates must only provide the required notifications if the breach involved unsecured PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS. A breach of secured PHI is not reportable. 9 A breach of unsecured PHI is not reportable if the covered entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment including at least the four factors established by HHS. 10 5

6 1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; 2) The unauthorized person who used the PHI or to whom the disclosure was made; 3) Whether the PHI was actually acquired or viewed; and 4) The extent to which the risk to the PHI has been mitigated. 11 Fewer than 500 Affected Individuals 500 or More Affected Individuals Individual Notice Within 60 Days of Discovery Within 60 Days of Discovery Media Notice N/A Within 60 Days of Discovery HHS Notice Within 60 Days of the End of the Calendar Year of Discovery Within 60 Days of Discovery 12 6

7 Dear We are writing to notify you that some of your health information maintained by [Insert Name of Organization] has been improperly disclosed or accessed. [Insert Name of Organization] is committed to maintaining health information in a secure and confidential manner in accordance with federal and state law, and we regret that these standards were not met in this instance. What happened. We believe the breach of your health information occurred on [Insert date of breach]. On that date [Insert a brief description of what happened]. We discovered that this breach occurred on [Insert date of discovery of breach]. 13 What information was breached. The information that was breached was your [Insert a brief description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code)]. What should you do. We believe that you may wish to take the following actions to help protect yourself from potential effects of this breach: [Insert recommended mitigating steps]. 14 7

8 What we are doing. We are taking this incident very seriously. We are conducting an investigation into how this occurred. We are taking steps to prevent any further breaches of health information. Further, we are: [Insert mitigation actions]. Finally, we will be notifying the HHS of this incident Who you can contact for more information. If you have any questions or desire additional information you may contact [Insert name of person to contact] at [Insert at least one of the following for the contact: (1) toll-free telephone number, (2) an address, (3) website, or (4) postal address]. Sincerely, [Name and Title] 15 Required Notifications Employee Disciplinary Action Professional Reputation/Licensure Organizational Reputation Government Investigation Government Corrective Actions/Fines Substantial Financial and Time Expense 16 8

9 HHS investigates and imposes fines/corrective action for self-reported breaches. HHS also learns of breaches through complaints, which may be filed by anyone. Fines vary; up to $1.5 million per year. Associated costs can surpass $15 million. Patients affected will soon receive part of the fine/settlement (Regulations forthcoming)

10 Individual alleged that employees of UCMC accessed her electronic protected health information and posted a screen shot of her electronic medical record to a Facebook group called Team No Hoes. According to the reports, the screen shot was also disseminated in an that was sent to the approximately 2,200 members of the Facebook group Reports indicated the PHI depicted in the screen shot allegedly included her name and information about her syphilis diagnosis. Story picked up by multiple TV channels and local newspaper

11 Complaint Received Within a week - Response team formed Within a week- Investigation Completed Shortly after Breach Notification to HHS 21 Compliance Privacy/Security Officer(s) Legal IT/Medical Records Human Resources Public Relations Patient Relations Risk Management Quality/Safety Contract Management (if BA) 11

12 June 5, Media coverage of lawsuit filed June 5, 2014 OCR became aware of news reports July 25, 2014 OCR sent notification letter to Privacy Officer of opened compliance review Response due within 21 days

13 Carefully craft media notice Ensure Public Relations staff are aware of potential for media inquiries Prepare responses to likely questions in advance Distribute talking points to other stakeholders Avoid additional breaches in media responses Detailed description of the event Risk analysis report Evidence of security measures Evidence of sanction policies and procedures Evidence of authorization and/or supervision of workforce members who work with ephi Evidence that workforce access to ephi is appropriate 26 13

14 Evidence of workforce security awareness training Copy of policies and procedures to address security incidents Copy of incident report in response to the theft and any correction actions taken Documentation that organization had implemented mechanisms that record and examine activity information systems and an audit of the medical record at issue Copy of the letter sent to the affected individual Copy of the Breach Notification to the Secretary Copy of policies and procedures related to the permissible use and disclosure and documentation that there are processes in place to prevent the impermissible uses and disclosures Documentation of training Evidence of mitigation 28 14

15 Data request submitted Additional information requested and sent by encrypted Additional information sent via certified mail 29 Detailed position statement Policies and procedures Training Evidence of mitigation Breach notification letter Notification to Secretary 15

16 Be proactive Get familiar with your EMR and all the ways data can be accessed keep in mind that the traditional audit trail function may not show all accesses Manage the message Clearly define roles and responsibilities Document, Document, Document! 32 16