
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013.

As part of the HITECH Act provisions of the American Recovery and Reinvestment Act, a new requirement was created known as breach notification. When the HIPAA Omnibus Rule was published in 2013, it included the final rule for breach notification. This was the first nationwide breach notification rule for health information. It requires a covered entity or business associate to conduct an investigation and complete a risk assessment on every potential breach within the organization. If it is determined that a breach happened, it must be communicated to the affected individuals, to HHS, and, for larger breaches, to the media, without unreasonable delay and in no case later than 60 calendar days from the date of discovery. It is important to understand what is meant by date of discovery. A breach is treated as discovered on the first day it is known to any workforce member or agent of the covered entity or business associate (other than the person who committed the breach), or on which it would have been known had reasonable diligence been exercised. A covered entity and business associate should have a clearly defined policy and procedure for breach notification within their organization.

The final definition of a breach was published in the HIPAA Omnibus Rule of 2013. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. At this time there is not a clear definition for what compromised means from the Department of Health and Human Services. A covered entity should define a process for risk assessment and determination of low probability that the PHI was compromised.

A breach occurs when unsecured PHI is used or disclosed improperly. Under the HIPAA Omnibus Rule, unsecured PHI is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS in guidance. That guidance recognizes two ways to make PHI unusable, unreadable or indecipherable: encryption and destruction. Specifically, the four cases in which information is deemed to be secured are:
1. Valid encryption of data at rest
2. Valid encryption of data in motion
3. Paper, film, or other hard copy media that has been shredded or destroyed so that the PHI cannot be read or reconstructed (redaction is excluded as a means of destruction)
4. Purging of electronic media (media sanitization)
NIST guidelines should be followed for the encryption requirements as well as for media sanitization. Encryption only counts as securing the PHI if the decryption key was not compromised along with the data; the HHS guidance expects keys to be stored on a separate device or at a separate location from the data they protect, so a lost laptop with the key stored beside the encrypted database does not hold secured PHI.

Here you will see some examples of potential breaches. Each of these would require an investigation and risk assessment to determine the risk to the PHI.
- An employee inappropriately accesses a co-worker's chart
- A fax is sent to the incorrect fax number
- A release of information is sent to the incorrect recipient
- An employee blogs about their work day, including a specific patient diagnosis that can be linked to a patient
- Someone has hacked into your EHR and obtained SSNs for multiple patients
- A physician or employee inappropriately accesses the chart of a celebrity
- An e-mail containing PHI in the body was sent to the incorrect e-mail recipient

The risk assessment of the potential breach is the focal point of the entire process. Covered entities and business associates are required to conduct an investigation and risk assessment on every potential breach within the organization. Alternatively, they may opt to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised; in that case the covered entity or business associate still needs to document the outcome and the notification process. When conducting the risk assessment, the following four factors must be considered at a minimum:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.
When documenting the outcome of the investigation, the findings on each of these four factors should be recorded for every case.

Maintaining documentation for all breach investigations is an administrative requirement under the breach notification rule. Covered entities carry the burden of proof and must be able to document one of the following:
1. All required parties were notified of the breach, OR
2. The use or disclosure did not constitute a breach, supported by either
   - a breach risk assessment showing a low probability that the PHI was compromised, OR
   - the application of one of the exceptions to the breach definition.

There are three exceptions to the definition of a breach:
1. Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if it was made in good faith and within the scope of authority and does not result in further impermissible use or disclosure.
2. Inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, where the information received is not further used or disclosed in an impermissible manner.
3. A good faith belief by the covered entity or business associate that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.
When conducting the risk assessment on a potential breach, a covered entity or business associate needs to evaluate these and determine whether the potential breach falls into one of these categories. If it does, the covered entity or business associate should clearly document which exception applies and the reasoning behind the decision.

When a covered entity or business associate determines that a breach has occurred, the appropriate parties must be notified. Every time a breach happens, notification must be sent to the impacted individuals and to the Secretary of HHS. If the breach involves more than 500 residents of a State or jurisdiction, a prominent media outlet serving that area must also be notified. It is important to remember that notice to individuals, to the media, and (for breaches affecting 500 or more individuals) to HHS must be made without unreasonable delay and in no case later than 60 calendar days from the date of discovery. If the breach affects fewer than 500 individuals, the covered entity logs it and has until 60 days after the end of the calendar year in which the breach was discovered to notify HHS. A business associate's own obligation is to notify the covered entity of the breach without unreasonable delay and no later than 60 days after discovery; the covered entity is then responsible for the individual, HHS, and media notices unless it has delegated them to the business associate.

Under the rule, a law enforcement official may request a delay in the notification, notice, or posting of a breach if the official states that notification would impede a criminal investigation or cause damage to national security. The request may be made in writing or orally. If the request is in writing and specifies the time period for which a delay is required, the covered entity or business associate should delay the notification, notice, or posting for that period. If the request is made orally, the covered entity or business associate should document the statement, including the identity of the official making it, and delay the notification, notice, or posting for no longer than 30 days from the date of the oral statement, unless a written statement specifying a longer period is submitted during that time.
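The timing rules in the two paragraphs above (60 calendar days running from discovery rather than from the breach itself, the annual log for breaches under 500, media notice per State or jurisdiction, and the law enforcement delay) are the part of a breach playbook most often coded wrongly in an incident tracker. The following Python is an added example, not part of the original presentation: it encodes those rules as a deadline calculator. The data classes, function names, and the sample dates and counts are constructed for illustration, and the way a law enforcement delay is combined with the 60-day clock (the deadline becomes the later of the normal deadline and the end of the delay period) is an assumption, not something the rule spells out.

```python
"""Breach-notification deadline calculator (added example, not from the presentation).

Timing rules encoded, as described above:
  * individual, media and (500 or more) HHS notice: no later than 60 calendar
    days after the date of discovery, which is the first day any workforce
    member or agent knew or should have known, not the date of the breach;
  * fewer than 500 individuals: HHS notice within 60 days after the end of the
    calendar year in which the breach was discovered;
  * media notice only for a State/jurisdiction with more than 500 residents affected;
  * law enforcement delay: until the date in a written request, or at most 30
    days after an oral request.
Data classes, function names and sample inputs are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW = timedelta(days=60)       # 60 calendar days after discovery
ANNUAL_LOG_WINDOW = timedelta(days=60)   # 60 days after the end of the discovery year
ORAL_DELAY_CAP = timedelta(days=30)      # oral law enforcement request: at most 30 days
LARGE_BREACH = 500


@dataclass
class LawEnforcementRequest:
    received: date
    written: bool
    delay_until: Optional[date] = None   # required when written


@dataclass
class Breach:
    breach_date: date
    known_to_workforce: List[date]       # dates workforce members/agents knew or should have known
    affected_total: int
    residents_by_state: Dict[str, int] = field(default_factory=dict)
    le_request: Optional[LawEnforcementRequest] = None


@dataclass
class Deadlines:
    discovery: date
    individual_notice_by: date
    hhs_notice_by: date
    hhs_in_annual_log: bool
    media_notice_states: List[str]
    media_notice_by: Optional[date]
    delayed_until: Optional[date]


def discovery_date(breach: Breach) -> date:
    """Earliest day the breach was (or reasonably should have been) known to anyone
    in the workforce; the breach date itself plays no part in the clock."""
    if not breach.known_to_workforce:
        raise ValueError("need at least one date on which the breach was or should have been known")
    return min(breach.known_to_workforce)


def law_enforcement_delay(req: Optional[LawEnforcementRequest]) -> Optional[date]:
    """End of a law enforcement delay: the stated date for a written request,
    30 days after an oral request (a later written request replaces it)."""
    if req is None:
        return None
    if req.written:
        if req.delay_until is None:
            raise ValueError("a written request must state the delay period")
        return req.delay_until
    return req.received + ORAL_DELAY_CAP


def compute_deadlines(breach: Breach) -> Deadlines:
    discovered = discovery_date(breach)
    notice_by = discovered + NOTICE_WINDOW
    delayed_until = law_enforcement_delay(breach.le_request)
    if delayed_until is not None:
        # Assumption: a lawful delay moves the deadline to the end of the delay period.
        notice_by = max(notice_by, delayed_until)
    if breach.affected_total >= LARGE_BREACH:
        hhs_by, annual = notice_by, False
    else:
        # Logged, then reported within 60 days of year end (1 March, or 29 February in a leap year).
        hhs_by, annual = date(discovered.year, 12, 31) + ANNUAL_LOG_WINDOW, True
    media_states = sorted(s for s, n in breach.residents_by_state.items() if n > LARGE_BREACH)
    media_by = notice_by if media_states else None
    return Deadlines(discovered, notice_by, hhs_by, annual, media_states, media_by, delayed_until)


def sample_breach(affected_total: int, residents_by_state: Dict[str, int],
                  le: Optional[LawEnforcementRequest] = None) -> Breach:
    """Constructed sample: breach on 20 Feb 2024, first known to a workforce member on 10 Mar 2024."""
    return Breach(date(2024, 2, 20), [date(2024, 3, 14), date(2024, 3, 10)],
                  affected_total, residents_by_state, le)


def oral_request() -> LawEnforcementRequest:
    return LawEnforcementRequest(received=date(2024, 3, 12), written=False)


def written_request() -> LawEnforcementRequest:
    return LawEnforcementRequest(received=date(2024, 3, 12), written=True, delay_until=date(2024, 7, 1))


if __name__ == "__main__":
    print(compute_deadlines(sample_breach(820, {"CA": 700, "NV": 120}, oral_request())))
    print(compute_deadlines(sample_breach(120, {"NV": 120})))
```

Run as a script to print both the large-breach and the small-breach case. Note that the clock starts at the earliest date in `known_to_workforce`, so an entry for a ticket that sat unread still counts: "should have known" dates belong in that list just as much as the day someone actually noticed.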

Notification needs to be made to each of the affected individuals. The notice shall be made in writing, except under circumstances where the covered entity does not have correct contact information for the affected individual, or where there is particular urgency to the notification. The notice to affected individuals must contain the 5 items listed here, at minimum:
1. A brief description of what occurred with respect to the breach, including, to the extent known, the date of the breach and the date on which the breach was discovered;
2. A description of the types of unsecured PHI that were involved in the breach;
3. A description of the steps the affected individual should take to protect himself or herself from potential harm caused by the breach;
4. A description of what the covered entity is doing to investigate and mitigate the breach and to prevent future breaches; and
5. Instructions for the individual to contact the covered entity.

There is also an alternative notification process for a covered entity if they have insufficient or out-of-date contact information.

Each time a covered entity or business associate determines that a breach has occurred, the Secretary of HHS must be notified. The notification is submitted through HHS's online breach reporting website. The key components of the notification report are listed here:
- Date(s) of breach
- Date(s) of discovery
- Approximate number of people impacted
- Type of breach (theft, loss, improper disposal, hacking, unauthorized access/disclosure)
- Location of breached information (laptop, desktop, network server, e-mail, other portable device, other)
- Type of PHI involved (demographic, financial, clinical, other)
- Brief description of the breach
- Safeguards in place prior to the breach (firewalls, encrypted wireless, etc.)
- Individual notice of breach
- Whether media notice was required
- Actions taken in response to the breach (security and/or privacy safeguards, mitigation, sanctions, policies and procedures, other)

In cases where the breach involves more than 500 residents of a State or jurisdiction, a covered entity must provide notice to a prominent media outlet serving that State or jurisdiction. It is best practice for the covered entity to designate a communications coordinator within the organization. Some areas to take into consideration when working with the media are:
- Ensure that the communications coordinator has a clear understanding of the technical issues behind the incident so that he or she can communicate effectively and accurately with the media.
- Communicate accurate and concise information; avoid misleading statements, which may damage the organization's reputation.
- Consult with legal counsel regarding the extent of information to be disclosed.
- Avoid communicating technical details that may entice attackers.
- Consult with investigative agencies to ensure that any details about the incident that may be used as evidence are not disclosed without approval.