DATA BREACHES: HOW TO AVOID THEM AND WHAT TO DO IF IT HAPPENS. Emory IRB Webinar January 8, 2015



Similar documents
Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

My Docs Online HIPAA Compliance

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA 101. March 18, 2015 Webinar

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

Protecting Privacy & Security in the Health Care Setting

The Basics of HIPAA Privacy and Security and HITECH

2014 Core Training 1

STANDARD ADMINISTRATIVE PROCEDURE

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

Business Associates Agreement

HIPAA Update Focus on Breach Prevention

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Statement of Policy. Reason for Policy

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

What is Covered by HIPAA at VCU?

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

HIPAA and Privacy Policy Training

Business Associate Agreement

Health Information Privacy Refresher Training. March 2013

HIPAA Compliance for Students

HIPAA COMPLIANCE. What is HIPAA?

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

HIPAA Privacy and Security and Research

Five Rivers Medical Center, Inc Medical Center Drive Pocahontas, AR Notification of Security Breach Policy

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

Alliance for Clinical Education (ACE) Student HIPAA Training

HIPAA Privacy Breach Notification Regulations

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Business Associate Management Methodology

Breach Notification Policy

The ReHabilitation Center Buffalo Street. Olean. NY

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

PHI- Protected Health Information

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Breach Notification Decision Process 1/1/2014

What do you need to know?

New HIPAA Rules and EHRs: ARRA & Breach Notification

HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

MCCP Online Orientation

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

Memorandum. Factual Background

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

HIPAA and You The Basics

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

BUSINESS ASSOCIATE AGREEMENT

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

How To Notify Of A Security Breach In Health Care Records

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A.

HIPAA In The Workplace. What Every Employee Should Know and Remember

Table of Contents INTRODUCTION AND PURPOSE 1

The HITECH Act: Protect Patients and Your Reputation

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

The HIPAA privacy rule and long-term care : a quick guide for researchers

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

HIPAA initially went into effect April 14, HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS

HIPAA Basics for Clinical Research

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

HIPAA Final Rule Changes

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

Overview of the HIPAA Security Rule

IAPP Practical Privacy Series. Data Breach Hypothetical

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary

Community First Health Plans Breach Notification for Unsecured PHI

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law

COMPLIANCE ALERT 10-12

Information Privacy and Security Program. Title: EC.PS.01.02

HIPAA ephi Security Guidance for Researchers

SaaS. Business Associate Agreement

M E M O R A N D U M. Definitions

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

HIPAA Orientation. Health Insurance Portability and Accountability Act

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA Privacy & Security Training for Clinicians

How To Protect Your Health Information Under Hiopaa

POLICY AND PROCEDURE MANUAL

HIPAA Privacy Keys to Success Updated January 2010

PREP Course #23: Privacy and IT Security for Researchers

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

HIPAA Compliance Review

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

Transcription:

DATA BREACHES: HOW TO AVOID THEM AND WHAT TO DO IF IT HAPPENS Emory IRB Webinar January 8, 2015

ACKNOWLEDGMENTS Thanks to Kris West for the information provided for this webinar

DEFINITIONS Protected Health Information (PHI) Information about Health, Health Care, Payment for Health Care Identifiers Covered Entity (3 elements) Example: Patient diagnosis MRN Used by Emory nurse in EUH Covered Entity = Health Care Provider, Health Care payer, Health Care Clearinghouse Covered Entity at Emory: Emory Clinic, all hospitals, SOM, SOPH, SON, psychological counseling centers.

DEFINITIONS Identifiers Names, Dates, Full face image/photo, Phone & Fax #, Address, Health Plan #, SSNs, Certificate/License #, Acct. #, License Plate #, Vehicle ID/Serial #, URL & IP #, Biometric Identifiers, Any other unique identifying item/code. De identified health information data stripped of identifiers does not constitute PHI. Another method of de identification is to show, using statistical methods, that a data piece cannot be linked with a patients Remember: Despite appearing de identified, if you or your team members have the code to identified the data again, the IRB will not actually consider data as de identified

DEFINITIONS HIPAA: Privacy Rule Essentially allows disclosure of PHI only for Treatment, Payment or healthcare Operations (TPO). Otherwise, there must be an Authorization or Waiver of Authorization (*) Key Point: Research is NOT part of TPO Security Rule Supplements Privacy Rule (subpart C) Applies to electronic PHI (ephi) Goals: Protect CIA (Confidentiality, Integrity, and Availability) of PHI HIPAA Authorizations are reviewed and granted by the IRB: they should contain certain elements such as information of data to be used or disclosed, purposes, dates of expiration (or events). (*) The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

WHAT IS A DATA BREACH? An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Exceptions to the definition of breach Unintentional acquisition, access or use of data by a person under the covered entity, made in good faith and within the scope of authority. Inadvertent disclosure of PHI by authorized person to another authorized person. Data cannot be used or disclosed in a way not allowed by the Privacy Rule. Data disclosed to an unauthorized person but the covered entity has a good faith belief that the person would not be able to retain the information. (*) From: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

EXAMPLES OF DATA BREACHES (FROM REAL REPORTS RECEIVED BY IRB) Data entry person took subjects binders home to finish work later. Took bus to go home and forgot to take them. Binders contained patients names, dates and diagnoses. Research staff was entering data at a coffee shop and left they computer at the table to get more coffee. Coming back to the seat, the computer was gone. The computer was not encrypted and the data contained subjects names, MRN and SSN. Doctor took medical records home to complete dictations. When shopping at a local grocery store, someone broke into the car and stole the computer and the bag with patient records. Coordinator sent email to all study participants instead of one, and the email included the date of study visit. The study is on HIV and the email contained the patient names and email addresses.

DATA BREACHES AND UNANTICIPATED PROBLEMS An Unanticipated Event is an event which meets all of the following: 1. Unanticipated 2. related to study participation, and 3. involving risk to participants or others. If criteria are met, the event is reportable in 10 business days to the IRB. So is a data breach an unanticipated problem? Presumptively yes, since it would likely meet all three criteria.

WHAT TO DO IF THIS HAPPENS TO ME? 1. Have an account of what happened, and the data that has been compromised. 2. Contact Office of Research Compliance to report the information to the Privacy Officer (Kris West). 3. Contact the IRB office (if research related), and report it as an event at an Emory facility. 4. If information was sent via email, ask recipient to delete the email, including from the trash folder. Document if recipient saw information, and make sure the data is not kept by unauthorized people. 5. If information was lost (hardcopies), take every step to try to retrieve it. Document your efforts. 6. Determine what went wrong and how can you avoid it in the future.

WHAT ORC DOES WITH THIS INFO? 1. Breach Notification Required if unauthorized disclosure, use, acquisition, or access compromises the security or privacy of the PHI by posing a significant risk of financial, reputational or other harm to the individual. Timetable for Notice No later than 60 days following discovery of a breach 2. Privacy Officer determines how breach occurred, who was affected, information affected, steps necessary to mitigate damage and reduce/eliminate risk. 3. Breach analyzed by Emory Breach Notification Team. Team composed of Emory s Chief Information Officer, Security Officer, Privacy Officer for University and EHC, Associate General Counsel, and the Director of Risk Management.

WHAT THE IRB DOES WITH MY REPORT? Review as a possible UP: First sending to the Compliance Review Team, then to a full board meeting. IRB will require a plan to fix (if possible) and avoid issue in the future. After issue is reviewed, IRB may recommend contacting subjects or reconsenting. If the breach is considered an unanticipated problem, notifications are sent to: Department chairs and institutional officials FDA (if involving a drug, device or biologic, approved or not) OHRP (if funded by federal money) Study sponsor or funding agency, if required per contract.

OTHER COMMON HIPAA ISSUES (These may not represent UPs or data breaches but may be noncompliance) Retrospective chart reviews that did not stay between the IRB approved dates. May require breach notification in some cases. Subject did not sign HIPAA document. Remember: cannot use subject s data for research! HIPAA form did not contain all required elements. HIPAA form had an expired date or event.

HOW TO AVOID BREACHES Work inside VPN Do not use personal email to send information for work If emails are sent outside Emory (e.g. to sponsor), make sure you are not including any PHI with the email Do not take records home, under any circumstance Make sure your laptop is encrypted (and other electronic storage devices for that matter!) Retrospective chart review: collect data for research within the dates approved by IRB.

QUESTIONS? IRB Contacts on the QA and Education team: Maria G. Davila (404)712-0724 or maria.davila@emory.edu Shara Karlebach (404)712-0727 or shara.karlebach@emory.edu Kevin Wack (404)712-5220 or kwack@emory.edu Sean Kiskel (404)712-0766 or skiskel@emory.edu Heather Smith (404) 712-8689 or heather.smith@emory.edu 14

THANK YOU! Please consider taking a moment to complete our survey, link located on the webinars page of the website.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information