New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010




Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), President Obama signed the Health Information Technology for Economic and Clinical Health Act (HITECH) into law on February 17, 2009. Among other provisions, HITECH makes several changes to the Privacy and Security Rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Previously, HIPAA did not require covered entities to notify individuals or the Department of Health and Human Services (HHS) when Protected Health Information (PHI) was improperly disclosed, although notification was sometimes part of a covered entity's effort to mitigate the harm a wrongful disclosure caused an individual. HITECH changes this significantly: it requires notification of breaches of unsecured PHI.

Effective Date The HHS interim final rule took effect on September 23, 2009. HHS stated that it would not impose sanctions for failure to notify of breaches discovered before February 22, 2010; for breaches discovered on or after that date, failure to provide the required notifications is subject to enforcement. HHS has already shown that it will enforce the underlying obligation to safeguard PHI. Example: CVS

Among other issues, the reviews by the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) found that CVS failed to implement adequate policies and procedures to safeguard patient information during the disposal process, and failed to adequately train employees on how to dispose of such information properly. Under the HHS resolution agreement, announced in February 2009, CVS agreed to pay a $2.25 million resolution amount and to implement a robust corrective action plan. The plan requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training, and employee sanctions for noncompliance. Note that this case arose under the Privacy Rule's existing safeguard requirements, before the breach notification rule took effect; it shows the enforcement climate into which the new rule arrives.

New Breach Notification Rule Under the new rule, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of a breach. A business associate that discovers such a breach must notify the covered entity and, to the extent possible, identify each affected individual, so that the covered entity can provide the individual notices.

Unsecured PHI HITECH defines unsecured PHI as PHI that is not secured through the use of a technology or methodology specified by HHS in guidance that renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals. The practical consequence: a lost laptop or backup tape holding only properly encrypted PHI, with the key held elsewhere, does not trigger notification; the same device holding PHI in the clear does.

Unsecured PHI (cont ) On April 17, 2009 HHS issued guidance (reissued with the interim final rule on August 24, 2009) establishing the following technologies and methodologies: Encryption of electronic data at rest consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices). Encryption of electronic data in motion using a process that complies with Federal Information Processing Standard (FIPS) 140-2, such as those described in NIST Special Publications 800-52 (TLS), 800-77 (IPsec VPNs) and 800-113 (SSL VPNs). Shredding or destruction of paper, film or other hard copy media so that the PHI cannot be read or reconstructed. Clearing, purging or destroying electronic media consistent with NIST Special Publication 800-88 (Guidelines for Media Sanitization). The guidance also requires that the decryption key or process be kept on a device or at a location separate from the encrypted data; if the key is lost or stolen together with the data, the PHI is unsecured.
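The following Go program is a worked example added to this page; it is not code from the presentation or from Loudoun Medical Group. It shows what "rendered unusable, unreadable, or indecipherable" looks like for a stored record: a constructed (not real) PHI record is encrypted with AES-256-GCM, the authenticated mode specified in NIST SP 800-38D, under a key that is generated separately from the data store. The record identifier used as additional authenticated data, the key source, and the record format are all assumptions for the demonstration. Note that the Go standard library's AES-GCM is not, as shipped, a FIPS 140 validated module; a production deployment would use a validated module or a key management service, and would keep the key away from the device holding the ciphertext, as the HHS guidance requires.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// samplePHI is a constructed record for this demonstration, not real patient data.
const samplePHI = "MRN 000123|DOB 1970-01-01|Dx hypertension"

// NewDataKey draws a 256-bit AES key from the OS CSPRNG. In a real system the
// key lives in a key manager or HSM, never alongside the records it protects:
// the HHS guidance treats ciphertext as secured only while the key stays separate.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD (NIST SP 800-38D) over a 128-, 192- or 256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. Output layout: 12-byte random nonce || ciphertext ||
// 16-byte authentication tag. The aad (here an assumed record identifier) is
// authenticated but not encrypted, so a stored ciphertext cannot be silently
// moved into another patient's slot without detection.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails closed on a wrong key, a wrong aad, or any
// change to nonce, ciphertext or tag, and never returns partial plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short to contain nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("patient-record-000123") // assumed record identifier
	sealed, err := Seal(key, []byte(samplePHI), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored on device:", hex.EncodeToString(sealed))

	// Authorised path: key fetched from the key manager, record decrypts.
	pt, err := Open(key, sealed, aad)
	fmt.Printf("with key: %q err=%v\n", pt, err)

	// Lost-device path: the finder holds the ciphertext but not the key.
	wrongKey, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	_, err = Open(wrongKey, sealed, aad)
	fmt.Println("without key:", err)

	// Tampered path: a single flipped bit in the stored record is rejected.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered:", err)
}
```

The two failure paths are the point for the breach analysis: a device carrying only the sealed record yields nothing to a finder without the key, and any alteration of the record is detected rather than decrypted into garbage. If the key had been stored on the same device, neither property would help, and the loss would be a notifiable breach of unsecured PHI.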

Breach Notification Methods The methods of notification depend in part on the number of individuals affected and on whether they can be reached: Written notice by first class mail to each individual at the last known address (or by email if the individual has agreed to electronic notice), regardless of the number affected. Where contact information is insufficient or out of date for fewer than 10 individuals, an alternative form of written notice, telephone or other means may be used. Where contact information is insufficient or out of date for 10 or more individuals, substitute notice is required: either a conspicuous posting on the home page of the covered entity's website for 90 days, or conspicuous notice in major print or broadcast media in the areas where the affected individuals likely reside, in either case including a toll-free number that remains active for at least 90 days.

Breach Notification Methods (cont ) Notice to prominent media outlets serving the state or jurisdiction, if more than 500 residents of that state or jurisdiction are affected. Notice to HHS, if more than 500 individuals are affected. Annual log to HHS of all breaches involving fewer than 500 individuals, submitted no later than 60 days after the end of the calendar year in which they were discovered.

When to Notify? All notifications must be given without unreasonable delay, and in no case later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known had the covered entity exercised reasonable diligence; knowledge of a workforce member or agent is imputed to the entity, so the clock does not wait for the incident to reach the privacy officer. If more than 500 individuals are affected, HHS must be notified at the same time as the individuals, not in the annual log. A business associate must notify the covered entity without unreasonable delay and no later than 60 days after the business associate discovers the breach.

Breach Notification - Exceptions The following will not be considered a breach requiring notification: Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate, made in good faith and within the scope of authority, where the information is not further used or disclosed in a manner not permitted by the Privacy Rule. Inadvertent disclosure of PHI by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement, where the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule. Disclosure where the covered entity or business associate has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information (HHS gives the example of misdirected explanations of benefits returned unopened by the post office). Under the interim final rule, an impermissible use or disclosure is also a breach only if it poses a significant risk of financial, reputational or other harm to the individual; that determination must be made through a documented risk assessment, and the covered entity bears the burden of proving that notification was not required.

Still Need to Comply with Other Rules Even if the new breach notification requirement is not triggered, organizations may still be required to take the following actions in the case of a breach or other wrongful use or disclosure: Mitigate, to the extent practicable, any harmful effect of the improper use or disclosure. Record the wrongful disclosure so that it appears in the individual's accounting of disclosures. Document the incident and the risk assessment that concluded notification was not required, and retain that documentation for six years.

Breach Notification Action Items Organizations are required to complete the following steps: Adopt new, or revise existing, policies and procedures for identifying, assessing, documenting and responding to breaches, and train the workforce on them.

Breach Notification Action Items (cont ) Review e-security for all PHI, including whether PHI on laptops, portable media and backups is encrypted as described in the HHS guidance, since that determines whether a loss is a notifiable breach. Create a breach response process to ensure every breach is handled consistently and within the 60-day limit. For example: Call to the third party involved. Call to the individual (patient). Meet with the staff or office responsible for the breach. Complete an incident report, including the risk assessment. Letter to the patient.