Anatomy of a Health Care Data Breach (a.k.a. Breaches, Breaches, and More Breaches)


Presented by: Allyson Jones Labban, Esq., 300 N. Greene Street, Ste. 1400, Greensboro, NC 27401. T: 336.378.5200. E: allyson.labban@smithmoorelaw.com

HEALTH CARE DATA BREACHES EQUALED 44% OF ALL BREACHES IN 2013 Source: Identity Theft Resource Center, courtesy of ClearData.com

This is the first time the health care sector has topped this list. Source: Identity Theft Resource Center, courtesy of ClearData.com

Protected health information (PHI) is worth roughly 50x more than credit card or Social Security numbers. Source: Identity Theft Resource Center, courtesy of ClearData.com

Annual Cost of Health Data Breaches is estimated at $5.6 Billion Source: Identity Theft Resource Center, courtesy of ClearData.com

To date, approximately 945 data-breach incidents have been reported where PHI was compromised. Source: ClearData.com

Overview
- Definitions
- To Be or Not to Be a Breach
- HITECH Exceptions
- Reality Check: Different Breaches Get Different Treatment
- Q&A

DEFINITIONS

Definitions
Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by HHS.
Approved technologies/destruction methods: 74 Fed. Reg. 42742
Practical caveat: under the HHS guidance, encryption only takes PHI out of the "unsecured" category if the decryption key (or confidential process) was not itself compromised, so the key must be stored on a device or at a location separate from the data it protects. Encrypted data whose key is lost along with it is still unsecured PHI.

Definitions
Breach: the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule (45 C.F.R. 164.500, et seq.) that compromises the security or privacy of the PHI.

TO BE OR NOT TO BE A BREACH

Breach or Not?
Don't assume every use/disclosure is a breach. A use/disclosure is not a breach if:
- the PHI is properly encrypted/destroyed;
- the use/disclosure is permitted by HIPAA;
- a HITECH exception applies; or
- the privacy/security of the data is not compromised.

BREACH = HIPAA VIOLATION, BUT HIPAA VIOLATION ≠ BREACH (every breach is a HIPAA violation, but not every HIPAA violation is a breach)

HITECH EXCEPTIONS

HITECH Exceptions
Three narrowly construed exceptions. If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if the information was unsecured PHI and the disclosure is not permitted under HIPAA.
NOTE: This is a departure from the order set forth in the regulation.

[Slide image: photo by Mark Strozier, Creative Commons license, www.flickr.com/photos/r80o/1583552/]

HITECH Exceptions
Exception 1: Unintentional access to, or acquisition or use of, PHI:
- by a workforce member of the covered entity or BA;
- acting in good faith;
- within the course and scope of duties; and
- where the access, acquisition, or use does not result in any further impermissible use or disclosure.

Exception 2: Inadvertent disclosure of PHI:
- from one workforce member at the covered entity or BA to another at the same covered entity or BA;
- where both workforce members are authorized to access the information; and
- where the information received is not further used or disclosed in a manner not permitted by HIPAA.

Exception 3: Unauthorized disclosure of PHI to an unauthorized person:
- where there is a reasonable good faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

REALITY CHECK: DIFFERENT BREACHES GET DIFFERENT TREATMENT

Responses to Breaches
- Private Lawsuit
- Government Investigation
- Even Worse

Private Lawsuit
- No private cause of action under HIPAA
- HIPAA as the standard of care
- In the alternative: negligent infliction of emotional distress, violation of state medical confidentiality, etc.

OCR Investigation
Must be able to answer (and provide documentation in support of) these eight questions:
1) Do you have appropriate safeguards in place? Provide internal HIPAA policies.
2) Any prior complaints re: failure to safeguard PHI? Provide dates of complaints and how they were resolved.
3) Was your staff trained properly? Provide documentation/evidence of training.
4) Did you make an effort to mitigate? Provide evidence of mitigation.
5) What is your detailed response to the complaint?
6) List evidence, including contact information for witnesses, to support the response to #5.
7) Additional points or suggestions to resolve the matter.
8) Number of patients served this year and, if applicable, number of inpatient beds at the facility.

It Could Be Worse

Much Worse

Much, Much Worse

Dear Patient,

We are writing to inform you of a recent incident involving disclosure of your personal information from XXXXXXXXXXXXXXXX. This letter is to advise you of the incident and the steps we have taken in response to the discovery. At this time, we are not aware of any misuse or further disclosure of your information.

Description of the Incident and Information Involved

On March 26, 2013, an email was sent to a magazine publisher, who was a business partner, relating to referral sources for XXXXXXXX. The email contained an attached spreadsheet that inadvertently contained additional worksheets with limited patient information. At the time, the sender requested, and was given what we believed to be, a reasonable assurance that the information was deleted and never accessed or used by the recipient.

On December 13, 2013, we learned of the disclosure via a news article discussing a pending lawsuit with the same business partner. The article mentioned that this publisher had patient information. It appeared that the information was not deleted, despite what the publisher told us in March.

The information did not include social security number, date of birth, credit card information, address or phone number. It did, however, include the date you first visited XXXXXXXXXX, your first and last name, and a column for HIV status that noted P or N for some patients and was left blank for others.

We are obligated to tell you about this unfortunate incident, but we would like you to know that we are doing everything possible to make sure that your information is not made available to any other parties.

Our Investigation and How We Are Responding to the Incident

We take privacy and security of your personal health information very seriously. Upon discovery of this incident, we initiated an internal investigation. We have concluded from our internal investigation that although the information was inadvertently disclosed, we do not believe it was further used or disclosed for inappropriate purposes. The lawsuit is still pending, but destruction and non-disclosure of the patient names involved will be an essential requirement in any resolution of the civil action. We are also taking every action allowed through the courts to prevent any use or disclosure of the information during the negotiations of the settlement.

In response to the original incident, we had already taken the following actions based on the belief that the data was destroyed:
- Reviewed and updated all email policies to specifically address the actions that should be taken to obtain reasonable assurances in the event of an inadvertent disclosure of protected health information (PHI).
- Implemented a new practice management system that tracks the referral information directly in the application, thereby removing the need to keep any data on referrals in a spreadsheet application.

In response to the discovery, we have taken the following actions:
- Provided additional training to our staff on acceptable uses and disclosure of patient information.
- Added a policy specifically defining very limited situations that would be considered reasonable assurances of destruction in any future inadvertent disclosures of PHI, even from trusted business partners.
- Added processes and training for staff members to check spreadsheets for hidden data and additional worksheets within a file before sharing with anyone.
- Terminated our relationship with the publisher involved.
- Notified the appropriate federal agencies about the situation.

What Steps You Can Take to Protect Yourself

Due to the limited nature of the data involved, we do not believe you are at risk for identity theft. As soon as we have more information about the destruction of the data, we will let you know. We deeply regret that this incident has occurred and apologize for the concern that this incident may have caused you. If you have any questions, please contact our privacy official, YYYYYYYYYYY, at ZZZZZZZZ.

Sincerely,
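The letter above says staff now check spreadsheets for hidden data and additional worksheets before sharing them. As an added example that is not part of the presentation or of the notifying organization's procedures, the following Python script (standard library only) performs that pre-send check by reading the XML parts inside an .xlsx package: sheet visibility from xl/workbook.xml and hidden rows and columns from each worksheet part. The workbook it scans is constructed inline to mirror the incident (a visible referral sheet plus hidden patient data); every sheet name, column and value in it is made up, and the helper names (scan_xlsx, is_safe_to_send, build_xlsx, worksheet_xml) are this example's own.

```python
"""Pre-send check for hidden content in an .xlsx file (standard library only).

An .xlsx file is a zip archive of XML parts. Sheet visibility is recorded in
xl/workbook.xml (state="hidden" or state="veryHidden"); hidden rows/columns
are recorded in each worksheet part. Reading the parts directly also catches
"veryHidden" sheets, which the Excel Unhide dialog does not list.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
TRUE_VALUES = ("1", "true")  # OOXML booleans may be written either way


def scan_xlsx(data: bytes) -> dict:
    """Report hidden sheets, rows and columns in an .xlsx given as bytes."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        # Relationship id -> worksheet part path (relative to xl/ unless absolute).
        targets = {r.get("Id"): r.get("Target")
                   for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((name, state))
            target = targets.get(sheet.get(f"{{{NS_REL}}}id"))
            if not target:
                continue
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(zf.read(part))
            rows = sum(1 for r in ws.iter(f"{{{NS_MAIN}}}row")
                       if r.get("hidden") in TRUE_VALUES)
            cols = sum(1 for c in ws.iter(f"{{{NS_MAIN}}}col")
                       if c.get("hidden") in TRUE_VALUES)
            if rows:
                findings["hidden_rows"][name] = rows
            if cols:
                findings["hidden_cols"][name] = cols
    return findings


def is_safe_to_send(data: bytes) -> bool:
    """True only when nothing in the workbook is hidden from the reader."""
    f = scan_xlsx(data)
    return not (f["hidden_sheets"] or f["hidden_rows"] or f["hidden_cols"])


def worksheet_xml(rows, hidden_rows=(), hidden_cols=()) -> str:
    """Minimal worksheet part: rows is a list of lists of cell strings;
    hidden_rows/hidden_cols are 1-based indexes to mark as hidden."""
    cols = "".join(f'<col min="{c}" max="{c}" width="12" hidden="1"/>'
                   for c in hidden_cols)
    body = []
    for r, values in enumerate(rows, start=1):
        hidden = ' hidden="1"' if r in hidden_rows else ""
        cells = "".join(f'<c t="inlineStr"><is><t>{v}</t></is></c>' for v in values)
        body.append(f'<row r="{r}"{hidden}>{cells}</row>')
    cols_xml = f"<cols>{cols}</cols>" if cols else ""
    return (f'<worksheet xmlns="{NS_MAIN}">{cols_xml}<sheetData>'
            + "".join(body) + "</sheetData></worksheet>")


def build_xlsx(sheets) -> bytes:
    """Write a minimal .xlsx package in memory (enough for the scanner, not a
    full OOXML package). sheets: list of (name, state, worksheet_xml)."""
    sheet_tags, rel_tags, parts = [], [], {}
    for i, (name, state, ws_xml) in enumerate(sheets, start=1):
        state_attr = "" if state == "visible" else f' state="{state}"'
        sheet_tags.append(f'<sheet name="{name}" sheetId="{i}"{state_attr} r:id="rId{i}"/>')
        rel_tags.append(f'<Relationship Id="rId{i}" Type="{NS_REL}/worksheet" '
                        f'Target="worksheets/sheet{i}.xml"/>')
        parts[f"xl/worksheets/sheet{i}.xml"] = ws_xml
    parts["xl/workbook.xml"] = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                                + "".join(sheet_tags) + "</sheets></workbook>")
    parts["xl/_rels/workbook.xml.rels"] = (f'<Relationships xmlns="{NS_PKG}">'
                                           + "".join(rel_tags) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, xml in parts.items():
            zf.writestr(path, xml)
    return buf.getvalue()


def build_sample_xlsx() -> bytes:
    """Constructed sample mirroring the incident: the visible referral sheet
    has a hidden column, and patient rows sit on a hidden and a veryHidden
    sheet. All names and values are made up for this example."""
    return build_xlsx([
        ("Referrals", "visible",
         worksheet_xml([["Source", "Count", "Internal note"],
                        ["Clinic A", "12", "do not share"]], hidden_cols=(3,))),
        ("Patients", "hidden",
         worksheet_xml([["Last", "First", "First visit", "Status"],
                        ["Doe", "Jane", "2012-04-01", "P"]], hidden_rows=(2,))),
        ("Raw", "veryHidden", worksheet_xml([["export"]])),
    ])


if __name__ == "__main__":
    sample = build_sample_xlsx()
    report = scan_xlsx(sample)
    for name, state in report["hidden_sheets"]:
        print(f"hidden sheet: {name!r} ({state})")
    print("hidden rows:", report["hidden_rows"], "hidden cols:", report["hidden_cols"])
    print("safe to send:", is_safe_to_send(sample))
```

The scan only covers hidden sheets, rows and columns; stray PHI can also live in cell comments, defined names, pivot caches, document properties, external links or white-on-white text, none of which this check sees. The safer practice, and the one the letter's new practice management system reflects, is not to keep PHI in the working spreadsheet at all, or to copy only the intended sheet into a fresh file (or export it to CSV) before sending.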

Q&A