IAPP Practical Privacy Series. Data Breach Hypothetical




Presented by:
Jennifer L. Rathburn, Partner, Quarles & Brady LLP
Frances Wiet, CPO and Assistant General Counsel, Takeda Pharmaceuticals U.S.A., Inc.

Session Overview and Description:
This session will provide participants with practical tools to evaluate and respond to data breaches. We will begin with a short data breach response overview. We will then provide three data breach scenarios of increasing complexity. We will offer participants an opportunity to explore responses to those scenarios in small group and large group discussions using checklists and other tools provided in the session. A question and answer opportunity will conclude the session, offering participants an opportunity to share ideas from the session or innovative solutions to data breach problems that they have encountered.

SCENARIO #1
Health Care Provider Company learns that a consultant auditing financial data accessed a server that stores health care data (including names, personal e-mails, social security numbers). Company also learns that the consultant downloaded this information to its laptop. The initial investigation finds the consultant accessed and downloaded the data accidentally when performing services for the Company. The data was accessed several times over the course of 2 days. When the issue was brought to the attention of the consultant, the data was deleted from the laptop. Approximately 1000 individuals may be compromised. States impacted include California and Texas.

SCENARIO #2
Company learns that 2 of its servers containing its employees' (and their dependents') information (i.e., health insurance benefit elections, FMLA information, occupational health records, and health plan claims data) and financial data (bank account information) have been inappropriately accessed by an unauthorized third party. The servers are located at a hosting facility which provides a private cloud computing arrangement. The initial investigation finds the servers are infected with malware. The servers contain data for 5,000 individuals living across the US.

SCENARIO #3
Investigation has continued on Scenario #2 and Company learns that one of the infected servers contains name, personal address, limited health information (health insurance benefit elections) and financial data (bank account information) for 10 EU residents who are on assignment in the U.S. from Germany.

Worksheet for Data Breach (one worksheet each for Scenario #1, Scenario #2 and Scenario #3)
- Affected Entities and Data Elements at Issue
- State Laws at Issue
- HIPAA Issues (if any)
- Simple Description of Root Cause and Mitigation Efforts
- Decision to Notify or Not to Notify
- If decision is to notify, when?

BREACH RESPONSE & INVESTIGATION CHECKLIST
(Columns: Action Step; Responsible Contact; To be Notified by; Date/Time)

Description of Incident
- Incident Received and Documented
- Reported By (and contact information)
- Date and Time Report Received
- Date and Time of Incident
- Date and Time Incident Discovered
- Location/Department/Building
- Source/Media (e.g., EHR, Paper, Fax, etc.)
- Detail Data Elements Potentially at Risk (e.g., name, address, account information, SSN, medical information)
- Does any data at issue potentially include:
  o Protected Health Information? (see Attachment B, HIPAA/HITECH Requirements)
  o Financial Data?
  o EU data or data from other foreign jurisdictions?
- Vendor Involvement
- Description of Incident
- Privacy Breach Investigation Record Initiated
- Request Originals/Media to be Returned or Destroyed with Written Verification of Such
- If Applicable, Security Incident Initiated

Review Applicable Laws
- Where do potentially affected individuals reside?
- What State laws apply? What are State requirements? See Attachment A.
- Based on data subject to exposure, what other laws may apply (e.g., HIPAA/HITECH Requirements - see Attachment B; EU Data Protection Laws - see Attachment C)?

Internal Notification (as Appropriate)
- IT Leadership
- Risk Management, Compliance Officer, Human Resources, Leadership, etc.
- Internal Legal Counsel
- Line of Business Head
- Public Relations & Communications/Customer Service
- Building Services/Facilities

External Notification (as Appropriate)
- External Legal Counsel
- Law Enforcement Officials (record Agency, Officer, Date/Time)
- Insurance Carrier (e.g., Facility, Cyber, Malpractice, etc.) (record Agency, Agent, Date/Time)
- Office for Civil Rights (see Attachment B, HIPAA/HITECH Requirements)
- Individuals
- Media Outlets
- State and/or Federal Agency, if Required (e.g., Health Plans with Medicare Plans Contact CMS)

Investigation Components
- Complete Risk Assessment to Determine Potential for Significant Risk of Financial, Reputational, or Other Harm (for state breach requirements see Attachment A; for HIPAA/HITECH Security Requirements see Attachment B)
- Assess/Engage Need for Forensics
- Assess/Engage Need for Private Investigator (e.g., research Craigslist, eBay, etc. for stolen equipment)

Mitigation/Follow-Up Activities
- Vendor/Business Associate (as Applicable): Request a document from the Vendor outlining the mitigation plan, Vendor responsibilities for breach management, and documentation of steps on how the Vendor will ensure the event does not recur.
- Consideration of External Vendor Specializing in Breach Notification
- Consideration of External Vendor Specializing in Credit Monitoring
- Prepare Communication Plan to Cover Oral, Electronic and Written Communications to Victims as Well as Information to Assist with Personal Needs; Include Organizational Contact Information.
- Report to Senior Leadership/BOD
- Completion of Investigation Report
- Completion of Workforce Member Sanctions
- Root Cause Analysis (when warranted)
- Implement Additional Controls (if needed)
- Communication to Staff Learning Opportunity (e.g., newsletter article, meeting presentation, etc.)
- If HIPAA/HITECH is Applicable, Record Disclosure Information in Accounting of Disclosures Records as Required.
- Completed Checklist Retained with Supporting Documentation for six years

Responsible Contact entries listed in the checklist: Security Officer or Risk Management; Oversight; Public Relations; Chief Information Officer and/or other; Legal Counsel or Risk Management/Public Relations Leader; Director of Human Resources; Director of HIM/MR Department.

Key Contacts/Information Sources
(Columns: Name; Title; Location; Office; Cell Phone #; E-Mail Address)

Internal Resources
- Security Officer
- Compliance Leader
- Legal Counsel
- Director, Human Resources
- Director, Health Information Mgmt
- Director, Risk Management
- Chief Information Officer
- Director, Facility Management
- List Relevant Internal Policies and Procedures and Web Sites - Provide Web Links

External Resources
- FTC website - http://www.ftc.gov/
- OCR website - http://www.hhs.gov/ocr/privacy/
- HIPAA Collaborative of Wisconsin (HIPAA COW) - http://www.hipaacow.org

Attachment A: State Breach Requirements
STEP 1: Is Company governed by state breach law (e.g., is Company an entity that owns or licenses data, or is it a service provider or other entity that maintains data)?
STEP 2: Is the data at issue governed under state law?
STEP 3: Has a breach occurred? Does an exception to notification apply (e.g., harm threshold, good faith acquisition)?

Attachment B: HIPAA/HITECH Security Breach Requirements
STEP 1: Is Company governed by HIPAA/HITECH?
STEP 2: Is Protected Health Information (PHI) involved? Identifiers to look for:
- Name
- Geographic Subdivision Smaller than a State (Except for Initial 3 Digits of Zip Codes in Certain Instances)
- All Elements of Dates (Except Year) Related to Individual (Birth, Death, Admission, Discharge), and all Ages over 89 and all Elements of Dates Indicative of Such Age, Including Year (Except for Aggregation into a Single Category of Age 90 or Older)
- Telephone Numbers
- Fax Numbers
- Electronic Mail Addresses
- Social Security Number
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certification/License Numbers
- Vehicle Identifiers and Serial Numbers, Including License Plates
- Device Identifiers and Serial Numbers
- Web URLs
- Internet Protocol Addresses
- Biometric Identifiers, Including Finger and Voice Prints
- Full Face Photos and Comparable Images
- Any Unique Identifying Number, Characteristic or Code
STEP 3: Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI in violation of the HIPAA Privacy Rule.
STEP 4: Determine if the PHI is unsecured (meaning not secured in accordance with the DHHS Guidance).
STEP 5: Evaluate whether the incident falls under one of the exceptions to the notification obligations.
STEP 6: Resist the urge to automatically assume notification is required until a risk assessment is conducted.
STEP 7: Conduct a risk assessment to determine whether the impermissible use or disclosure poses a significant risk of financial, reputational or other harm to the individual. Specifically, use the following factors DHHS set forth in the Breach Notification for Unsecured Protected Health Information; Interim Final Rule:
- Who impermissibly used the PHI, or to whom the PHI was impermissibly disclosed
- The type and amount of PHI involved
- Whether the immediate steps taken to mitigate the harm rendered the risk of harm to the individual less than significant
- Whether the impermissibly disclosed PHI was returned prior to it being accessed for an improper purpose
STEP 8: As required, notify Individuals, OCR and Media (if greater than 500 Individuals).
STEP 9: Mitigation/Accounting of Disclosures

Attachment C: EU Data Protection Law

Current Analysis
STEP 1: In which country do the EU residents reside?
STEP 2: Does that country currently have a data breach reporting requirement? Germany currently has a reporting obligation for special categories of data such as health information, as well as obligations for bank account information.
STEP 3: What are the requirements of that law?

Future Analysis Must Include the Data Directive Reform
The current draft states:
- Personal data breach is a breach of security leading to the accidental or unlawful unauthorized access to personal data transmitted, stored or otherwise processed.
- Notification to the supervisory authority is required within 24 hours of becoming aware of an issue.

More to come on the EU issues in the next session today.