HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com

Similar documents
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

POLICY AND PROCEDURE MANUAL

COMPLIANCE ALERT 10-12

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

Community First Health Plans Breach Notification for Unsecured PHI

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

The ReHabilitation Center Buffalo Street. Olean. NY

HIPAA Update Focus on Breach Prevention

HIPAA Privacy Breach Notification Regulations

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

Data Breach, Electronic Health Records and Healthcare Reform

New HIPAA Rules and EHRs: ARRA & Breach Notification

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

Use & Disclosure of Protected Health Information by Business Associates

STANDARD ADMINISTRATIVE PROCEDURE

Business Associate Liability Under HIPAA/HITECH

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014

HIPAA 101. March 18, 2015 Webinar

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

HIPAA BREACH RESPONSE POLICY

Five Rivers Medical Center, Inc Medical Center Drive Pocahontas, AR Notification of Security Breach Policy

NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

Breach Notification Policy

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

Checklist for HITECH Breach Readiness

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

How To Notify Of A Security Breach In Health Care Records

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

H. R Subtitle D Privacy

Violation Become a Privacy Breach? Agenda

Breach Notification Decision Process 1/1/2014

Information Privacy and Security Program. Title: EC.PS.01.02

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

October 22, CFR PARTS 160 and 164

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

M E M O R A N D U M. Definitions

Am I a Business Associate?

Regulatory Update: HITECH s HHS and FTC Security Breach Notification Requirements

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

HIPAA In The Workplace. What Every Employee Should Know and Remember

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Overview of the HIPAA Security Rule

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

My Docs Online HIPAA Compliance

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

What do you need to know?

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Healthcare Practice. HIPAA/HITECH Act vs. the Washington Data Breach Notification Act. November 2009

what your business needs to do about the new HIPAA rules

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda

Healthcare Horizons Webinar Series:

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

The HITECH Act: Protect Patients and Your Reputation

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.

HIPAA for Business Associates

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HIPAA Breach Notification Policy

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Appendix : Business Associate Agreement

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

Disclaimer: Template Business Associate Agreement (45 C.F.R )

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar

HIPAA BUSINESS ASSOCIATE AGREEMENT

University Healthcare Physicians Compliance and Privacy Policy

Covered Entities and Business Associates: An Evolving Relationship

The Basics of HIPAA Privacy and Security and HITECH

Dissecting New HIPAA Rules and What Compliance Means For You

Healthcare Practice. HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act. February 2010

HIPAA BUSINESS ASSOCIATE AGREEMENT

Model Business Associate Agreement

I n its new omnibus final rule governing health data

Transcription:

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com

Presenters David Schoolcraft, Member, Ogden Murphy Wallace, PLLC Taya Briley, General Legal Counsel, WSHA

HITECH Health Reform 3

OBJECTIVES 1. Review Breach Notification Rule 2. Incident Analysis Examples 3. Compliance Action Plan Effective Date: September 23, 2009 4

Breach Notification Rule A covered entity shall, following discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such breach. - 45 CFR 164.404(a)(1) 5

A. Is There a Breach? 6

Significant Risk of Harm Harm Threshold Incident must impose a significant risk of financial, reputational or other harm to the individual. Fact Specific Analysis What is the nature of the information? To whom was the information disclosed? Mitigation efforts matter. 7

B. Was PHI unsecured? Was data unusable, unreadable, or indecipherable to unauthorized individuals? Safe Harbor Standards: National Institute of Standards and Technology (NIST) publications: 800-111 (Encryption) 800-52 (Transport Layer Security) 800-77 and 800-113(VPNs) 800-88 (Guidelines for Media Sanitation) NIST publications available at www.csrc.nist.gov 8

Incident Analysis Examples Stolen laptop-- What if data is encrypted? What if laptop is password protected? What if data limited to basic directory information? What if laptop is recovered? Data sent to wrong recipient-- Other healthcare provider? Employer? Incidental disclosure Technical security breach. 9

Timeliness of Notice 60 day shot-clock from date of discovery Without unreasonable delay Laptop is stolen Stolen laptop becomes known to CE Notification Deadline Oct. 1 60 days Oct. 1st Oct. 3rd Nov. 1st Dec. 2nd Failure to provide notification within 60 days may lead to violation 10

Timeliness of Notice What if a business associate is involved? Laptop is stolen from BA Stolen laptop becomes known to BA BA notifies CE Notification Deadline (if BA is independent contractor) 60 days Oct. Oct. 1st 1 Oct. 3rd Nov. 1st Dec. 2nd Dec. 30th 60 days Notification Deadline (if BA is agent) Failure to provide notification within 60 days may lead to violation 11

Content of Notice to Individuals Brief description of what happened Date of breach Date of discovery of breach Description of the types of PHI disclosed Steps individual should take to protect him/herself Description of what covered entity is doing to: Investigate breach Mitigate harm to individuals - i.e. provide fraud insurance, suggest that individual contact credit bureau or credit care company Protect from further breaches Contact procedures--toll free number, Website or postal address 12

Additional Notice Recipients Media Notice - Required if Over 500 Individuals Supplemental to written notice; must still provide individual notice Prominent media outlets serving a State or jurisdiction Contains the same content as written notice Notice to HHS Over 500 individuals - notice required within 60 days Less than 500 then CE maintains a log and reports all breaches within 60 days after calendar year using HHS form 13

Administrative Requirements Effective September 23, 2009 Enforcement discretion to February 22, 2010 Covered Entity has the burden of proof Must maintain documentation evidencing that all notifications were made in accordance with these rules If no notification then evidence as to why it was not necessary Training Implementation of Policies & Procedures Maintenance of breach log for end of year report to HHS 14

Increased Civil Penalties HHS shall base the penalty determination on the nature & extent of the violation and the nature & extent of the resulting harm. Effective for all violations after Feb. 17, 2009 but not enforced until Feb. 17, 2010 15

Compliance Action Plan What CEs Must Do Now Develop policies & procedures. Create a checklist of requirements in case of breach Train workforce members. Identify key individuals for incident analysis and response. 16

Compliance Action Plan What CEs Should Do Now Analyze data posing high risk Ex: Mobile Data Encryption if possible/practical Analyze Business Associate Agreements Independent Contract vs. Agent Requirements to notify covered entity if breach Review insurance policies 17

Compliance Action Plan What to do if an Incident Occurs Perform incident analysis Was there a breach? Violation of HIPAA Privacy Rule? Significant risk of harm? Statutory exceptions? Was data encrypted? If necessary, report breach under notification rule: 60 day requirement. Notice to individual. Notice to media and HHS? 18

APPENDIX 19

Breach Definition Statutory Exceptions HITECH Act contains additional statutory exceptions to definition of breach. Unintentional use or disclosure to workforce member if use or disclosure was made in good faith and did not result in further use or disclosure Inadvertent disclosure from an individual authorized to access the records to another similarly situated individual Unauthorized person could not have reasonably retained the information. Limited data set excluding Date of Birth and Zip Codes 20

David G. Schoolcraft dschoolcraft@omwlaw.com 206.447.7211 Health Law Blog: www.omwhealthlaw.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information