Data Breach & Breach Notification for HR/Benefits
Assurex Global Partners
January 19, 2012

Welcome to today's webinar. We will begin at Noon Eastern.
You can listen to the audio portion through your computer speakers or by calling into the phone conference number provided in your invitation email. There will be no sound until we begin the webinar.
You will be able to submit questions during the webinar by using the questions box located on your webinar control panel.

Partner agencies: Brower Insurance Agency; Catto & Catto; Engle Hambright & Davies; Frenkel & Co.; Gillis, Ellis & Baker; The HDH Group; The Horton Group; Kapnick Insurance Group; LaMair Mulock Condon Co.; Lipscomb & Pitts Insurance; Lyons Companies; The Mahoney Group; The McCart Group; MJ Insurance; Parker, Smith & Feek; R&R/The Knowledge Brokers; Riggs, Counselman, Michaels & Downes; The Rowley Agency; Schiff, Kreidler Shell; Senn Dunn; John L. Wortham & Son
Agenda
- What is a Data Breach?
  - HIPAA Breach of Unsecured PHI
  - State Breach Laws
  - Others
- What notifications must be made
- What are the most common sources
- What you can do to prevent a breach
- Other protections

(Copies of this presentation and a recorded version are available through your broker. Audio trouble? Dial 1 719 867 1571, access code 265313. Q&A.)

Introduction
- HIPAA Breach notification law effective Sept. 2009
  - Impacts all covered entities
  - Fines for non-compliance
- Most states have breach laws
  - Cover specific data elements such as SSN, driver's license and credit card numbers
- Prevention: Organizations can often protect themselves by implementing simple safeguards. More complex safeguards can also be implemented but may take a little more time, effort or money.

Introduction: State Security Breach Laws
- The National Conference of State Legislatures reports that 46 states have security breach laws
- A list of states (with statute references) and information on pending and recently passed legislation in each state can be found at http://www.ncsl.org/default.aspx?tabid=13481
- Alabama, Kentucky, New Mexico, and South Dakota are the only states without state security breach laws
Introduction: Covered Entities
- HIPAA: Health Care Providers and Clearinghouses; Health Plans (HMOs, Insurance Companies, Employer Sponsored Health Plans)
- State laws: any entity that collects, or on behalf of another entity collects, non-public information

Definitions: Protected Health Information (PHI)
- Any individually identifiable information, electronic, written or oral
- Related to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for health care for an individual
- Created, received or maintained by a covered entity (i.e. the health plan)

Definitions: Breach of unsecured PHI is:
- Unauthorized access or acquisition of unsecured PHI
- In violation of HIPAA Privacy or Security
- Has led to or could lead to financial or reputational harm to the individual

Definitions: Non-public Information (State Breach Laws)
- Any form of name (first initial/last name, etc.) combined with any of: SSN; DL number; credit card number with security code
- Some states include health information (PHI)
Notification: HIPAA Breach Notification
- Within 60 days of discovery, notify individuals affected by the breach of:
  - What happened
  - Type of data
  - What actions you are taking to mitigate
  - What actions the individual can take to mitigate
  - Contact information if they have more questions

Notification: HIPAA Breach Notification (continued)
- If greater than 500 impacted and all within one state: notify local prominent media (TV, print media, etc.)
- Notify Secretary of Health and Human Services
  - Over 500: within 60 days
  - Under 500: within 60 days after end of calendar year
- Notification on your public website

Notification: State Laws
- Notification, type of notification, media requirements, government entity notification and fines vary from state to state.
- Must notify the individual
  - Some allowances made for very large groups impacted
  - Includes alternate notification: email, media, etc.
- Media notification if certain thresholds are met
- Notify state contact such as the Attorney General
- Fines for failure to comply
Burden of Proof
- HIPAA requires, in the event of a suspected breach or an actual breach, that the events, actions, etc. are documented.
- This means if it is not a breach, you document what happened and how you reached the conclusion that no breach occurred.
- If it is a breach, all actions (i.e., notification actions) must be documented.
- State law documentation requirements vary but are similar to what HIPAA requires.

Common Sources for Breaches
- HIPAA breaches over 500: theft; loss of electronic media or paper records; unauthorized access; human error; improper disposal
- Breaches under 500: most common is misdirected communications
- State law: not reported or information not publicly available

Prevention
- There are many different safeguards your organization can have in place that will minimize your risk of a breach.
- Safeguards are divided between administrative, physical and technical.
- Many are easy to implement, although they may not be popular with your workforce.
- Let's start with the easy and least costly (time or $$).
Prevention: Easy to Do
- Administrative: designated Security Official; workforce authorizations; terminations; information access
- Physical: facility access controls; workstation use
- Technical: unique user identification; automatic logoff

Prevention: Harder (Time & $$)
- Administrative: information system activity review; security training; password management; login monitoring; contingency plans
Prevention: Harder (Time & $$) (continued)
- Physical: disposal and media re-use; accountability; maintenance records
- Technical: encryption and transmission security; audit controls

State Laws and Other Considerations
- Generally, state laws do not require specific safeguards but do expect safeguards to be in place and documented.
- HIPAA requires documentation of all safeguards according to the HIPAA Security Standards.

Prevention Recap
- Make sure workforce, contractors and vendors are well aware of what the acceptable and unacceptable uses of your computer technology are.
- Give access only to those who need it, both to your facilities (and sensitive areas within them) and to the data stored in your information systems.
- Those with access to data must have unique user IDs and passwords that are complex and changed frequently.
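The "login monitoring", "information system activity review" and "audit controls" safeguards above are easiest to picture as a periodic review of an access log. The script below is an added illustration, not material from the presentation or its authors: it parses a small application access log and reports three things a reviewer would look at (a successful login that followed a run of failures, record reads by users who are not on the authorized list, and reads outside business hours). The log format, user names, record names, source addresses and the authorized-reader list are all constructed for this example.

```python
"""Added example of a login-monitoring / access-audit review pass.

Not from the presentation: the log format, users, records, addresses and
authorized-reader list below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (hypothetical key=value format).
SAMPLE_LOG = """\
2012-01-18T08:02:11 user=jsmith action=login result=success src=10.0.0.12
2012-01-18T08:05:40 user=jsmith action=read record=benefits/4471 result=success src=10.0.0.12
2012-01-18T22:14:03 user=tlee action=login result=failure src=203.0.113.7
2012-01-18T22:14:20 user=tlee action=login result=failure src=203.0.113.7
2012-01-18T22:14:41 user=tlee action=login result=failure src=203.0.113.7
2012-01-18T22:15:02 user=tlee action=login result=success src=203.0.113.7
2012-01-18T22:16:30 user=tlee action=read record=benefits/9012 result=success src=203.0.113.7
2012-01-19T09:30:00 user=contractor1 action=read record=benefits/1234 result=success src=10.0.0.55
"""

# Constructed list of workforce members authorized to read benefits records.
# Keeping this list current is the "periodic audit" the slides call for.
AUTHORIZED_READERS = {"jsmith", "hrlead"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: record=(?P<record>\S+))? result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def failed_then_success(events, threshold=3):
    """Login monitoring: users whose successful login came right after
    `threshold` or more consecutive failures (a password-guessing pattern)."""
    streak = defaultdict(int)
    flagged = []
    for e in events:
        if e["action"] != "login":
            continue
        if e["result"] == "failure":
            streak[e["user"]] += 1
            continue
        if streak[e["user"]] >= threshold:
            flagged.append((e["user"], streak[e["user"]], e["ts"].isoformat()))
        streak[e["user"]] = 0
    return flagged


def unauthorized_reads(events, authorized):
    """Audit control: successful record reads by users not on the authorized list."""
    return [
        (e["user"], e["record"], e["ts"].isoformat())
        for e in events
        if e["action"] == "read" and e["result"] == "success"
        and e["user"] not in authorized
    ]


def after_hours_reads(events, start_hour=7, end_hour=19):
    """Activity review: record reads outside normal business hours."""
    return [
        (e["user"], e["record"], e["ts"].isoformat())
        for e in events
        if e["action"] == "read" and not (start_hour <= e["ts"].hour < end_hour)
    ]


def review(text=SAMPLE_LOG, authorized=AUTHORIZED_READERS):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "guessing": failed_then_success(events),
        "unauthorized": unauthorized_reads(events, authorized),
        "after_hours": after_hours_reads(events),
    }


if __name__ == "__main__":
    for name, findings in review().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

On the constructed log the review flags `tlee` under all three checks (three failed logins followed by a success, an unauthorized read, and a read at 22:16) and `contractor1` for an unauthorized read during business hours. Each finding is a question for the risk assessment, not a breach by itself; the point of the review is that the documented decision about each one exists.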
Prevention Recap: Your IT department should:
- Monitor both successful and unsuccessful access to your data
- Conduct periodic audits to ensure only authorized workforce have access to data
- Provide secure remote access such as VPN and others
- Have complete inventories of hardware and software
- Hardware should be traceable to the individual or location

Prevention Recap
- If you have remote access to either PHI or non-public information via a laptop or other portable device (smart phone, tablet, etc.), do not store this information on the device unless the data is stored encrypted.
- Accessing the data through a secure remote connection is okay, but again do not store information on the unprotected device.

What if it happens to you?
- First and foremost, conduct a Risk Assessment:
  - Was the data lost, stolen or accessed by an unauthorized person?
  - Was the data PHI or other non-public information?
  - Is there a risk of financial or reputational harm?
  - Can the potential breach be mitigated or contained?
  - If it is a breach, do we have all the contact information for those involved?
- Don't forget to document all decisions and actions!
What if it happens to you? Who can I turn to for help?
- Attorneys
- Consultants
- Law enforcement
- Remember: taking no action can lead to significant fines from either Federal or State agencies, and in some cases the individual may also seek damages directly.

Other Options
- Data breach insurance: Is it for you? What does it cover?
- Remember, data breach insurance does not absolve you of complying with state and federal laws.
- Individual Identity Theft Insurance: LifeLock, Identity Guard, etc.

Resources
- HHS website targeted for Covered Entities: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
- CMS HIPAA Security Whitepapers: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
- HHS HIPAA Frequently Asked Questions: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html