UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

RULES Issued August 19, 2009 as an interim final rule under the HITECH Act, and finalized in the January 2013 HIPAA Omnibus Rule (compliance date September 23, 2013). Requires Covered Entities to notify affected individuals of a breach without unreasonable delay and in no case later than 60 calendar days after discovery, and to notify HHS (at the same time as the individual notices when more than 500 individuals are affected; otherwise in an annual report). Requires notification of prominent media outlets when a breach affects more than 500 residents of a State or jurisdiction. Requires Business Associates to notify Covered Entities of a breach.

Why? Prior to the HITECH Act there was no federal requirement to notify anyone of a breach of PHI. The 2009 interim rule let an entity skip notification when it concluded the breach posed no significant risk of harm to the individual; the 2013 Omnibus Rule removed that harm threshold and replaced it with a more objective standard: an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. The Rule strengthened the privacy and security protections for health information established under HIPAA.

What? Notification is required to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured protected health information (PHI). It establishes a uniform requirement to inform individuals and HHS when a breach of unsecured protected health information occurs.

What is a Breach? Generally, it is an impermissible use or disclosure that compromises the security or privacy of PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.

Responsibilities of the Covered Entity and Business Associate Both must have: Documented policies and procedures regarding breach notification; A training and awareness program for the workforce staff; A security incident response, reporting and management system; A risk assessment system to determine probability of breach and breach notification; and A sanction policy for those who do not comply with the policies/procedures.

Breach Excludes #1 The unintentional acquisition, access or use of PHI by a workforce member acting under the authority of the CE or BA, if the acquisition, access or use was made in good faith and within the scope of their authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule. This does not cover snooping employees: snooping is intentional and not in good faith.

#2 Exception The inadvertent disclosure of PHI from a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

#3 Exception If the CE or BA has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

Examples of Exceptions A fax with PHI is misdirected to the wrong physician, and upon receipt the receiving physician calls to say it was received in error and has been destroyed. A risk assessment may be able to determine a low probability that the information was compromised, in which case it would not constitute a breach. A lab report was mistakenly sent to the patient's brother, who has the same last name as the patient. Determining whether this is a reportable breach will depend upon the relationship between the brother and the patient, and whether the brother actually viewed any of the patient's PHI.

Examples - Continued A letter was sent to the wrong address. The letter was returned unopened, as undeliverable. It can be concluded that the recipient at the wrong address could not reasonably have retained the information. A nurse hands discharge papers to the wrong patient and immediately recognizes the error and retrieves them. This would not constitute a breach because the person could not have retained the information.

Unsecured PHI Remember, notification is required only if the breach involved unsecured PHI. Definition: PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified in HHS guidance. Encryption (applied in a manner consistent with that guidance, and only as long as the decryption key or process has not itself been compromised) and destruction are the only technologies and methodologies that meet this definition.

Discovery of a Breach A breach of unsecured PHI shall be treated as discovered by a CE on the first day the breach is known to the CE, or, by exercising reasonable diligence, would have been known to the CE. The CE is deemed to know of a breach at the time any workforce member or other agent (not only the Privacy Officer) has knowledge of it. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

Breach Investigation The practice shall name an individual to act as the investigator (Privacy Officer, Security Officer, Risk Manager). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, documentation and coordinating with others in the organization. The investigator shall be the key facilitator for all breach notification processes to the appropriate entities. (e.g., HHS, patient, media, law enforcement, etc.)

Risk Assessment To determine if there is a low probability that the PHI has been compromised, a risk assessment needs to be performed. The assessment is to be fact specific and must address four factors: The nature and extent of the PHI involved including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the PHI was disclosed; Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated.

Factor One: Nature and Extent of the PHI Evaluate the types of identifiers and likelihood of re-identification of the PHI: Social security numbers, credit cards, financial data (risk of identity theft or financial fraud) Clinical data, diagnosis, treatment, medications Mental health, substance abuse, sexually transmitted diseases, pregnancy

Factor Two: Who Used the PHI and to Whom Was It Disclosed Consider who the unauthorized person was who used the PHI and to whom the impermissible disclosure was made. Does the unauthorized person who received the information have obligations to protect its privacy and security? Does the unauthorized person who received the PHI have the ability to re-identify it?

Factor Three: Was the PHI Actually Acquired or Viewed Determine if the PHI was actually acquired or viewed or if only the opportunity existed for the information to be acquired or viewed. E.g., laptop was stolen and later recovered. IT analysis shows that the PHI was never accessed, viewed, acquired or transferred or compromised. The entity could determine the PHI was not actually acquired although the opportunity existed.

Factor Four: To What Extent Was the Risk to the PHI Mitigated? Consider the extent to which the risk to the PHI has been mitigated. E.g., obtain the recipient's satisfactory assurance that the information will not be further used or disclosed (a confidentiality agreement can be used) or that it has been destroyed (shredded).

Assessment Conclusion Evaluate the overall probability that the PHI has been compromised. If your evaluation of the four factors fails to demonstrate a low probability that the PHI has been compromised, breach notification is required. If the PHI was encrypted in a manner consistent with the HHS guidance and the key was not compromised, the PHI was not unsecured and no breach notification is required.

Timeliness of Notification Covered Entities must notify individuals of a breach without unreasonable delay but in no case later than 60 calendar days from the discovery of the breach (not from when the investigation is complete). This allows the CE a reasonable amount of time to investigate the circumstances of the breach in order to collect and develop the information required in the notice to the individual. The 60 days is an outer limit, not a target: waiting the full period without reason is itself an unreasonable delay.

Delay of Notification If a law enforcement official states that a notification, notice or posting required under this section would impede a criminal investigation or cause damage to national security, the notification, notice or posting shall be delayed. If the official provides a written statement citing the reason for the delay and specifying the time for which a delay is required, the CE delays for that period. If the request is made orally, the CE must document the statement and the identity of the official and may delay no longer than 30 days from the oral statement unless a written statement is provided during that time.

Content of Notice The notice must be written in plain language and must contain the following information, to the extent possible: A brief description of what happened, including the date of the breach and the date of discovery, if known; A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, or other types of information were involved);

Content of Notice - Continued Any steps individuals should take to protect themselves from potential harm resulting from the breach; A brief description of what the CE involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches; and Contact procedures for individuals to ask questions or learn additional information which shall include a toll-free telephone number, an e-mail address, Web site or postal address.

Content of Notification - Continued The breach notice must be: Written in plain language and at an appropriate reading level, using clear language without extra material that would diminish the message. Written in a language the individual understands if the individual has limited English proficiency (e.g., Spanish). Provided in accordance with the Americans with Disabilities Act of 1990 to ensure effective communication with individuals with disabilities, in formats such as Braille, large print or audio.

Methods of Notification Mail: First class to the individual's last known address. Minors/Incapacitated Individuals: Notice may be provided to the parent or personal representative of the individual. Deceased Individual: If the CE knows the individual is deceased and has the address of the next of kin or personal representative, notification is sent to the next of kin or personal representative. If the CE has no contact information or has out-of-date contact information for the next of kin/personal representative, the CE is not required to provide substitute notice.

Alternative and Substitute Forms of Notice E-mail: may be used in place of first-class mail only if the individual has agreed to receive electronic notice and has not withdrawn that agreement. Telephone: may be used in addition to (not instead of) written notice when urgent notification is necessary because of possible imminent misuse of the unsecured PHI. Substitute notice is used when contact information is insufficient or out of date, and must be reasonably calculated to reach the individual: Fewer than 10 individuals: an alternative form of written notice, telephone, or other means. 10 or more individuals: a conspicuous posting on the home page of the CE's web site for 90 days, or conspicuous notice in major print or broadcast media where the affected individuals likely reside, in either case including a toll-free number that remains active for at least 90 days.

Notification Using Media If a breach has affected more than 500 residents of a State or jurisdiction, the CE must also notify prominent media outlets serving that State or jurisdiction without unreasonable delay and no later than 60 calendar days after discovery. The media notice must contain the same information as the individual notice. This is in addition to, not a substitute for, individual notice.

Notification to HHS Reports are submitted through the HHS breach notification site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html Breaches affecting more than 500 individuals: notify HHS immediately, meaning at the same time as the individual notification (without unreasonable delay and no later than 60 calendar days after discovery). Breaches affecting fewer than 500 individuals: log them and report them to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered, not the year in which they occurred. E.g., unsecured PHI breaches discovered in 2013 would have to be reported by March 1, 2014.

Breach Log The practice shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be logged: A description of what happened; date of breach; date of discovery, and # of individuals affected. A description of the type of PHI involved (such as name, SSN, DOB, address, etc.) A description of the action taken with regard to notification of patients.
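The decision process and the deadlines described in the slides above (secured PHI, the three exceptions, the four-factor low-probability conclusion, the 60-day clock from discovery, the more-than-500 media and HHS rule, the annual HHS report, the law-enforcement delay, and the breach log) fit naturally into a small helper that a privacy or security officer can run against each logged incident. The following Python is an added example written for this page; it is not part of the presentation or of any Arkansas Mutual or HHS tooling. The names `Incident`, `assess`, `hhs_deadline`, `discovery_date` and `log_entry` are assumptions made here, and the sample laptop incident is constructed. The helper only encodes the thresholds; the four-factor judgment itself is still the investigator's.

```python
"""Breach-notification decision and deadline helper (added example, not from the presentation).

Encodes the thresholds the slides describe. Names and the sample incident are
assumptions made for this example; the investigator supplies the four-factor judgment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, Union

NOTICE_WINDOW = timedelta(days=60)       # "no later than 60 calendar days" after discovery
MEDIA_THRESHOLD = 500                    # more than 500 individuals: media notice + HHS notified with individuals
ORAL_LE_DELAY_MAX = timedelta(days=30)   # oral law-enforcement request: delay at most 30 days (45 CFR 164.412)
DateLike = Union[date, str]


def _to_date(d: DateLike) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string so the helper is easy to drive from a log."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class Incident:
    discovered: DateLike                   # first day known, or would have been known with reasonable diligence
    affected: int
    phi_types: Tuple[str, ...] = ()        # e.g. ("name", "SSN", "diagnosis")
    occurred: Optional[DateLike] = None    # date of the breach itself, if known
    encrypted_per_guidance: bool = False   # encrypted with a method consistent with the HHS guidance
    key_compromised: bool = False          # if the key also leaked, the PHI is not "secured"
    exception: Optional[int] = None        # 1, 2 or 3 for the three exceptions, else None
    low_probability: bool = False          # investigator's documented four-factor conclusion
    le_written_delay_days: int = 0         # delay period stated in a written law-enforcement request
    le_oral_request: bool = False          # oral request only: document it, delay no more than 30 days

    def __post_init__(self):
        self.discovered = _to_date(self.discovered)
        if self.occurred is not None:
            self.occurred = _to_date(self.occurred)


def discovery_date(*known_on: DateLike) -> date:
    """Discovery is the earliest day any workforce member or agent knew of the breach,
    not the day it reached the Privacy Officer; the 60-day clock runs from there."""
    return min(_to_date(d) for d in known_on)


def hhs_deadline(discovered: date, affected: int, individual_deadline: date) -> date:
    """More than 500 affected: HHS is notified together with the individuals (so any
    law-enforcement delay carries over). Otherwise the breach goes into the annual
    report due 60 days after the end of the calendar year in which it was discovered."""
    if affected > MEDIA_THRESHOLD:
        return individual_deadline
    return date(discovered.year, 12, 31) + NOTICE_WINDOW


def assess(inc: Incident) -> dict:
    """Secured PHI -> no breach; exception -> no breach; documented low probability -> no breach;
    otherwise the impermissible use/disclosure is presumed a breach and notice is required."""
    result = {"notify": False, "media": False, "reason": "",
              "individual_deadline": None, "hhs_deadline": None}

    if inc.encrypted_per_guidance and not inc.key_compromised:
        result["reason"] = "PHI was secured (encrypted per HHS guidance): not a breach of unsecured PHI"
        return result
    if inc.exception in (1, 2, 3):
        result["reason"] = "exception #%d applies; document the facts supporting it" % inc.exception
        return result
    if inc.low_probability:
        result["reason"] = "risk assessment documented a low probability that the PHI was compromised"
        return result

    # Presumed breach: notify without unreasonable delay, 60 days at most, extended only
    # by a documented law-enforcement request (written period, or 30 days for an oral one).
    deadline = inc.discovered + NOTICE_WINDOW
    if inc.le_written_delay_days > 0:
        deadline += timedelta(days=inc.le_written_delay_days)
    elif inc.le_oral_request:
        deadline += ORAL_LE_DELAY_MAX
    result.update(
        notify=True,
        reason="impermissible use or disclosure of unsecured PHI is presumed to be a breach",
        media=inc.affected > MEDIA_THRESHOLD,   # prominent media outlets, same 60-day window
        individual_deadline=deadline,
        hhs_deadline=hhs_deadline(inc.discovered, inc.affected, deadline),
    )
    return result


def log_entry(inc: Incident, result: dict) -> dict:
    """The breach-log record the slides call for, kept for every incident whatever the
    outcome, because the CE/BA carries the burden of proof."""
    def iso(d):
        return d.isoformat() if d else None
    return {
        "date_of_breach": iso(inc.occurred),
        "date_of_discovery": iso(inc.discovered),
        "individuals_affected": inc.affected,
        "phi_types": list(inc.phi_types),
        "notification_required": result["notify"],
        "media_notice_required": result["media"],
        "individual_notice_deadline": iso(result["individual_deadline"]),
        "hhs_notice_deadline": iso(result["hhs_deadline"]),
        "basis": result["reason"],
    }


if __name__ == "__main__":
    # Constructed sample: unencrypted laptop stolen 7 June 2013, theft learned of on 10 June, 1,200 patients.
    laptop = Incident(discovered="2013-06-10", affected=1200,
                      phi_types=("name", "DOB", "diagnosis"), occurred="2013-06-07")
    print(log_entry(laptop, assess(laptop)))
```

Two points the helper makes visible that the slides state only in passing: the annual HHS deadline keys off the year of discovery, so a breach discovered on 30 December is still in that year's report, and an encrypted device whose passphrase was also taken is treated as unsecured PHI rather than as a non-breach.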

Business Associate Responsibilities A BA must notify the Covered Entity after the discovery of a breach. A breach is discovered on the day the BA, or any of its employees, officers or agents, knew or would have known of the breach by exercising reasonable diligence. Notice to the CE must be provided without unreasonable delay and in no case later than 60 days after discovery of the breach; the business associate agreement may, and often does, require a shorter period. Notification to the CE triggers the CE's own breach notification obligations, and the CE's 60-day clock runs from the date the BA discovered the breach when the BA is acting as the CE's agent. The CE may delegate the notification obligations to the BA by agreement.

Burden of Proof After an impermissible use or disclosure of unsecured PHI, the CE and BA have the burden of demonstrating that all required notifications were made and that an impermissible use or disclosure did not constitute a breach. The CE has to show a low probability that the PHI was compromised with a risk assessment. The focus of the assessment is not on the patient s harm, but whether the information has been compromised. If it cannot be clearly determined there is a low probability, it has to be treated as a breach.

Civil Monetary Penalties Prior to 2/18/09 $100/violation with a maximum of $25,000 in a calendar year for the same violation. After 2/18/09 HITECH Act increased penalties up to $50,000/violation with a maximum of $1.5 million in a calendar year for the same violation.

Civil Monetary Penalties - Continued Now a 4 tiered liability structure: Tier 1: The offender did not know: $100 - $50,000/violation Tier 2: Violation due to reasonable cause, not willful neglect: $1,000 - $50,000/violation Tier 3: Violation was due to willful neglect and corrected: $10,000 - $50,000/violation Tier 4: Violation was due to willful neglect and NOT corrected: $50,000/violation

Factors in Determining Penalty The nature and extent of the violation, including the # of individuals affected. The nature and extent of the harms to the individual(s): physical, financial, reputation, ability to continue their healthcare. History of prior compliance and previous violations. The financial condition of the CE or BA.

Other Penalties State Attorneys General may also pursue civil actions on behalf of state residents for a HIPAA violation. HIPAA establishes a criminal penalty of up to $50,000 and/or imprisonment for up to one year for any person who knowingly: Uses or causes to be used a unique health identifier; Obtains individually identifiable health information relating to an individual; or

Other Penalties - Continued Discloses individually identifiable health information to another person. If such offenses are committed under false pretenses, the penalty may be increased up to $100,000 and/or imprisonment up to 5 years. If the offense is committed with the intent of personal gain, the penalty is a fine up to $250,000 and/or imprisonment for up to 10 years. For criminal prosecution, the person charged had to have acted knowingly.

Further Information Arkansas Mutual Website, All Things HIPAA: Omnibus Rule: Breach Notification http://arkansasmutual.com/ HHS website: Breach Notification Rule http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/ Rebecca.Tutton@arkansasmutual.com