How Does a HIPAA Violation Become a Privacy Breach?

Karen Voiles, MBA, CHC, CHPC, CHRC, Senior Managing Consultant, Compliance

Agenda
- Differentiating between a HIPAA violation and a reportable breach
- Best practices for documenting HIPAA violations and reportable breaches
- Notification requirements for violations and breaches
- When should legal counsel be involved?
- Examples of HIPAA violations versus reportable breaches

When Does a HIPAA Incident Become a Breach?
- Under the Omnibus Rule of 2013 (the "Final Rule"), a HIPAA incident must ALWAYS be considered a reportable breach UNLESS a four-factor risk assessment is completed which determines that there is a low probability that the protected health information ("PHI") involved has been compromised
- *See policy and risk assessment templates

What Should a Four-Factor Breach Risk Assessment Include?
- The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification: analyze the types of PHI involved
  - Credit card numbers, SS#, or other information that might result in identity theft
  - Nature of services, such as mental health or substance abuse information
  - The amount of detailed clinical information exposed
  - If the PHI involves only limited identifiers, can the PHI be re-identified?

Why Is It Important to Consider Who the Unauthorized Person Is?
- If the recipient is another entity constrained by regulations, the risk is lower (example: a fax to the wrong physician or other covered entity)
- If the PHI is used by, or disclosed to, a known identity thief or an ex-husband, the risk is much higher

Why Does It Matter if the PHI Was Actually Acquired or Viewed?
- There is a difference between actually acquiring or viewing PHI and only having an opportunity for the information to be acquired or viewed
- Example: if a laptop is lost or stolen and later recovered, and a forensic analysis shows that the PHI on it was never accessed, there is a lower probability that the PHI was compromised

How Did You Mitigate the Risk to the PHI?
- If you mitigate the risk to PHI that was improperly used or disclosed, you can lower the risk that the use or disclosure will be determined to be a breach
- Example: requiring the recipient that received the PHI in error to provide assurances, such as in a confidentiality agreement, that the PHI was or will be destroyed or will not be further used or disclosed

What Are Some Best Practices for Documentation?

Are You Keeping a Breach Log?
Important elements to include in your breach log:
- Date of breach
- Date of discovery
- Number of individuals affected by the breach
- Type of breach
- Location of breached information
- Type of protected health information (e.g., demographic, financial, clinical)

What Else Should Be in Your Breach Log?
- Brief description of the breach: include the location of the breach, a description of how the breach occurred, and any additional information regarding the type of breach, type of media, and type of protected health information involved in the breach
- Safeguards in place prior to the breach, e.g., encryption, physical security, logical access control, anti-virus software, intrusion detection, biometrics

What About Notification and Other Actions Taken?
- Dates notice was provided
- Whether substitute or media notice was provided, and, if so, who, what, when, where, how
- Actions taken in response to the breach, e.g., security and/or privacy safeguards, mitigation, sanctions, policies and procedures
- A description of any other actions taken

How Do You Notify an Individual of a Breach of His/Her Protected Health Information (PHI)?
Breach notification requirements: individual notice
- Written form: first-class mail, OR e-mail if the individual agreed to receive e-mail
  - If there is insufficient or out-of-date contact information for 10 or more individuals: post the notice on the web site home page or provide the notice in major print or broadcast media where the affected individuals likely reside
  - If fewer than 10 individuals, substitute notice may be provided by an alternative form of written, telephone, or other means
  - Must include a toll-free number for individuals to contact the covered entity to determine if the individual's PHI was involved in the breach
- Provide notice no later than 60 days following discovery
- Include a description of the breach, the types of information involved, steps individuals should take, a description of the investigation, what is being done to mitigate harm and prevent further breaches, as well as contact information for the covered entity

What if a Breach Is Discovered by a Business Associate?
- The business associate must notify the covered entity no later than 60 days from the discovery of the breach and provide the identification of each individual affected, as well as any information required to be provided by the covered entity in its notification to affected individuals
- NOTE: the time clock for notification by the covered entity starts ticking when the business associate discovers the breach (not when it reports it)

What if a Breach Affects 500+ in a State or Jurisdiction?
Media notice
- In addition to notifying the affected individuals, you must provide notice to prominent media outlets serving the state or jurisdiction no later than 60 days following the discovery of the breach, and the notice must include the same information required for the individual notice
  - This notice can be in the form of a press release to appropriate media outlets serving the affected area

Do You Know How to Submit Your Breach Log to the Secretary?
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

When Do You Notify the OCR?
- If 500 or more individuals are affected, no later than 60 days following discovery of the breach
- If fewer than 500, notification no later than 60 days after the end of the calendar year in which the breach(es) occurred
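The breach-log fields and the notification clocks on the slides above lend themselves to a small tracker that a privacy or security operations team can keep beside its incident register. The following is an added example, not a tool from the presentation or from HHS: the record fields mirror the breach-log slides, and the deadline rules encode the slides' 60-day windows and 500-person thresholds (read as "500 or more", matching the "500+" slide; the annual OCR report keys off the year the breach occurred, as the slide words it). Class, function and field names, and the two sample entries, are this example's own constructions.

```python
"""Breach log entry with HIPAA breach-notification deadline tracking (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days following discovery"
LARGE_BREACH_THRESHOLD = 500         # 500+ triggers media notice and prompt notice to the Secretary


@dataclass
class BreachLogEntry:
    """One row of the breach log; fields follow the 'Are You Keeping a Breach Log?' slides."""
    date_of_breach: date
    date_of_discovery: date                      # first discovery, by the covered entity OR its business associate
    discovered_by_business_associate: bool
    affected_by_jurisdiction: dict[str, int]     # state/jurisdiction -> individuals affected there
    breach_type: str
    location: str
    phi_types: list[str]                         # e.g. demographic, financial, clinical
    description: str
    safeguards_in_place: list[str]
    notices_provided: dict[str, date] = field(default_factory=dict)  # notice kind -> date provided
    actions_taken: list[str] = field(default_factory=list)

    @property
    def individuals_affected(self) -> int:
        return sum(self.affected_by_jurisdiction.values())


def required_notices(entry: BreachLogEntry) -> dict[str, date]:
    """Map each notice this entry requires to its deadline."""
    discovery = entry.date_of_discovery
    deadlines = {"individual": discovery + NOTICE_WINDOW}

    # Media notice: 500 or more individuals in a single state or jurisdiction
    if any(n >= LARGE_BREACH_THRESHOLD for n in entry.affected_by_jurisdiction.values()):
        deadlines["media"] = discovery + NOTICE_WINDOW

    # Notice to the Secretary (OCR): 500+ within 60 days of discovery; otherwise
    # within 60 days after the end of the calendar year in which the breach occurred
    if entry.individuals_affected >= LARGE_BREACH_THRESHOLD:
        deadlines["secretary"] = discovery + NOTICE_WINDOW
    else:
        deadlines["secretary"] = date(entry.date_of_breach.year, 12, 31) + NOTICE_WINDOW

    # A business associate must notify the covered entity within 60 days of its own
    # discovery; the covered entity's individual-notice clock already started that day
    if entry.discovered_by_business_associate:
        deadlines["business_associate_to_covered_entity"] = discovery + NOTICE_WINDOW
    return deadlines


def notice_status(entry: BreachLogEntry, as_of: date) -> dict[str, str]:
    """Classify each required notice as provided, provided late, overdue, or pending as of a date."""
    status = {}
    for kind, deadline in required_notices(entry).items():
        provided = entry.notices_provided.get(kind)
        if provided is not None:
            status[kind] = "provided" if provided <= deadline else "provided late"
        elif as_of > deadline:
            status[kind] = "overdue"
        else:
            status[kind] = "pending"
    return status


# Constructed sample entries (hypothetical incidents, not real ones)
SMALL_BREACH = BreachLogEntry(
    date_of_breach=date(2015, 3, 2),
    date_of_discovery=date(2015, 3, 4),
    discovered_by_business_associate=False,
    affected_by_jurisdiction={"TX": 1},
    breach_type="misdirected fax",
    location="fax server",
    phi_types=["demographic", "clinical"],
    description="Discharge summary faxed to the wrong physician office",
    safeguards_in_place=["fax cover sheet", "logical access control"],
    notices_provided={"individual": date(2015, 4, 1)},
)

LARGE_BREACH = BreachLogEntry(
    date_of_breach=date(2015, 6, 10),
    date_of_discovery=date(2015, 6, 20),
    discovered_by_business_associate=True,
    affected_by_jurisdiction={"CA": 620, "NV": 40},
    breach_type="lost unencrypted laptop",
    location="business associate field office",
    phi_types=["demographic", "financial"],
    description="Unencrypted laptop holding a billing extract lost in transit",
    safeguards_in_place=["password", "anti-virus software"],
)

if __name__ == "__main__":
    for name, entry in (("small", SMALL_BREACH), ("large", LARGE_BREACH)):
        print(name, required_notices(entry))
        print(name, notice_status(entry, date(2015, 9, 1)))
```

Running it shows the one-person fax entry owing only an individual notice (already provided) and an annual report to the Secretary due 60 days after year end, while the 660-person laptop entry owes individual, media, Secretary and business-associate notices, all overdue by 1 September 2015 because the clock started on the business associate's discovery date. Treat the output as a checklist for the record, not as legal advice; state law may add its own deadlines.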

When Should You Involve Legal Counsel?
Best practice?
- If, after an investigation, you are still not sure
- Prior to notifying the patient
- Prior to notifying the media
- Prior to reporting a breach to the government
- Bottom line: it may be expensive, but counsel can best mitigate your risk of audit or lawsuit in such situations!

Who Has the Burden of Proof?
Covered entities and business associates!
- You must be able to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach
- You must also have in place written policies and procedures regarding breach notification; you must train employees on these policies and procedures; and you must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures

Example #1 of a Non-Reportable Incident
- PHI is faxed to the wrong physician, and the receiving physician immediately contacts the covered entity to inform it of the error and confirms that the information was destroyed
- A low probability exists that the information was compromised, and the disclosure would not be reportable
- Check your state laws
- Should still be included on an accounting of disclosures

Example #2 of a Non-Reportable Event
- A nurse accidentally accesses the wrong patient's information. The patient accessed has the same name and gender as the patient the nurse is assigned to on the floor. When the nurse realizes she has accessed the wrong patient's information, she immediately exits the record and does not further access or disclose the information accidentally accessed
- The action can easily be confirmed by running an access audit
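Example #2 rests on the access audit confirming what the nurse reported: one brief view of a same-named patient, no later access, nothing printed or exported. The following is an added example of that audit, not code from the presentation or from any EHR vendor. It assumes a constructed, comma-separated access log (timestamp, user, patient ID, patient name, action), a constructed assignment list, and its own helper names; the "consistent with accidental access" flag is a heuristic that supports the four-factor assessment rather than deciding it.

```python
"""Access-log review for a reported wrong-patient access (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Nurse n.lee is assigned P-1001; P-1002 has the
# same name and was opened by mistake, closed within seconds, and not touched again.
SAMPLE_LOG = """\
2015-03-04T09:02:11,n.lee,P-1001,Jordan Smith,view
2015-03-04T09:05:40,n.lee,P-1002,Jordan Smith,view
2015-03-04T09:05:58,n.lee,P-1002,Jordan Smith,close
2015-03-04T09:06:10,n.lee,P-1001,Jordan Smith,view
2015-03-04T11:30:02,n.lee,P-1001,Jordan Smith,update
2015-03-04T13:12:45,r.diaz,P-1002,Jordan Smith,view
"""

# Constructed floor assignments: user -> patients the user is assigned to
ASSIGNMENTS = {"n.lee": {"P-1001"}, "r.diaz": {"P-1002"}}

# Actions that go beyond looking at a record and would contradict
# "does not further access or disclose the information"
ESCALATING_ACTIONS = {"print", "export", "download", "update", "fax", "email"}


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, name, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "name": name, "action": action})
    return records


def audit_user(records, user, assignments):
    """For each patient outside the user's assignments, summarise what the user did with the record."""
    assigned = assignments.get(user, set())
    assigned_names = {r["name"] for r in records if r["patient"] in assigned}
    by_patient = defaultdict(list)
    for r in records:
        if r["user"] == user and r["patient"] not in assigned:
            by_patient[r["patient"]].append(r)

    findings = {}
    for patient, events in by_patient.items():
        events.sort(key=lambda r: r["ts"])
        views = [e for e in events if e["action"] == "view"]
        escalated = sorted({e["action"] for e in events if e["action"] in ESCALATING_ACTIONS})
        seconds_in_record = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        same_name = events[0]["name"] in assigned_names
        findings[patient] = {
            "view_count": len(views),
            "seconds_in_record": seconds_in_record,
            "escalating_actions": escalated,
            "shares_name_with_assigned_patient": same_name,
            # Heuristic only: a single short view of a same-named patient with no
            # escalating action is consistent with the nurse's account, not proof of it
            "consistent_with_accidental_access": len(views) == 1 and not escalated and same_name,
        }
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user in ASSIGNMENTS:
        print(user, audit_user(events, user, ASSIGNMENTS))
```

In the sample, n.lee's only out-of-assignment access is P-1002: one view, 18 seconds in the record, no escalating action, same name as the assigned patient, so the audit backs the account given on the slide. An employee who viewed many unassigned patients, or who printed or exported a record, would fail the same check and would need the full four-factor assessment (and likely notification). Keep the audit output with the breach-log entry, since the covered entity carries the burden of proving the incident was not a breach.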

Examples of Reportable Events
- An employee accesses the medical and financial information of various patients and sells the information to known identity thieves
- An ex-wife accesses her former husband's medical information without permission in order to use the information in a pending divorce
- An employee accesses a famous individual's information in order to provide the information to the media

What Are Your HIPAA Conundrums and Quandaries?
[Cartoon caption: "Nancy, I'm not sure that's what HIPAA had in mind."]

Thanks for Attending!
Intended for internal guidance only, and not as recommendations for specific situations. Readers should consult a qualified attorney for specific legal guidance.