HIPAA BREACH: It's Not a Matter of If, but WHEN

Presenter: Chrisann Lemery, MSE, RHIA, CHPS, FAHIMA
Senior Health Solutions Consultant & Privacy Officer
clemery@avastonetech.com
Telephone: 608 449 7207

OBJECTIVES
- HIPAA definition of a breach
- Identification of a breach
- Notification of a breach
- Consequences of a breach
- Other considerations

[Word cloud of HIPAA terms: Protected Health Information, Health Plan, Administrative Safeguards, Health Plan ID Number, Business Associate, Security Rule, Risk, Breach Notification, Privacy Rule, Policies & Procedures, Physical Safeguards, Technical Safeguards, CIA]

BREACH DEFINITION
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of protected health information (PHI).
45 CFR Part 164.402, Subpart D

PROTECTED HEALTH INFORMATION
[Figure of PHI identifiers: name, fax, Social Security number, account number, diagnosis, telephone, code, ZIP code, birthdate, age, e-mail address, date of service, medical record number, device identifiers & serial numbers]
EXAMPLES OF BREACHES
- Faxing a patient document to the wrong fax number
- Mailing a patient document to the wrong address
- Misdirecting an e-mail to the wrong person/s
- Giving the patient someone else's information in error
- Leaving another patient's medications or supplies at the wrong address
- Losing patient paperwork (e.g., clipboard with documents left on the roof of a car)
- Discussing patient visits with neighbors, friends, and family members

BREACH EXAMPLE: SOCIAL MEDIA
It is not appropriate to discuss your patients or patient care activities, which may potentially disclose an individual's identity, on Facebook or any other social media site.

BREACH EXAMPLE: EHR
Snooping in Electronic Health Record (EHR) systems by accessing records of individuals for personal reasons.
Define your organization's policy: include employees accessing their own record, or records of family members.

HOW DO BREACHES OCCUR
- Lack of knowledge of organizational policies
- Curiosity
- Malicious intent
  - Medical identity theft
  - Fraudulent submission of claims
  - Selling to criminals/news organizations
- Common human errors, such as the following:
  - Guarantor identification errors
  - Same name errors (junior vs. senior)
  - Misdirected mailings, faxes, e-mails
  - Misfiled information in the wrong patient's record

WAYS TO IDENTIFY A BREACH
- Auditing of the EHR for inappropriate access
  - Audit triggers: high risk/high profile, same name, patient complaint, staff member complaint
- Loss of mobile devices and media (USB drives, laptop, smartphone, etc.)
- Workforce performing job duties

BREACH EXCLUSIONS
- Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
- Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
- A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Examples of exclusions:
- A medical assistant is entering vitals in a patient's record and identifies the patient as the employee's aunt by viewing the patient's maiden name.
- A laboratory technician shares with a nurse the lab results of a patient who is not seen by the physician employed by the nurse.
- A clinic employee speaks to another physician's office about a patient, only to learn at the conclusion of the phone call that the patient isn't going to be seen by that physician's office.

BREACH IDENTIFICATION
Unless the acquisition, access, use, or disclosure falls under the exclusions, a breach is presumed unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment.

REPORTING AND INVESTIGATION
Document and inform the workforce of the reporting and investigation procedure for a breach:
- Define the responsibilities of the workforce
  - Report any event that the employee suspects compromises the privacy and security of patient information
  - Contact: Supervisor? Privacy Officer? Security Officer?
  - Respond to the questions asked by the investigator
- Document how the investigation is performed and by whom
  - Interview the workforce involved in the breach
- Define who internally needs to be notified: owner, CEO, others in management

INVESTIGATION
Complete a documented breach risk assessment:
- Was the PHI unsecured (no encryption)?
- What PHI is involved?
- What is the likelihood that the PHI could be re-identified, based on the context and the ability to link the information with other available information?
- Who used the PHI, or who received the information?
- Was the PHI viewed or acquired, followed by destruction?
- Were the risks mitigated through assurances regarding the PHI (no further use/disclosure, or destroyed)?
Breach identified? NO: maintain documentation. YES: perform breach notification.

BREACH NOTIFICATION
Notification must occur following the discovery of a breach of unsecured protected health information that has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by Health and Human Services.

BREACH NOTIFICATION: TIMELINESS AND RECIPIENTS
Timeliness: no later than 60 calendar days after the discovery of the breach by the organization involved.
Recipients:
- Each individual: first class mail, unless the individual has requested electronic communication
- Secretary of HHS, via website:
  - If the breach involves less than 500 individuals, within 60 days of the end of each calendar year
  - If the breach involves more than 500 individuals, within 60 calendar days of the breach discovery
- Media (newspapers, TV stations): if the breach involves more than 500 individuals, within 60 calendar days of the breach discovery
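The WAYS TO IDENTIFY A BREACH slide lists EHR audit triggers (high-risk/high-profile patient, same name, patient complaint, staff complaint), and the BREACH EXAMPLE: EHR slide asks for a policy covering employees who open their own or a family member's record. The following is an added example, not code from the presentation or from Avastone, showing how those triggers can be run over an access audit log so that flagged accesses feed the reporting and investigation procedure. The log schema, user and patient names, record numbers, and the high-profile, own-record and family lookup tables are all constructed for the example; a real EHR exports different fields.

```python
"""Added example, not from the presentation: screen EHR access-log records
against the audit triggers on the WAYS TO IDENTIFY A BREACH slide and the
own-record / family-record policy question on the BREACH EXAMPLE: EHR slide.
Every record, name and lookup table below is constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One row of an EHR access audit log (constructed schema)."""
    user_id: str            # workforce member who opened the record
    user_last_name: str
    patient_mrn: str        # medical record number that was opened
    patient_last_name: str
    accessed_on: str        # ISO date string, kept as text for the sample


# Hypothetical reference data a privacy officer maintains alongside the log.
HIGH_PROFILE_MRNS = frozenset({"MRN-0007"})                  # high-risk / high-profile patients
EMPLOYEE_OWN_MRN = {"u.green": "MRN-0042"}                   # employees' own record numbers
DECLARED_FAMILY_MRNS = {"u.green": frozenset({"MRN-0043"})}  # employee -> relatives' MRNs


def audit_triggers(ev: AccessEvent, complaint_mrns: frozenset[str] = frozenset()) -> list[str]:
    """Return the names of every audit trigger that fires for one access event.

    complaint_mrns holds records for which a patient or staff complaint was
    received; every access to such a record is pulled for review.
    """
    hits: list[str] = []
    if ev.patient_mrn in HIGH_PROFILE_MRNS:
        hits.append("high_profile")
    # Same-name trigger: user and patient share a surname (possible self or
    # family snooping); case-insensitive comparison.
    if ev.user_last_name.casefold() == ev.patient_last_name.casefold():
        hits.append("same_name")
    if EMPLOYEE_OWN_MRN.get(ev.user_id) == ev.patient_mrn:
        hits.append("own_record")
    if ev.patient_mrn in DECLARED_FAMILY_MRNS.get(ev.user_id, frozenset()):
        hits.append("family_record")
    if ev.patient_mrn in complaint_mrns:
        hits.append("complaint")
    return hits


def review_queue(events, complaint_mrns: frozenset[str] = frozenset()):
    """Events that need privacy-officer review, paired with their triggers.

    A trigger only flags the access for investigation; whether it is a breach
    (or falls under an exclusion) is decided by the documented risk assessment.
    """
    queue = []
    for ev in events:
        hits = audit_triggers(ev, complaint_mrns)
        if hits:
            queue.append((ev, hits))
    return queue


# Constructed sample log: four accesses on one day.
SAMPLE_LOG = [
    AccessEvent("u.green", "Green", "MRN-0042", "Green", "2014-05-12"),  # own record
    AccessEvent("u.green", "Green", "MRN-0043", "Green", "2014-05-12"),  # relative's record
    AccessEvent("u.patel", "Patel", "MRN-0007", "Lopez", "2014-05-12"),  # high-profile patient
    AccessEvent("u.patel", "Patel", "MRN-0101", "Ortiz", "2014-05-12"),  # ordinary access
]

if __name__ == "__main__":
    # A patient complaint about MRN-0101 pulls the otherwise ordinary access.
    for ev, hits in review_queue(SAMPLE_LOG, frozenset({"MRN-0101"})):
        print(ev.user_id, ev.patient_mrn, ", ".join(hits))
```

Each queued item is a starting point for the investigation steps on the REPORTING AND INVESTIGATION slide, not a finding in itself: the same-name trigger in particular will fire on unrelated people who share a surname, which is why the deck pairs automated triggers with an interview of the workforce involved.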
CONTENT OF NOTIFICATION
The notice shall be written in plain language and must contain the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured PHI that were involved in the breach (such as whether full name, Social Security number, date of birth, address, account number, diagnosis, or other types of information were involved).
- Any steps the individual should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which include a toll-free telephone number, an e-mail address, Web site, or postal address.

ORGANIZATIONAL REQUIREMENTS
- Document a policy and procedure addressing breach identification and notification
- Content considerations:
  - Create a notice letter template
  - Investigate credit monitoring and document how the decision will be made to offer credit monitoring
  - Document media outlets and contact information
  - Identify the organization's spokesperson for media inquiries
  - Determine the contact number for inquiries from individuals
- Maintain a log of breaches involving under 500 individuals
  - Consider the information to record in the log: name of individual, department involved in the breach, date of discovery, date individual notified, high-level category of type of breach, etc.
  - Consider maintaining a log for all breaches
- Maintain the documentation of each investigation, stating the mitigation, sanctions, and the content of the notification
- Train all workforce members on your policy and procedure
- Administer appropriate sanctions to the workforce according to the documented sanction policy
- The Business Associate Agreement must address breach identification and notification
- The burden of demonstrating that all notifications were made as required by this subpart, or that the use or disclosure did not constitute a breach, is upon the organization.

CONSEQUENCES OF NON-COMPLIANCE
Organization:
- Harm to reputation
- Loss of customers' trust
- Investigations by government agencies (e.g., WI Attorney General, WI DHS, etc.)
- OCR investigations, audits, and enforcement penalties
Employee:
- Loss of license or credential
- OCR investigation and enforcement penalty
Patient:
- Financial or medical identity theft
- Loss of patient safety
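The INVESTIGATION slide's risk-assessment questions, the timeliness slide's 60-day windows for individuals, HHS and the media, and the breach-log fields suggested under ORGANIZATIONAL REQUIREMENTS together form one procedure. The block below is an added example, not code from the presentation or from Avastone, that carries that procedure through on a constructed incident. The `RiskAssessment` and `NotificationPlan` types and the `breach_presumed` rule are my own simplifications: the rule treats encrypted PHI as not requiring notification and otherwise presumes a breach unless nothing was viewed or acquired and assurances were obtained, whereas the regulation requires a documented judgement on all four factors. For the large-breach threshold the code uses 500 or more individuals, which is the wording of 45 CFR 164.408 for reporting to HHS (the slide says "more than 500"); it is a single constant and can be changed.

```python
"""Added example, not from the presentation: apply the INVESTIGATION slide's
risk-assessment questions, compute the notification deadlines from the
timeliness slide, and build a breach-log entry with the fields the
ORGANIZATIONAL REQUIREMENTS slide suggests. Incident, names and dates are
constructed sample data; breach_presumed() is an illustrative rule."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTIFY_WINDOW = timedelta(days=60)   # "no later than 60 calendar days"
LARGE_BREACH = 500                   # individuals; 500 or more per 45 CFR 164.408 (assumption, see lead-in)


@dataclass(frozen=True)
class RiskAssessment:
    """Answers to the questions on the INVESTIGATION slide (constructed schema)."""
    phi_encrypted: bool          # was the PHI secured (encrypted)?
    phi_types: tuple            # what PHI is involved
    reidentifiable: bool         # could the PHI be re-identified in context?
    recipient_authorized: bool   # who used or received the information
    viewed_or_acquired: bool     # was the PHI actually viewed or acquired?
    mitigated: bool              # assurances of no further use, or destroyed


def breach_presumed(ra: RiskAssessment) -> bool:
    """Illustrative rule (an assumption, not regulatory text): secured PHI is
    not a breach of unsecured PHI; otherwise a breach is presumed unless the
    PHI was never viewed or acquired AND assurances were obtained. Exclusions
    from the BREACH EXCLUSIONS slides are applied before calling this."""
    if ra.phi_encrypted:
        return False
    low_probability = (not ra.viewed_or_acquired) and ra.mitigated
    return not low_probability


@dataclass(frozen=True)
class NotificationPlan:
    individuals_by: date         # first class mail unless electronic requested
    hhs_by: date                 # Secretary of HHS, via website
    media_by: Optional[date]     # newspapers, TV stations; only for a large breach


def notification_plan(discovered: date, individuals_affected: int) -> NotificationPlan:
    """Deadlines from the timeliness slide: individuals within 60 days of
    discovery; HHS and media within 60 days of discovery for a large breach;
    otherwise HHS within 60 days of the end of the calendar year, no media."""
    individuals_by = discovered + NOTIFY_WINDOW
    if individuals_affected >= LARGE_BREACH:
        return NotificationPlan(individuals_by, individuals_by, individuals_by)
    year_end = date(discovered.year, 12, 31)
    return NotificationPlan(individuals_by, year_end + NOTIFY_WINDOW, None)


def log_entry(name: str, department: str, discovered: date, category: str,
              notified_on: Optional[date] = None) -> dict:
    """Breach-log fields suggested on the ORGANIZATIONAL REQUIREMENTS slide."""
    return {
        "individual": name,
        "department": department,
        "date_of_discovery": discovered.isoformat(),
        "date_individual_notified": notified_on.isoformat() if notified_on else None,
        "category": category,
    }


# Constructed incident: a misdirected fax of 120 patients' unencrypted
# statements, discovered 2014-03-10, received by an unrelated business.
SAMPLE_DISCOVERY = date(2014, 3, 10)
SAMPLE_ASSESSMENT = RiskAssessment(
    phi_encrypted=False, phi_types=("name", "date of service", "diagnosis"),
    reidentifiable=True, recipient_authorized=False,
    viewed_or_acquired=True, mitigated=False,
)

if __name__ == "__main__":
    if breach_presumed(SAMPLE_ASSESSMENT):
        plan = notification_plan(SAMPLE_DISCOVERY, 120)
        print("individuals by", plan.individuals_by, "| HHS by", plan.hhs_by,
              "| media by", plan.media_by)
        print(log_entry("J. Doe (constructed)", "Billing", SAMPLE_DISCOVERY,
                        "misdirected fax"))
    else:
        print("low probability of compromise: maintain documentation only")
```

For the sample incident the individuals' letters are due 2014-05-09, the HHS report for this under-500 breach is due 2015-03-01 (60 days after the end of the 2014 calendar year), and no media notice is required; raising the count to 600 moves the HHS deadline to 2014-05-09 and adds a media deadline on the same day. The log entry's notified date stays empty until the letters actually go out, which is the record the deck says the organization must be able to produce to carry its burden of proof.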
HIPAA OVERSIGHT & PENALTIES
U.S. Department of Health and Human Services, Office for Civil Rights (OCR):
- Provides guidance, monitors compliance, and enforces the privacy and security regulations
- Issues resolution agreements to covered entities and imposes civil monetary penalties for non-compliance
Department of Justice (DOJ):
- Investigates and issues fines, penalties, and imprisonment to offenders for criminal privacy violations
45 CFR 160, Subpart D

ENFORCEMENT PENALTIES
- Tier A: the offender did not know (and, exercising reasonable diligence, would not have known) of the violation; $100 to $50,000 for each violation.
- Tier B: violation due to reasonable cause/general failure to comply, not willful neglect; $1,000 to $50,000 for each violation.
- Tier C: violation due to willful neglect, but corrected within a 30-day period; $10,000 to $50,000 for each violation.
- Tier D: violation due to willful neglect, and NOT corrected within 30 days; $50,000 for each violation.
The total for all violations of an identical requirement during a calendar year cannot exceed $1.5 million.

EXAMPLES OF IMPOSED PENALTIES
- $1.7 million: Concentra Health Services, Springfield, MO. Unencrypted laptop stolen from a physical therapy center.
- $150,000: Adult & Pediatric Dermatology, Concord, MA. Unencrypted USB drive and no breach notification policies and procedures.
- $50,000: Hospice of North Idaho, Hayden, ID. Theft of a laptop with no risk analysis performed.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/

RESOURCES
- HIPAA Collaborative of Wisconsin: http://www.hipaacow.org (breach policy document with a checklist, risk assessment, and example letters)
- American Health Information Management Association (AHIMA): http://www.ahima.org/resources/ (Breach Management Toolkit)
- HHS Health Information Privacy: http://www.hhs.gov/ocr/privacy/index.html
- HHS Frequently Asked Questions: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
- HHS Office for Civil Rights: http://www.hhs.gov/ocr/office/index.html

Who is Avastone Health Solutions?
- A Heartland Technology Group company
  - Joined by Heartland Business Systems and Avastone Technologies, LLC
  - Heartland Business Systems founded in 1990
- A Wisconsin-based company
  - Midwestern presence: offices in WI, IL, MN, IA
  - Home office in Little Chute, WI
- Hired employee 500 in May 2014
- Annual revenue over $160 million

What is Avastone Health Solutions?
Strategic and operational consultants with an average of 18 years of broad health care experience.
Areas of expertise:
- Privacy, security and data governance
- Revenue cycle in an evolving landscape
- Business intelligence
- Compliance and regulatory implementation
- Strategy and leadership
Understanding that each health care organization is unique, our team of experienced consultants works collaboratively with clients using a customized approach. Adopting best practice methodologies, the team identifies improvement and optimization opportunities across a wide spectrum of operational areas. Synergy occurs when operations is integrated with strategy and financial performance, driving rapid, sustainable results.
Why Avastone Health Solutions?
- Our experienced consulting team is immersed in the industry: AHIMA, HIMSS, MGMA, HFMA, HCCA, AAPC and more
- Through partnership with Heartland Business Systems and Avastone Technologies, offers full-circle operational, strategic and IT solutions
- Flexible to meet your unique needs

clemery@avastonetech.com
Telephone: 608 449 7207