11/5/2014 PRESENTER HIPAA OBJECTIVES PROTECTED HEALTH INFORMATION BREACH DEFINITION


HIPAA BREACH: It's not a Matter of If, but WHEN
Presenter: Chrisann Lemery, MSE, RHIA, CHPS, FAHIMA, Senior Health Solutions Consultant & Privacy Officer
clemery@avastonetech.com, Telephone: 608 449 7207

OBJECTIVES
- HIPAA
- Definition of a HIPAA breach
- Identification of a breach
- Notification of a breach
- Consequences of a breach
- Other considerations

HIPAA (terms covered)
Protected Health Information, Health Plan, Administrative Safeguards, Health Plan ID number, Business Associate, Security Rule, Risk, Breach Notification, Privacy Rule, Policies & Procedures, Physical Safeguards, Technical Safeguards, CIA (confidentiality, integrity, availability)

BREACH DEFINITION
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of protected health information (PHI). 45 CFR Part 164.402, Subpart D

PROTECTED HEALTH INFORMATION (identifiers)
Name, fax, Social Security number, account, diagnosis, telephone, code, ZIP code, birthdate, age, e-mail address, date of service, medical record, device identifiers & serial numbers

EXAMPLES OF BREACHES
- Faxing a patient document to the wrong fax number
- Mailing a patient document to the wrong address
- Misdirecting an e-mail to the wrong person or persons
- Giving the patient someone else's information in error
- Leaving another patient's medications or supplies at the wrong address
- Losing patient paperwork (e.g., a clipboard with documents left on the roof of a car)
- Discussing patient visits with neighbors, friends, and family members

BREACH EXAMPLE: SOCIAL MEDIA
It is not appropriate to discuss your patients or patient care activities, which may potentially disclose an individual's identity, on Facebook or any other social media site.

BREACH EXAMPLE: EHR
Snooping in Electronic Health Record (EHR) systems by accessing records of individuals for personal reasons.
Define your organization's policy: include employees accessing their own record, or records of family members.

HOW DO BREACHES OCCUR
- Lack of knowledge of organizational policies
- Curiosity
- Malicious intent: medical identity theft, fraudulent submission of claims, selling to criminals or news organizations
- Common human errors, such as the following:
  - Guarantor identification errors
  - Same-name errors (junior vs. senior)
  - Misdirected mailings, faxes, e-mails
  - Information misfiled in the wrong patient's record

WAYS TO IDENTIFY A BREACH
- Auditing of the EHR for inappropriate access. Audit triggers:
  - High risk / high profile patient
  - Same name (employee and patient)
  - Patient complaint
  - Staff member complaint
- Loss of mobile devices and media (USB drives, laptop, smartphone, etc.)
- Workforce members noticing it while performing job duties

BREACH EXCLUSIONS
- Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
- Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
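The EHR audit triggers listed above (own record, same name, high-profile patient, patient or staff complaint) can be run mechanically over an access log so the privacy officer only reviews the accesses that match one. The following Python script is an added example, not code from the presentation or from Avastone; the log column names, the sample rows and the two watch lists are constructed for it, and a real EHR export would need its own parser.

```python
"""Audit-trigger review of EHR access logs (added example, constructed data).

Each row of the log is one chart access.  A row is queued for privacy-officer
review when it matches any of the audit triggers from the slides: the employee
opened their own record, the employee and patient share a surname, the patient
is on the high-profile list, or a patient/staff complaint names that patient.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit log.  user_mrn is the employee's own patient MRN
# (empty if the employee is not also a patient of the organization).
SAMPLE_LOG = """\
timestamp,user_id,user_surname,user_mrn,patient_mrn,patient_surname,access_type
2014-11-03T08:02:11,u1001,garcia,M90001,M20017,lopez,view
2014-11-03T08:15:40,u1001,garcia,M90001,M90001,garcia,view
2014-11-03T09:30:05,u1002,nguyen,M90002,M20044,nguyen,view
2014-11-03T10:11:52,u1003,smith,,M20099,jones,view
2014-11-03T10:12:30,u1003,smith,,M20777,doe,print
2014-11-03T11:45:00,u1004,patel,M90004,M20555,chen,view
"""

# Constructed watch lists maintained by the privacy officer outside the EHR.
HIGH_PROFILE_MRNS = {"M20099"}                      # high risk / high profile
COMPLAINT_MRNS = {"M20777": "patient complaint"}    # MRN -> complaint source


def parse_log(text):
    """Parse the CSV export into a list of dict rows (header row gives keys)."""
    return list(csv.DictReader(StringIO(text)))


def triggers_for(event, high_profile=HIGH_PROFILE_MRNS, complaints=COMPLAINT_MRNS):
    """Return the audit triggers this access event matches (empty list = none)."""
    hits = []
    # Own-record access: the employee's MRN equals the accessed MRN.  Checked
    # first so it is not double-counted as a same-surname hit.
    if event["user_mrn"] and event["patient_mrn"] == event["user_mrn"]:
        hits.append("own record")
    elif event["patient_surname"].strip().lower() == event["user_surname"].strip().lower():
        hits.append("same surname")
    if event["patient_mrn"] in high_profile:
        hits.append("high profile patient")
    if event["patient_mrn"] in complaints:
        hits.append(complaints[event["patient_mrn"]])
    return hits


def review_queue(text, high_profile=HIGH_PROFILE_MRNS, complaints=COMPLAINT_MRNS):
    """Events needing review, as (event, triggers) pairs in log order."""
    queue = []
    for event in parse_log(text):
        hits = triggers_for(event, high_profile, complaints)
        if hits:
            queue.append((event, hits))
    return queue


def trigger_counts(queue):
    """How many queued events each trigger produced (for the breach log)."""
    return Counter(trigger for _, hits in queue for trigger in hits)


if __name__ == "__main__":
    for event, hits in review_queue(SAMPLE_LOG):
        print(f'{event["timestamp"]} {event["user_id"]} -> {event["patient_mrn"]}: '
              + ", ".join(hits))
    print(dict(trigger_counts(review_queue(SAMPLE_LOG))))
```

A queued row is only a trigger for review, not a finding: the investigation steps later in the presentation (who accessed what, whether there was a treatment reason, whether the data was further used) still decide whether it is a breach.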

BREACH EXCLUSIONS (continued)
- A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Examples of exclusions:
- A medical assistant is entering vitals in a patient's record and identifies that the patient is the employee's aunt by viewing the patient's maiden name.
- A laboratory technician shares with a nurse the lab results of a patient who is not seen by the physician who employs the nurse.
- A clinic employee speaks to another physician's office about a patient, only to learn at the conclusion of the phone call that the patient isn't going to be seen by that physician's office.

BREACH IDENTIFICATION
Unless the acquisition, access, use, or disclosure falls under the exclusions, a breach is presumed unless the covered entity or business associate demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.

REPORTING AND INVESTIGATION
Document the reporting and investigation procedure for a breach and inform the workforce of it:
- Define the responsibilities of the workforce
  - Report any event that the employee suspects compromises the privacy and security of patient information
  - Whom to contact: supervisor? Privacy Officer? Security Officer?
  - Respond to the questions asked by the investigator
- Document how the investigation is performed and by whom
  - Interview the workforce members involved in the breach
- Define who internally needs to be notified (owner, CEO, others in management)

INVESTIGATION
Complete a documented breach risk assessment:
- Was the PHI unsecured (no encryption)?
- What PHI is involved?
- What is the likelihood that the PHI could be re-identified, based on the context and the ability to link the information with other available information?
- Who used the PHI, or who received the information?
- Was the PHI viewed or acquired, followed by destruction?
- Were the risks mitigated, with assurances regarding the PHI (no further use/disclosure, or destroyed)?
Breach identified? NO: maintain documentation. YES: perform breach notification.

BREACH NOTIFICATION
Notification must occur following the discovery of a breach of unsecured protected health information that has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by Health and Human Services.

BREACH NOTIFICATION: TIMELINESS AND RECIPIENTS
- Timeliness: no later than 60 calendar days after the discovery of the breach by the organization involved
- Recipients:
  - Each individual: first class mail, unless the individual has requested electronic communication
  - Secretary of HHS, via website: if the breach involves fewer than 500 individuals, within 60 days at the end of each calendar year; if the breach involves more than 500 individuals, within 60 calendar days of the breach discovery
  - Media (newspapers, TV stations): if the breach involves more than 500 individuals, within 60 calendar days of the breach discovery

CONTENT OF NOTIFICATION
The notice shall be written in plain language and must contain the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured PHI that were involved in the breach (such as whether full name, Social Security number, date of birth, address, account number, diagnosis, or other types of information were involved).
- Any steps the individual should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which include a toll-free telephone number, an e-mail address, Web site, or postal address.

ORGANIZATIONAL REQUIREMENTS
- Document a policy and procedure addressing breach identification and notification. Content considerations:
  - Create a notice letter template
  - Investigate credit monitoring and document how the decision will be made to offer credit monitoring
  - Document media outlets and contact information
  - Identify the organization's spokesperson for media inquiries
  - Determine the contact number for inquiries from individuals
- Maintain a log of breaches involving under 500 individuals. Consider the information to record in the log: name of the individual, department involved in the breach, date of discovery, date the individual was notified, high-level category of the type of breach, etc.
- Consider maintaining a log for all breaches
- Maintain the documentation of each investigation, stating the mitigation, the sanctions, and the content of the notification
- Train all workforce members on your policy and procedure
- Administer appropriate sanctions to the workforce according to the documented sanction policy
- The Business Associate Agreement must address breach identification and notification
- The burden of demonstrating that all notifications were made as required by this subpart, or that the use or disclosure did not constitute a breach, is upon the organization.

CONSEQUENCES OF NON-COMPLIANCE
- Organization: harm to reputation; loss of customers' trust; investigations by government agencies (e.g., WI attorney general, WI DHS, etc.); OCR investigations, audits, and enforcement penalties
- Employee: loss of license or credential; OCR investigation and enforcement penalty
- Patient: financial or medical identity theft; loss of patient safety

HIPAA OVERSIGHT & PENALTIES
- U.S. Department of Health and Human Services, Office for Civil Rights (OCR): provides guidance, monitors compliance, and enforces the privacy and security regulations. Issues resolution agreements to covered entities and imposes civil monetary penalties for non-compliance.
- Department of Justice (DOJ): investigates and issues fines, penalties, and imprisonment to offenders for criminal privacy violations.
45 CFR 160, Subpart D

ENFORCEMENT PENALTIES
- Tier A: the offender did not know of the violation, even exercising reasonable diligence; $100 to $50,000 for each violation.
- Tier B: violation due to reasonable cause / general failure to comply, not willful neglect; $1,000 to $50,000 for each violation.
- Tier C: violation due to willful neglect, but corrected within a 30-day period; $10,000 to $50,000 for each violation.
- Tier D: violation due to willful neglect that was NOT corrected within 30 days; $50,000 for each violation.
The total for all violations of an identical requirement during a calendar year cannot exceed $1.5 million.

EXAMPLES OF IMPOSED PENALTIES
- $1.7 million: Concentra Health Services, Springfield, MO. Unencrypted laptop stolen from a physical therapy center.
- $150,000: Adult & Pediatric Dermatology, Concord, MA. Unencrypted USB drive and no breach notification policies and procedures.
- $50,000: Hospice of North Idaho, Hayden, ID. Theft of a laptop with no risk analysis performed.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/

RESOURCES
- HIPAA Collaborative of Wisconsin, http://www.hipaacow.org: breach policy document with a checklist, risk assessment, and example letters
- American Health Information Management Association (AHIMA), http://www.ahima.org/resources/: Breach Management Toolkit
- HHS Health Information Privacy: http://www.hhs.gov/ocr/privacy/index.html
- HHS Frequently Asked Questions: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
- HHS Office for Civil Rights: http://www.hhs.gov/ocr/office/index.html

Who is Avastone Health Solutions?
- A Heartland Technology Group company, joined by Heartland Business Systems and Avastone Technologies, LLC
- Heartland Business Systems founded in 1990
- A Wisconsin-based company with a Midwestern presence: offices in WI, IL, MN, IA; home office in Little Chute, WI
- Hired employee 500 in May 2014
- Annual revenue over $160 million

What is Avastone Health Solutions?
Strategic and operational consultants with an average of 18 years of broad health care experience. Areas of expertise:
- Privacy, security and data governance
- Revenue cycle in an evolving landscape
- Business intelligence
- Compliance and regulatory implementation
- Strategy and leadership
Understanding that each health care organization is unique, our team of experienced consultants works collaboratively with clients using a customized approach. Adopting best practice methodologies, the team identifies improvement and optimization opportunities across a wide spectrum of operational areas. Synergy occurs when operations is integrated with strategy and financial performance, driving rapid, sustainable results.

Why Avastone Health Solutions?
- Our experienced consulting team is immersed in the industry: AHIMA, HIMSS, MGMA, HFMA, HCCA, AAPC and more
- Through partnership with Heartland Business Systems and Avastone Technologies, offers full-circle operational, strategic and IT solutions
- Flexible to meet your unique needs
clemery@avastonetech.com, Telephone: 608 449 7207