HIPAA Breach Notification Case Studies on What to Do and When to Report


AHLA Physicians and Physician Organizations and Hospitals and Health Systems Law Institute, February 9 and 10, 2012

Colleen M. McClorey, Associate General Counsel, University of Michigan Health System Legal Office
Elizabeth Callahan-Morris, Shareholder, Hall Render

HIPAA Breach Notification Rule
OCR Interim Final Rule published Aug 24, 2009, effective Sept 23, 2009.
Covered Entities (CEs) are required to notify individuals and HHS of breaches of unsecured protected health information (PHI).
Business Associates (BAs) causing such breaches are required to notify the CE of such breaches.
Sanctions for failure to notify began Feb 22, 2010.
Final Rule pending.

Recent Breach Enforcement Actions
Health system: $865,500 settlement for employees snooping into celebrity patients' EMRs (July 2011).
Hospital and affiliated physician organization: $1M settlement for failure to safeguard when an employee left PHI containing SSNs and HIV/AIDS information on a subway train (Feb 2011).
Pharmacy chain: $1M OCR settlement for improper disposal of PHI (July 2010).
Health plan: $250,000 State of CT settlement for a lost/stolen hard drive and notification delay; first state AG enforcement case (July 2010).
Multiple criminal prosecutions against individuals for HIPAA violations.

Required Breach Notifications
Breach notification is required when there is an acquisition, access, use, or disclosure of PHI not permitted by the HIPAA Privacy Rule, the PHI is unsecured, no exception applies, and the incident poses a significant risk of financial, reputational, or other harm.

Step 1: Violation?
Determine if the acquisition, access, use, or disclosure of PHI was in violation of the HIPAA Privacy Rule.

Step 2: Unsecured PHI?
Determine if the PHI was "unsecured." Unsecured PHI is PHI not secured through use of a technology or methodology that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals, per HHS guidance.
HHS guidance: PHI encrypted or destroyed per NIST standards is considered secured and is not subject to the breach notification rule.

Step 3: Exception?
Determine if an exception applies:
Unintentional acquisition, access, or use of PHI by a workforce member or other person under the authority of the CE or BA, if in good faith, within the scope of authority, and the PHI is not further used or disclosed.
Inadvertent disclosure of PHI by a person authorized to access PHI to another such person at the same CE, BA, or OHCA, and the PHI is not further used or disclosed.
Disclosure of PHI to a person not reasonably able to retain such information.

Step 4: Compromises the Security or Privacy?
Determine if the breach "compromises the security or privacy" of PHI, that is, whether it "poses a significant risk of financial, reputational, or other harm to the individual," per a risk assessment.
Note: If the PHI contained no identifiers (none of the 16 direct identifiers per the limited data set rule, plus no dates of birth or zip codes), then it automatically does not "compromise the security or privacy" of PHI.

Risk Assessment Factors
The risk assessment should consider:
Who impermissibly used the PHI, or to whom was the PHI impermissibly disclosed?
What immediate steps were taken to mitigate the impermissible use or disclosure?
Whether the PHI was returned before being accessed for improper use.
Type and amount of PHI.
Sensitivity of the information contained in the PHI.
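The four-step determination and the risk assessment factors above, worked as a small triage routine. This is an added example and not code from the presentation or its authors. The DIRECT_IDENTIFIERS set is the list of 16 identifiers a limited data set must exclude (45 CFR 164.514(e)(2)); every field name, recipient label, sample incident and the decision policy in assess_risk() is an assumption constructed for illustration, not a legal determination.

```python
"""Walks an incident through the four-step breach determination above.

Added example, not from the original presentation. DIRECT_IDENTIFIERS is the
list of 16 identifiers a limited data set must exclude (45 CFR 164.514(e)(2));
the field names, recipient labels, sample incidents and the decision policy in
assess_risk() are constructed for illustration and are not a legal determination.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# The 16 direct identifiers of the limited data set rule, as record field names.
DIRECT_IDENTIFIERS: Set[str] = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "certificate_license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "full_face_photo",
}
# The slide's note adds dates of birth and zip codes to the identifier check.
EXTRA_IDENTIFIERS: Set[str] = {"date_of_birth", "zip_code"}
# Content the preamble says raises the likelihood of harm.
IDENTITY_THEFT_FIELDS: Set[str] = {"ssn", "account_number", "mothers_maiden_name"}
SENSITIVE_SERVICE_FIELDS: Set[str] = {"service_type", "specialized_facility"}

# Recipient categories used for the Step 3 exceptions (constructed labels).
WORKFORCE_GOOD_FAITH = "workforce_good_faith"      # unintentional, within scope of authority
AUTHORIZED_SAME_ENTITY = "authorized_same_entity"  # inadvertent, same CE/BA/OHCA
CANNOT_RETAIN = "cannot_retain"                    # recipient not reasonably able to retain it
OUTSIDE_PARTY = "outside_party"


@dataclass
class Incident:
    fields_disclosed: Set[str]
    permitted_by_privacy_rule: bool = False
    secured_per_nist: bool = False          # encrypted or destroyed per NIST guidance
    recipient: str = OUTSIDE_PARTY
    further_used_or_disclosed: bool = False
    returned_before_access: bool = False


def identifiers_present(fields: Set[str]) -> Set[str]:
    """Step 4 note: the direct identifiers (plus DOB/zip) present in the PHI."""
    return fields & (DIRECT_IDENTIFIERS | EXTRA_IDENTIFIERS)


def exception_applies(inc: Incident) -> bool:
    """Step 3: the first two exceptions fail if the PHI was further used or disclosed."""
    if inc.recipient == CANNOT_RETAIN:
        return True
    if inc.recipient in (WORKFORCE_GOOD_FAITH, AUTHORIZED_SAME_ENTITY):
        return not inc.further_used_or_disclosed
    return False


def assess_risk(inc: Incident) -> Tuple[str, List[str]]:
    """Step 4 risk assessment over the slide's factors. Policy (this example's,
    not the rule's): any harm-raising factor that was not mitigated => notify."""
    factors: List[str] = []
    theft = sorted(inc.fields_disclosed & IDENTITY_THEFT_FIELDS)
    if theft:
        factors.append("identity-theft data: " + ", ".join(theft))
    sensitive = sorted(inc.fields_disclosed & SENSITIVE_SERVICE_FIELDS)
    if sensitive:
        factors.append("sensitive service information: " + ", ".join(sensitive))
    if inc.recipient == OUTSIDE_PARTY:
        factors.append("recipient outside the CE/BA")
    if inc.returned_before_access:
        factors.append("mitigated: PHI returned before it was accessed")
        return "document_assessment", factors
    if factors:
        return "notify", factors
    return "document_assessment", ["no harm-raising factors identified"]


def triage(inc: Incident) -> Tuple[str, str]:
    """Run Steps 1-4 in order and return (decision, reason)."""
    if inc.permitted_by_privacy_rule:
        return "no_notification", "step 1: use or disclosure permitted by the Privacy Rule"
    if inc.secured_per_nist:
        return "no_notification", "step 2: PHI was secured (encrypted or destroyed per NIST)"
    if exception_applies(inc):
        return "no_notification", "step 3: exception applies"
    ids = identifiers_present(inc.fields_disclosed)
    if not ids:
        return "no_notification", "step 4: no identifiers, does not compromise security or privacy"
    decision, factors = assess_risk(inc)
    return decision, "step 4: identifiers " + ", ".join(sorted(ids)) + "; " + "; ".join(factors)


# Constructed sample incidents mirroring the case-study themes.
SAMPLE_INCIDENTS = {
    "misdirected_fax": Incident({"name", "date_of_birth", "service_type"}),
    "lost_encrypted_drive": Incident({"name", "ssn", "medical_record_number"}, secured_per_nist=True),
    "wrong_colleague_email": Incident({"name", "medical_record_number"}, recipient=AUTHORIZED_SAME_ENTITY),
    "deidentified_report": Incident({"diagnosis_code", "year_of_service"}),
    "returned_letter": Incident({"name", "street_address", "ssn"}, returned_before_access=True),
}

if __name__ == "__main__":
    for label, inc in SAMPLE_INCIDENTS.items():
        decision, reason = triage(inc)
        print(f"{label:22s} -> {decision:20s} {reason}")
```

The order of the checks matters: an encrypted drive or an in-house inadvertent disclosure never reaches the risk assessment, and a record with no direct identifiers (and no DOB or zip) is closed at Step 4 without one. Everything that does reach assess_risk() carries the reason string, which is what a compliance file needs to retain for the incident record.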

Breach Notification Rule Preamble on Risk Assessments
For example, if a CE improperly discloses PHI that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the PHI includes information that increases the risk of identity theft (such as a social security number, account number, or mother's maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.

OMB Memorandum M-07-16
Substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained: the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, the disclosure of address information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem.

Next Steps
Devise a plan.
Appoint a project manager.
Determine applicable state and federal law requirements.
Submit notice of claim to the insurance company.
Engage outside resources as needed for call center, breach notification mailings, and credit monitoring services.
Prepare breach notification letters in English and other languages as needed.
Prepare press release.
Update website.
Submit breach report to state and federal agencies.
Create or review call center scripts.
Train internal staff and external call center staff as needed.

Case Studies
Social media postings
Lost thumb-drives
Patient criminal background checks
Newborn adoption solicitations
Misdirected faxes and letters
Business associate breaches

OCR Breach Report
OCR breach report summaries: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Comments and Questions
Colleen M. McClorey, University of Michigan, cmcclore@med.umich.edu
Elizabeth Callahan-Morris, Hall Render, ecallahan@hallrender.com, 248.457.7854