HEALTHCARE BREACH TRIAGE


HEALTHCARE BREACH TRIAGE
IAPP Privacy Academy, September 30 to October 2, 2013
Theodore P. Augustinos, EDWARDS WILDMAN PALMER LLP
Kenneth P. Mortensen, CVS/CAREMARK
2013 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP

Agenda
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach
2. Forensic Challenges specific to Breaches involving PHI
3. Other Issues of Interest to Healthcare Providers and BAs
4. Triage Tips for Healthcare Breaches

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach

Sources of Healthcare Data Breach Obligations
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Regulatory authority and enforcement by the Department of Health and Human Services (HHS)
  - Privacy, Security and Breach Notification requirements
    - Privacy Rule
    - Security Rule
  - Applies to Protected Health Information (PHI) and Covered Entities (CEs)

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  - Amended HIPAA and extended the Privacy and Security Rules to Business Associates (BAs)
    - Before HITECH, BAs were contractually liable to CEs but had no primary statutory liability to the federal government.
  - Imposes breach notification requirements on CEs and BAs
  - Increases enforcement of, and penalties for, violations of the privacy and security of PHI
  - Granted enforcement power over HIPAA violations to state Attorneys General
  - Tiered approach to civil monetary penalties for violations

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- Final Omnibus Rule
  - Final regulations implementing HITECH, effective March 26, 2013, with a compliance date of September 23, 2013
  - Changed the harm threshold for breach notification
    - Under the Interim Rule there was a simple harm threshold: a reportable breach involves a compromise of the privacy or security of PHI that presents a significant risk of financial, reputational, or other harm. Under this subjective rule, there was no reportable breach unless there was a determination of significant risk.
    - The Final Omnibus Rule turns this threshold around...

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- Final Omnibus Rule (cont.)
  - The Final Omnibus Rule presumes a breach is reportable unless there is an affirmative determination of a low probability that the PHI has been compromised, made after considering (and documenting) four specific factors:
    1. the nature and extent of the PHI involved;
    2. the person who obtained the unauthorized access, and whether that person is under an independent obligation to protect confidentiality;
    3. after forensic analysis, whether the PHI was actually acquired or accessed; and
    4. the extent to which the risk has been mitigated, such as by a confidentiality agreement signed by the recipient.

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- Final Omnibus Rule (cont.)
  - Increases potential penalties to a maximum of $1.5 million per violation
  - Other provisions increase patients' privacy rights
  - Confirms CEs' ability to delegate notification to BAs
    - But also makes CEs liable for BAs acting as the CEs' agents

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- State Law
  - Requires state-by-state analysis
  - Some states (e.g., CA) include medical or health information in their breach notification requirements
  - Additional requirements for licensees
  - Even bigger challenges arise when both PHI and PI are part of the same incident: multiple versions of notification letters, including ones presenting different offers of remediation, may be required to meet differing state and HIPAA breach notice requirements

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- US Enforcement Trends -- 2012
  - June 2012: $1.7M settlement with the Alaska Department of Health and Social Services
    - Loss of an unencrypted hard drive
    - Lack of policies and procedures
  - September 2012: $1.5M settlement with a healthcare provider
    - Theft of an unencrypted laptop
  - January 2013: First HIPAA breach settlement for an incident impacting fewer than 500 patients; an unencrypted laptop was stolen from a hospice that lacked policies and procedures

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- US Enforcement Trends -- 2013
  - May 2013: $400,000 settlement with Idaho State University for a 2011 breach of the ePHI of 17,500 individuals treated at an ISU clinic. Alleged lack of security assessment and measures due to a disabled firewall.
  - July 2013: WellPoint pays a $1.7M settlement for exposing ePHI on the Internet. OCR cited deficiencies in a web-based application that resulted in the exposure of over 600,000 individuals. The OCR press release referenced future liability of BAs as well.
  - August 2013: Affinity Health Plan pays $1.2M for exposing the PHI of approximately 344,000 individuals when returning leased copiers without erasing their hard drives.

1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)

- State-Level Enforcement Trends
  - New York: on May 28, 2013, NY DFS sent Section 308 letters to over 30 of the largest insurers in NY, including numerous health insurers. The letters require production of:
    - Information on any cyber attacks the company has been subject to in the past three years
    - The cyber security safeguards the company has put in place
    - The company's information technology management policies
    - The amount of funds and other resources dedicated to cyber security at the company
    - The company's governance and internal control policies related to cyber security

2. Forensic Challenges specific to Breaches involving PHI

- Control over the location of data -- in addition to issues related to authorized cloud and outsourcing use...
  - Challenges in developing and enforcing policies
  - Cultural issues
  - Restricting and securing:
    - Equipment
    - Cloud usage
    - Access to data
- Access logging
  - Especially important for shared-access facilities

2. Forensic Challenges specific to Breaches involving PHI (cont.)

- Photographic and videographic media
- Determining the scope of compromised PHI in any form or medium
  - Limitations on search tools and capabilities for PHI
- Cloud and other outsourcing considerations
  - Security verification
  - Location control
  - Investigations

3. Other Issues of Interest to Healthcare Providers and BAs

- What happens when there's a breach involving Health Insurance Exchanges (HIX)?
  - Proposed Rule published June 19
  - Breach would be defined broadly
  - Per applicable agreements, Federally-Facilitated Exchanges (FFEs) (including associated non-exchange entities) and State Exchanges would have to report breaches to HHS within one hour
  - The proposed rule states that an "incident" would mean the act of violating an explicit or implied security policy, which includes attempts [either failed or successful] to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.

3. Other Issues of Interest to Healthcare Providers and BAs (cont.)

- More about Business Associates
  - Perform functions or activities on behalf of Covered Entities
  - Includes claims processors, legal, accounting, actuarial, etc., if they receive PHI
  - BA Agreements are required of CEs to contractually extend privacy and security standards to BAs
  - Standard provisions of BA Agreements:
    - Obligations and activities of the BA (uses and disclosures of PHI, reporting, access, etc.)
    - Permitted uses and disclosures
    - Return or destruction of PHI upon termination
  - Before HITECH, BAs were contractually liable to CEs but had no primary statutory liability to the federal government. The penalty for violation of contractual obligations was damages resulting from the contractual breach.

3. Other Issues of Interest to Healthcare Providers and BAs (cont.)

- Sub-BAs
  - HITECH extended security obligations to sub-BAs as well as direct BAs
  - Increased pressure on contractual provisions related to sub-BAs, including required reps, warranties, indemnifications, inspection and audit rights, and notice requirements.

4. Triage Tips for Healthcare Breaches

- Preparedness -- keep a full cart
  - In the ER and surgical theaters, all the potentially necessary drugs are kept in the cart at all times. Equipment is assembled, maintained and ready. Staff is organized, trained and on call. Approach your potential future breach the same way.
- Do no harm
  - Get the full team up to speed, stat!
  - Don't over-react or react too quickly
  - Make decisions with all necessary information
  - Follow procedures and protocol

4. Triage Tips for Healthcare Breaches (cont.)

- Next steps for advance preparation
  - Assess your data: What is it? Where is it? Who has access? Do you have more than you need?
  - Assess your policies, procedures and safeguards: you can't "set it and forget it"
  - Review your vendor management process and vendors
    - Due diligence
    - BA Agreements
    - Sub-BAs
  - Freshen your incident response plan and preparedness
    - Consider a table-top exercise
  - Do more training