

Subject: Protected Health Information Breach Notification Policy
Department: Enterprise Risk Management Services
Executive Sponsor: SVP/Chief Risk Officer
Approved by: Rod Hochman, MD, President/CEO
Policy Number: New
Date: 8/22/2013   [X] Revised   [ ] Reviewed
Policy Owner: System Director, Integrity, Compliance and Privacy
Implementation Date: August 1, 2010

Scope: This policy applies to Providence Health and Services and its Affiliates [1] and their employees, volunteers and others who are in the direct control of Providence (collectively referred to as workforce members) with access to Providence information and information systems. This is a management level policy recommended by Leadership Council, approved and signed by the President/CEO.

[1] For purposes of this policy, Affiliates is defined as any entity that is wholly owned or controlled by Providence Health & Services or Western HealthConnect (for example, Swedish Health Services, Swedish Edmonds, Kadlec Regional Medical Center, PacMed Clinics and Inland Northwest Health Services).

Purpose: The purpose of this policy is to describe the steps that must be taken in the event of a Suspected or Actual Breach of Unsecured Protected Health Information (Breach) and, when appropriate, to report the Breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) or its implementing regulations.

Policy: Providence will provide notification of any Breaches of Unsecured PHI in accordance with the requirements of the federal HITECH Act or its implementing regulations and any other relevant laws. This policy establishes minimum HIPAA requirements. State law may impose more stringent requirements, which will be addressed in regional level policies. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

Definitions: For the definition of terms not specifically defined below, please refer to INHS-1805, Privacy Glossary.

Breach or Actual Breach means an unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of such information. Examples of a Breach may include:
a) Lost or stolen laptops, computers, servers, tapes, CD-ROMs, flash drives, phones, PDAs and any other mobile data-storage medium containing PHI;
b) Lost or stolen papers containing PHI;
c) E-mails or papers containing PHI sent to an unauthorized party;
d) Electronic transmissions of PHI sent outside the Providence network in unencrypted format that are accessed without authorization;
e) Unauthorized or unnecessary access of PHI;
f) An intentional violation of the physical access controls to facilities where PHI is kept;

Page 1 of 7

g) Deficient application or other information security controls allowing unauthorized access to PHI;
h) Saving Electronic Protected Health Information (ePHI) in a location that grants access to people without a need to know; and
i) Notification from a business associate, law enforcement authority, government agency or other authority of a confirmed Breach of the computing environment where PHI is maintained or processed.

If there is a concern that there has been unauthorized or unnecessary access to PHI and the circumstances do not fit into the examples above, consult with your regional Privacy Officer or the Department of Legal Affairs.

Exceptions - Breach does not include:
a) Any good faith unintentional acquisition, access or use of PHI by a workforce member or business associate acting within the scope of employment where the PHI is not further used or disclosed. An example would be a nurse opening the medical record of the wrong John Smith and closing out of the record immediately without further using or disclosing the PHI;
b) An inadvertent disclosure of PHI by one person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement, if the PHI is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule. This exception applies even if the workforce members at issue are not authorized to access the same type of PHI. For example, a patient's information is accidentally sent to a doctor within the same covered entity who otherwise would have access to the record system, and the doctor does not further use or disclose the information;
c) A disclosure of PHI where Providence has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI. For example, a covered entity may send an explanation of benefits to the wrong individual. This inadvertent disclosure would typically trigger the Breach notification requirements. However, if the explanation of benefits is returned to the covered entity unopened, the exception applies and there is no Breach.

Suspected Breach means an incident where there is a reasonable likelihood that PHI was inappropriately acquired, accessed, used or disclosed.

Incident Response Team is the Providence team assembled to work through incidents, including Breaches and Suspected Breaches. The Team is generally comprised of representatives from Enterprise Risk Management Services (Privacy, Enterprise Security), Risk Claims and Insurance, Department of Legal Affairs and Communications.

Unsecured PHI means PHI that is not encrypted or destroyed in a manner that makes the PHI unreadable to unauthorized individuals.

Workforce member means employees, volunteers, trainees, medical staff and other persons under the direct control of Providence, whether or not they are paid by Providence. This may also include independent contractors, depending upon the arrangement.

Procedures

Responding to a Suspected or Actual Breach
1. Suspected and Actual Breaches will be reported within 48 hours to local, regional or system Privacy or their designees, Enterprise Security or their designees, the Providence Integrity Line at (888) 294-8455 or the Information Services (EIS) Operations Center at 1-877-512-7119.
2. The Incident Manager, in conjunction with the entity where the Suspected or Actual Breach occurred and the applicable region privacy and security representatives, will determine required actions.
3. Where incident management is deemed necessary, the Incident Manager will convene the Incident Response Team (IRT) to participate in the investigation and mitigation of the Suspected or Actual Breach.
4. Where appropriate, the IRT will be convened as soon as practicable following the report of a Suspected or Actual Breach.
5. If a Breach occurred, the entity and the IRT will take appropriate action as described in this policy.
6. If a Breach did not occur, the IRT or its designee will document how this conclusion was reached.

Determining if a Reportable Breach has Occurred
1. Upon notice of a Suspected Breach, the entity, in conjunction with the IRT, will determine if:
a) The Suspected Breach involved Unsecured PHI;
b) The Suspected Breach involved an impermissible use or disclosure of PHI under the HIPAA Privacy Rule; and
c) Any other breach notification laws or expectations for handling confidential information of any type, including but not limited to financial, business and workforce member information, apply.
If the answer to either question a) or b) is no, then no HITECH breach has occurred and no HITECH breach notification is required. If the answer to both questions a) and b) is yes, the entity and the IRT will determine if the Suspected Breach falls into one of the exceptions to the definition of Breach set out in the Definitions section above. If it does, no Breach has occurred and no notification is required.
2. Risk Assessment. If the Suspected Breach does not fall into one of the exceptions to the definition of Breach, the entity, in conjunction with the IRT, will conduct a risk assessment to determine if the Breach compromises the security or privacy of the information. The region or system privacy officer or his/her designee shall document the outcome of the risk assessment for inclusion in the appropriate reporting system. This documentation is required even if the risk assessment determines that no notification is required.

Actions if a Reportable Breach has Occurred
1. Notification to individuals. If, after conducting the risk assessment, the entity and the IRT cannot determine that there is a low probability of compromise to the Unsecured PHI, a letter will be drafted notifying the individual(s) of the Breach. (Note that it must be adapted for individual state law.) The letter shall be reviewed by the IRT and next steps determined.
2. Timing of notification. Except for cases in which a law enforcement official requests a delay in notification (see below), the region or system privacy officer or his/her designee shall provide notification to the individual without unreasonable delay and in no case later than 60 calendar days after discovery of a Breach by the entity or after being informed of a breach by a business associate.
3. Written request by law enforcement for delay in notification. If a law enforcement official provides the covered entity with a written statement that 1) a notification described in this policy would impede a criminal investigation or cause damage to national security, and 2) specifies the amount of time for which law enforcement is requesting a suspension of the notice requirement, the region or system privacy officer or his/her designee shall temporarily suspend the notice for the time specified by the law enforcement official. If a law enforcement official makes a statement orally, the region or system privacy officer or his/her designee must document the statement, including the identity of the official making it, and temporarily suspend the notice requirement for no longer than 30 days from the date of the oral statement unless a written statement is submitted during that time. The region or system privacy officer will notify the entity privacy representative of the suspension.
4. The date a Breach is discovered. A Breach is considered discovered on the first day the Breach is known to the covered entity. The covered entity is deemed to have knowledge of a Breach when any workforce member, other than the person committing the Breach, becomes aware of the Breach. For example, a nurse discovers a Breach of PHI on October 15 but does not report the Breach until October 23. The Breach is considered discovered on October 15.
5. Content of notification. Breach notifications shall be written in plain language. At a minimum, the following elements shall be included in the Breach notification to the extent possible:
a) A brief description of what happened, including the date of the Breach and the date the Breach was discovered, if known;
b) A description of the types of Unsecured PHI that were involved (name, social security number, date of birth, diagnosis, etc.);
c) Any steps individuals are advised to take to protect themselves from potential harm resulting from the Breach;
d) A brief description of what the covered entity is doing to investigate the Breach, mitigate harm to individuals and protect against any further Breaches; and
e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free number, an e-mail address, web site, or postal address.
6. Methods of notifying individuals. The region or system privacy officer or his/her designee, as appropriate, shall:
a) Provide notification in writing by first-class mail to the individual(s) at the last known address. E-mail may be used if the individual has agreed to electronic notice and has not withdrawn this agreement;
b) If the individual affected by a Breach is a minor or lacks legal capacity due to a physical or mental condition, provide notice in writing by first-class mail to the parent or personal representative of the individual;
c) If the region, entity or facility where the Breach occurred knows the individual is deceased and has the address of the next of kin or personal representative of the individual, provide written notice by first-class mail to the next of kin or personal representative;
d) Provide information to individuals by telephone or other appropriate means, in addition to written notice by first-class mail or e-mail, in any case in which the region/facility determines is urgent because of possible imminent misuse of Unsecured PHI.
7. Substitute notice. In cases where there is insufficient or out-of-date contact information to allow for written notice by first-class mail, the region or system privacy officer or his/her designee shall provide a substitute form of notice as soon as reasonably possible that is reasonably calculated to reach the individual, as follows:
a) In cases where mailing address information is insufficient or out-of-date for nine or fewer individuals, provide substitute notice by an alternative form of written notice (e-mail, for example), telephone, or other means;
b) In cases where contact information is insufficient or out-of-date for 10 or more individuals, provide substitute notice in the form of either a conspicuous posting for 90 days on the home page of the facility's web site, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the Breach likely reside. Either option must include a toll-free phone number that remains active for 90 days where an individual can learn whether his/her Unsecured PHI may have been included in the Breach;
c) Substitute notice is not required in the case of a deceased individual.
8. Notification to the Media. If a Breach of Unsecured PHI involves more than 500 residents of a state or jurisdiction, the entity and the IRT will work with region and system Communications to provide notice to prominent media outlets serving the state or jurisdiction. The notification must include the same content that is required in the notice to the individuals affected by the Breach. Except for cases in which law enforcement officials request a delay in notification, such notice shall be provided to the media without unreasonable delay and in no case later than 60 calendar days after discovery of a Breach. Notification to the media should be provided at approximately the same time as, but not before, notification to the individual.
9. Notification to the Secretary of Health & Human Services of a Breach involving more than 500 individuals. The appropriate region or system privacy officer or his/her designee will report Breaches involving more than 500 individuals to the Secretary of Health & Human Services by entering the required fields of information into the HHS data portal. Such notice shall be provided to the Secretary at approximately the same time that notice is provided to the individuals affected by the Breach.

10. Notification to the Secretary of Health & Human Services of a Breach involving 500 or fewer individuals. The appropriate region or system privacy officer or his/her designee will report Breaches involving 500 or fewer individuals to the Secretary of Health & Human Services by entering the required fields of information into the HHS data portal. Such notice shall be entered no later than 60 days after the end of each calendar year for breaches occurring during the preceding calendar year.
11. Providence record keeping. All official documentation pertaining to Breaches and Suspected Breaches shall be maintained by Enterprise Risk Management Services in the Integrity Line database.
12. Notification from a business associate. All Providence regions, service areas, facilities or ministries who contract with a business associate on Providence's behalf shall contractually require business associates to report Suspected or Actual Breaches to Providence as soon as practicable and in no case more than 30 days from the first day on which the Actual or Suspected Breach is known to the business associate. Reports of Suspected or Actual Breaches should be made to the Business Associate Breach Reporting Hotline at 1-877-512-7119.
13. Content of business associate notice. The report of a Suspected or Actual Breach from a business associate to Providence shall include, to the extent possible, the following elements:
a) The identification of each individual whose Unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the Breach;
b) A brief description of what happened, including the date of the Breach (if known) and the date of the discovery of the Breach;
c) A description of the types of Unsecured PHI that were involved (name, social security number, date of birth, diagnosis, etc.); and
d) A brief description of what the business associate is doing to investigate the Breach, mitigate harm to individuals and protect against any further Breaches.

Administrative Requirements
For the purposes of Breach notification, Providence must comply with the following administrative requirements:
a) Train existing and new workforce members on any Breach notification policies and procedures. All training must be documented.
b) Provide a process for individuals to make complaints concerning Providence's Breach notification policies and procedures, or an entity's compliance with said policies and procedures. All complaints and their disposition must be documented.
c) Have and apply appropriate sanctions against workforce members who fail to comply with the Breach notification policies and procedures. Workforce members who do not report a Suspected Breach will be subject to sanctions.
d) Providence may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise of rights under the HIPAA Privacy Rule, including the filing of complaints relating to Breach notification policies and procedures.
e) Providence cannot require individuals to waive their right to appeal to the Secretary of Health & Human Services as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
f) The Breach notification process does not preclude the requirement to enter relevant events into the appropriate Accounting for Disclosures database. Disclosures should continue to be logged as required by law.

References:
45 CFR 164
Privacy and Security Policies
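The reportable-breach determination and the notification obligations set out in the Procedures above, modelled as a small decision routine that an incident-response team might embed in its case-tracking tooling. This is an added example, not Providence's own tooling or a description of its systems: the thresholds (Unsecured PHI, impermissible use, exception, risk assessment; 60 calendar days from discovery; 30-day cap on an oral law-enforcement request; 10-or-more substitute-notice threshold; more-than-500 media and HHS thresholds; 60 days after year end for smaller breaches) come from the policy text, while the `Incident` fields, function names, the treatment of a law-enforcement suspension as extending the deadline, and the sample incidents are constructed assumptions.

```python
"""Added example (not Providence's own tooling): a model of the reportable-breach
determination and the notification deadlines set out in the policy's Procedures.
Thresholds and time limits come from the policy text; the Incident fields,
function names and the sample incidents are constructed for this illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Incident:
    discovered_on: date                    # first day any workforce member (other than the actor) knew
    unsecured_phi: bool                    # PHI not encrypted or destroyed per the definition
    impermissible_use: bool                # use/disclosure not permitted under the HIPAA Privacy Rule
    exception_applies: bool                # one of exceptions a) to c) in the Definitions
    low_probability_of_compromise: bool    # outcome of the risk assessment
    residents_by_state: dict = field(default_factory=dict)  # state -> affected individuals
    unreachable_by_mail: int = 0           # individuals with insufficient or out-of-date addresses
    occurred_on: Optional[date] = None     # date of the Breach, if known
    le_delay_days: Optional[int] = None    # suspension period requested by law enforcement
    le_request_written: bool = True        # False if the official only made an oral statement


def is_reportable_breach(inc: Incident) -> tuple:
    """Apply the 'Determining if a Reportable Breach has Occurred' steps in order."""
    if not inc.unsecured_phi:
        return False, "PHI was secured: no HITECH breach"
    if not inc.impermissible_use:
        return False, "use or disclosure was permitted: no HITECH breach"
    if inc.exception_applies:
        return False, "definitional exception applies: no Breach"
    if inc.low_probability_of_compromise:
        return False, "risk assessment found low probability of compromise (document the outcome)"
    return True, "reportable Breach"


def notification_plan(inc: Incident) -> dict:
    """Derive who must be notified and by when; dates are calendar days from discovery."""
    reportable, reason = is_reportable_breach(inc)
    plan = {"reportable": reportable, "reason": reason}
    if not reportable:
        return plan
    deadline = inc.discovered_on + timedelta(days=60)          # step 2: no later than 60 days
    if inc.le_delay_days is not None:                            # step 3: law-enforcement delay
        # Assumption: the suspension pushes the deadline out by the suspended period;
        # an oral statement alone suspends notice for at most 30 days.
        delay = inc.le_delay_days if inc.le_request_written else min(inc.le_delay_days, 30)
        deadline += timedelta(days=delay)
    plan["individual_notice_deadline"] = deadline
    if inc.unreachable_by_mail >= 10:                            # step 7b
        plan["substitute_notice"] = "web posting or major media, 90 days, with toll-free number"
    elif inc.unreachable_by_mail > 0:                            # step 7a
        plan["substitute_notice"] = "alternative written notice, telephone or other means"
    else:
        plan["substitute_notice"] = None
    # step 8: media notice per state or jurisdiction with more than 500 residents affected
    plan["media_notice_states"] = sorted(s for s, n in inc.residents_by_state.items() if n > 500)
    plan["media_notice_deadline"] = deadline if plan["media_notice_states"] else None
    total = sum(inc.residents_by_state.values())
    if total > 500:                                              # step 9
        plan["hhs_notice"] = ("with individual notice", deadline)
    else:                                                        # step 10: annual log
        breach_year = (inc.occurred_on or inc.discovered_on).year
        plan["hhs_notice"] = ("annual", date(breach_year, 12, 31) + timedelta(days=60))
    return plan


def plan_for(discovered_iso: str, unsecured_phi: bool = True, impermissible_use: bool = True,
             exception_applies: bool = False, low_probability_of_compromise: bool = False,
             **extra) -> dict:
    """Convenience wrapper: build an Incident from an ISO date and keyword fields."""
    return notification_plan(Incident(date.fromisoformat(discovered_iso), unsecured_phi,
                                      impermissible_use, exception_applies,
                                      low_probability_of_compromise, **extra))


if __name__ == "__main__":
    # Constructed sample: a lost unencrypted laptop discovered on the policy's example date.
    sample = plan_for("2013-10-15", residents_by_state={"WA": 620, "OR": 40}, unreachable_by_mail=12)
    for key, value in sample.items():
        print(f"{key}: {value}")
```

The routine stops at the first failing test in the same order the policy applies them, so the recorded reason mirrors the documentation the IRT must keep even when no notice is due (step 6 of Responding, step 2 of Determining). Media notice is evaluated per state because the 500 threshold in step 8 is per state or jurisdiction, whereas the HHS threshold in steps 9 and 10 is the total number of individuals.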