Do You Know How To Handle A HIPAA Breach?


Do You Know How To Handle A HIPAA Breach? Claudia A. Hinrichsen, Esq. The Greenberg, Dresevic, Hinrichsen, Iwrey, Kalmowitz, Lebow & Pendleton Law Group (516) 492-3390 chinrichsen@thehlp.com

Industry leading Education. Certified Partner Program. Please ask questions. For today's slides: http://compliancy-group.com/slides023/ Today's and past webinars: http://compliancy-group.com/webinar/ Join our chat on Twitter: #cgwebinar

Agenda
I. Definition of Breach and Risk Assessment
II. Notification obligations in the event of a HIPAA breach
III. Getting your own house in order
IV. What to do when social security numbers are disclosed
V. Credit monitoring for impacted patients
VI. Insurance for HIPAA breaches
VII. Questions?

I. HIPAA Omnibus Rule. New HIPAA regulations became effective on September 23, 2013. Significant modifications were made to the HIPAA rules, including breach notification, among other things. The harm standard was removed. Four factors must be considered in the risk assessment.

I. Determine Whether a Breach Occurred. An impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the Covered Entity is able to demonstrate that there is a low probability that the PHI has been compromised. This applies to unsecured PHI, that is, PHI which is not rendered unusable, unreadable, or indecipherable.

I. Determine Whether a Breach Occurred. At least the following four factors must be assessed: 1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 2) the unauthorized person who used the PHI or to whom the disclosure was made; 3) whether the PHI was actually acquired or viewed; and 4) the extent to which the risk to the PHI has been mitigated.

I. Results of Risk Assessment. If evaluation of the factors fails to demonstrate a low probability that the PHI has been compromised, breach notification is required.

I. Example 1. If information containing dates of health care service and diagnoses of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on the information available to the employer, such as dates of absence from work. In this case, there may be more than a low probability that the protected health information has been compromised.

I. Example 2. If a laptop computer was stolen and later recovered, and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the Covered Entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.

I. Example 3. If financial information, such as credit card numbers or social security numbers, was disclosed, the Covered Entity may determine that a breach has occurred, as unauthorized use or disclosure of such information could increase the risk of identity theft or financial fraud.

II. Notification Obligations in the Event of a HIPAA Breach. Notification to affected individuals; notification to the media; notification to the Secretary of the Department of Health and Human Services (the Secretary); other notifications.

II. Notification to Affected Individuals. All notices to affected individuals must be written in plain language and include: a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; a description of the types of PHI (not the specific PHI) that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved);

II. Notification to Affected Individuals (continued). Any recommended steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what the Covered Entity is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches; and contact information for the Privacy Officer of the Covered Entity.

II. Method of Notification. The covered entity must notify affected individuals by: 1. written notification by first-class mail to the individual at the last known address of the individual; 2. if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail.

II. Method of Notification. In the case of minors or individuals who lack legal capacity due to a mental or physical condition, the parent or personal representative should be notified. If the covered entity knows that an individual is deceased, the notification should be sent to the individual's next of kin or personal representative if the address is known.

II. Method of Notification. In urgent situations where there is a possibility of imminent misuse of the unsecured PHI, additional notice by telephone or other means may be made. However, direct written notice must still be provided.

II. Notification to the Media. If the breach of unsecured PHI involves more than 500 residents of a state or jurisdiction, a prominent media outlet must be notified (most likely via a press release) without unreasonable delay and no later than 60 days after discovery. PLEASE NOTE: The notification to the media is not a substitute for the notification to the individual.

II. Notification to the Secretary. For a breach of unsecured PHI that involves more than 500 individuals, the Secretary of the Department of Health and Human Services should be notified via ocrnotifications.hhs.gov without unreasonable delay and no later than 60 days after discovery.

II. Notification to the Secretary. If the breach of unsecured PHI involves less than 500 individuals, the Covered Entity's Privacy Officer should maintain an internal log or other documentation of the breach. This information should then be submitted annually (before March 1st) to the Secretary of HHS for the preceding calendar year via the website. The health care provider should maintain its internal log or other documentation of breaches for six years.


III. Getting Your House in Order. Review/update the practice's policies and procedures. Provide training to all employees in: updated policies; prompt reporting; evaluation and documentation of breaches. Create an action plan to respond to security incidents and breaches. Conduct regular internal audits. Consider getting insurance for HIPAA breaches.

Most Common Forms of Breach. Impermissible uses and disclosures of protected health information; lack of safeguards for protected health information; lack of patient access to their protected health information; uses or disclosures of more than the Minimum Necessary protected health information; complaints to the covered entity.

III. Office for Civil Rights (OCR) Audits. OCR has completed audits for 115 entities with a total of 979 audit findings and observations: 293 regarding Privacy; 592 regarding Security; 94 regarding Breach Notification. An evaluation is currently underway to make audits a permanent part of enforcement efforts. The Security Rule assessment will be highly scrutinized.

IV. Social Security Numbers. Most states have additional laws regulating notification of unauthorized disclosure of social security numbers. These regulations require that notification be provided in the most expeditious time possible and without unreasonable delay. The person that owns or licenses the computerized data must provide notice to the individual.

IV. Social Security Number Breach. Typically the following must be done immediately after discovery of the breach: detailed notice to affected residents within the state; notification to other governmental agencies, including, but not limited to: the State Attorney General, the Department of State, and Consumer Reporting Agencies. PLEASE NOTE: The Attorney General may bring a civil action and the court may also award injunctive relief.
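The notification rules in sections II and IV, worked into a small incident-response helper. This is an added example, not code from the presenter or from Compliancy Group; the `Breach` and `Notice` types, their field names, and the sample breach records are constructed for illustration. It encodes the thresholds exactly as the slides state them (more than 500 residents of a state for media notice, more than 500 individuals for immediate HHS notice, otherwise an annual log submitted before March 1 of the following year, and state SSN notices immediately after discovery) and shows why a multi-state breach can require HHS notice without triggering any media notice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed data model for this example (not from the slides).
@dataclass
class Breach:
    discovered: date
    unsecured: bool                       # PHI not rendered unusable, unreadable or indecipherable
    low_probability_of_compromise: bool   # documented outcome of the four-factor risk assessment
    affected_individuals: int
    residents_per_state: dict = field(default_factory=dict)   # state code -> affected residents
    ssn_disclosed: bool = False           # triggers the state SSN breach laws of section IV

@dataclass(frozen=True)
class Notice:
    recipient: str
    method: str
    deadline: date     # outer limit; notice is still owed "without unreasonable delay"

def notification_obligations(b: Breach) -> list:
    """Who must be notified and by when. An empty list means no reportable breach."""
    # The presumption of breach applies only to unsecured PHI and is rebutted only by a
    # demonstrated low probability of compromise; anything else requires notification.
    if not b.unsecured or b.low_probability_of_compromise:
        return []
    outer = b.discovered + timedelta(days=60)   # "no later than 60 days after discovery"
    notices = [Notice("affected individuals",
                      "written notice by first-class mail to last known address "
                      "(e-mail only if the individual agreed)", outer)]
    # Media notice is assessed per state/jurisdiction: more than 500 residents of that state.
    for state, n in sorted(b.residents_per_state.items()):
        if n > 500:
            notices.append(Notice(f"prominent media outlet ({state})", "press release", outer))
    # HHS notice: immediate when more than 500 individuals are involved; otherwise the
    # Privacy Officer logs it and submits the log before March 1 of the following year.
    if b.affected_individuals > 500:
        notices.append(Notice("HHS Secretary", "ocrnotifications.hhs.gov", outer))
    else:
        annual = date(b.discovered.year + 1, 3, 1) - timedelta(days=1)
        notices.append(Notice("HHS Secretary", "annual breach log submission", annual))
    if b.ssn_disclosed:
        # Section IV: state law notices are due immediately after discovery (exact timing
        # varies by state; the agencies are the ones listed on the slide).
        for agency in ("State Attorney General", "Department of State",
                       "Consumer Reporting Agencies"):
            notices.append(Notice(agency, "per applicable state SSN breach law", b.discovered))
    return notices

def log_retention_end(b: Breach) -> date:
    """The internal breach log must be kept for six years from discovery."""
    try:
        return b.discovered.replace(year=b.discovered.year + 6)
    except ValueError:                      # discovered on Feb 29
        return b.discovered.replace(year=b.discovered.year + 6, day=28)
```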

V. Credit Monitoring. According to the U.S. Federal Trade Commission, it takes an average of 12 months for a victim of identity theft to notice the crime. Credit-monitoring services will regularly alert the individual of any changes to their credit, helping stop theft before it gets out of control.

V. Credit Monitoring. Covered entities and others who maintain PHI may need to offer such services to affected individuals to mitigate risk. Companies such as Identity Guard, Equifax, and Experian offer credit monitoring, providing credit alerts to individuals every business day. The average cost of credit monitoring per person is $15 a month with credit alerts, which will report new accounts, credit inquiries, address changes, changes to current accounts/account information, etc.

V. Business Associate Agreements. Covered Entities should include indemnification language in their Business Associate Agreement for any costs related to a breach, including free credit monitoring for affected individuals. A Covered Entity may also consider requiring business associates to have data breach insurance.

VI. Cyber/Breach Insurance. A recent study by the Ponemon Institute reported that 76% of participating organizations in the study who had experienced a security exploit ranked cyber security risks as high or higher than other insurable risks, such as natural disasters, business interruptions, and fire. Many general liability insurance policies are excluding data breaches and security compromises.

VI. Cyber/Breach Insurance. Data breach insurance may be necessary to cover the costs of responding to a breach and may include: defense costs and indemnity for a statutory violation, regulatory investigation, negligence or breach of contract; credit or identity costs as part of a covered liability judgment, award or settlement; forensic costs incurred in the defense of a covered claim.

VII. Conclusion. Thus far in 2013, 48 percent of reported data breaches in the United States have been in the medical/healthcare industry. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost. (ITRC Breach Report, Identity Theft Resource Center, May 2013.) A plan of action is crucial in order to appropriately handle a breach. Proper and timely notification is necessary.

HIPAA Compliance. HITECH Attestation. Risk Assessment. Free Demo and 60 Day Evaluation: www.compliancy-group.com HIPAA Hotline: 855.85HIPAA (855.854.4722). Omnibus Rule Ready. Meaningful Use core measure 15. Policy & Procedure Templates.

VII. Questions?