RISK TRACK. Privacy and Data Protection


Presenters

Marti Arvin
Chief Compliance Officer, UCLA Health Sciences
Phone: 310-794-6763
MArvin@mednet.ucla.edu

Marti Arvin is the Chief Compliance Officer for UCLA Health Sciences. Previously, Marti served as the privacy officer for the University of Louisville for five years with oversight of privacy at the university level. She is an attorney with extensive experience in compliance and privacy. Prior to her position with the University of Louisville, Ms. Arvin was the Privacy and Compliance Officer for the University of Pittsburgh Physicians. Before that she held the same position at Indiana University School of Medicine. Before establishing herself in compliance and privacy, she practiced law with the Indiana Attorney General's Office handling federal civil rights and employment law cases. She has written and lectured extensively on compliance and privacy issues. She is on the Board of Directors for the Health Care Compliance Association, a member of the Compliance Certification Board, and chair of the Health Care Compliance Association's Compliance Focus Group on Privacy. She is a faculty member of the HCCA Basic, Advanced and Research Compliance Academies. She is on the faculty of the Society for Corporate Compliance and Ethics Compliance Academy. She is the recipient of the 2007 Health Care Compliance Association's Third Annual Compliance Professional's Compliance and Ethics Award.

George B. Breen
Shareholder, EpsteinBeckerGreen
1227 25th Street, NW, Washington, DC 20037
Phone: 202-861-1823
gbreen@ebglaw.com

George B. Breen is a Shareholder of Epstein Becker & Green, P.C. and a member of its Health Care and Life Sciences and Litigation practices. A litigator for over 20 years, Mr. Breen is co-chair of the firm's Litigation and Government Investigations practice group. Mr. Breen routinely represents clients in connection with matters brought by the U.S. Department of Justice, the Department of Health and Human Services Office of the Inspector General, State Attorneys General and other state and federal agencies. He also counsels clients on, and litigates, privacy, security and data breach matters. Mr. Breen speaks and writes frequently on issues related to trial practice and privacy and security issues. He is Peer Review Rated "AV" by the Martindale-Hubbell Law Directory and earlier this year he was named an "Outstanding Healthcare Litigator" by Nightingale's Healthcare News in its January 2010 Special Report.

AGENDA
- Overview, background and what the future might hold
- Best practices in risk program development
- Managing privacy and data risks

Overview and Background
- Evolution over the past 10 years
- National landscape
- Global landscape
- Pending federal legislation
- Recent case law

STATE REPORTING REQUIREMENTS

Since 2003
- California was the first state to enact a data breach notification law, in 2003.
- The ChoicePoint breach (2005) draws the country's attention.
- In less than five years, 44 additional states adopt breach laws.
- As of this presentation (mid-2010), only Alabama, Kentucky, Mississippi, New Mexico, and South Dakota have no statute specifically addressing data security incidents.

State Law Basics
- The notification requirement is based on the state of residence of the affected consumers/patients, not the location of the company.
- States differ on whether notice is triggered solely by unauthorized acquisition of the data or only when harm from the acquisition is reasonably likely.
- A limited number of states specifically protect medical information; that number is expected to grow.
- Many states require pre-breach preventive procedures.

State Security Breach Notification Regulations
[Map slide: states shaded red have acquisition-based notification triggers, black have risk-of-harm-based triggers, green have no statute. Source: http://law2point0.com/wordpress/2009/09/15/50-state-securitybreach-notice-law/]

State Law Differences
- Many states have similar laws, but key differences can significantly affect response strategy.
- Whether reporting to the Attorney General is required; civil penalties; private rights of action.
- Personal information: the definition of personal information protected by statute can vary significantly.
- How and when you must report.

Federal Computer Security Laws
- Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 on February 17, 2009: breach reporting (HIPAA and PHRs); standards for protection of PHI; modifications to HIPAA
- Gramm-Leach-Bliley Act (P.L. 106-102, 15 USC Chpt. 94, 6801 et seq.)
- Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (P.L. 98-473, Title II, 2102(a), 18 USC 1030, as amended)
- Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, Title II, Subtitle F, Sec. 262, 42 USC 1320d et seq.)
- Sarbanes-Oxley Act of 2002 (P.L. 107-204, Sec. 404)

HITECH Act
- Extends the reach of the HIPAA Privacy and Security Rules to business associates (BAs)
- Responds to concerns that a wide variety of organizations maintain and transmit PHI but are not regulated by HIPAA
- Limits certain uses and disclosures of PHI
- Increases individuals' rights with respect to PHI maintained in EHRs
- Increases enforcement of, and penalties for, HIPAA violations
- Imposes breach notification requirements on covered entities (CEs) and BAs

Examples of Early Enforcement Efforts: Providence Health & Services
On July 16, 2008, Providence entered into a resolution agreement with OCR under which it agreed to pay $100,000 and implement a detailed Corrective Action Plan (CAP) to settle a complaint stemming from its loss of unencrypted backup media and laptops in 2005 and 2006.
The CAP requires:
- Revising policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval;
- Training workforce members on the safeguards;
- Conducting audits and site visits of facilities; and
- Submitting compliance reports to HHS for a period of three years.
Note: pre-ARRA penalty caps kept the settlement low; OCR's starting point for negotiations will be higher in the future.

Examples of Early Enforcement Efforts: CVS Pharmacy
On January 16, 2009, CVS accepted a $2,250,000 penalty and a Corrective Action Plan (CAP) to settle a complaint stemming from its practice of disposing of old prescriptions and prescription bottles.
The CAP requires:
- Revising and distributing its policies and procedures regarding disposal of protected health information;
- Sanctioning workers who do not follow the policies and procedures;
- Training workforce members on these new requirements;
- Conducting internal monitoring;
- Engaging a qualified, independent third-party assessor to conduct assessments of CVS's compliance with the requirements of the CAP and render reports to HHS;
- New internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and
- Submitting compliance reports to HHS for a period of three years.
Subsequently, OCR issued PHI Disposal FAQs.

Current Enforcement Efforts: Rite Aid Pharmacy
On July 27, 2010, Rite Aid agreed to pay $1,000,000 to HHS and enter into a Corrective Action Plan (CAP) to settle a complaint stemming from its practice of disposing of prescriptions and labeled pill bottles. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.
The CAP requires:
- Revising and distributing its policies and procedures regarding disposal of protected health information, and sanctioning workers who do not follow them;
- Training workforce members on these new requirements;
- Conducting internal monitoring;
- Engaging a qualified, independent third-party assessor to conduct assessments of Rite Aid's compliance with the requirements of the CAP and render reports to HHS.
Rite Aid has also agreed to external, independent assessments of its pharmacy stores' compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.

New Enforcement Authority under HITECH: State Attorneys General
Under a new section added to HIPAA (42 USC 1320d-5(d)), State Attorneys General can bring civil actions in federal court on behalf of state residents threatened or adversely affected by a violation of the HIPAA Privacy or Security Rules.
Available remedies and sanctions:
- injunctive relief;
- statutory damages of $100 per violation, not to exceed $25,000; and
- attorneys' fees and costs.
State Attorneys General are required to serve prior written notice on the Secretary of HHS, where feasible, in which case HHS can intervene in the action. If HHS brings a prior action, it preempts an identical state action to enforce HIPAA. However, State Attorneys General remain able to bring actions under their own state laws that are not in conflict with HIPAA.

Post-HITECH: First Reported State Enforcement - CT v. Health Net
Complaint allegations:
- May 2009: Health Net learns of a lost portable disk drive containing financial information and PHI of approximately 446,000 current and former CT enrollees.
- November 2009: Health Net notifies CT enrollees.
- January 2010: the CT AG files suit.
Three causes of action pled:
1. Failure to comply with HIPAA.
2. Violation of the CT Unfair Trade Practices Act.
3. Civil penalties for willful violation of the CT Unfair Trade Practices Act.
Relief sought:
- Injunctive relief under HIPAA and CT state law;
- Statutory damages for HIPAA violations, including costs and attorneys' fees under HITECH;
- State civil monetary penalties (up to $5,000 per willful violation) and attorneys' fees and costs under CT state law.

CT v. Health Net: Stipulated Judgment
The parties agreed to entry of a Stipulated Judgment on July 7, 2010. The judgment provides for:
- Guaranteed payment of $250,000.00 to the State of Connecticut, with a contingent obligation to pay $500,000.00 if certain events occur;
- Institution of a Corrective Action Plan which requires Health Net to:
  - encrypt all laptops and desktops;
  - train employees on encryption, storage and removable media;
  - provide annual employee training;
  - provide two years of identity theft protection for affected members at Health Net's expense;
  - if any member experiences identity theft, provide services to restore the member's identity at no cost to the member.
The Stipulated Judgment reflects that Health Net had incurred $7 million in costs in connection with the data breach.

Other Enforcers' Efforts
Kaiser Permanente Northern California - January 2010
- Medical records for about 15,500 Northern California patients were compromised.
- An external hard drive was stolen from an employee's car.
- The employee was authorized to use medical records data, but should not have used an external drive.
- The AG has begun an investigation and will likely fine Kaiser for the breach.
- Potential costs and fines are estimated at around $2 million.
Blue Cross/Blue Shield Tennessee - October 2009
- 58 hard drives were stolen from a training facility.
- The hard drives contained audio and video files with identifying information for nearly 1 million members.
- The plan is notifying members about the data theft and is offering no-cost credit monitoring to individuals.
- The plan has hired 700+ contractors and employees to help determine what data was contained on the hard drives.
- Costs are already more than $7 million, and the plan will incur more as identity protection services are offered.
- The plan notified AGs in 32 states about the breach.

Proposed Modifications to HIPAA under the HITECH Act
New regulations were proposed by DHHS on 7/8/10. Highlights:
- Business associates have direct liability. The standards, requirements, and implementation specifications of some of the HIPAA Rules now directly apply to business associates. Business associates can be held civilly and criminally liable for penalties for violations of those requirements.
- Subcontractors are deemed business associates. Subcontractors of a covered entity's business associates are also considered business associates to the extent that they require access to PHI.
- Existing business associate agreements must be updated with new provisions:
  - the business associate must report breaches of unsecured PHI to the covered entity;
  - the business associate will comply with the applicable provisions of the Security Rule;
  - the business associate will enter into business associate agreements with its subcontractors.
  Note: the covered entity remains directly liable for certain violations of HIPAA even if the violation is the fault of the business associate.
- Additions to the Notice of Privacy Practices and the ability to request restriction of use of PHI.
- Effective date: January 7, 2011.

What Does the Future Hold: Previous Legislative Efforts
July 2009: "The Personal Data Privacy and Security Act"
- Would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach
- Would require businesses to implement preventive security standards to guard against threats to their databases
January 2009: "The Data Breach Notification Act"
- Would authorize the Attorney General to bring civil actions against firms that failed to notify people whose personal information had been compromised
- Would extend notification requirements to government agencies

What Does the Future Hold: Pending Legislation
On July 14, 2010 the "2010 Data Security Act" was introduced in Congress. The bill would apply to:
1. all businesses regulated by Gramm-Leach-Bliley;
2. businesses covered by the Fair Credit Reporting Act;
3. businesses that maintain or communicate sensitive account or personal information in providing services to covered financial entities.
- The bill would preempt the 46 different state laws on data security.
- The bill would only require notification to consumers of breaches of security when harm was reasonably likely, not automatically after any breach.

International Laws
- Canada: Canada's Personal Information Protection and Electronic Documents Act
- Europe: European Union Data Protection Directive (Directive 95/46/EC, enacted in 1995); Charter of Fundamental Rights of the European Union ("respect for private and family life" and "right to protection of personal data")
- Asia Pacific Region: Japanese Act on the Protection of Personal Information; APEC Privacy Framework

US versus International
- The United States approaches privacy on a sectoral basis, while other countries address it more comprehensively.
- The European Union adopted a Data Protection Directive in 1995 (Directive 95/46/EC of 24 October 1995) that provides broad powers to individuals to protect personally identifiable information.
- The EU's Charter of Fundamental Rights recognizes respect for private and family life and a right to protection of personal data as fundamental.
- Discord between the United States' sectoral approach and that of other countries leads to business challenges.

Canada
Canada's Personal Information Protection and Electronic Documents Act includes privacy principles; provincial laws in Canada supplement that federal statute.

Europe
The EU's Directive 95/46/EC on data protection requires legitimacy, data quality, proportionality, notice to persons whose data are collected, and rights of information, access and rectification.

Asia Pacific Region
- Japan's Personal Information Protection Act requires measures "necessary and appropriate for preventing the unauthorized disclosure, loss or destruction of handled Personal Data".
- Asia-Pacific Economic Cooperation countries developed the APEC Privacy Framework.

APEC Privacy Principles
- Preventing harm: protection designed to prevent misuse of personal information
- Notice: privacy statements
- Collection limitation: collect only what is relevant to the purpose of collection
- Use of information: only for the purposes of collection and related purposes, as a rule
- Choice: individuals should have a clear choice regarding collection, use and disclosure of their information
- Integrity of information: accurate, complete
- Security safeguards: protect against risks
- Access and correction: empower individuals
- Accountability: the personal information controller

Some Global Considerations
- Outsourcing: even if you don't have global operations, do you outsource to another country?
- Sharing information: you might not be able to share the same information globally that you can share nationally.

Best Practices for Risk Program Development
- Be prepared
- Establish a process
- Know the right questions to ask for your organization and industry

Generic Risk Assessment Questions for Your Consideration
- What data do you collect and maintain, and on whom? Customers, employees, others
- What format is the data in? Electronic, paper
- What laws and regulations apply to the collection and storage of the data? State, federal, international
- What laws and regulations govern the compromise of the data? State, federal, international

Generic Risk Assessment Questions for Your Consideration (cont'd)
- How is electronic data stored? Behind a firewall? Encrypted?
- Where is the data stored? Physically, electronically, geographically
- Do you require unique user names and passwords for systems containing restricted information?
- By what means is restricted information accessed? Within your secure system, via the web, via VPN

Generic Risk Assessment Questions for Your Consideration (cont'd)
- Who in your organization has access to the data?
- How is the level of access controlled? Physically, electronically
- Who external to your organization has access to the data? Clients, vendors
- What policies and procedures exist regarding privacy and information security?
- What training and education is in place for workforce members?
- What background checks are done on personnel in key positions related to privacy and information security?

Generic Risk Assessment Questions for Your Consideration (cont'd)
- What areas have the external regulatory bodies been focusing on for your industry segment? Recent cases, recent regulatory actions

Risk Management, Specifically Breach Handling
- Be prepared
- Do your legal research
- Establish a process
- Identify potential external resources early

Be Prepared
- Establish a process to identify who should be notified when a potential breach occurs.
- Work with your internal bulk mailing function to understand the process if they need to become involved.
- Know your legal obligations.

Legal Obligations
- What laws apply? Are they based on industry or type of organization?
- What data elements must be involved?
- What timeframe are you dealing with?
- Does more than one law potentially apply? State, federal, international

Pre-planning
- You might consider establishing a database that allows you to track the types of potential breaches you have had and whether you were required to notify. This is particularly helpful if you are required to report breaches to regulators at set intervals.
- You should also consider whether you want to have a retainer contract with a company that helps handle breaches. Many of them will allow a contract with no payment unless services are used, or a nominal retainer payment for possible future use.

Pre-planning (cont'd)
Think about the use of legal counsel:
- Do you have internal expertise?
- Do you want to do some due diligence before a breach occurs?

Some Thoughts on Litigation Planning and Compliance Considerations
1. Be proactive; have a plan in place before a breach occurs.
2. Preparation for a data breach ought to be part of your compliance program.
3. Have an incident response team in place; integrate legal and IT expertise; decide what your internal investigation should capture.
4. Establish guidelines for communicating with outside parties; draft an incident response notice in advance.
5. Assume at the outset that there will be a lawsuit, or some form of government investigation, and act accordingly.
6. Create documents with the expectation that they will become exhibits in a lawsuit or enforcement action against you.
7. Do not assume that notification within the time period set out in the statute or regulation is sufficient.
8. Remember, you are preparing your defense as you respond to the breach.

QUESTIONS

Contact Information
George B. Breen, 202-861-1823, gbreen@ebglaw.com
Marti Arvin, 310-794-6763, MArvin@mednet.ucla.edu

APPENDIX
The following slides are for your information only and will not be discussed in the presentation.

HITECH: Breach
- In the event of a breach of unsecured PHI, a Covered Entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached.
- A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner that violates the Privacy Rule or Security Rule and which "compromises the security or privacy of the [PHI]".
- Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary. (HHS's guidance identifies encryption and destruction as the qualifying methods, so an encrypted lost laptop or drive with the key managed separately falls outside the notification rule; an unencrypted one does not.)

HITECH: Reporting Standard
- Statute: "unauthorized acquisition, use or disclosure which compromises the security, privacy or integrity" of PHI, with exceptions for inadvertent disclosure to or by a workforce member, BA or organized health care arrangement participant.
- Regulation: does the breach compromise the security or privacy of the PHI and pose a "significant risk of financial, reputational, or other harm to the individual"?

HITECH: Risk of Harm Standard
- The risk of harm standard requires that a Covered Entity undertake some form of risk assessment in the event of a breach and, based upon the assessment, determine in good faith whether it is necessary to notify the individual of the breach.
- The preamble to the Breach Notification Rules specifically references a 2007 Memorandum (M-07-16) issued by the Office of Management and Budget for examples of the types of factors that may need to be taken into account in determining whether an impermissible use or disclosure presents a significant risk of harm to the individual.
- (Later development, not on the original slides: the January 2013 HIPAA Omnibus Final Rule replaced this harm standard with a presumption that an impermissible use or disclosure is a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised.)

HITECH: Notice Requirements
- Notice must be made to the affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
- A breach is considered to be discovered by the entity as of the first day on which the breach is known to the entity, or should have been known to the entity if it had exercised reasonable due diligence.

Notice Requirements (cont'd)
The notice must:
- If the breach of unsecured PHI involves more than 500 residents of a state, the Covered Entity must notify media outlets within that state.
- The Covered Entity must also notify the Secretary of any breach involving 500 or more people.
- If the breach occurs at or through a Business Associate, the Business Associate must notify the Covered Entity of the breach within 60 days of discovering the breach so that the Covered Entity is able to comply with its breach reporting obligations.
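The breach-tracking database suggested in the pre-planning slides and the HITECH notice rules in this appendix can be combined into a small triage helper. The following is an added example, not part of the presentation; it encodes the thresholds and deadlines as stated on the slides (60 calendar days from discovery, media notice above 500 residents of one state, Secretary notice at 500 or more individuals, the encryption/destruction safe harbor, and the interim-rule significant-risk-of-harm finding as an input). The Incident and Obligations records, the make_incident and tracking_row helpers, and the sample incidents are all constructed for illustration; the annual-log rule for breaches under 500 individuals is marked in a comment as coming from the regulation rather than the slides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW = timedelta(days=60)  # individual notice: no later than 60 calendar days after discovery
MEDIA_THRESHOLD = 500               # media notice: more than 500 residents of a single state
SECRETARY_THRESHOLD = 500           # Secretary notice: breach involving 500 or more individuals


@dataclass
class Incident:
    # Constructed incident record; every field is supplied by the responder.
    known_on: date                     # first day the entity actually knew of the event
    should_have_known_on: date         # first day reasonable diligence would have surfaced it
    affected_by_state: Dict[str, int]  # state of residence -> number of affected individuals
    phi_unsecured: bool                # False only if encrypted/destroyed per the Secretary's guidance
    significant_risk_of_harm: bool     # outcome of the documented risk assessment (interim-rule standard)
    via_business_associate: bool = False


@dataclass
class Obligations:
    discovery_date: date
    reportable: bool
    reason: str
    individual_notice_by: Optional[date] = None
    ba_notice_to_ce_by: Optional[date] = None
    media_notice_states: List[str] = field(default_factory=list)
    notify_secretary_now: bool = False
    log_for_annual_report: bool = False


def make_incident(known_on: str, should_have_known_on: str, affected_by_state: Dict[str, int],
                  phi_unsecured: bool, significant_risk_of_harm: bool,
                  via_business_associate: bool = False) -> Incident:
    """Build an Incident from ISO-8601 date strings, as a tracking database would store them."""
    return Incident(date.fromisoformat(known_on), date.fromisoformat(should_have_known_on),
                    dict(affected_by_state), phi_unsecured, significant_risk_of_harm,
                    via_business_associate)


def discovery_date(inc: Incident) -> date:
    # A breach is "discovered" on the first day it is known, or should have been
    # known with reasonable diligence, whichever comes first.
    return min(inc.known_on, inc.should_have_known_on)


def triage(inc: Incident) -> Obligations:
    found = discovery_date(inc)
    if not inc.phi_unsecured:
        # Secured PHI is outside the notification rule (the encryption/destruction safe harbor).
        return Obligations(found, False, "PHI was secured; no notice required")
    if not inc.significant_risk_of_harm:
        # Under the interim final rule's harm standard, no significant risk means no reportable breach.
        return Obligations(found, False, "risk assessment found no significant risk of harm")

    total = sum(inc.affected_by_state.values())
    obl = Obligations(found, True, f"unsecured PHI of {total} individuals")
    obl.individual_notice_by = found + NOTICE_WINDOW
    if inc.via_business_associate:
        # The BA has its own 60-day clock to tell the CE. The CE's clock runs from the
        # CE's own discovery, so this is not extra time for the CE.
        obl.ba_notice_to_ce_by = found + NOTICE_WINDOW
    obl.media_notice_states = sorted(
        state for state, n in inc.affected_by_state.items() if n > MEDIA_THRESHOLD)
    if total >= SECRETARY_THRESHOLD:
        obl.notify_secretary_now = True
    else:
        # Not stated on the slides: smaller breaches go in a log reported to the
        # Secretary annually (45 CFR 164.408(c)).
        obl.log_for_annual_report = True
    return obl


def tracking_row(inc: Incident, obl: Obligations) -> Dict[str, object]:
    """Flat row for the breach-tracking database the pre-planning slides recommend keeping."""
    return {
        "discovered": obl.discovery_date.isoformat(),
        "individuals": sum(inc.affected_by_state.values()),
        "states": ",".join(sorted(inc.affected_by_state)),
        "phi_unsecured": inc.phi_unsecured,
        "notification_required": obl.reportable,
        "reason": obl.reason,
    }


if __name__ == "__main__":
    # Constructed record loosely modelled on the CT v. Health Net facts above.
    lost_drive = make_incident("2009-05-14", "2009-05-14", {"CT": 446_000}, True, True)
    result = triage(lost_drive)
    print(result)
    print(tracking_row(lost_drive, result))
```

The deadline is computed from the earlier of the two discovery dates on purpose: the regulatory clock starts when the entity should have known, so a slow internal escalation shortens the window rather than extending it. The risk-of-harm finding is deliberately an input, since it is a documented judgment the entity must be able to defend (item 6 of the litigation-planning list), not something a script should decide.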

HITECH: Civil Penalties
Penalties for violations are tiered. Each tier is capped at $1,500,000 per calendar year for violations of an identical provision.
(1) Did not know:                    $100 to $50,000 per violation
(2) Reasonable cause:                $1,000 to $50,000 per violation
(3) Willful neglect, corrected:      $10,000 to $50,000 per violation
(4) Willful neglect, not corrected:  $50,000 per violation, up to the same $1,500,000 calendar-year cap

HITECH: Criminal Penalties
HIPAA criminal penalties are extended beyond CEs to:
- BAs
- BA (and CE) employees and agents
- Unauthorized individuals who obtain or disclose PHI maintained by a CE (or BA)

HITECH: Criminal Penalties (cont'd)
- $50,000 and/or 1 year imprisonment for a knowing violation
- $100,000 and/or 5 years imprisonment for a violation committed under false pretenses
- $250,000 and/or 10 years imprisonment for a violation committed with intent to sell, transfer or use PHI for commercial advantage, personal gain, or malicious harm