Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker


Overview
» Patient information confidentiality
  Grant requirements
  HIPAA
» Data breach notification laws
» Protecting intellectual property and trade secrets
» President's Task Force on Cybersecurity
» Questions and Answers

Accountability and oversight
» Patients/research subjects
» University (see BPM-1201-1205)
» Granting agencies
» Office of Civil Rights (HIPAA)
» Department of Justice (False Claims Act)
» Qui tam relators (False Claims Act)

HIPAA requirements
» Privacy Rule
  Covered entities must protect confidentiality of Protected Health Information
» Security Rule (applies to EPHI)
  Administrative safeguards
  Physical safeguards
  Technical safeguards

HIPAA enforcement
» Civil money penalties
  $100 - $50,000+ per violation
  $1,500,000 per calendar year cap
» Criminal penalties for knowing violations
  Fines of $50,000 up to $250,000 depending on circumstances
  Prison sentences of 1-10 years depending on circumstances

Examples
» UCLA, July 7, 2011
  Employees inappropriately accessed patient records over 4-5 years
  $865,500 settlement and corrective action plan
» Blue Cross and Blue Shield of Tennessee, March 9, 2012
  57 unencrypted hard drives were stolen
  $1,500,000 settlement and corrective action plan

Examples, cont.
» Alaska Department of Health and Social Services, June 26, 2012
  Unencrypted USB drive was stolen
  $1,700,000 settlement and corrective action plan
» Affinity Health Plan, Inc., August 14, 2013
  Photocopiers returned to vendors with PHI of approximately 350,000 individuals
  $1,215,780 settlement and corrective action plan

HIPAA Data Breach Requirement
» Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act
» Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information

HIPAA Data Breach Requirement
» Definition of Breach
  Impermissible use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual

HIPAA Data Breach Requirement
» Exceptions to Definition of Breach
  Unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a CE or BA.
  Inadvertent disclosure of protected health information from a person authorized to access protected health information at a CE or BA to another person authorized to access protected health information at the covered entity or business associate.

HIPAA Data Breach Requirement
» Exceptions to Definition of Breach
  In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

HIPAA Data Breach Requirement
» Breach Notification Requirements for CEs
  Notify affected individuals following the discovery of a breach.
  Provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.

HIPAA Data Breach Requirement
» Breach Notification Requirements for CEs
  If the CE has insufficient or out-of-date contact information for 10 or more individuals, provide substitute individual notice by either posting the notice on the home page of its web site or providing notice in major print or broadcast media where the affected individuals likely reside.

HIPAA Data Breach Requirement
» Breach Notification Requirements for CEs
  If the CE has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.

Missouri Data Breach Requirement
» Scope of Missouri Law
» First name/initial and last name with unencrypted:
  Medical information (any information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional).
  Health insurance information (health insurance policy number or subscriber ID number, or any unique identifier used by a health insurer to identify an individual).

Missouri Data Breach Requirement
» Scope of Missouri Law
» In addition to the common elements of first name or initial and last name in combination with unencrypted SSN, DL, or account number, MO also includes unencrypted:
  Other Financial Information: Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Missouri Data Breach Requirement
» Notice
  Some discretion. If the entity conducts an appropriate investigation and determines that the risk of identity theft or fraud to the affected individual is not reasonably likely to occur as a result of the breach, no notice is required. However, the entity must maintain documentation supporting this determination for five years.

Missouri Data Breach Requirement
» Notice
  Methods for Notice: telephone, electronic means, in writing.
  Substitute notice: email, posting on the entity's website, or notice to major statewide media.
  If an entity maintains info but does not own it, it must notify the owner of the info.
  If a breach impacts more than 1,000 Missouri residents at one time, notice must be provided to the State AG office.
  Civil penalties for violating the statute may reach up to $150,000 per breach of the security of the system.

Protecting Trade Secrets
» Trade Secrets are a common alternative to Patent
» Defined:
  Information, process, formula, method, technique
  Derives value from not being publicly known; and
  Is subject to reasonable efforts to maintain secrecy.
» Key Point: it doesn't matter how an alleged trade secret becomes public.
  Religious Technology Center v. Netcom: religious group lost trade secret claim because trade secrets acquired through improper means were posted on the internet

President Obama's Cybersecurity Executive Order
» Calls for a Framework for cybersecurity intelligence sharing between government and the private sector
» Framework will allow intelligence to be gathered on cyberattacks and cyberthreats

President Obama's Cybersecurity Executive Order
» Framework will focus on Areas for Improvement:
  Authentication
  Automated Indicator Sharing
  Conformity Assessment
  Data Analytics
  International Aspects, Impacts and Alignment
  Privacy
  Supply Chains and Interdependencies