PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

Transcription

1 PLEASE NOTE This is an interactive panel, and we will be conducting voting throughout. To make voting easy, please register NOW, before the panel starts. To register: - Text the phrase MICHAELBERWA428 to the number /23/2016 1

2 Handling Small Breaches: Policies, Procedures and Best Practices NCHICA Academic Medical Center Conference June, 2016

3 Panel Michael Berwanger - Director, Quality Management and Compliance, Medcost Patricia Corn - Privacy Program Manager, Wake Forest Baptist Medical Center JT Moser - Privacy Officer and Director Compliance- Wake Forest Baptist Medical Center Campbell Tucker - Director Privacy Office- Novant Health

4 Objectives Describe common pitfalls encountered when dealing with breaches. Discuss strategies for realizing consistency and efficiency in investigating privacy incidents and handling breaches. Explore how various functions - privacy, compliance, security, legal, and business areas- as well as peer organizations may collaborate to respond to and potentially reduce small incident and breach occurrences

5 Novant Health Privacy Office Information Security Office Privacy Director Legal Monitoring and Analytics Lead Privacy Office Manager Policies and Case Mgmt Patient Rights Coordinator Privacy Education Coordinator Monitoring & Analytics Specialist Investigations Specialist 5

6 Wake Forest Baptist Privacy Office Information Security Office Compliance Director Privacy Officer Legal Privacy Program Manager Privacy Analyst

7 MedCost Privacy Office General Counsel Privacy Official Information Security Official Human Resources Compliance Assistant

8 6/23/2016 8

9 Before the Incident Handling Small Breaches Making healthcare remarkable

10 Establish a process to ensure incidents are reported to the privacy office Educate about: What to report and when does staff have a sense of urgency? reporting to a central location Privacy Office Alert Line Business Associates agreement template should direct vendor where to report Does your discipline policy affect reporting?

11 Getting the information that you need Establish procedures and forms for recurring issues E.g., mailing/faxing errors Educate staff about being factual Avoid the subject line that begins with HIPAA violation Do you have audit logs for likely areas of vulnerability?

12 Assignment and Tracking Determine who will be primarily responsible to handle incidents and when Ensure there is continuous coverage Tracking Establish procedure to regularly review cases to ensure that matters are not dropped Case Management Tool

13 Line up resources ahead of time Call center Resolution services Credit bureau monitoring and id theft resolution Forensic support Legal assistance Contacts with law enforcement Internal reporting Get to know your peers at other organizations Cyber-insurance

14 Practice Establish a complaint policy for handling the everyday matters Document an incident response process for significant matters Practice the response process at least annually Ask team members to appear in person, away from an office Use simulation to drill, and to identify opportunities for improvement Report findings up Engage leaders who might not be familiar with the process

15 During the Incident Handling Small Breaches

16 During the Event Develop strategy/plan o Investigation plan Interview template? Interview report documentation Collection of Evidence o Documentation of investigation o Immediate mitigation Assemble the team o Role clarity/assignments

17 What Next? Immediate corrective actions o How did it happen? o How do we keep it from happening again? o Documentation Communication o Follow up with leaders o Follow up with complainant in reasonable time, if necessary

18 6/23/

19

20 20

21 21

22 22

23 A Data Breach Has Occurred NC Residents Involved? Yes Also Go Through Addendum A NO Involve PHI? YES Violate HIPAA Privacy Rule? YES NO No Reportable Breach NO We initially included an assessment for Breaches of the NC ID Protection Act. Since the harm standard is now different than the NC Act, we decided to move all of NC references to an appendix. NO Secured PHI? Qualify as exception? 1-Unintentional acquisition, access, or use of PHI by a workforce member 2- An inadvertent disclosure by a person who is authorized to access PHI 3- A disclosure where the person making the disclosure has a good faith belief that the unauthorized recipient would not reasonably be able to retain the PHI NO YES YES Exceptions were updated. Go Through Assessment 23

24 This tool can be used for documentation and reporting. Document your decision and rationale for defending your process later 24

25 Have you anticipated when you want to be notified by your BA? When was it discovered vs. when you found out? Have you indicated if they will perform an assessment on their own? Will you be instructing or monitoring their process? 25

26 We felt more was needed to help guide the question of secured or not secured. NIST added Exceptions added from the decision tree. Limited Data Sets were removed. 26

27 27

28 28

29 29

30 Again no score 30

31 31

32 Reportable Yes or No? If yes: odepending on the size- do you need resources? ohave an accountable person If no: odocument per your policies

33 Insert Medcost slide here After the Event

34 After the incident Your privacy and security program should be broader than individual incident management. To manage privacy and security risk, roll the individual incident into your broader framework to improve your organization and learn from the incident: 1. Finalize your documentation, follow your policies 2. Provide closure for the reporter 3. Keep leadership (including the Board) informed 4. Document your metrics 5. Learn and Educate

35 After the incident *Derived from NIST Special Pub rev. 2

36 Finalize Your Documentation HIPAA is a sliding scale of reasonableness based on the size and sophistication of the organization. Who does Privacy interact with, and how frequently to manage incidents? - HR - Legal - Security - etc

37 Finalize Your Documentation HIPAA is a sliding scale of reasonableness based on the size and sophistication of the organization. How are you intaking and managing incidents? - GRC platform - Shared Drive - - Use of templates

38 Periodically Report to Your Board The Board should receive regular reports regarding the organization s risk mitigation and compliance efforts... What statistics/ reports do you present to your board?

39 Track Your Metrics Identify the metrics that are important to your organization - Date of incident, date of report, close date, notice date (if applicable) - Reportable vs. not - Avoidable vs. not - Ex. Patient has provided an old address and you mail labs to their home address on file - Incident category - This will vary depending on size of organization, volume of reports, and other factors - Ex. , fax, laptop, thumb drive, paper, verbal - Ex. Electronic, Paper, Verbal

40 Track Your Metrics Identify the metrics that are important to your organization Ask your senior leadership/board of directors. What metrics will help drive change and improvements in your organization? o Malware events, outbound incidents, volumes, incident types, etc What is relevant in today s evolving environment? How do Security & Privacy present metrics in a distinct and collaborative fashion?

41 Education Education is more impactful if it is relevant, meaningful, and tailored for your organization s needs. Have at a minimum annual compliance training Start tracking metrics, and educate on some regular interval (monthly, bi-monthly, quarterly) based on need Consider gamification Have a quiz with a reward to increase readership Use free resources Gift cards!

42 Free education resources: Education 1.Have people return a screen shot of completed ransomeware game: 2.Send OCR settlements/penalties as newsletter via , include a quiz identifying an area you are interested in, ask people to respond to be entered for a gift card/coffee card. 3.Have managers host a training session to walk through ONC developed games for annual training:

43 Sanction Policy (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. 45 C.F.R (a)(1)(ii)(C).

44 Sanction Implementation osanction levels/process One size fits all sanction policy vs. discretion for circumstances owhere is sanction information stored for privacy matters as it pertains to the privacy incident file? oat what point does Privacy consult with HR?

45 QUESTIONS?

46 6/23/

47 6/23/