Federal Breach Notification Decision Tree and Tools

Similar documents
University of Wisconsin-Madison Policy and Procedure

HIPAA FOR BROKERS. revised 10/17

QUALITY HIPAA December 23, 2013

by Robert Hudock and Patricia Wagner April 2009 Introduction

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

A Panel Discussion. Nancy Davis

Security and Privacy Breach Notification

Privacy & Information Security Protocol: Breach Notification & Mitigation

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Putting It All Together:

Breach Notification Remember State Law

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Steffanie Hall, RHIA HIM Director/Privacy Officer 1201 West 12 th Emporia, Kansas ext

HIPAA and HIPAA Compliance with PHI/PII in Research

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

HIPAA Privacy, Security and Breach Notification

Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA-HITECH: Privacy & Security Updates for 2015

Audits Accounting of disclosures

HIPAA & Privacy Compliance Update

HIPAA Security and Privacy Policies & Procedures

Data Compromise Notice Procedure Summary and Guide

The HIPAA Omnibus Rule

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Employee Security Awareness Training Program

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Red Flags/Identity Theft Prevention Policy: Purpose

Summary Comparison of Current Data Security and Breach Notification Bills

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Beam Technologies Inc. Privacy Policy

HIPAA Omnibus Notice of Privacy Practices

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

HIPAA Federal Security Rule H I P A A

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

UTAH VALLEY UNIVERSITY Policies and Procedures

HIPAA Security Manual

University of Mississippi Medical Center Data Use Agreement Protected Health Information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Revised January

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

HIPAA Tips and Advice for Your. Medical Practice

Seattle University Identity Theft Prevention Program. Purpose. Definitions

Subject: University Information Technology Resource Security Policy: OUTDATED

NOTICE OF PRIVACY PRACTICES

Analysis of the Final Rule, August 25, 2009 Health Breach Notification

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Your Information. Your Rights. Our Responsibilities.

LCU Privacy Breach Response Plan

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

Red Flag Policy and Identity Theft Prevention Program

PRIVACY-SECURITY INCIDENT REPORT

Privacy Breach Policy

RETINAL CONSULTANTS OF ARIZONA, LTD. HIPAA NOTICE OF PRIVACY PRACTICES. Our Responsibilities. Our Uses and Disclosures

Ferrous Metal Transfer Privacy Policy

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA / HITECH Overview of Capabilities and Protected Health Information

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Identity Theft Prevention Policy

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

( Utility Name ) Identity Theft Prevention Program

ecare Vault, Inc. Privacy Policy

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA For Assisted Living WALA iii

Consolidated Privacy Notice

PRIVACY POLICY Let us summarize this for you...

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

Data Breach Response Guide

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

CTI BioPharma Privacy Notice

Data Use and Reciprocal Support Agreement (DURSA) Overview

Notice of Privacy Practices Page 1

Prevention of Identity Theft in Student Financial Transactions AP 5800

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

For any questions regarding this notice call: Meredith Damboise, Privacy Officer , ext. 17

Overview of Presentation

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Implementing an Audit Program for HIPAA Compliance

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

Credit Card Data Compromise: Incident Response Plan

Compliance & HIPAA Annual Education

PRIVACY STATEMENT. Effective Date 11/01/17.

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

HIPAA Privacy and Security Training Program

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Transcription:

Federal Breach Notification and Tools Disclaimer This document is copyright 2009 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers and their health care affiliates for their internal use, in connection with their efforts to comply with relevant legal rules and regulations. All other reproduction, transfer and use is prohibited without the express written consent of the LTCC. Neither the LTCC nor its members make any representation that use of these materials will ensure other legal compliance. LTCC Mission Statement To provide leadership and guidance to the long term care profession utilizing the member organizations collective knowledge, expertise and information resources to improve overall compliance efforts and reduce the overall burden of compliance through collaboration on important initiatives that are common to the profession. Breach Notification Overview On August 24, 2009, the Department of Health & Human Services Breach Notification for Unsecured Protected Health Information Interim Final Rule (Federal Breach Notification Rule) was published in the Federal Register as required by the American Recovery & Reinvestment Act of 2009. The new federal breach reporting requirements apply to HIPAA covered entities and their business associates. It requires covered entities to notify individuals whose unsecured protected health information (PHI) has been accessed, acquired or disclosed because of a breach, which is defined as the unauthorized acquisition, access, use or disclosure of PHI. The rule also outlines a few exceptions to the definition of a breach. To determine whether a breach has occurred, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the resident as a result of an impermissible use or disclosure. After a breach has been discovered, affected residents must be notified of the breach without unreasonable delay and no later than 60 days. Breaches affecting more than 500 residents must be reported immediately to HHS and the media. Breaches affecting less than 500 residents are logged and reported to HHS on an annual basis. When Page 1 of 16

calculating the number of affected residents, take into consideration the structure of the organization all reporting is at the covered entity level. The rule provides updated guidance specifying the technologies and methodologies that render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals and therefore not subject to the notification requirements because the information does not meet the unsecured protected health information criteria. Using the and Tools This document serves as a guide to determine if a reported incident involves a breach of PHI information in a manner that requires notification of the affected residents and what method of notification is required under the federal breach regulation. This document does not address state security breach notification requirements. Each decision references additional information on subsequent pages which may be useful throughout the assessment of an incident. You will need to document your assessment process to support your conclusions. Though you may conclude that notification is not required under federal law, you should review any applicable state laws as well as your organization s policies and procedures to assess whether it is prudent to proceed with notification even though it may not be required. Sample notification letters to affected residents and the media are available on the LTCC site for your reference. Page 2 of 16

Incident Assessment federal Incident report of potential breach (possible sources include internal, external, BA, etc) state Review state breach reporting requirements I-1 Did incident occur on or after 9/23/2009 I-2 Did incident involve PHI? I-3 Did incident involve unsecured PHI? Notification is not required per the Federal Breach Notification Interim Final Rule. I-4 Was there a breach? I-4 a Permitted uses and disclosures Was there a breach? b Exceptions to the breach definition Proceed with notification process c Harm determination Page 3 of 16

Identification of PHI breach which requires federal notification (refer to incident assessment decision tree) Notification Process N-1 Has law enforcement requested a notification delay? N-2 What is the method of the request? written Delay notification for the time period specified, then proceed. verbal no Delay notification for up to 30 days, then proceed. Deliver notification to affected parties (see sample letter for notification requirements) Written notice to be delivered via firstclass mail to last known address or electronic notice via email if agreed upon N-3 Does urgency exist because of possible imminent misuse? no Provide additional notice, such as by telephone These notifications must be delivered without unreasonable delay and in no case later than 60 days after breach discovery by the covered entity. In some instances, it may be unreasonable to wait 60 days. N-4 Is there out of date contact info for 10 or more individuals? Deliver substitute notice on CE website or media no N-5 Did breach involve more than 500 individuals? N-6 Did breach affect more than 500 residents from a state or jurisdication? no Track incident in breach log no Provide notice to Secretary HHS via website (insert link) Within 60 days of end of calendar year, deliver notification to Secretary, HHS Provide notice to Secretary HHS via website Deliver notification to prominent media outlet for state or jurisdiction. (See sample press release) Page 4 of 16

Incident Assessment Points The effective date of this interim final rule is September 23, 2009. Notification requirements apply to breaches that occurred on or after September 23, 2009. The HIPAA Rules define protected health information as the individually identifiable health information held or transmitted in any form or medium by HIPAA covered entities and business associates. Excluded from the definition of PHI is de-identified information as defined in the HIPAA Privacy Rule and listed below: De-identified health information: Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information (see section 164.514(a) or glossary). Limited Data Sets: A limited data set is protected health information that excludes the direct identifiers of the individual or of relatives, employers, or household members of the individual. See the glossary for a list of the identifiers. The Federal Breach Notification Rule contains a narrow, explicit exception to a breach if the limited data set also excludes date of birth and zip code, because it does not compromise the security or privacy of PHI. Page 5 of 16

I-3 Did incident involve unsecured PHI? Due to the variations in each entity s environment, no uniform standards exist for secured Protected Health Information. Each covered entity must perform a risk assessment to determine if PHI is secured. The Federal Breach Notification Rule applies to unsecured PHI. The generally accepted definition of secured PHI is PHI that is rendered unusable, unreadable, or indecipherable to unauthorized individuals. Notification is not required for PHI that is considered secure. Section II in the Federal Breach Notification Rule contains guidance specifying the technologies and methodologies that render PHI secure. PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies: 1. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of a(n) process to transform data into a form in which there is a low probability of assigning meaning (to the data) without use of a confidential process or key (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data that they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard. These publications were cited as potentially valuable resources, although not required by CMS, for technical personnel having knowledge of the covered entity s IT environment with specific questions and concerns about securing PHI. (i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. 1 1 (http://www.csrc.nist.gov/) Page 6 of 16

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations 1 ; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs 1, or others which are Federal Information Processing Standards (FIPS) 140-2 validated. 2. The media on which the PHI is stored or recorded has been destroyed in one of the following ways: (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of destruction. (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization 1 such that the PHI cannot be retrieved. In order for a use or disclosure of resident information to be considered a breach, the acquisition, use or disclosure of the PHI must be in violation of the HIPAA Privacy Rule. Permissible uses and disclosure under the Privacy Rule must fall into one of the categories below. The following are questions you must ask and answer as you document your efforts in confirming a breach or validating a permissible use or disclosure. PERMITTED USES AND DISCLOSURES 1. Was the PHI accessed, acquired, used or disclosed for treatment, payment or healthcare operations purposes (refer to your notice of privacy practices)? If No, go to question #2 Page 7 of 16

If Yes, and the purpose was for treatment, it is not a breach. If Yes, and the purpose was for payment or healthcare operations, was the PHI the minimum necessary amount for the given task? If Yes, it is not a breach. If No, go to the section Harm Determination. 2. Was the PHI acquired, used or disclosed incidental to a permitted use or disclosure? In order for a use or disclosure to be considered incidental, it must be related to a use or disclosure that is either permitted or required under the Privacy Rule and the amount of information must have been the minimum necessary for the intended purpose and reasonable safeguards must have been taken to keep the information confidential. For example, the following practices are permissible under the Privacy Rule, if reasonable precautions were taken to minimize the chance of incidental disclosures to others who may be nearby: a. Health care staff may orally coordinate services at nursing stations. b. Nurses or other health care professionals may discuss a resident s condition over the phone with a provider or legal representative. c. A health care professional may discuss lab test results with a resident or other provider in a joint treatment area. d. A physician may discuss a residents condition or treatment regimen in the resident s semi-private room. If Yes, it is not a breach. If No, go to question 3. 3. Was the PHI disclosed pursuant to and in compliance with a HIPAA-compliant authorization? If Yes, it is not a breach. If No, go to question 4. 4. Was the PHI accessed, acquired, used or disclosed for facility directory purposes in compliance with 164.510(a)? If Yes, it is not a breach. If No, go to question 5. Page 8 of 16

5. Was the PHI accessed, acquired, used or disclosed for involvement in the resident s care and notification purposes in compliance with 164.510(b)? If Yes, it is not a breach. If No, go to question 6. 6. Was the PHI accessed, acquired, used or disclosed pursuant to 164.512 uses and disclosures for which an authorization or opportunity to agree or object is not required? Was it: a. required by law, b. for public health activities, c. about victims of abuse, neglect or domestic violence, d. for health oversight activities, e. for judicial and administrative proceedings, f. for law enforcement purposes, g. about decedents, h. for cadaveric organ, eye or tissue donation purposes, i. for research purposes, j. to avert a serious threat to health or safety, k. for specialized government functions, OR l. for workers compensation purposes, AND m. in compliance with the requirements outlined in 164.512? If Yes, it is not a breach. If No, go to question 7. EXCEPTIONS TO THE BREACH DEFINITION Does the impermissible access, acquisition, use or disclosure fall under one of the following exceptions? 7. Was it an incidental access, use or disclosure by a workforce member of the covered entity or business associate: a. While acting under the organization s authority, and b. Made in good faith, and c. Within their scope of authority, and d. Does not result in a further use or disclosure? i. For example, a billing employee receives and opens an e-mail containing protected health information about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices that he is not the intended recipient, alerts the nurse of the misdirected e-mail, and then deletes it. The billing employee unintentionally accessed protected health information to which he was not authorized to have access. However, the billing employee s Page 9 of 16

If Yes, there is no breach. If No, go to question 8. use of the information was done in good faith and within the scope of authority, and therefore, would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule. 8. Was it an inadvertent disclosure: a. By a person who is authorized to access protected health information at a covered entity or business associate, b. To another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and c. The information received as a result of such disclosure is not further used or disclosed in a manner not permitted by the Privacy Rule? i. For example, a nurse calls a doctor who provides medical information on a resident in response to the inquiry. It turns out the information was for the wrong resident and the information was not further used or disclosed by the doctor. If Yes, there is no breach. If No, go to question 9. 9. Was it a disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information? i. For example, a medical records clerk hands a resident a copy of a medical record, but quickly realizes that it was another resident s record and requests the return of the record. In this case, if the medical records clerk can reasonably conclude that the resident could not have read or otherwise retained the information, then providing the medical record to the wrong resident does not constitute a breach. If Yes, there is no breach. If No, proceed to question 10. Page 10 of 16

HARM DETERMINATION 10. Was the PHI accessed, acquired, used or disclosed by another entity governed by the HIPAA Privacy and Security Rules or a Federal Agency obligated to comply with the Privacy Act of 1974 and Federal Information Security Management Act (FISMA) of 2002? If Yes, were immediate steps taken to mitigate the impermissible use/disclosure/acquisition? For example: a. Was the recipient contacted and were satisfactory assurances obtained assuring that the PHI would not be further used or disclosed or would be destroyed? Or b. Was the PHI not accessed, opened, altered, transferred or otherwise compromised? For example, a mailing is returned unopened or through analysis it is determined that information on a laptop or computer was not accessed. If Yes, and the steps above eliminated or reduced the risk of harm to the individual to a less than significant risk, then we interpret that the security and privacy of the information has not been compromised and, therefore, no breach has occurred. If No, go to question 11. 11. Does the type or amount of PHI accessed, acquired, used or disclosed pose a significant risk of financial, reputational or other harm to the resident? a. Was only minimal PHI acquired, accessed, used or disclosed such as just the patient name and the fact that services were received? b. Did the PHI include the resident s name and type of services received? For example: were services from a specialized facility such as an infectious disease clinic or substance abuse provider? c. Did the PHI include high risk information that could be used for identity theft such as name, social security number, date of birth, financial or credit card account numbers, driver's license number or state-issued identification card number or maiden name? d. Did the PHI include only a limited data set as defined by the Privacy Rule and the likelihood of re-identification is low? For example, if the information included the zip code for a metropolitan city vs. a rural location. If the type or amount of PHI that was accessed, acquired, used or disclosed DOES NOT pose a significant risk of financial, reputational or other harm to the resident, then we interpret that the security and privacy of the information has not been compromised and, therefore, no breach has occurred. Page 11 of 16

If the type or amount of PHI that was accessed, acquired, used or disclosed DOES pose a significant risk of financial, reputational or other harm to the resident, then there IS likely a breach. Continue the investigation and document your decision. Page 12 of 16

Notification Process Points N-1 Has law enforcement requested a notification delay? If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting would impede a criminal investigation, or cause damage to national security, notification should be delayed. Law enforcement requests are accepted in two formats: written statement or oral statement. If the type of request is oral, the covered entity should delay notification for a period of up to 30 days, then proceed with the notification process. If the request is written, the request should specify a time frame for the delay. The covered entity should honor the request and delay notice as specified. Page 13 of 16

In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured PHI, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to the standard notice. In the case where there is insufficient or out-of-date contact information for ten or more affected individuals, a substitute notice is required. This substitute notice must be provided in the form of a media announcement or conspicuous posting for a period of 90 days on the covered entity s web site home page. Based upon the number of individuals affected by the breach, additional notice may be required. Determine the number of affected individuals and proceed accordingly. Page 14 of 16

Where a breach affects more than 500 residents from a state or jurisdiction, additional notice is required. In that case, the covered entity shall notify prominent media outlets serving the state or jurisdiction. Page 15 of 16

REFERENCES American Recovery and Reinvestment Act of 2009 (ARRA): Final text of legislation (HITECH = Title VIII) http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf Federal Breach Notification Rule: General information http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index. html Interim final rule http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf Breach notification guidance http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregist erbreachrfi.pdf Guidance for securing PHI http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguid ance.html o Encryption of data at rest NIST 800-111 o Encryption of data in motion (TLS) NIST 800-52 o Encryption of data in motion (VPN) NIST 800-113 o Guidelines for media sanitation NIST 800-88 http://www.csrc.nist.gov/publications/pubssps.html o Cryptographic security FIPS 140-2 http://www.csrc.nist.gov/publications/pubsfips.html Instructions for submitting notice to the secretary: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction. html Page 16 of 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback