How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Similar documents
University of Wisconsin-Madison Policy and Procedure

QUALITY HIPAA December 23, 2013

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Breach Notification Remember State Law

Federal Breach Notification Decision Tree and Tools

A Panel Discussion. Nancy Davis

Privacy & Information Security Protocol: Breach Notification & Mitigation

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Mobile Technology meets HIPAA Compliance Tuesday, March 28, 2017

by Robert Hudock and Patricia Wagner April 2009 Introduction

Security and Privacy Breach Notification

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA & Privacy Compliance Update

HIPAA FOR BROKERS. revised 10/17

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Policy and Procedure: SDM Guidance for HIPAA Business Associates

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Mobile Technology meets HIPAA Compliance. Tuesday, May 2, 2017 MT HIMSS Conference

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

HIPAA Highlights and Impact to your Telehealth Program. Wednesday, Sept 27, 2017

Cyber Security Issues

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

The HIPAA Omnibus Rule

Putting It All Together:

Employee Security Awareness Training Program

PTLGateway Data Breach Policy

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

HIPAA Security Manual

Electronic Communication of Personal Health Information

HIPAA For Assisted Living WALA iii

Cyber Risks in the Boardroom Conference

HIPAA Privacy, Security and Breach Notification

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

SECURITY & PRIVACY DOCUMENTATION

HIPAA Security and Privacy Policies & Procedures

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

PRIVACY-SECURITY INCIDENT REPORT

Data Use and Reciprocal Support Agreement (DURSA) Overview

EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites

HIPAA Tips and Advice for Your. Medical Practice

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

Data Compromise Notice Procedure Summary and Guide

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Table of Contents. PCI Information Security Policy

SURVIVING THE CYBERPOCALYPSE. Craig Felty Vice President, Patient Care Services Hancock Regional Hospital

HIPAA Security Checklist

HIPAA Security Checklist

Privacy Breach Policy

You ve Been Hacked Now What? Incident Response Tabletop Exercise

Subject: University Information Technology Resource Security Policy: OUTDATED

What is Cybersecurity?

Red Flags/Identity Theft Prevention Policy: Purpose

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

CCISO Blueprint v1. EC-Council

Summary Comparison of Current Data Security and Breach Notification Bills

Information Governance, the Next Evolution of Privacy and Security

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Information Security Incident Response Plan

Security Breaches: How to Prepare and Respond

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

What to do if your business is the victim of a data or security breach?

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Information Security Incident Response Plan

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Data Breach Response Guide

HIPAA Security Rule Policy Map

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

CISO View: Top 4 Major Imperatives for Enterprise Defense

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

UTAH VALLEY UNIVERSITY Policies and Procedures

HIPAA Enforcement Training for State Attorneys General

ADIENT VENDOR SECURITY STANDARD

DATA BREACH NUTS AND BOLTS

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

SANMINA CORPORATION PRIVACY POLICY. Effective date: May 25, 2018

Credit Card Data Compromise: Incident Response Plan

LCU Privacy Breach Response Plan

HIPAA Privacy, Security and Breach Notification 2017

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

DATA PROCESSING AGREEMENT

Cybersecurity and Hospitals: A Board Perspective

Schedule Identity Services

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

Transcription:

How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016

This Webinar is Brought to You By.

About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are private, non-profit, community-based Quality Improvement Organizations (QIO) that have dedicated more than three decades to improving health and health care and are composed of locally governed organizations in: Alaska, Hawaii, Montana, Nevada, New Mexico, Oregon, Utah and Wyoming. As part of our efforts to assist hospitals and practices with HIPAA compliance, HealthInsight and Mountain-Pacific Quality Health teamed together to form HIPAA Privacy and Security Solutions, or HIPAA PASS, to offer affordable, easy and comprehensive Risk Analysis and Risk Management services.

Susan Clarke, HCISPP (ISC) 2 certified Health Care Information Security and Privacy Practitioner. 15+ years of Health Care Experience. 10+ years design and development EHR software, BS with computer science major. Served on joint commission steering committee at Mayo Clinic affiliated Health Care System. National Incident Management Systems Certificate. Served on IT Security and Disaster Recovery councils with experience as communications unit lead during Health Care system s ready and complete alerts. Received national recognition as a peer reviewer for ONC and has served as a peer reviewer for CMS and HRSA for health information technology proposals.

Mark Norby, CHP 15 Years of IT experience Eight Years as the CIO of the Community Health Center of Central Wyoming and University of Wyoming Family Medicine Residency Program Six Years as a HIPAA Compliance Officer Four Years as a HIPAA Compliance Consultant Provided help to more than 150 hospitals and clinics

Disclaimers The presenters are not attorneys and do not give legal advice There are many different interpretations of HIPAA regulations Materials referenced are meant to serve as examples and may not be suitable for every organization 6

Agenda Definitions Breach Exclusions Policy Statement Reporting and Responding to an Incident Responding to an Incident or Complaint The Four Factor Risk Assessment Evaluating and Incident or Complaint Action Plan

Breach Breach means the unauthorized acquisition, access, use, or disclosure of personal health information (PHI) in a manner not permitted by the Privacy Rule which compromises the security or privacy of such information. 8

Discovered Discovered means the first day on which the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity. 9

Security Incident Security incident means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. 10

Protected Health Information (PHI) Protected health information (PHI) generally means identifiable or potentially identifiable health information that is transmitted or maintained in electronic media or any other form or medium. (For the complete definition, please consult 45 CFR 160.103). 11

Unsecured PHI Unsecured PHI means PHI that is not secured through the use of a technology or methodology specified by the Secretary that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals. E.G. has not be encrypted or properly destroyed. 12

Where the Damage Comes From

Breach Exclusions Any unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule. 14

Breach Exclusions Cont. Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule. 15

Breach Exclusions Cont. A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. 16

Is It a Breach? Other than the exclusions listed above, an acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment covering at least four factors. to be covered shortly. 17

Ransomware is a Breach Ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom in order to obtain a key to decrypt the data. Ransomware frequently infects devices and systems through spam, phishing messages, websites, and email attachments and enters the computer when a user clicks on the malicious link or opens the attachment. 18

Security Incident Policy Statement The practice shall outline its process for evaluating and reporting known or suspected privacy violations or security incidents. This process shall include a contact list indicating to whom reports of such incidents should be made, who should be involved in determining if a breach of unsecured PHI has occurred and if affected individual(s) should be notified. See Breach Notification Sample Policy 19

Potential Members of Contact List Corporate Legal Officer Practice Attorney Insurance Agent Privacy Officer Security Officer CIO or Systems Manager Public Affairs/Corporate Communications Local FBI Field Office (Cyber attacks should always be reported to the FBI) Local Law Enforcement IT Vendor/Provider Key Vendor Contacts (software, infrastructure, data center) Optional: Local Computer Forensics Contractor (funded, contracted) 20

Report Incidents and Complaints Practice workforce members shall immediately report known or suspected privacy violations or security incidents to the Practice s Compliance Officer. Have the reporting employee or witness fill out a Security Incident Report (see samples) 21

Responding to the Incident or Complaint Upon receipt of a Security Incident Report, an investigation into the incident shall be initiated. The Security Incident Investigation Report should be completed as thoroughly as possible by the Incident Handler and Investigators. 22

Responding to the Incident or Complaint As soon as possible, but not later than 45 calendar days following discovery of an incident, the Compliance Officer shall complete a risk assessment to determine the probability that PHI has been compromised and attach it to the report. The risk assessment shall include, at minimum, the following four factors: 23

Factor 1: Nature and Extent of PHI The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification A. Was PHI involved B. Type of PHI C. Does the incident meet the definition of breach D. Likelihood of re-identification 24

Factor 2: To Whom the Disclosure was Made A. Did the recipient have an obligation to protect the privacy and security of PHI? B. Was the acquisition, access or use of PHI by a workforce member or person acting under the authority of the Practice? C. Was such acquisition, access or use made in good faith? D. Does the recipient have the ability to re-identify the PHI? E. Was the acquisition, access or use within the recipient's scope of authority? F. Did the acquisition, access, use or disclosure result in further use or disclosure in a manner not permitted by the Privacy Rule? 25

Factor 3: Was the PHI Accessed A determination must be made of whether the PHI was actually acquired or viewed, or rather, the opportunity to acquire or view existed, but was not acted upon. A. Was the PHI encrypted using at least 128 bit encryption or destroyed by an acceptable method of destruction? B. Following a forensic examination, did evidence establish that the information was not accessed? 26

Factor 4: Risk Mitigation The extent to which the risk to the PHI has been mitigated. A. A satisfactory assurance has been received from the recipient stating that the PHI has or will not be further used or disclosed B. The efficiency of the mitigation effectively limited availability to the PHI C. Does an exception to the notification requirement exist? D. Do the affected individuals need to be notified? 27

Breach Notification Decision Tree Start Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule? No NOT A BREACH; document the incident fully with the determination of not a breach Yes Was the information secured according to HHS guidance, or destroyed? Yes NOT REPORTABLE; document the incident and determination of not a reportable breach No Was the potential breach a use internal to your organization, that was -unintentional, in good faith with no further use, or - inadvertent and within job scope? No Is there any way the breached information can be retained? Yes YOU HAVE A BREACH; determine if if there is low probability of compromise Yes No NOT A BREACH; document the incident and determination of not a breach NOT A REPORTABLE; document the incident and determination of not a breach

Evaluating an Incident or Complaint The reporting obligation for the practice is triggered when a breach of unsecured PHI occurs. In order to have a breach of unsecured PHI, there must be PHI + a violation of the HIPAA Privacy Rule + compromise of the privacy and security of the PHI + unsecured PHI and no breach exclusions. 29

Evaluating an Incident or Complaint A. PHI involved: If no PHI is involved, there is no breach of unsecured PHI and no obligation to notify. B. Violation of the Privacy Rule: If the Compliance Officer determines that the violation compromises the privacy and the security of PHI, then the violation is a "breach." C. Ability of Practice to mitigate the risk of harm: The risk of harm may depend upon the ability of the Practice to mitigate the effects of the breach. The Risk Assessment Analysis tool can be used to help clarify whether you have a breach or not. 30

Action Plan Inquire about your incident response plan and review it Call a stakeholder meeting to plan improvements to breach readiness Update incident response plan Initiate review of state and federal breach notification requirements Draft/customize all templates Finalize roles and responsibilities Test your incident response plans 31

Links http://www.hhs.gov/sites/default/files/ransomwarefactsheet.pdf 32

Join our Next Webinar Breach Notification Requirements Date TBD! Timing of Notice Content of Notice Substitute Notice Notice to the Secretary of Health and Human Services Notice to the Media Necessary Templates Notice to Business Associates Retention of Documentation 33

Questions? Mark Norby, Certified HIPAA Professional (307) 258-5322 mnorby@healthinsight.org Visit our website: www.healthinsight.org/hipaapass for more information about our Privacy and Security Solutions! Thank you and have a wonderful day!!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback