Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Similar documents
Policy and Procedure: SDM Guidance for HIPAA Business Associates

Putting It All Together:

Data Compromise Notice Procedure Summary and Guide

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA & Privacy Compliance Update

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Security and Privacy Breach Notification

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

HIPAA UPDATE. Michael L. Brody, DPM

Overview of Presentation

HIPAA Federal Security Rule H I P A A

HIPAA FOR BROKERS. revised 10/17

Cyber Security Issues

PRIVACY-SECURITY INCIDENT REPORT

HIPAA Security and Privacy Policies & Procedures

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA and HIPAA Compliance with PHI/PII in Research

A Panel Discussion. Nancy Davis

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Audits Accounting of disclosures

Privacy & Information Security Protocol: Breach Notification & Mitigation

QUALITY HIPAA December 23, 2013

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

American Academy of Audiology Responses to Questions from HIPAA Webinar

Federal Breach Notification Decision Tree and Tools

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

Summary Comparison of Current Data Security and Breach Notification Bills

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

Healthcare Privacy and Security:

EXHIBIT A. - HIPAA Security Assessment Template -

Table of Contents. PCI Information Security Policy

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Data Backup and Contingency Planning Procedure

Taming the Data Breach Beast... because we all know it will happen. John Tomaszewski Seyfarth Shaw January 2015

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA Security Manual

Presented by: Jason C. Gavejian Morristown Office

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

University of Wisconsin-Madison Policy and Procedure

COMMENTARY. Information JONES DAY

PTLGateway Data Breach Policy

HIPAA For Assisted Living WALA iii

The HIPAA Omnibus Rule

Cyber Risks in the Boardroom Conference

Employee Security Awareness Training Program

Virginia Commonwealth University School of Medicine Information Security Standard

Seattle University Identity Theft Prevention Program. Purpose. Definitions

What to do if your business is the victim of a data or security breach?

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

IDENTITY THEFT PREVENTION Policy Statement

Keeping It Under Wraps: Personally Identifiable Information (PII)

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

Building a Privacy Management Program

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

Red Flags/Identity Theft Prevention Policy: Purpose

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Texting and ing Patients, Providers and Others: HIPAA, CMS, and Suggestions

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

by Robert Hudock and Patricia Wagner April 2009 Introduction

HIPAA Compliance Checklist

Privacy Breach Policy

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

The Relationship Between HIPAA Compliance and Business Associates

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

Legal Considerations and Case Studies

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Beam Technologies Inc. Privacy Policy

The simplified guide to. HIPAA compliance

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Frequently Asked Question Regarding 201 CMR 17.00

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

HIPAA Cloud Computing Guidance

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Mobile Technology meets HIPAA Compliance. Tuesday, May 2, 2017 MT HIMSS Conference

Identity Theft Prevention Policy

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA Security Checklist

HIPAA Security Checklist

HIPAA Compliance & Privacy What You Need to Know Now

Transcription:

Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association of Nurse Attorneys

Disclaimer The information contained in this presentation has been prepared with the understanding that the author is not engaged in rendering legal, financial, medical or other professional advice. 2

Applicable Requirements HIPAA Privacy and Security Rules State Laws Requiring Notice of Security Breaches Involving Personal Information Laws Protecting Other Information Identity Theft and Crediting Reporting Laws (ITADA, FCRA, FACTA) Industry Standards (ISO, NIST, SAS 70) Other 3

Typical Scenarios Employee sold terminally ill patient IDs resulting in fraudulent mortgages Contractor stole patient IDs and obtained fraudulent credit Hospital ER imposter collected and sold patient IDs Consultant downloaded PHI to jump drive which was lost and never retrieved 4

More Typical Scenarios Employee had laptop stolen from her unlocked car Consultant pocket PC containing client file information left behind in restaurant Loaded CDs inadvertently thrown into trash Hacker accesses data through Internet website Malicious software (virus) takes down electronic information system Unencrypted PHI emailed to wrong address 5

PHI Protected by HIPAA Any health or demographic information collected from patient That is created or received by covered entity Which relates to an individual s past, present or future physical or mental health of patient and related treatment and payment functions For which there is a reasonable basis to believe the information can be used to identify the patient 6

PI Protected by State Law [e.g., IC 24-4.9-2] Unencrypted SSN (or) Name plus one or more of the following unencrypted or unredacted data: Drivers license number State identification card number Credit card number Financial account or debit card number plus security code, password or access code 7

PHI vs. PI HIPAA Covered Entity Security Incident Electronic Media Protected Health Information Safeguards Obligations State Security Breach Laws Data Base Owner Security Breach Electronic Media Personal Information Safeguards Obligations 8

Security Incident HIPAA Any attempted or successful (and) Unauthorized access, use, disclosure, modification or destruction (of) PHI, system operations, electronic media or other components of an information system containing PHI 9

Security Breach [e.g., IC 24-4.9-2-2] Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by a person, but excludes: Good faith acquisition by authorized person for authorized purposes Unauthorized acquisition of portable electronic device that is password protected Computerized data includes data transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format 10

Disclosure of Security Breach [e.g., IC 24-4.9-3-1] if Learns that PI was or may have been acquired by unauthorized person and Knows, should know or should have known that the unauthorized acquisition has resulted in or could result in identity deception, identity theft or fraud. 11

Important Safeguards Laws and regulations, institutional policy Access and crowd control Marking and labeling documents Engaging counsel and asserting privilege at appropriate time BAAs and non-disclosure agreements Information and electronic media management 12

Laws, Regulations and Institutional Policy (Most stringent) laws and regulations Medicare conditions of participation State licensure HIPAA and other privacy/security laws (Adopted) institutional policy Reported HIPAA security incident Confirmed HIPAA security breach 13

Does Your HIPAA Policy Define All of These Terms? Access or Acquisition Availability Confidentiality Disclosure Electronic Media Encryption Identity Deception or Theft Integrity Personal Information Privacy Privacy Incident Protected Health Information Redacted Security Security Incident Unauthorized Access or Acquisition 14

Does Your HIPAA Policy Include These Provisions? How to report both HIPAA privacy and security incidents The members of the rapid response team How to implement contingency plan Essential steps to proper investigation Who decides whether The incident qualified as an unauthorized access and The unauthorized access has or could have resulted in identity deception or theft; fraud 15

Does Your HIPAA Policy Address Sanctions? Level 1: Careless Access to PHI Level 2: Intentional Access to PHI for Personal Reason or Gain Level 3: Intentional Access to PHI for Financial Gain or Malice 16

Access and Crowd Control Premises and workstations Keys and passwords Workforce, business associates and business visitors Mobile electronic media Communication in any form/medium Face to face Telephone, facsimile, email Mobile electronic media 17

Information and Electronic Media Management Inventory and Mapping Back-up Fixed vs. mobile Transmission Storage Transfer and re-use Retirement and destruction 18

Investigational Materials Segregated and Labeled Confirm applicable privilege Establish policy and procedure Separate investigational files Document footers claiming privilege Prepared in anticipation of litigation or administrative proceeding 19

Engaging Counsel and Asserting Privilege Timely Segregate privileged communications Only counsel and essential persons present for privileged communications Clear counsel reporting relationship Clearly labeled and contains legal advice No third party disclosures Work product created with intent to remain confidential 20

What If You Need to Engage an Expert? Types of Experts and Advisors Public Relations Forensic Specialists Other Engagement by Counsel Nature of Services Establish Communication Rules Don t Forget the BAA 21

Identity Theft Protections Report incident to credit reporting agencies Annual credit reports Credit protection services Identity theft insurance Other 22

Proper Use of Service Agreements and BAAs Parties Scope of services Scope of PHI access Safeguards required Reporting of inadvertent disclosures Indemnification Return or destruction of protected information Termination 23

Does Your BAA Incorporate All of These Terms? Comply With HIPAA and Other Laws Governing Privacy and Security of PHI and PI Institute Administrative, Physical and Technical Safeguards Protect Privacy of PHI and Security of EPHI Report Security Incidents Indemnify for Violations of HIPAA and Other Laws 24

Key Elements of an Effective (and Swift) Response Plan #1. Notify Your Key Need to Know Persons; Establish Phone Conference Schedule #2. Set Mitigation Experts in Motion #3. Notify Counsel and Engage Necessary Experts 25

Key Elements of an Effective (and Swift) Response Plan #4. Establish a Public Relations Plan #5. Conduct and Document a Confidential Investigation Process #6. Secure Evidence and Maintain Chain of Custody 26

Key Elements of an Effective (and Swift) Response Plan #7. Corrective Action Plan and Progress Reports #8. Determine Notification Obligations #9. HIPAA Accounting Obligations 27

Key Elements of an Effective (and Swift) Response Plan #10. Call Center Arrangements #11. Institute Identity Theft Precautions, If Necessary #12. Be Prepared to Respond To External Investigations 28

Resources www.hhs.gov/ocr/hipaa/ (OCR) www.cms.hhs.gov/educationmaterials/04_sec uritymaterials.asp#topofpage (CMS) http://www.consumersunion.org/campaigns/ Breach_laws_May05.pdf (State Laws) http://csrc.nist.gov/itsec/guidance_winxp.ht ml (NIST) http://www.consumer.gov/idtheft/ (FTC) sziel@kdlegal.com (Susan Ziel) 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback