Security and Privacy Breach Notification


Version: 1.1
Approval Date: May 17, 2017
Owner: Privacy Officer

1. Purpose

To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains policies and procedures regarding how to detect and manage the investigation and reporting of a security or privacy incident or breach. In its role as a Business Associate to the Covered Entities that participate in the health information exchange, HSX is responsible for coordinating the evaluation of potential breaches in concert with the HSX Members/Participants.

2. Scope

All employees, interns, contractors, members, participants, users, and third parties who may have access or exposure to HSX Data are required to comply with this policy.

3. Policy

HSX complies with federal and state law regarding security breach notification requirements applicable to a Security Breach of Protected Health Information (PHI) or Personal Information (PI), as such terms are defined under the applicable laws. Specifically, in the event of a Security Breach of PHI and/or PI, the following applicable standards shall apply:

- The HITECH Act, and specifically § 13402 (the "Breach Statute");
- HHS Final Rule for Breach Notification for Unsecured PHI (45 CFR Parts 160 and 164) (the "Breach Notification Rule"); and
- Applicable State Breach Notification Laws.

Collectively, these standards shall be referred to in this Policy as the "Security Breach Notification Laws". HSX acts in concert with the requirements outlined in the Participation Agreement (PAR) and Business Associate Agreements (BAA) it has executed with its Members/Participants.

Breach Notification Policy 5-17-2017.docx 1

The employees, interns, contractors and third parties of HSX participate in education and training sessions provided by HSX as per the Privacy and Security Awareness Education and Training policy. Initial training regarding security breach notification obligations of the employees, interns, agents, contractors and consultants shall have been completed no later than the date by which an end User gains access to PHI. HSX Members/Participants are required to stay abreast of HSX policies and to comply with them in accordance with the PAR.

Security Incident Examples

The following actions constitute misuse of HSX IS resources and are strictly prohibited. Prohibited actions include but are not limited to:

- Using HSX systems or information for personal financial gain or to solicit others for activities unrelated to HSX business.
- Browsing patient, personnel, financial or other corporate information without authorization (e.g., for the purpose of satisfying personal curiosity or with the intent of improperly disclosing that information).
- Intentionally interfering with the operations of any HSX computer system or using an HSX computer to disrupt or circumvent the security measures of any computing system.
- Altering or deleting information or software, except when performing authorized business functions.
- Creating or installing unapproved, unauthorized or illegally copied software, including games, on a computer, and knowingly distributing such software.
- Modifying or reconfiguring the software or hardware of any HSX IS resource without proper authorization.
- Attempting to circumvent, assisting someone else in circumventing, or requesting that someone else circumvent any security measure or administrative access control that pertains to HSX IS resources.
- Permitting someone to use another person's User ID, or using someone else's User ID. This includes permitting IS administrators to use User IDs or passwords.
- Failing to protect a password from unauthorized use.
- Unapproved system cracking (hacking), password cracking (guessing), file decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures. Such attempts are unlawful, will be considered serious violations of HSX policy, and will result in disciplinary actions.

HSX, 1801 Market Street, Suite 750, Philadelphia PA 19103, www.hsxsepa.org

Privacy Incident Examples

The following actions constitute inappropriate use, disclosure and request of information assets and are strictly prohibited. Specific examples of privacy incidents or violations are better understood by understanding HSX privacy procedures. However, prohibited actions include but are not limited to:

- Unauthorized Disclosure Outside HSX
- Inappropriate Use Within HSX
- Unauthorized Use or Disclosure by Business Associate
- Failure to use reasonable safeguards when using or disclosing PHI
- Failure to adhere to any HSX privacy procedure

4. Procedures

1. Detection and Internal Reporting

a. In accordance with its Audit and Monitoring Policy, HSX will establish mechanisms for detection of any privacy and/or security breaches. HSX will implement reasonable and appropriate procedures to detect potential or actual Security Breaches.

b. Any employee, intern, consultant, agent or vendor/subcontractor who obtains information or has reason to believe that a Security Breach and/or inadvertent data disclosure has occurred or may have occurred, and involves PHI or PI created or maintained by HSX, shall be required to promptly report such information to HSX.

c. As downstream Business Associates (BAs) of HSX participating organizations, contracted vendors shall report discovery of any Security Breaches as soon as reasonably practicable, but in any case within the timeframe specified in their HIPAA BAA with HSX. Such information as required by the HIPAA BAA, and as required by HITECH, shall be provided in order for HSX to appropriately notify all required parties.

d. HSX Members/Participants are required to report concerns related to any potential misuse of Data, including suspected Security Breaches or inadvertent Data disclosures.

e. HSX shall notify the Covered Entities with whom it has executed BAAs, in accordance with the required time frames in the BAA, of the discovery of any Security Incidents.

f. HSX shall work in concert with the Covered Entities to ensure that, when required by law, the Individual(s) affected and the Secretary of HHS are notified.

g. Vendors of HSX shall require their Sub-Contractor Business Associates to report any Security Breaches as soon as reasonably practicable from the date of constructive or actual discovery of the Security Breach.

h. The HSX Privacy and Security Officer will follow the procedures outlined in the Incident Management Plan to conduct the investigation and risk assessment of a security breach.

i. HSX shall use the Privacy and Security Incident Reporting Form (Appendix A) to report incidents to Covered Entities in accordance with the Business Associate Agreements.

2. HIPAA Presumption of Breach and Risk Assessment

It shall be presumed that an impermissible use or disclosure of PHI is a reportable Breach for purposes of HIPAA and HITECH unless HSX demonstrates that there is a low probability that the PHI was compromised. Notwithstanding the foregoing, HSX shall conduct a Risk Assessment to determine whether the impermissible use or disclosure resulted in a low probability that the PHI was compromised. If HSX determines that there is a low probability that the PHI was compromised as a result of the impermissible use or disclosure, HSX may conclude that a Breach did not occur. Nonetheless, the ultimate decision regarding whether or not a Breach occurred remains with the Covered Entities. At a minimum, HSX shall consider and assess the following factors when conducting a Risk Assessment:

a. The Nature and Extent of the PHI. For this factor, HSX shall consider the type of PHI involved, such as whether the PHI was of a more sensitive nature. For example, if credit card numbers, social security numbers, or other information that increases the risk of identity theft or financial fraud are involved, this would cut against finding that there is a low probability that the PHI was compromised. With respect to clinical information, consider the nature of the services as well as the amount of information and detail involved. Sensitive information is not limited to information such as STDs, mental health or substance abuse.

b. The Unauthorized Person who Disclosed/Used the PHI. For this factor, HSX shall consider who the unauthorized recipient is or might be. For example, if the recipient is someone at another participating organization or HISP, this may support a finding that there is a lower probability that the PHI has been compromised, since Covered Entities and Business Associates are obligated to protect the privacy and security of PHI in a similar manner as the Covered Entity or Business Associate from which the breached PHI originated. Another example: if PHI containing dates of healthcare service and diagnoses of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on other information available to the employer, such as dates of absence from work. In this case, there may be more than a low probability that the PHI has been compromised.

c. Whether the PHI was actually Acquired/Viewed. For this factor, HSX must investigate and determine whether the PHI was actually acquired or viewed or, alternatively, whether only the opportunity existed for the information to be acquired or viewed. One example is where HSX mails information to the wrong individual, who opens the envelope and calls HSX to say that he/she received the information in error. In contrast, if a lost or stolen laptop is recovered and a forensic analysis shows that the otherwise unencrypted PHI on the laptop was never accessed, viewed, acquired, transferred, or otherwise compromised, HSX could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.

d. Mitigation. For the fourth and final factor, HSX must consider the extent to which the harm can be mitigated, what steps need to be taken to mitigate it, and, once those steps are taken, how effective the mitigation was. For example, HSX may be able to obtain and rely on the assurances of an employee, affiliated entity, another HSX, or an HSX that the entity or person destroyed PHI it received in error, while such assurances from certain third parties may not be sufficient.

3. Response Procedures for Breaches

If it has been determined that there has been a Security Breach of PHI or PI as set forth above, HSX shall be notified. Steps shall be taken to mitigate any harm as best as reasonably possible. Corrective actions shall be taken, which shall be documented and retained by the Privacy or Security Officer for a period of seven (7) years. Reasonable and appropriate sanctions shall be assessed against violating employees in accordance with HSX's Sanctions Policy and Procedures.

a. For Breaches of PHI ONLY (HIPAA/HITECH):

1. Breaches Affecting 500 or More Patients: If a Security Breach affects 500 or more individuals, HSX will provide Covered Entity participating organizations with notice of the breach without unreasonable delay, and in no case later than 60 days from discovery of the breach, so that they may report such Breach to the Secretary of HHS as required by HIPAA.

2. Breaches Affecting Fewer than 500 Patients: If a Security Breach affects fewer than 500 individuals, HSX shall require the incident to be logged in a Security Breach Log (maintained by the Privacy and/or Security Officer), and HSX will notify covered entity participating organizations as required under the applicable HIPAA BAA.

5. Enforcement

HSX supervisors shall be responsible for ensuring that their staff comply with this policy. Each member, participant and third party shall be responsible for ensuring that their respective physicians, care managers and other staff follow this policy. The CISO and Privacy Officer shall be responsible for enforcing compliance with this policy under the direction of the Executive Director.

6. Definitions

For a complete list of definitions, refer to the Glossary.

7. References

Regulatory References:
- HIPAA Regulatory Reference: HIPAA 164.400-414, HIPAA 164.308(a), HIPAA 164.314(a), HIPAA 164.530(e)
- HITRUST Reference: 11.a Reporting Information Security Events, 11.c Responsibilities and Procedures, 02.f Disciplinary Process

Policy Owner: Privacy and Security Officers
Contact: Daniel.wilt@hsxsepa.org
Approved By: HSX Management Team
Approval Date: May 17, 2017

Date Policy In Effect: December 23, 2013
Original Issue Date: December 23, 2013
Version #: 1.1
Last Review Date: May 17, 2017
Related Documents: Glossary; Incident Management Plan; Information Security Management Program Policy; Business Associate Agreement; Participation Agreement; Business Associate Policy

Appendix A: Privacy and Security Incident Reporting Form

Date and Time of Incident:
Location of Incident (department, workstation, etc.):
Nature/description of Incident (include information system involved, hardware, software, data, physical threat or equipment, etc.):
Persons involved (include names of all parties involved):
Person(s) immediately notified:
Immediate action taken:
Completed by:
Submitted to (check one):
  o Privacy/Security Official or designee
  o Special Investigations Unit (check here ONLY if you wish to report the incident anonymously)
Submission Date/Time:

Privacy and Security Incident Reporting Form, Administrative Use

Results of investigation (include statements made by parties involved and harm or potential harm to HSX or individuals):
Corrective action immediately taken, if any:
Recommendations for improvement, if any:
Completed By:
Date and Time: