Breach Notification Remember State Law

Similar documents
Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

HIPAA-HITECH: Privacy & Security Updates for 2015

The HIPAA Omnibus Rule

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

QUALITY HIPAA December 23, 2013

A Panel Discussion. Nancy Davis

University of Wisconsin-Madison Policy and Procedure

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Privacy & Information Security Protocol: Breach Notification & Mitigation

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA Privacy, Security and Breach Notification

Federal Breach Notification Decision Tree and Tools

HIPAA FOR BROKERS. revised 10/17

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA Tips and Advice for Your. Medical Practice

Security and Privacy Breach Notification

HIPAA Cloud Computing Guidance

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

Putting It All Together:

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

by Robert Hudock and Patricia Wagner April 2009 Introduction

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

PRIVACY-SECURITY INCIDENT REPORT

Security Lessons Learned from HIPAA Enforcement

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Audits Accounting of disclosures

Analysis of the Final Rule, August 25, 2009 Health Breach Notification

HIPAA Security & Privacy

HIPAA & Privacy Compliance Update

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

Cyber Security Issues

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC


View the Replay on YouTube

HIPAA Comes of Age: 21 Years of Privacy and Security

When the Other Brother Steps Up: State Privacy Enforcement Actions

Data Breach Response Guide

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Integrating HIPAA into Your Managed Care Compliance Program

Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

HIPAA and HIPAA Compliance with PHI/PII in Research

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Latest Legal Threat for Providers Protecting Private Information in Text Messages, s and Other Electronic Transmissions

HIPAA For Assisted Living WALA iii

The Relationship Between HIPAA Compliance and Business Associates

Mastering Data Privacy, Social Media, & Cyber Law

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

HIPAA Security Manual

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Hospital Council of Western Pennsylvania. June 21, 2012

Presented by: Jason C. Gavejian Morristown Office

Keeping It Under Wraps: Personally Identifiable Information (PII)

Performing HIPAA Security Reviews

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Regulation P & GLBA Training

Texting and ing Patients, Providers and Others: HIPAA, CMS, and Suggestions

HIPAA Summit Day II Afternoon Plenary Session: HIPAA Security

What s New with HIPAA? Policy and Enforcement Update

Summary Comparison of Current Data Security and Breach Notification Bills

HIPAA Security and Privacy Policies & Procedures

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Understanding the Impact of Data Privacy January 2012

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

EHR & HIPAA Managing Compliance & Progress. Agenda. Federal EHR Imperatives & Achieving Meaningful Use. EHR & HIPAA: Managing Compliance & Progress

SECURITY STATE OF THE INDUSTRY

Seven gray areas of HIPAA you can t ignore

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

SECURITY & PRIVACY DOCUMENTATION

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA Privacy, Security and Breach Notification 2018

Employee Security Awareness Training Program

DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT

HIPAA Privacy and Security Training Program

University of Mississippi Medical Center Data Use Agreement Protected Health Information

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

HIPAA 101: What All Doctors NEED To Know

Red Flags/Identity Theft Prevention Policy: Purpose

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Abbie Miller, MCS-P. Ongoing Internal Auditing. Documentation Reviews 5/16/2015.

Data Compromise Notice Procedure Summary and Guide

Transcription:

Breach Notification HITECH: First federal law mandating breach notification for health care industry Applies to covered entities, business associates, PHR vendors, and PHR service providers FTC regulates the PHR entities HHS regulates covered entities and business associates Interim Final Breach Notification Rule (August 2009) Omnibus Rule (2013) 2

Breach Notification Remember State Law 46 states (plus DC, Puerto Rico, and the Virgin Islands) have notification laws Evaluate state law as well as the Omnibus Rule requirements Trigger Timing Content Recipients 3

Data Breach Notification Overview Upon the discovery of a Breach of Unsecured Protected health information (PHI) Covered entities and business associates must make required notifications Subject to certain exceptions 4

Definition of Breach Breach Unauthorized acquisition, access, use, disclosure of unsecured PHI In a manner not permitted by the HIPAA Privacy Rule That compromises the security or privacy of the PHI So far so good, but... 5

Hello Omnibus Rule Presumption An impermissible acquisition, access, use, or disclosure of PHI is Presumed to be a reportable breach UNLESS the entity demonstrates that there is a low probability that the PHI has been compromised 6

Risk Assessment A documented risk assessment needs to demonstrate a low probability that PHI was compromised Four mandatory factors What PHI: Nature and extent of PHI involved Who: The unauthorized person who used the PHI or to whom the disclosure was made Acquired: Whether the PHI actually was acquired or viewed Mitigation: The extent to which the risk to the PHI has been mitigated Other factors may be considered Evaluation of overall probability 7

Risk Assessment Risk Assessment must be Thorough Completed in good faith Have reasonable conclusions Documented OCR: Type of analysis should not be new Discretion to provide notification without performing risk assessment 8

Goodbye Risk of Harm Interim final rule: Compromise meant a Risk of Harm Poses a significant risk of financial, reputational, or other harm to the individual Controversial from the beginning Omnibus Rule: Risk of harm goes out the window 9

Risk Assessment OCR views risk assessment as more objective Many questions remain, particularly with no definition of compromise the PHI Webster's Dictionary: a laying open to danger, suspicion, or disrepute; to endanger the interests of Comment: inappropriately viewed, re-identified, re-disclosed, or otherwise misused Guidance promised

Lose an Exception 11

Timing of Notice Notification must be made without unreasonable delay No more than 60 days after discovery Subject to law enforcement delay 12

Discovery Discovery of a breach occurs when: Entity has actual knowledge of a breach including through workforce member or agent (but not person committing the breach) or Using reasonable diligence, entity would have known of the breach Agency is based on federal common law 13

Examples of Timing Breach occurs Employee learns of breach Employee informs Privacy Officer Latest possible time to notify 60 days Oct. 1 Oct. 3 Nov. 15 Dec. 2 But remember without unreasonable delay Caveat: Clock starts when entity learns of or using reasonable diligence should have learned of the breach. Should the covered entity have learned of the breach earlier? 14

Business Associate Timing Issues Breach occurs Breach is discovered by Business Associate BA notifies CE Outside notification time (if BA is not an agent) Or is it? 60 days Oct. 1 Oct. 3 Dec. 1 Dec. 2 Jan. 29 60 days Business associate must notify without unreasonable delay, but in no event longer than 60 days Outside notification time (if BA is an agent) Caveat: When should the Business Associate/Covered Entity have learned of the breach? 15

One More Timing Consideration Enforcement Rule emphasizes Willful Neglect Highest level of civil culpability is violation for Willful Neglect that is not corrected within 30 days Should be consideration in breach response plan 16

Contents of Notice to Individuals Notices must contain: Brief description of what occurred Description of types of unsecured PHI involved (e.g., name, SSN, DOB, address) but not the actual PHI Steps individuals should take to protect themselves Brief description of what covered entity is doing to investigate the breach, mitigate damage, and protect against further breaches Contact information for questions 17

Breach Notification Covered entity to notify affected individuals Written notice Substitute notice Covered entity to notify HHS Timing depends on size of the breach 500 or more = contemporaneous notification Small breaches (<500) = annual notification Within 60 days of the end of the calendar year in which the breach was discovered (not occurred) Considering less burdensome submission Covered entity may have to notify media if more than 500 residents in a State affected Business associate to notify covered entity 18

Administrative Requirements Policies and procedures Training Complaints Sanctions Refraining from intimidating or retaliatory acts No waiver of rights 19

We Keep the Burden of Proof Burden of proof is on the covered entity and business associate Documentation is crucial 20

How Does HHS Respond? Large breaches Wall of Shame Usually open a compliance review Even small breaches can lead to review and settlements Notification has resulted in settlements, e.g. Massachusetts Eye & Ear Blue Cross Blue Shield of Tennessee Alaska Medicaid Hospice of Northern Idaho 21

Practical Steps Revise breach notification policies and procedures Risk analysis revisit (or do) Develop or revisit incident response plan Pay special attention to portable media and personal devices OCR/ONC guidance on mobile devices 22

Practical Steps Train entire workforce Avoidance Alert to potential breaches Response to breach Prepare incident response team Be ready to respond to news media attention have a designated spokesperson Consider tightening business associate contracts, particularly for agents 23

Practical Steps Encryption! Make the most of the encryption safe harbor Verify document destruction Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals Audit access to PHI and enforce policies 24

Questions?? Rebecca Williams, RN, JD Partner, Co-Chair, Health Information Practice Davis Wright Tremaine LLP beckywilliams@dwt.com (206) 757-8171 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback