Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Similar documents
Breach Notification Remember State Law

HIPAA-HITECH: Privacy & Security Updates for 2015

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

QUALITY HIPAA December 23, 2013

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

A Panel Discussion. Nancy Davis

The HIPAA Omnibus Rule

University of Wisconsin-Madison Policy and Procedure

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Privacy & Information Security Protocol: Breach Notification & Mitigation

Federal Breach Notification Decision Tree and Tools

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA Privacy, Security and Breach Notification

HIPAA FOR BROKERS. revised 10/17

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Security and Privacy Breach Notification

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

HIPAA Cloud Computing Guidance

by Robert Hudock and Patricia Wagner April 2009 Introduction

Security Lessons Learned from HIPAA Enforcement

Cyber Security Issues

Analysis of the Final Rule, August 25, 2009 Health Breach Notification

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

HIPAA Tips and Advice for Your. Medical Practice

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA & Privacy Compliance Update

Audits Accounting of disclosures

Putting It All Together:

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

PRIVACY-SECURITY INCIDENT REPORT

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

HIPAA Security & Privacy

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Data Breach Response Guide

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

When the Other Brother Steps Up: State Privacy Enforcement Actions

View the Replay on YouTube

HIPAA Summit Day II Afternoon Plenary Session: HIPAA Security


The ABCs of HIPAA Security

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA Comes of Age: 21 Years of Privacy and Security

HIPAA Security Manual

Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare

Mastering Data Privacy, Social Media, & Cyber Law

HIPAA and HIPAA Compliance with PHI/PII in Research

Hospital Council of Western Pennsylvania. June 21, 2012

Presented by: Jason C. Gavejian Morristown Office

Healthcare Privacy and Security:

Keeping It Under Wraps: Personally Identifiable Information (PII)

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Performing HIPAA Security Reviews

Employee Security Awareness Training Program

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

HIPAA Security and Privacy Policies & Procedures

Integrating HIPAA into Your Managed Care Compliance Program

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Red Flags/Identity Theft Prevention Policy: Purpose

HIPAA For Assisted Living WALA iii

Security Breaches: How to Prepare and Respond

Regulation P & GLBA Training

EHR & HIPAA Managing Compliance & Progress. Agenda. Federal EHR Imperatives & Achieving Meaningful Use. EHR & HIPAA: Managing Compliance & Progress

NYDFS Cybersecurity Regulations

HIPAA 101: What All Doctors NEED To Know

Data Use and Reciprocal Support Agreement (DURSA) Overview

The Relationship Between HIPAA Compliance and Business Associates

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

DAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT

What s New with HIPAA? Policy and Enforcement Update

Data Compromise Notice Procedure Summary and Guide

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

PTLGateway Data Breach Policy

Texting and ing Patients, Providers and Others: HIPAA, CMS, and Suggestions

New Data Protection Laws

01.0 Policy Responsibilities and Oversight

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Standard text messaging (mobile devices) Secure text messaging (mobile devices) Paging Instant messaging (Google Hangouts, Skype, etc.

SECURITY & PRIVACY DOCUMENTATION

Transcription:

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule The Twenty-Second National HIPAA Summit Healthcare Privacy and Security After HITECH and Health Reform Rebecca Williams, RN, JD Partner, Co-Chair, Health Information Practice Davis Wright Tremaine LLP beckywilliams@dwt.com (206) 757-8171

Breach Notification HITECH: First federal law mandating breach notification for health care industry Applies to covered entities, business associates, PHR vendors, and PHR service providers FTC regulates the PHR entities HHS regulates covered entities and business associates Interim Final Breach Notification Rule (August 2009) Omnibus Rule (2013) 2

Breach Notification Remember State Law 46 states (plus DC, Puerto Rico, and the Virgin Islands) have notification laws Evaluate state law as well as the Omnibus Rule requirements Trigger Timing Content Recipients 3

Data Breach Notification Overview Upon the discovery of a Breach of Unsecured Protected health information (PHI) Covered entities and business associates must make required notifications Subject to certain exceptions 4

Definition of Unsecured PHI Not rendered unusable, unreadable, or indecipherable to unauthorized persons Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals Encrypted or Shredded/Destroyed 5

Definition of Breach Breach Unauthorized acquisition, access, use, disclosure Of unsecured PHI In a manner not permitted by the HIPAA Privacy Rule That compromises the security or privacy of the PHI 6

Exceptions Unauthorized person not reasonably have been able to retain PHI Certain acquisition, access, or use by workforce in good faith and within scope of authority and no further impermissible uses and disclosures Certain inadvertent disclosures within the same covered entity, business associate, or organized health care arrangement and no further impermissible uses and disclosures Limited data sets without ZIP or DOB 7

Hello Omnibus Rule Presumption An impermissible acquisition, access, use, or disclosure of PHI is Presumed to be a reportable breach UNLESS the entity demonstrates that there is a low probability that the PHI has been compromised 8

Risk Assessment A documented risk assessment to demonstrate a low probability of compromise Four mandatory factors What PHI: Nature and extent of PHI involved Who: The unauthorized person who used the PHI or to whom the disclosure was made Acquired: Whether the PHI actually was acquired or viewed Mitigation: The extent to which the risk to the PHI has been mitigated Other factors may be considered Evaluation of overall probability 9

Risk Assessment Risk Assessment must be Thorough Completed in good faith Have reasonable conclusions Documented OCR views risk assessment as more objective Not mandatory: Discretion to provide notification without risk assessment Guidance promised/guidance welcome 10

Goodbye Risk of Harm Interim final rule: Compromise meant poses a significant risk of financial, reputational, or other harm to the individual Controversial from the beginning Omnibus Rule: Risk of harm goes out the window Also the definition of compromises the security or privacy of PHI 11

Timing of Notice Notification must be made without unreasonable delay No more than 60 days after discovery Subject to law enforcement delay 12

Discovery Discovery of a breach occurs when: Entity has actual knowledge of a breach including through workforce member or agent (but not person committing the breach) or Using reasonable diligence, entity would have known of the breach Agency is based on federal common law 13

Examples of Timing Breach occurs Employee learns of breach Employee informs Privacy Officer Latest possible time to notify 60 days Sept. 1 Oct. 3 Nov. 15 Dec. 2 But remember without unreasonable delay Caveat: Discovery. Clock starts when entity learns of or using reasonable diligence should have learned of the breach. Should the covered entity have learned of the breach earlier? 14

Timing with Business Associate Breach occurs Breach is discovered by Business Associate BA notifies CE Outside notification time (if BA is not an agent) Or is it? 60 days Oct. 1 Oct. 3 Dec. 1 Dec. 2 Jan. 29 60 days Notify without unreasonable delay, but in no event longer than 60 days Outside notification time (if BA is an agent) Caveat: When should the Business Associate/Covered Entity have learned of the breach? 15

Contents of Notice to Individuals Notices must contain: Brief description of what occurred Description of types of unsecured PHI involved (e.g., name, SSN, DOB, address) but not the actual PHI Steps individuals should take to protect themselves Brief description of what covered entity is doing to investigate the breach, mitigate damage, and protect against further breaches Contact information for questions 16

Breach Notification Covered entity to notify affected individuals Written notice Substitute notice Covered entity to notify HHS Timing depends on size of the breach 500 or more = contemporaneous notification Small breaches (<500) = annual notification Within 60 days of the end of the calendar year in which the breach was discovered (not occurred) Considering less burdensome submission Covered entity may have to notify media if more than 500 residents in a State affected Business associate to notify covered entity 17

Administrative Requirements Policies and procedures* Recent settlement for failure to have policies even though notification was made Training* Complaints Sanctions Refraining from intimidating or retaliatory acts No waiver of rights 18

We Keep the Burden of Proof Burden of proof is on the covered entity and business associate Documentation is crucial 19

How Does HHS Respond? Large breaches Wall of Shame Usually open a compliance review Even small breaches can lead to review and settlements Notification has resulted in settlements, e.g. Massachusetts Eye & Ear Blue Cross Blue Shield of Tennessee Alaska Medicaid Hospice of Northern Idaho Idaho State University Affinity Health Plan Adult & Pediatric Dermatology, PC 20

Practical Steps Revise (or do) breach notification policies and procedures Risk analysis revisit (or do) Pay special attention to portable media and personal devices OCR/ONC guidance on mobile devices Revisit (or do) incident response plan Prepare incident response team 21

Practical Steps Train entire workforce Avoidance Alert to potential breaches Response to breach Be ready to respond to news media attention have designated spokesperson Consider tightening business associate contracts, particularly for agents 22

Practical Steps Make the most of the Secured PHI safe harbor Encryption! Verify document destruction Try to prevent breaches in first place Audit access to PHI and enforce policies 23

Questions?? Rebecca Williams, RN, JD Partner, Co-Chair, Health Information Practice Davis Wright Tremaine LLP beckywilliams@dwt.com (206) 757-8171 24

21160681_1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback