Breach Notification and Enforcement

Similar documents
Investigating Privacy Breaches under HITECH and HIPAA

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Patient Privacy and Security: Data Breach Reporting and other HIPAA Changes

HIPAA BUSINESS ASSOCIATE AGREEMENT. ( BUSINESS ASSOCIATE ) and is effective as of ( Effective Date ). RECITALS

Model Business Associate Agreement

AMERICAN RECOVERY & REINVESTMENT ACT OF 2009 TITLE XIII HEALTH INFORMATION TECHNOLOGY ANALYSIS OF PRIVACY AND SECURITY REQUIREMENTS (SUBPART D)

HITECH Omnibus Business Associate Agreement DU Hybrid CE ra FINAL

HIPAA Enforcement and Settlements. Alissa Smith, Partner Dorsey & Whitney LLP Des Moines, IA

Health Information Technology for Economic and Clinical Health (HITECH) Act Privacy and Security Provisions

Government Investigations Into Cybersecurity Breaches In Healthcare

HIPAA Crimes: How the New Crime Wave Affects You. May 17, 2016

BUSINESS ASSOCIATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

Current Developments in Privacy and Security Rule Enforcement

BUSINESS ASSOCIATE AGREEMENT WITH COVERED ENTITY

EXHIBIT G PRIVACY AND INFORMATION SECURITY PROVISIONS

Security Breach Notification Chart

Security Breach Notification Chart

Security Breach Notification Chart

Security Breach Notification Chart

HIPAA Compliance During Litigation and Discovery

HIPAA DATA USE AGREEMENT

rdd Doc 825 Filed 12/11/17 Entered 12/11/17 16:29:55 Main Document Pg 1 of 4

AGREEMENT BETWEEN KIDS IN DISTRESS, INC., AND BROWARD COUNTY FOR SUBSTANCE ABUSE SERVICES Contract Number: KID-BARC-CFS-2017

Right to Request Access to Designated Record Set

Limited Data Set Data Use Agreement

HIPAA Privacy Compliance Initiative: Final Rules Impact Employer Health Plans

BUSINESS ASSOCIATE AGREEMENT (BETWEEN GIOSTARCHICAGO.COM AND GIOSTARORTHOPEDICS.COM AND GODADDY)

Security Breach Notification Chart

TRICARE Operations Manual M, April 1, 2015 Administration. Chapter 1 Section 5

HIPAA Privacy Rule Compliance Issues

BUSINESS ASSOCIATE AGREEMENT

COMMONWEALTH OF MASSACHUSETTS. ) COMMONWEALTH OF MASSACHUSETTS, ) ) Plaintiff, ) ) v. ) ) SOUTH SHORE HOSPITAL, INC., ) ) Defendant.

RESOLUTION AGREEMENT. I. Recitals

BUSINESS ASSOCIATE AGREEMENT

RENOWN HEALTH NETWORK POLICY

Commonwealth of Massachusetts County of Suffolk The Superior Court NOTICE OF DOCKET ENTRY

SCHWARTZ & BALLEN LLP 1990 M STREET, N.W. SUITE 500 WASHINGTON, DC

STATE DATA SECURITY BREACH NOTIFICATION LAWS

STATE DATA SECURITY BREACH NOTIFICATION LAWS

STATE DATA SECURITY BREACH NOTIFICATION LAWS

STATE DATA SECURITY BREACH LEGISLATION SURVEY

State Data Breach Law Summary. November 2017

Site Access Agreement. (hereinafter referred to as the

1 HB By Representative Williams (P) 4 RFD: Technology and Research. 5 First Read: 13-FEB-18. Page 0

[Enter Organization Logo] DISCLOSURES OF SUBSTANCE USE DISORDER PATIENT RECORDS. Policy Number: [Enter] Effective Date: [Enter]

1 SB By Senators Orr and Holley. 4 RFD: Governmental Affairs. 5 First Read: 13-FEB-18. Page 0

Sales Order (Processing Services)

West Virginia University Research Integrity Procedure Approved by the Faculty Senate May 9, 2011

KAISER FOUNDATION HOSPITALS ON BEHALF OF KAISER FOUNDATION HEALTH PLAN OF THE MID-ATLANTIC STATES, INC.

Cops and Docs: Law Enforcement Access to Patients and Information

Provider Electronic Trading Partner Agreement

1 SB By Senators Orr and Holley. 4 RFD: Governmental Affairs. 5 First Read: 13-FEB-18. Page 0

COLORADO HB PROTECTIONS FOR CONSUMER DATA PRIVACY

BUSINESS ASSOCIATE AGREEMENT

THE GENERAL ASSEMBLY OF PENNSYLVANIA HOUSE BILL

Data Breach Charts. November 2017

GUIDELINES FOR THE USE OF ELECTORAL PRODUCTS

Agent/Agency Agreement

Peg Schmidt, RHIA CHPS and Amy Derlink, RHIA, CHA April 10, 2015

PODIATRY RESIDENCY RESOURCE, INC. END USER SOFTWARE LICENSE AGREEMENT. IMPORTANT-READ CAREFULLY BEFORE USING THE Podiatry Residency Resource SOFTWARE.

SERVICE PROVIDER SECURITY AGREEMENT. Clemson University ( Clemson ) and. Vendor Name Here. ( Service Provider )

Selected Federal Data Security Breach Legislation

ADDENDUM TO STANDARD CONTRACT BETWEEN Community Coordinated Care for Children, Inc. (4C) AND (CONTRACTOR)

Intersections Data Breach. July

State Data Breach Notification Laws

Enforcing HIPAA Administrative Simplification: Dispassionate Enforcement or Compassionate Prosecution?

SAMPLE FORMS - CONTRACTS DATA REQUEST AND RELEASE PROCESS NON-DISCLOSURE AGREEMENT, Form (See Attached Form)

HIPAA Enforcement Rule. Aimee Wall Health Directors Legal Conference Institute of Government April 20, 2006

Technology and the Threat to the Attorney- Client Privilege Suzanne Valdez

- 79th Session (2017) Assembly Bill No. 474 Committee on Health and Human Services

INDIANA UNIVERSITY Policy and Procedures on Research Misconduct DRAFT Updated March 9, 2017

Legal and Ethical Considerations (Chapter 3- Mosby s Dental Hygiene)

The Health Information Protection Act

Mandatory data breach reporting comes to Australia new notification requirements under the Privacy Act (2018) 15(4) PRIVLB 54

DATA USE AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION

Introduction to Health Insurance Portability and Accountability Act (HIPAA): How It Affects Law Enforcement. Prepared by:

NEW YORK IDENTITY THEFT RANKING BY STATE: Rank 6, Complaints Per 100,000 Population, Complaints (2007) Updated January 25, 2009

the general policy intent of the Privacy Bill and other background policy material;

HARVARD PILGRIM HEALTH CARE, INC. PRIVACY AND SECURITY AGREEMENT

Condominium Management Regulatory Authority of Ontario Access and Privacy Policy

Chapter PERSONAL INFORMATION PROTECTION ACT. Article 01. BREACH OF SECURITY INVOLVING PERSONAL INFORMATION

APPENDIX I. Research Integrity Policy for Responding to Allegations of Scientific Misconduct

Ramifications of Fraud

Policy Title: FOIA Procedures and Guidelines Policy 104 Number:

PERSONAL INFORMATION PROTECTION ACT

Interstate Commission for Adult Offender Supervision

State Data Breach Notification Laws

INTEGRATED ASSESSMENT RECORD DATA SHARING AGREEMENT

DATA PROTECTION LAWS OF THE WORLD. South Korea

California Enacts Sweeping Consumer Privacy Law

S10A0994. BAKER et al. v. WELLSTAR HEALTH SYSTEMS, INC. et al. This action originated with a medical malpractice complaint filed on

UTAH IDENTITY THEFT RANKING BY STATE: Rank 31, 57.8 Complaints Per 100,000 Population, 1529 Complaints (2007) Updated December 30, 2008

ASSEMBLY, No STATE OF NEW JERSEY. 218th LEGISLATURE PRE-FILED FOR INTRODUCTION IN THE 2018 SESSION

ELECTRONIC TRANSACTIONS TRADING PARTNER AGREEMENT BETWEEN DIRECT SUBMITTER AND WELLPOINT, INC

Disclosing Medical Information to Law Enforcement Officials WENDY S. CEDOZ, J.D., RN CHIEF LEGAL OFFICER/GENERAL COUNSEL GENESIS HEALTHCARE SYSTEM

Guide to Managing Breaches of the Code of Conduct

Investigations and Enforcement

LAW FIRM BUSINESS ASSOCIATE TERMS AND CONDITIONS. North Carolina Society of Healthcare Attorneys

State Data Breach Laws

Transcription:

Breach Notification and Enforcement Sponsored by Health Information and Technology Practice Group June 14, 2012 Presenter: Patricia A. Markus, Esquire, Smith Moore Leatherwood LLP, Raleigh, NC, Trish.Markus@smithmoorelaw.com 1

Overview Definitions Is It A Breach? Discovery, Investigation, and Notification Breach Enforcement 2

Background/History of Breach Notification Under the Health Information Portability and Accountability Act of 1996 (HIPAA): No requirement to notify patients of breaches of Protected Health Information (PHI) The Health Information Technology for Economic and Clinical Health Act (HITECH): First federal law mandating breach notification for health care industry HITECH requirements must be compared to existing state breach notification requirements and, if they don t conflict, both rules must be followed HITECH applies to breaches of certain clinical and financial information 3

Breach Definitions What is a Breach? Key Elements Acquisition, access, use, or disclosure Unsecured PHI Not permitted by Privacy Rule Compromises security or privacy of the PHI 4

Breach Definitions Unsecured PHI : PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by the Secretary of the U.S. Department of Health and Human Services Approved technologies/destruction methods are listed at 74 Fed. Reg. 42742 5

Breach Definitions Compromises the security or privacy of the PHI means poses a significant risk of financial, reputational, or other harm to the person whose PHI was the subject of the inappropriate access, use, or disclosure 6

Is It a Breach? A use/disclosure is not a breach: When the PHI is properly encrypted/destroyed When the use/disclosure is permitted under HIPAA When a HITECH exception applies When the privacy or security of the data is not compromised 7

Is It a Breach? Step 1: Unsecured PHI PHI is secured if: Encrypted or Destroyed (shredded, burned, purged, cut proper destruction method depends on the medium) Also not a breach if: Individually identifiable health information held by covered entity or business associate in its capacity as an employer De-identified in accordance with HIPAA guidelines 8

Is It a Breach? Step 2: Permitted Use/Disclosure A breach is an impermissible use or disclosure; if HIPAA permits or requires the use/disclosure, not a breach If use/disclosure not permitted under HIPAA, must still ask: Does the use/disclosure compromise the security or privacy of the PHI? Not every impermissible disclosure = breach, but may be a violation of the privacy rule! 9

Is It a Breach? Step 3: HITECH Exceptions HITECH contains three narrowly construed exceptions If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if information was unsecured PHI and the disclosure is not permitted under HIPAA 10

Is It a Breach? Step 3: HITECH Exceptions Exception 1: Unintentional access to, or acquisition or use of, PHI: By a workforce member for the covered entity or business associate (BA) Acting in good faith Within the course and scope of duties If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA 11

Is It a Breach? Step 3: HITECH Exceptions Example: Billing employee receives and opens an email containing patient s PHI that was mistakenly sent to her. Billing employee notifies the sender of the error, and then deletes the email without further using or disclosing the information. Exception applies no breach. Example: Receptionist, who is not authorized to access PHI, decides to browse through patient files to find out information about a friend s treatment. Exception does not apply potential breach. 12

Is It a Breach? Step 3: HITECH Exceptions Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and on whose cases she has not been asked to consult. Exception does not apply potential breach. 13

Is It a Breach? Step 3: HITECH Exceptions Exception 2: Inadvertent disclosure of PHI From one workforce member at the covered entity or BA to another at the same covered entity or BA Where both workforce members are authorized to access the information If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA 14

Is It a Breach? Step 3: HITECH Exceptions Example: Inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information. Exception applies no breach. Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities. Exception does not apply potential breach. 15

Is It a Breach? Step 3: HITECH Exceptions Exception 3: Unauthorized disclosure of PHI to an unauthorized person: Where there is a reasonable good faith belief The unauthorized recipient would not reasonably have been able to retain the information 16

Is It a Breach? Step 3: HITECH Exceptions Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information. Exception applies no breach. Example: The billing office, due to a lack of reasonable safeguards, sends a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked undeliverable. Exception applies no breach. The other statements that were sent to the wrong addresses, however, are not returned. Exception does not apply potential breach. 17

Is It a Breach? Step 4: Risk Assessment A breach must involve a significant risk of financial, reputational or other harm Requires a good faith judgment Made by business associate or covered entity Must include various relevant factors Must document basis for determination 18

Is It a Breach? Step 4: Risk Assessment Who impermissibly used the information / to whom was the information impermissibly disclosed? Disclosure to another entity subject to HIPAA likely small risk of harm Lost/stolen information likely high risk of harm Disclosure to member of the general public likely high risk of harm 19

Is It a Breach? Step 4: Risk Assessment In what form was the PHI accessed or disclosed? Verbal or paper likely smaller risk of harm Electronic likely higher risk of harm What were the circumstances surrounding the disclosure? Unintentional disclosure likely smaller risk Intentional disclosure likely higher risk Lost/stolen information or hacking likely higher risk 20

Is It a Breach? Step 4: Risk Assessment What information was the subject of the impermissible use or disclosure? Limited data set low risk of harm Information about fact of treatment: depends on treatment facility ( General Hospital likely small risk of harm; Communicable Disease Clinic likely high risk of harm) Type of treatment (oncology) likely higher risk of harm Type of treatment (sexually transmitted diseases, mental health, substance abuse, abuse victim) deemed to pose significant risk of reputational harm Information that assists in identity theft (Social Security number (SSN), account numbers, personal identification numbers) likely high risk of harm 21

Is It a Breach? Step 4: Risk Assessment What steps were taken to mitigate the impermissible use or disclosure? Obtained recipient s satisfactory assurance that information will be destroyed and not used: likely small risk of harm Information is returned before it is accessed (laptop analysis reveals no access): likely small risk of harm Would notice enable affected persons to protect themselves from harm? 22

If a significant risk of harm to the patient exists, the breach notification requirements must be followed. 23

Discovery and Investigation of Breach Incident starts the clock Discovery = First day where have actual knowledge of breach, including when by using reasonable diligence would have known Must notify individuals as soon as reasonably possible but no later than sixty days after discovery Reasonable diligence means Business care and prudence expected of one seeking to satisfy a legal requirement What is this, and how do you demonstrate it? 24

Notifications Written notice of a breach must be given to: Affected individuals Secretary Covered entity by business associate Sometimes the media Notice must be timely and adequate 25

Notifications To Individuals: No later than sixty days after discovery of breach, written notice must be provided to each affected individual by first-class mail Email notice ok if patient has agreed Notice to next-of-kin or personal representative for deceased patient Content What occurred and when Types of PHI Steps to protect individuals What is being done to investigate, mitigate Covered Entity (CE) contact information 26

Notifications Law enforcement exception: If law enforcement asks CE to delay providing notice because notice would impede criminal investigation or damage national security, CE may delay notification Length of delay: The time period specified in written notice by law enforcement, or Up to thirty days if oral request, unless law enforcement submits writing specifying time frame for delay 27

Notifications Substitute notice for insufficient/out of date address Less than ten individuals affected: alternate form of written notice, telephone, or other means Ten or more affected individuals: must provide substitute notice on home page of entity s website or in major print/broadcast media (include toll-free number) Need not be provided to next-of-kin or personal representative 28

Notifications Media notice: required if more than 500 residents affected in a single state/jurisdiction Secretary of the U.S. Department of Health and Human Services (HHS) notice: If 500 or more individuals affected, notice must be given to Secretary of HHS immediately by filing notice electronically on this form: http://transparency.cit.nih.gov/breach/index.cfm If fewer than 500 individuals affected, notice must be given to Secretary within sixty days of end of calendar year (CY) using same form as above (one form per breach) 29

Breach Enforcement HITECH breach notification rules Require self disclosure/reporting Invite investigation by the Office for Civil Rights (OCR) HITECH s enforcement Interim Final Rule Introduces strict liability unless violations are corrected within thirty days Tiers of penalties Tiers of culpability 30

Breach Enforcement Culpability Amounts by tier Cal. Yr. same violation max Did Not Know $100-$50,000 $1,500,000 Reasonable Cause $1,000-$50,000 $1,500,000 Willful Neglect- Corrected Willful Neglect-Not Corrected $10,000-$50,000 $1,500,000 $50,000 $1,500,000 31

Breach Enforcement Civil penalties maximum $1.5M for all identical violations in CY If entity did not know violation occurred and by exercising reasonable due diligence would not have known Penalties from $100 to $50,000 per violation Violation due to reasonable cause and not to willful neglect Penalties from $1,000 to $50,000 per violation Violation due to willful neglect $10,000 to $50,000 per violation (for violations corrected within thirty days) Minimum of $50,000 per violation (for violations not corrected within thirty days) 32

HITECH Enforcement Developments Penalties apply to covered entities and business associates (lawyers included) Criminal penalties now apply to workforce members who use/disclose PHI without authorization Safe harbor for violations corrected in thirty days (assuming no willful neglect) Starting 2/17/11, OCR must investigate any complaint that may have resulted from willful neglect If violation found, OCR is required to impose civil monetary penalties (CMPs) 33

HITECH Enforcement Developments For HIPAA violations after 2/17/09, HITECH permits State Attorneys General (AGs) to bring civil actions on behalf of state residents to enjoin privacy/security violations or to obtain damages $100 per violation, maximum of $25,000 per year for identical violations Costs of suit and reasonable attorneys fees may be assessed against HIPAA violators and awarded to the state HHS held State AG training in spring 2011 on how to prosecute HIPAA violations 34

HITECH Enforcement Developments Secretary of HHS is required to perform periodic audits to ensure that CEs and their business associates are in compliance with HIPAA and HITECH requirements HHS paying KPMG $9.2 million to create audit program and up to 115 CEs and BAs compliance with HIPAA by end of 2012 HHS to establish regulations (by 2/17/12) that specify methodology under which an individual harmed by a HIPAA violation may receive a percentage of any monetary amount collected 35

HITECH Enforcement Examples OCR has issued eight Resolution Agreements and a huge CMP In Providence Resolution Agreement (July 2008), OCR imposed relatively small fine ($100,000) and no CMPs for loss of data of 386,000 patients on laptops and backup media In 2011 Resolution Agreements: Mass General Hospital: $1 million payment for paper records of 192 patients left on subway (no SSNs, Digital Living Networks (DLNs), or evidence that info ever was used improperly) University of California, Los Angeles (UCLA): $865,500 payment for repeated snooping in celebrity records where UCLA had neither policies prohibiting this conduct nor training on it 36

HITECH Enforcement Examples 2012 Resolution Agreements Blue Cross Blue Shield of Tennessee: Fine of $1.5 million for theft of fifty-seven hard drives containing PHI of over one million individuals, including SSNs Phoenix Cardiac Surgery: $100,000 for posting ephi of more than 1,000 on publicly-accessible, Internet-based calendar 37

HITECH Enforcement Examples Cignet Health CMP (February 2011) Fine of $4.351 million $3 million for failure to cooperate $1.3 million for failing to provide forty-one patients copies of their records A primer on how NOT to respond to OCR investigation Cignet ignored repeated government requests for information and discussion for over a year After receiving court order to produce records, Cignet produced thousands of original medical records of individuals unrelated to the investigation 38

Breach Enforcement Lessons OCR is enforcing, and penalties getting bigger State AGs will act and can obtain money Increasingly strict enforcement shows prevention, prompt identification, and correction of breaches is the best defense 39

Additional Resources Breach Notification for Unsecured Protected Health Information: Interim Final Rule 74 Fed. Reg. 42740 (Aug. 24, 2009) Available at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf For additional resources on conducting a breach notification risk assessment, please see the HITECH Breach Notification Evaluation at http://www.smithmoorelaw.com/files/publication/9e40dfb0-4a5c-4f43-a7d8- d1db82a76b2b/presentation/publicationattachment/88297303-93b3-46cb- 9c5a-d416768e0ced/Markus_HITBytesJan2010.pdf, along with AHIMA s Data Breach Investigation and Mitigation Checklist, available at http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_03624 5.pdf. For a more comprehensive breach notification risk assessment tool, see http://www.nchica.org/hipaaresources/samples/breachtool.doc. 40

Breach Notification and Enforcement 2012 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought from a declaration of the American Bar Association 41

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback