UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Rules
Issued August 19, 2009. Requires Covered Entities to notify affected individuals, as well as HHS, of a breach without unreasonable delay and in no case later than 60 days. Further notification requirements to the media and to HHS apply if more than 500 individuals are affected. Requires Business Associates to notify Covered Entities of a breach.

Why?
Prior to the HITECH Act, this Rule did not exist. HITECH removed the harm threshold and replaced it with a more objective standard. The Rule strengthened the privacy and security protections for health information established under HIPAA.

What?
Notification is required to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information (PHI). The Rule establishes a uniform requirement to inform individuals and HHS when a breach of unsecured PHI occurs.

What is a Breach?
Generally, it is an impermissible use or disclosure that compromises the security or privacy of PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.

Responsibilities of the Covered Entity and Business Associate
Both must have:
- Documented policies and procedures regarding breach notification;
- A training and awareness program for the workforce;
- A security incident response, reporting and management system;
- A risk assessment system to determine the probability of a breach and the need for breach notification; and
- A sanction policy for those who do not comply with the policies and procedures.

Breach Excludes (#1 Exception)
The unintentional acquisition, access or use of PHI by a workforce member acting under the authority of the CE or BA, if the acquisition, access or use was made in good faith and within the scope of their authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule. This does not cover snooping employees, as snooping is intentional and not in good faith.

#2 Exception
The inadvertent disclosure of PHI by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

#3 Exception
The CE or BA has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.

Examples of Exceptions
- A fax with PHI is misdirected to the wrong physician, and upon receipt the receiving physician calls to say it was received in error and has been destroyed. A risk assessment may be able to determine a low probability that the information was compromised, in which case this would not constitute a breach.
- A lab report was mistakenly sent to the patient's brother, who has the same last name as the patient. Determining whether this is a reportable breach will depend upon the relationship between the brother and the patient, and whether the brother actually viewed any of the patient's PHI.

Examples - Continued
- A letter was sent to the wrong address and was returned unopened as undeliverable. It can be concluded that the recipient at the incorrect address could not reasonably have retained the information.
- A nurse hands discharge papers to the wrong patient, immediately recognizes the error and retrieves them. This would not constitute a breach, as the person could not have retained the information.

Unsecured PHI
Remember, notification is required if the breach involved unsecured PHI. Definition: PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology. Encryption and destruction are the technologies and methodologies that meet this definition.

Discovery of a Breach
A breach of unsecured PHI shall be treated as discovered by a CE:
- On the first day the breach is known to the CE;
- At the time a workforce member or other agent of the CE has knowledge of the breach; or
- On the day the breach would have been known to the CE by exercising reasonable diligence.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

Breach Investigation
The practice shall name an individual to act as the investigator (Privacy Officer, Security Officer or Risk Manager). The investigator shall be responsible for managing the breach investigation, completing the risk assessment, documenting the findings and coordinating with others in the organization. The investigator shall be the key facilitator for all breach notification processes to the appropriate parties (HHS, patients, media, law enforcement, etc.).

Risk Assessment
To determine whether there is a low probability that the PHI has been compromised, a risk assessment needs to be performed. The assessment is to be fact specific and must address four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the PHI was disclosed;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.

Timeliness of Notification
Covered Entities must notify individuals of a breach without unreasonable delay, but in no case later than 60 calendar days from the discovery of the breach (not from when the investigation is complete). This allows the CE a reasonable amount of time to investigate the circumstances of the breach in order to collect and develop the information required in the notice to the individual.

Delay of Notification
If a law enforcement official determines that a notification, notice or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed. The law enforcement official must provide a written statement citing the reason for the delay and specifying the time for which the delay is required.

Content of Notice
The notice must be written in plain language and must contain the following information, to the extent possible:
- A brief description of what happened, including the date of the breach and the date of discovery, if known;
- A description of the types of unsecured PHI involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis or other types of information were involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the CE is doing to investigate the breach, mitigate the harm to individuals and protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, a Web site or a postal address.

Content of Notification - Continued
The breach notice must be:
- Written in plain language at an appropriate reading level, using clear wording without extra material that would diminish the message.
- Written in a language the individual understands if the individual is not proficient in English (e.g., Spanish).
- Written in accordance with the Disabilities Act of 1990 to ensure effective communication with disabled individuals, in formats such as Braille, large print or audio.

Methods of Notification
- Mail: first class to the individual's last known address.
- Minors/incapacitated individuals: notice may be provided to the parents or personal representative of the individual.
- Deceased individuals: if the CE knows the individual is deceased, notification can be sent to the next of kin or personal representative. If the CE has no contact information, or has out-of-date contact information, for the next of kin or personal representative, the CE is not required to provide substitute notice.

Substitute Forms of Notice
These are substitute notices that are reasonably calculated to reach the individual:
- E-mail: the individual's consent is required.
- Telephone: if urgent notification is necessary because of the potential for imminent misuse of unsecured PHI, or if the individual refuses to accept written notice.

Notification Using Media
- If contact information is insufficient for 10 or more individuals, use media as a substitute form of notice. The posting must remain for 90 days.
- If the breach has affected more than 500 individuals: notify the media within 60 calendar days. The notice must contain the same information as the individual notification and must be placed in the geographic area where the affected individuals likely reside. This is in addition to, not a substitute for, individual notice.

Notification to HHS
HHS breach notification site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
- Breaches affecting more than 500 individuals: immediate notification, meaning at the same time as the individual notification.
- Breaches affecting fewer than 500 individuals: no later than 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred. E.g., unsecured PHI breaches discovered in 2013 would have to be reported by March 1, 2014.

Breach Log
The practice shall maintain a process to record or log all breaches of unsecured PHI, regardless of the number of patients affected. The following information should be logged:
- A description of what happened, the date of the breach, the date of discovery and the number of individuals affected.
- A description of the type of PHI involved (such as name, SSN, DOB, address, etc.).
- A description of the action taken with regard to notification of patients.
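The timing rules on the preceding slides (individual notice within 60 calendar days of discovery; media notice and immediate HHS notice above 500 individuals, otherwise the annual HHS report due 60 days after the end of the discovery year; substitute notice at 10 or more unreachable individuals) and the breach-log fields just listed can be carried by a small record-and-deadline helper so that no clock is tracked by hand. The Python below is an added example written for this page, not code from the presentation or from Arkansas Mutual. The `BreachLogEntry` and `NotificationPlan` classes, their field names, and the treatment of a law-enforcement delay as a plain shift of every deadline are this example's assumptions; the two logged breaches are constructed sample records.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Clocks and thresholds as stated in the slides.
NOTICE_WINDOW_DAYS = 60           # "in no case later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500      # "> 500 individuals": media notice and immediate HHS notice
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10 or more unreachable individuals: substitute notice
SUBSTITUTE_POSTING_DAYS = 90      # how long a substitute posting must remain up


@dataclass
class BreachLogEntry:
    """One breach-log record; fields follow the 'Breach Log' slide, names are this example's."""
    description: str
    breach_date: Optional[date]          # None when the date of the breach is unknown
    discovery_date: date                 # first day known, or would have been known with reasonable diligence
    individuals_affected: int
    phi_types: List[str]                 # e.g. ["name", "SSN", "DOB"]
    unreachable_individuals: int = 0     # individuals with insufficient or out-of-date contact information
    law_enforcement_delay_days: int = 0  # hypothetical: days stated in a written law-enforcement delay request
    notification_actions: List[str] = field(default_factory=list)


@dataclass
class NotificationPlan:
    individual_notice_due: date
    media_notice_due: Optional[date]     # None when media notice is not required
    hhs_notice_due: date
    hhs_reporting_mode: str              # "immediate" (with individual notice) or "annual-log"
    substitute_notice_required: bool
    substitute_posting_days: int


def plan_notifications(entry: BreachLogEntry) -> NotificationPlan:
    """Derive every notification deadline for a logged breach from the slides' rules.

    Simplification (this example's assumption): a law-enforcement delay shifts every
    deadline by the number of days stated in the written request.
    """
    delay = timedelta(days=entry.law_enforcement_delay_days)
    window = timedelta(days=NOTICE_WINDOW_DAYS)

    # Individuals: without unreasonable delay, no later than 60 calendar days from discovery.
    individual_due = entry.discovery_date + window + delay

    if entry.individuals_affected > LARGE_BREACH_THRESHOLD:
        # > 500: HHS is notified at the same time as individuals; media within the same window.
        hhs_due, mode = individual_due, "immediate"
        media_due: Optional[date] = individual_due
    else:
        # < 500: report to HHS within 60 days after the end of the calendar year of discovery
        # (not the year the breach occurred). Plain date arithmetic gives March 1 after a
        # non-leap year and February 29 after a leap year.
        year_end = date(entry.discovery_date.year, 12, 31)
        hhs_due, mode = year_end + window + delay, "annual-log"
        media_due = None

    substitute = entry.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD
    return NotificationPlan(
        individual_notice_due=individual_due,
        media_notice_due=media_due,
        hhs_notice_due=hhs_due,
        hhs_reporting_mode=mode,
        substitute_notice_required=substitute,
        substitute_posting_days=SUBSTITUTE_POSTING_DAYS if substitute else 0,
    )


def overdue_notices(plan: NotificationPlan, as_of: date) -> List[str]:
    """Names of the notices whose deadline has already passed as of the given date."""
    deadlines = [
        ("individual notice", plan.individual_notice_due),
        ("media notice", plan.media_notice_due),
        ("HHS notice", plan.hhs_notice_due),
    ]
    return [name for name, due in deadlines if due is not None and due < as_of]


# Constructed sample records (not real incidents).
SMALL_BREACH = BreachLogEntry(
    description="Lab report mailed to a non-patient with the same last name",
    breach_date=date(2013, 6, 3),
    discovery_date=date(2013, 6, 10),
    individuals_affected=1,
    phi_types=["name", "diagnosis"],
)
LARGE_BREACH = BreachLogEntry(
    description="Unencrypted backup drive containing a patient roster reported lost",
    breach_date=None,
    discovery_date=date(2015, 11, 15),
    individuals_affected=1200,
    phi_types=["name", "DOB", "SSN", "address"],
    unreachable_individuals=40,
)

if __name__ == "__main__":
    for entry in (SMALL_BREACH, LARGE_BREACH):
        plan = plan_notifications(entry)
        print(entry.description)
        print("  individuals:", plan.individual_notice_due, "| HHS:", plan.hhs_notice_due,
              f"({plan.hhs_reporting_mode}) | media:", plan.media_notice_due,
              "| substitute notice:", plan.substitute_notice_required)
```

The small sample reproduces the slide's own worked case: discovered in 2013, fewer than 500 individuals, so the HHS report is due March 1, 2014, while the individual notice clock still runs from the discovery date and ends August 9, 2013. The large sample shows all three clocks collapsing onto one date. Recording the plan alongside each log entry, and checking `overdue_notices` on a schedule, is what turns the log from a record into a control.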

Business Associate Responsibilities
The BA must notify the Covered Entity after the discovery of a breach. A breach is discovered on the day the BA, or any employee, officer or agent of the BA, knew or would have known of the breach by exercising reasonable diligence. Notice to the CE must be provided without unreasonable delay and in no case later than 60 days after discovery. Notification to the CE automatically triggers the CE's breach notification obligations. The CE may delegate those obligations to the BA.

Burden of Proof
After an impermissible use or disclosure of unsecured PHI, the CE and BA have the burden of demonstrating that all required notifications were made, or that the impermissible use or disclosure did not constitute a breach. The CE has to show, with a risk assessment, a low probability that the PHI was compromised. The focus of the assessment is not on harm to the patient, but on whether the information has been compromised. If a low probability cannot be clearly determined, the incident has to be treated as a breach.

Civil Monetary Penalties
- Prior to 2/18/09: $100 per violation, with a maximum of $25,000 in a calendar year for the same violation.
- After 2/18/09: the HITECH Act increased penalties up to $50,000 per violation, with a maximum of $1.5 million in a calendar year for the same violation.

Civil Monetary Penalties - Continued
Now a four-tiered liability structure:
- Tier 1: The offender did not know: $100 - $50,000 per violation.
- Tier 2: Violation due to reasonable cause, not willful neglect: $1,000 - $50,000 per violation.
- Tier 3: Violation due to willful neglect and corrected: $10,000 - $50,000 per violation.
- Tier 4: Violation due to willful neglect and NOT corrected: $50,000 per violation.

Factors in Determining Penalty
- The nature and extent of the violation, including the number of individuals affected.
- The nature and extent of the harm to the individual(s): physical, financial, reputational, or to their ability to continue their healthcare.
- History of prior compliance and previous violations.
- The financial condition of the CE or BA.

Other Penalties
State Attorneys General may also pursue civil actions for a HIPAA breach. HIPAA establishes a criminal penalty of up to $50,000 and/or imprisonment for up to one year for any person who knowingly:
- Uses or causes to be used a unique health identifier;
- Obtains individually identifiable health information relating to an individual; or
- Discloses individually identifiable health information to another person.
If such offenses are committed under false pretenses, the penalty may be increased up to $100,000 and/or imprisonment for up to 5 years. If the offense is committed with the intent of personal gain, the penalty is a fine of up to $250,000 and/or imprisonment for up to 10 years. For criminal prosecution, the person charged had to have acted knowingly.

Further Information
- Arkansas Mutual website: http://arkansasmutual.com/
- HIPAA Survival Guide: Omnibus Rule: Breach Notification
- HHS website, Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
- Contact: Rebecca.Tutton@arkansasmutual.com