Investigating Privacy Breaches under HITECH and HIPAA


Barry Herrin, Smith Moore Leatherwood LLP, 1180 W. Peachtree St. NW, Suite 2300, Atlanta, Georgia 30309, T (404) 962-1027, F (404) 962-1200

Presented by: Allyson Jones Labban, Smith Moore Leatherwood LLP, 300 N. Greene Street, Suite 1400, Greensboro, North Carolina 17401, T (336) 378-5261, F (336) 378-5400

What is HITECH?
- Health Information Technology for Economic and Clinical Health Act
- Enacted as part of the American Recovery and Reinvestment Act of 2009 ("Stimulus Bill"), P.L. 111-5

What is HITECH?
Two primary components:
- Encourages implementation of health information technology and the transition from paper records to EHR
- Amends HIPAA to impose significant new duties on covered entities and business associates to notify patients, the Federal Government, and the media of breaches of unsecured PHI

What is HITECH?
- Notification requirement went into effect on September 23, 2009
- Enforcement begins on February 17, 2010
- Recent Ponemon Institute survey of 77 health care organizations revealed that 94% will not be ready to comply with HITECH by February 2010.

Definitions
"Unsecured PHI": PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by the Secretary of the Federal Department of Health and Human Services (HHS)
- Approved technologies/destruction methods are listed at 74 Fed. Reg. 42742

Definitions
"Breach": The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA privacy rule (45 C.F.R. 164.500, et seq.) that compromises the security or privacy of the PHI

Definitions
"Significant Risk of Harm": Fact-based inquiry that focuses on financial, reputational, or other harm that may result to the patient as a result of the use or disclosure.

To Be or Not to Be... A Breach
- Should not assume every use/disclosure is a breach
- A use/disclosure is not a breach:
  - When the PHI is properly encrypted/destroyed
  - When the use/disclosure is permitted under HIPAA
  - When a HITECH exception applies
  - When the privacy or security of the data is not compromised

Step 1: Is the information unsecured PHI?

Step 1: Unsecured PHI
PHI is secured when it is:
- Encrypted (for approved encryption methods, see 74 Fed. Reg. 42742, a list of National Institute of Standards and Technology publications, available at http://www.csrc.nist.gov)
- Destroyed (shredded, burned, purged, cut; the proper destruction method depends on the medium)

Step 1: Unsecured PHI
Also not a breach if the information is:
- Individually identifiable health information held by a covered entity or business associate in its capacity as an employer
- De-identified in accordance with HIPAA guidelines

Step 1: Unsecured PHI
Also not a breach if the PHI:
- Is de-identified pursuant to 45 C.F.R. 164.514(e)(2); and
- Does not include the patient's zip code; and
- Does not include the patient's date of birth.

Step 2: Is the acquisition, access, use or disclosure permitted under HIPAA?

Step 2: Permissible Use/Disclosure (HIPAA)
- A breach is an impermissible use or disclosure; if HIPAA permits or requires the use/disclosure, it is not a breach
- If the use/disclosure is not permitted under HIPAA, one must still ask: Does the use/disclosure compromise the security or privacy of the PHI?
- Not every impermissible disclosure = breach, but it may be a violation of the privacy rule!

Step 3: Does the acquisition, access, use or disclosure fit within one of the exceptions to HITECH?

Step 3: HITECH Exceptions
- HITECH contains three narrowly construed exceptions
- If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if the information was unsecured PHI and the disclosure is not permitted under HIPAA
- This is a departure from the order set forth in the regulation

Step 3: HITECH Exceptions
Exception 1: Unintentional access to, or acquisition or use of, PHI:
- By a workforce member for the covered entity or BA
- Acting in good faith
- Within the course and scope of duties
- If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

Step 3: HITECH Exceptions
Example: A billing employee receives and opens an e-mail containing a patient's PHI that was mistakenly sent to her. The billing employee notifies the sender of the error, and then deletes the e-mail without further using or disclosing the information. Exception applies: no breach.

Step 3: HITECH Exceptions
Example: A receptionist, who is not authorized to access PHI, decides to browse through patient files to find out information about a friend's treatment. Exception does not apply: breach.

Step 3: HITECH Exceptions
Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and whose cases she has not been asked to consult on. Exception does not apply: breach.

Step 3: HITECH Exceptions
Exception 2: Inadvertent disclosure of PHI:
- From one workforce member at the covered entity or BA to another at the same covered entity or BA
- Where both workforce members are authorized to access the information
- If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

Step 3: HITECH Exceptions
Example: Inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information. Exception applies: no breach.

Step 3: HITECH Exceptions
Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities. Exception does not apply: breach.

Step 3: HITECH Exceptions
Exception 3: Unauthorized disclosure of PHI to an unauthorized person:
- Where there is a reasonable good faith belief
- That the unauthorized recipient would not reasonably have been able to retain the information

Step 3: HITECH Exceptions
Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information. Exception applies: no breach.

Step 3: HITECH Exceptions
Example: The billing office, due to a lack of reasonable safeguards, sends a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked undeliverable. Exception applies: no breach. The other statements that were sent to the wrong addresses, however, are not returned. Exception does not apply: breach.

Step 4: Does the disclosure result in a significant risk of harm to the patient?

Step 4: Risk Assessment
- Must determine whether the patient is at significant risk of financial, reputational, or other harm as a result of the use or disclosure
- Involves a fact-specific weighing of various factors

Step 4: Risk Assessment
Who impermissibly used the information / to whom was the information impermissibly disclosed?
- Disclosure to another entity subject to HIPAA: likely small risk of harm
- Disclosure to a member of the general public: likely high risk of harm

Step 4: Risk Assessment
What steps were taken to mitigate the impermissible use or disclosure?
- Obtaining the recipient's satisfactory assurance that the information will be destroyed and not used: likely small risk of harm
- Information is returned before it is accessed (e.g., laptop analysis reveals no access): likely small risk of harm

Step 4: Risk Assessment
What information was the subject of the impermissible use or disclosure?
- Information concerning STDs and abuse: deemed to be a significant risk of reputational harm
- Information concerning the fact of treatment: depends on the nature of treatment ("General Hospital": likely small risk of harm; "Communicable Disease Clinic": likely high risk of harm)
- Information that is vulnerable to identity theft (social security number, etc.): likely high risk of harm

If a significant risk of harm to the patient exists, the breach notification requirements must be followed

Breach Notification
Breaches Involving Fewer than 500 Individuals: Notice must be provided:
- To the individuals whose information was breached
- To the Secretary of HHS using the online form at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

Breach Notification
Breaches Involving More than 500 Individuals: Notice must be provided:
- To the individuals whose information was breached
- To the Secretary of HHS using the online form at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
- To the local media

Breach Notification
- Business associates now have an affirmative duty to notify the covered entity of a breach
- Business associate agreements, as well as agreements with subcontractors, should be revised to explicitly memorialize this duty to report

Breach Notification
Notifications to individuals must be written in plain language and include:
- A brief description of the incident (date of breach and date of discovery, if known)
- A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice
- Steps the individual should take to protect himself or herself from potential harm resulting from the breach
- A brief description of the steps being taken to investigate, mitigate, and prevent future breaches
- Contact procedures by which the individual can contact the covered entity about the breach (toll-free number, e-mail, web site)

Breach Notification
Notifications to the media must be written in plain language and include:
- A brief description of the incident (date of breach and date of discovery, if known)
- A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of the steps being taken to investigate, mitigate, and prevent future breaches
- Contact procedures by which individuals can contact the covered entity about the breach (toll-free number, e-mail, web site)

Breach Notification
- Notification to individuals must be sent via first-class mail or, if the person agreed to electronic notice, by e-mail
- Where the individual is deceased, notice should be sent to the next-of-kin

Breach Notification
Substitute notice may be provided if there is no valid contact information:
- Fewer than 10 individuals: By telephone, an alternate form of written notice, or other means
- More than 10 individuals: By conspicuous notice on the entity's web site or in local print or broadcast media; must include a toll-free information number valid for at least 90 days

Breach Notification
- Deadlines for notice key off the date the breach was discovered
- A breach is discovered as of the first day on which the entity knew, or should have known through the exercise of reasonable diligence, that a breach occurred.

Breach Notification
- Notice to Individuals: Without unreasonable delay, and no later than 60 calendar days after discovery of the breach
- Notice to the Media: Without unreasonable delay, and no later than 60 calendar days after discovery of a breach involving 500 or more individuals

Breach Notification
Notice to the Secretary:
- Fewer than 500 individuals: Covered entity must maintain a log and submit the log within 60 calendar days after the end of the calendar year
- More than 500 individuals: Notice must be provided contemporaneously with that provided to the individuals
- Reporting is to be done electronically

Breach Notification
Notice by a Business Associate: A business associate must provide notice to the covered entity without unreasonable delay, and no later than 60 calendar days after discovery of the breach

Breach Notification
- HITECH permits covered entities and business associates to delay notification if law enforcement states that notification would impede a criminal investigation or damage national security
- The length of the delay depends on the manner in which law enforcement requests the delay

Breach Notification
- If the law enforcement statement is in writing and specifies the time for which delay is required, follow the written notification
- If the statement is made orally, document the statement and the identity of the law enforcement official, then delay no more than 30 days from the date of the oral statement, unless a subsequent written statement is provided
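The four-step breach analysis (Steps 1-4 above) and the notification deadlines in the Breach Notification slides can be encoded as an incident-response triage helper. This is an added example, not part of the presentation; the incident facts are constructed, and treating a law-enforcement request as extending the 60-day outer limit is this example's own assumption.

```python
"""Breach triage helper for the four-step HITECH analysis and the notification
deadlines summarised in the slides. Added example, not part of the presentation;
incident facts are constructed and the law-enforcement-delay handling is assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Incident:
    secured: bool                    # Step 1: encrypted per HHS guidance or properly destroyed
    permitted_under_hipaa: bool      # Step 2: Privacy Rule permits or requires the use/disclosure
    hitech_exception: Optional[int]  # Step 3: 1, 2 or 3 if an exception applies, else None
    significant_risk_of_harm: bool   # Step 4: outcome of the fact-specific risk assessment
    individuals_affected: int
    discovered: date                 # first day the entity knew or should have known
    le_written_delay_until: Optional[date] = None  # written law-enforcement request
    le_oral_statement: Optional[date] = None       # documented oral law-enforcement request

def is_breach(inc: Incident) -> tuple[bool, str]:
    """Walk Steps 1-4 in slide order and stop at the first step that resolves it."""
    if inc.secured:
        return False, "Step 1: PHI was secured (encrypted or destroyed)"
    if inc.permitted_under_hipaa:
        return False, "Step 2: use/disclosure permitted under HIPAA"
    if inc.hitech_exception in (1, 2, 3):
        return False, f"Step 3: HITECH exception {inc.hitech_exception} applies"
    if not inc.significant_risk_of_harm:
        # Not a HITECH breach, but still an impermissible disclosure under the Privacy Rule.
        return False, "Step 4: no significant risk of harm (privacy rule violation only)"
    return True, "Step 4: significant risk of harm, reportable breach"

def notification_plan(inc: Incident) -> dict:
    """Who must be notified and by when, once the incident is a breach."""
    breach, reason = is_breach(inc)
    plan = {"breach": breach, "reason": reason}
    if not breach:
        return plan
    deadline = inc.discovered + timedelta(days=60)   # outer limit; notify without unreasonable delay
    if inc.le_written_delay_until is not None:       # a written statement governs the delay
        deadline = max(deadline, inc.le_written_delay_until)
    elif inc.le_oral_statement is not None:          # an oral statement buys at most 30 days
        deadline = max(deadline, inc.le_oral_statement + timedelta(days=30))
    large = inc.individuals_affected >= 500          # threshold per the "Notice to the Media" slide
    plan["individuals_by"] = deadline
    plan["media_by"] = deadline if large else None
    if large:
        plan["hhs"] = "contemporaneously with individual notice, electronically"
    else:  # log it; the log is due 60 calendar days after the end of the calendar year
        plan["hhs"] = f"annual log due {date(inc.discovered.year, 12, 31) + timedelta(days=60)}"
    return plan

def substitute_notice(unreachable: int) -> str:
    """Substitute notice when contact information is missing or invalid."""
    if unreachable == 0:
        return "none required"
    if unreachable < 10:
        return "telephone, alternate written notice, or other means"
    return "conspicuous notice on web site or in local media, toll-free number valid >= 90 days"

def triage(individuals_affected: int, discovered: str, **facts) -> dict:
    """Entry point taking ISO-8601 date strings; returns the plan with ISO-formatted dates."""
    def iso(s): return date.fromisoformat(s) if s else None
    inc = Incident(facts.get("secured", False), facts.get("permitted_under_hipaa", False),
                   facts.get("hitech_exception"), facts.get("significant_risk_of_harm", True),
                   individuals_affected, iso(discovered),
                   iso(facts.get("le_written_delay_until")), iso(facts.get("le_oral_statement")))
    return {k: (v.isoformat() if isinstance(v, date) else v) for k, v in notification_plan(inc).items()}

if __name__ == "__main__":
    # Constructed case: unencrypted statements mailed to the wrong addresses and never returned.
    print(triage(620, "2010-03-01", le_oral_statement="2010-04-20"))
```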

Breach Penalties
- Four new penalty tiers have been implemented, effective November 30, 2009
- For violations occurring on or after February 18, 2010:
  - CMPs ranging from $100 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the entity did not and, by exercising reasonable diligence, would not have known that a violation occurred;

Breach Penalties
  - CMPs ranging from $1,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to reasonable cause and not willful neglect (reasonable cause = "circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply");

Breach Penalties
  - CMPs ranging from $10,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was corrected during the 30-day period following the date the covered entity knew or should have known the violation occurred;

Breach Penalties
  - CMPs of at least $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was not corrected during the 30-day period following the date the covered entity knew or should have known the violation occurred

Breach Penalties
Penalties may be avoided if the entity can demonstrate that:
- The violation is the result of a knowing, criminal act by an individual that is punishable under 42 U.S.C. 1320d-6; or
- The violation is not due to willful neglect and was corrected within the 30 days following discovery or such additional period as the Secretary deems appropriate

Breach Penalties
The Secretary may waive an imposed CMP if the CMP would be excessive and the violation was due to reasonable cause, even where the violation was not corrected during the 30-day period following discovery or other period deemed appropriate by the Secretary.

Action Steps
- Revise policies and procedures to reflect HITECH investigation and notification requirements
- Assemble a privacy investigation team
- Train staff members on the new breach requirements
- Scrutinize policies regarding the use of e-mail, laptops, and handheld devices to transmit or store PHI

Action Steps
- Work closely with IT staff to evaluate the feasibility of encryption technologies
- Evaluate current IT systems for the ability to track disclosures of e-PHI
- Implement amended business associate agreements and subcontractor agreements
- Consult with insurance advisors regarding enhancing risk protections (increased coverage and limits for losses and defense costs)

Action Steps
- Evaluate and strengthen existing audit procedures
- Determine the need for third-party assistance (attorneys, IT specialists, consultants)

Action Steps
- Keep an eye out for additional HITECH rule updates and implementation specifications
  - www.healthcarelawnote.com
  - www.legalhimformation.com

HIPAA/HITECH Team
- Atlanta: Barry Herrin, (404) 962-1027, barry.herrin@smithmoorelaw.com
- Greensboro: Maureen Demarest Murray, (336) 378-5258, maureen.murray@smithmoorelaw.com; Allyson Jones Labban, (336) 378-5261, allyson.labban@smithmoorelaw.com
- Raleigh: Trish Markus, (919) 755-8850, trish.markus@smithmoorelaw.com

QUESTIONS?