UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE
2/25/14

RULES
 Issued August 19, 2009.
 Requires Covered Entities to notify individuals of a breach as well as HHS "without reasonable delay" or within 60 days.
 Further notification requirements of media and HHS if > 500 individuals.
 Requires Business Associates to notify Covered Entities of a breach.
Why?
 Prior to the HITECH Act, this Rule did not exist.
 HITECH removed the "harm" threshold and replaced it with a more objective standard.
 The Rule strengthened the privacy and security protections for health information established under HIPAA.

What?
 Notification is required to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured protected health information (PHI).
 It establishes a uniform requirement to inform individuals and HHS when a breach of unsecured protected health information occurs.
What is a Breach?
 Generally, it is an impermissible use or disclosure that compromises the security or privacy of PHI.
 An impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.

Responsibilities of the Covered Entity and Business Associate
Both must have:
 Documented policies and procedures regarding breach notification;
 A training and awareness program for the workforce staff;
 A security incident response, reporting and management system;
 A risk assessment system to determine probability of breach and breach notification; and
 A sanction policy for those who do not comply with the policies/procedures.
Breach Excludes
#1 Exception
The unintentional acquisition, access or use of PHI by a workforce member acting under the authority of the CE or BA, if the acquisition, access or use was made in good faith and within the scope of their authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule. This does not include snooping employees, as that would be intentional and not in good faith.

#2 Exception
The inadvertent disclosure of PHI from a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA.
 In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

#3 Exception
If the CE or BA has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
Examples of Exceptions
 A fax with PHI is misdirected to the wrong physician, and upon receipt, the receiving physician calls to say it was received in error and has been destroyed. A risk assessment may be able to determine a low risk that the information was compromised, and this would not constitute a breach.
 A lab report was mistakenly sent to the patient's brother, who has the same last name as the patient. Determining if this is a reportable breach will depend upon the relationship of the brother and patient, and whether the patient's brother actually viewed any of the patient's PHI.

Examples - Continued
 A letter was sent to the wrong address. The letter was returned unopened, as undeliverable. It can be concluded that the recipient at the improper address could not reasonably have retained the information.
 A nurse hands discharge papers to the wrong patient and immediately recognizes the error and retrieves them. This would not constitute a breach, as the person could not have retained the information.
Unsecured PHI
 Remember, notification is required if the breach involved unsecured PHI.
 Definition: PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology.
 Encryption and destruction are the technologies and methodologies that meet this definition.

Discovery of a Breach
A breach of unsecured PHI shall be treated as discovered by a CE:
 On the first day the breach is known to the CE;
 At the time a workforce member or other agent has knowledge of the breach;
 When, by exercising "reasonable diligence," it would have been known to the CE.

Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Breach Investigation
 The practice shall name an individual to act as the investigator (Privacy Officer, Security Officer, Risk Manager).
 The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, documentation and coordinating with others in the organization.
 The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, patient, media, law enforcement, etc.).

Risk Assessment
To determine if there is a low probability that the PHI has been compromised, a risk assessment needs to be performed. The assessment is to be fact specific and must address four factors:
 The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
 The unauthorized person who used the PHI or to whom the PHI was disclosed;
 Whether the PHI was actually acquired or viewed; and
 The extent to which the risk to the PHI has been mitigated.
Factor One: Nature and Extent of the PHI
Evaluate the types of identifiers and likelihood of re-identification of the PHI:
 Social security numbers, credit cards, financial data (risk of identity theft or financial fraud)
 Clinical data, diagnosis, treatment, medications
 Mental health, substance abuse, sexually transmitted diseases, pregnancy

Factor Two: Who Used the PHI and to Whom Was It Disclosed
Consider who the unauthorized person was who used the PHI and to whom the impermissible disclosure was made.
 Does the unauthorized person who received the information have obligations to protect its privacy and security?
 Does the unauthorized person who received the PHI have the ability to re-identify it?

Factor Three: Was the PHI Actually Acquired or Viewed
Determine if the PHI was actually acquired or viewed, or if only the opportunity existed for the information to be acquired or viewed.
E.g., a laptop was stolen and later recovered. IT analysis shows that the PHI was never accessed, viewed, acquired, transferred or compromised. The entity could determine the PHI was not actually acquired although the opportunity existed.

Factor Four: To What Extent Was the Risk to the PHI Mitigated?
Consider the extent to which the risk to the PHI has been mitigated.
E.g., obtain the recipient's satisfactory assurance that the information will not be further used or disclosed (a confidentiality agreement can be used, etc.) or will be destroyed (shredded).
Assessment Conclusion
 Evaluate the overall possibility that the PHI has been compromised.
 If your evaluation of the factors fails to demonstrate a low probability that the PHI has been compromised, breach notification is required.
 If the PHI was encrypted, no breach notification is required.

Timeliness of Notification
 Covered Entities must notify individuals of a breach without unreasonable delay, but in no case later than 60 calendar days from the discovery of the breach (not from when the investigation is complete).
 This allows the CE to take a reasonable amount of time to investigate the circumstances around the breach in order to collect and develop the information required to be included in the notice to the individual.

Delay of Notification
 If a law enforcement official determines that a notification, notice or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed.
 The law enforcement official must provide a written statement citing the reason for the delay and specifying the time for which a delay is required.
Content of Notice
The notice must be written in plain language and must contain the following information, to the extent possible:
 A brief description of what happened, including the date of the breach and the date of discovery, if known;
 A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, or other types of information were involved);

Content of Notice - Continued
 Any steps individuals should take to protect themselves from potential harm resulting from the breach;
 A brief description of what the CE involved is doing to investigate the breach, mitigate the harm to individuals, and protect against any further breaches; and
 Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site or postal address.

Content of Notification - Continued
The breach notice must be:
 Written in plain language and at an appropriate reading level, using clear language without extra material that would diminish the message.
 Written in a language the individual understands if he or she is not English proficient (e.g., Spanish).
 Written in accordance with the Disabilities Act of 1990 to ensure effective communication with disabled individuals, in such formats as Braille, large print or audio.
Methods of Notification
 Mail: First class to the individual's last known address.
 Minors/Incapacitated Individuals: Notice may be provided to the parents or personal representative of the individual.
 Deceased Individual: If the CE knows the individual is deceased, notification can be sent to the next of kin or personal representative. If the CE has no contact information or has out-of-date contact information for the next of kin/personal representative, the CE is not required to provide substitute notice.

Substitute Forms of Notice
These are substitute notices that are reasonably calculated to reach the individual:
 E-mail: must have the individual's consent to send.
 Telephone: if urgent notification is necessary due to the potential for "imminent misuse of unsecured PHI," or if the individual refuses to accept written notice.

Notification Using Media
 If there is insufficient contact information for 10 or more individuals, media notice may be used as a substitute form of notice.
 If the breach has affected > 500 individuals:
   Notification within 60 calendar days to the media.
   Notice must contain the same information as the individual notification.
   Must be in the geographic area where affected individuals likely reside.
   This is in addition to, not a substitute for, individual notice.
   Posting must be for 90 days.
Notification to HHS
 HHS breach notification site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
 Immediate notification if a breach affects > 500 individuals. Immediate means at the same time as the individual notification.
 < 500 individuals: No later than 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred. E.g., 2013 unsecured PHI breaches would have to be reported by March 1, 2014.
Breach Log
 The practice shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected.
 The following information should be logged:
   A description of what happened; date of breach; date of discovery; and # of individuals affected.
   A description of the type of PHI involved (such as name, SSN, DOB, address, etc.).
   A description of the action taken with regard to notification of patients.
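The breach log fields above, together with the notification timing rules from the Timeliness and Notification to HHS slides, can be captured in a small record that computes the deadlines for each entry. The following is an added illustration, not part of the original slide deck and not any regulator's or vendor's tool; the class and function names are assumptions, and the sample entries are constructed for the example. It applies the slides' rules: individual notice no later than 60 calendar days from discovery, media notice and "immediate" (same-time) HHS notice when more than 500 individuals are affected, and for smaller breaches an HHS deadline 60 days after the end of the calendar year of discovery.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and periods as stated on the slides.
INDIVIDUAL_NOTICE_DAYS = 60   # no later than 60 calendar days from discovery
LARGE_BREACH_THRESHOLD = 500  # "> 500 individuals" triggers media + immediate HHS notice
MEDIA_POSTING_DAYS = 90       # media posting must run for 90 days
ANNUAL_HHS_REPORT_DAYS = 60   # < 500: within 60 days after the end of the calendar year


@dataclass
class BreachLogEntry:
    """One row of the breach log: the fields the slides say should be recorded.
    (Hypothetical structure for this example.)"""
    description: str            # what happened
    breach_date: date           # date of breach
    discovery_date: date        # date of discovery (deadlines run from this date)
    individuals_affected: int   # number of individuals affected
    phi_types: list[str]        # e.g. name, SSN, DOB, address
    notification_actions: list[str] = field(default_factory=list)  # actions taken


def individual_notice_deadline(entry: BreachLogEntry) -> date:
    """Last day for individual notice: 60 calendar days from discovery."""
    return entry.discovery_date + timedelta(days=INDIVIDUAL_NOTICE_DAYS)


def requires_media_notice(entry: BreachLogEntry) -> bool:
    """Media notice is required only when more than 500 individuals are affected."""
    return entry.individuals_affected > LARGE_BREACH_THRESHOLD


def hhs_notice_deadline(entry: BreachLogEntry) -> date:
    """HHS deadline: same time as individual notice for > 500 individuals;
    otherwise 60 days after the end of the calendar year of discovery."""
    if entry.individuals_affected > LARGE_BREACH_THRESHOLD:
        return individual_notice_deadline(entry)
    year_end = date(entry.discovery_date.year, 12, 31)
    return year_end + timedelta(days=ANNUAL_HHS_REPORT_DAYS)


def notification_plan(entry: BreachLogEntry) -> dict:
    """Summarise the notification obligations for one log entry."""
    media = requires_media_notice(entry)
    return {
        "individual_notice_by": individual_notice_deadline(entry),
        "hhs_notice_by": hhs_notice_deadline(entry),
        "media_notice_required": media,
        "media_posting_days": MEDIA_POSTING_DAYS if media else 0,
    }


# Constructed sample entries (not real incidents).
SMALL_BREACH = BreachLogEntry(
    description="Lab reports mailed to wrong addresses",
    breach_date=date(2013, 11, 12),
    discovery_date=date(2013, 11, 15),
    individuals_affected=120,
    phi_types=["name", "address", "diagnosis"],
)

LARGE_BREACH = BreachLogEntry(
    description="Unencrypted laptop stolen from vehicle",
    breach_date=date(2014, 2, 7),
    discovery_date=date(2014, 2, 10),
    individuals_affected=1200,
    phi_types=["name", "SSN", "DOB"],
)

if __name__ == "__main__":
    for entry in (SMALL_BREACH, LARGE_BREACH):
        print(entry.description, notification_plan(entry))
```

Because the annual HHS deadline is computed as 60 days after December 31 rather than hard-coded to March 1, the function also gives the correct earlier date when the following February has 29 days.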
Business Associate Responsibilities
 The BA must notify the Covered Entity after the discovery of a breach.
 A breach is discovered on the day the BA, its employees, officers or agents knew or would have known of the breach by exercising reasonable diligence.
 Notice to the CE must be provided without unreasonable delay and in no case later than 60 days after the breach is discovered.
 Notification to the CE automatically triggers the CE's breach notification obligations.
 The CE may delegate obligations to the BA.

Burden of Proof
 After an impermissible use or disclosure of unsecured PHI, the CE and BA have the burden of demonstrating that all required notifications were made, or that the impermissible use or disclosure did not constitute a breach.
 The CE has to show, with a risk assessment, a low probability that the PHI was compromised. The focus of the assessment is not on the patient's harm, but on whether the information has been compromised.
 If it cannot be clearly determined that there is a low probability, it has to be treated as a breach.
Civil Monetary Penalties
 Prior to 2/18/09 – $100/violation with a maximum of $25,000 in a calendar year for the same violation.
 After 2/18/09 – the HITECH Act increased penalties up to $50,000/violation with a maximum of $1.5 million in a calendar year for the same violation.

Civil Monetary Penalties - Continued
Now a 4-tiered liability structure:
 Tier 1: The offender did not know: $100 - $50,000/violation
 Tier 2: Violation due to reasonable cause, not willful neglect: $1,000 - $50,000/violation
 Tier 3: Violation was due to willful neglect and corrected: $10,000 - $50,000/violation
 Tier 4: Violation was due to willful neglect and NOT corrected: $50,000/violation

Factors in Determining Penalty
 The nature and extent of the violation, including the # of individuals affected.
 The nature and extent of the harms to the individual(s): physical, financial, reputation, ability to continue their healthcare.
 History of prior compliance and previous violations.
 The financial condition of the CE or BA.
Other Penalties
 State Attorneys General may also pursue civil actions for a HIPAA breach.
 HIPAA establishes a criminal penalty of up to $50,000 and/or imprisonment for up to one year for any person who knowingly:
   Uses or causes to be used a unique health identifier;
   Obtains individually identifiable health information relating to an individual; or
   Discloses individually identifiable health information to another person.

Other Penalties - Continued
 If such offenses are committed under false pretenses, the penalty may be increased up to $100,000 and/or imprisonment up to 5 years.
 If the offense is committed with the intent of personal gain, the penalty is a fine up to $250,000 and/or imprisonment for up to 10 years.
 For criminal prosecution, the person charged had to have acted knowingly.
Further Information
 Arkansas Mutual Website – All Things HIPAA: Omnibus Rule: Breach Notification
   http://arkansasmutual.com/
 HHS website: Breach Notification Rule
   http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/