
Data breach notification

Annual Meeting, April 22, 2010 Hope Hammond, Chief Privacy Officer Clark County, Nevada. HIPAA’s New Rule. Data breach notification. Health Information Technology for Economic and Clinical Health Act (HITECH) enacted 2/17/09 included data breach notification legislation.


Presentation Transcript


  1. HIPAA’s New Rule: Data breach notification. Annual Meeting, April 22, 2010. Hope Hammond, Chief Privacy Officer, Clark County, Nevada.

  2. The data breach rule. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted 2/17/09, included data breach notification legislation. The U.S. Department of Health and Human Services issued an interim final rule on 8/24/09, adding a new part (Subpart D of 45 CFR Part 164) to the HIPAA regulations. Notification is required for breaches occurring on or after 9/23/09.

  3. What is a data breach? A breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.

  4. Data breach response requirements. Prepare to act fast. The rule requires analysis of several factors to determine whether the affected individuals must be notified. Notification must be made without unreasonable delay, and no later than 60 calendar days from the date of discovery.
     • Law enforcement may request a delay; such requests must be documented.
     • A breach is treated as discovered on the first day it is known to the covered entity (or would have been known by exercising reasonable diligence), not when the analysis is complete. The 60-day clock starts on that day.

  5. Data breach response requirements. Determine if the data was unsecured.
     • Data is considered unsecured when it can be read or used by unauthorized people.
     • Electronic data is considered secured if it is encrypted as specified in the guidance issued by the Secretary of HHS and the encryption keys are kept on a separate device from the data they encrypt or decrypt. Encrypted data whose key or passphrase is lost together with it (for example, stored on the same stolen laptop) does not meet this test.
     • Paper, film, or other hard-copy media are secured if they have been shredded or destroyed so that the PHI cannot be read or reconstructed.

  6. Data breach response requirements. Determine if the PHI was accessed or used in a way that violates the Privacy Rule’s permissible uses and disclosures. Then determine if the impermissible use or disclosure compromises the security or privacy of the PHI: is there a significant risk of financial, reputational, or other harm to the individual?

  7. Data breach response requirements. Document the risk assessment. Covered entities and business associates have the “burden of proof” in demonstrating that no breach notification was required. Determine if one of the three exceptions applies. A covered entity or business associate must document why a breach falls under one of the exceptions.

  8. Data breach response requirements. Exception 1 – The unintentional acquisition, access, or use of PHI by a workforce member or individual acting under the authority of a covered entity or business associate, if made in good faith and within the scope of authority, and it does not result in further use or disclosure not permitted by the Privacy Rule.
     • Example: An employee acting in good faith, and within the course and scope of their job, receives PHI intended for another employee, and there is no further use or disclosure of the PHI.

  9. Data breach response requirements. Exception 2 – The inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, as long as the recipient does not further use or disclose the information.
     • Example: An employee retrieves a report requested by a physician but retrieves another patient’s report. The physician recognizes the error and shreds the report.

  10. Data breach response requirements. Exception 3 – A disclosure of PHI to an unauthorized person where the covered entity or business associate has a good-faith belief that the recipient would not reasonably have been able to retain the information.
     • Example: A nurse mistakenly gives a patient discharge papers belonging to another patient, but quickly realizes the mistake and recovers the papers before the patient has a chance to read the information.

  11. Data breach notice requirements. Notices must be in writing by first-class mail to the affected individuals (or by email if the individual has agreed to electronic notice), or to the next of kin or personal representative if the individual is deceased and their address is on file.
     • Substitute notice must be provided when contact information is found to be insufficient or out of date.
     • For fewer than 10 such individuals, substitute notice may be by telephone, email, or other written notice.
     • For 10 or more such individuals, substitute notice must be either a conspicuous posting on the home page of the covered entity’s web site for 90 days, or a conspicuous notice in major print or broadcast media where the affected individuals likely reside, and in either case must include a toll-free phone number, active for 90 days, where individuals can learn whether their PHI was involved.

  12. Data breach notice requirements. Notices must contain:
     • A description of what happened, including the date of the breach and the date of discovery, if known.
     • A description of the types of unsecured PHI involved, such as name, Social Security number, birth date, home address, account number, diagnosis, etc.
     • Any steps individuals should take to protect themselves from potential harm, such as credit monitoring services or reviewing explanation of benefits statements.

  13. Data breach notice requirements. Notices must contain (continued):
     • A brief description of what is being done to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches.
     • Information about sanctions imposed on the workforce members involved in the breach.
     • Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free phone number, an email address, web site, or postal address.

  14. Data breach notice requirements. If 500 or more individuals are affected by the breach:
     • Notification to the Secretary of HHS is required contemporaneously with the notice to the individuals.
     • If more than 500 residents of a single State or jurisdiction are affected, notification to prominent media outlets serving that State or jurisdiction is also required.
     • HHS posts the submitted notices at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
     If fewer than 500 individuals are affected, the breach must be logged, and all such breaches reported to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered.

  15. How do breaches occur? A breach can result from carelessness or from an intentional act. Some examples are:
     • Failing to encrypt a message that is intercepted, or sending a message to the wrong person
     • A mis-dialed fax transmission
     • Giving the wrong paperwork to a person
     • Disposing of PHI in a trash can

  16. How do breaches occur? (continued)
     • Stolen or lost laptops that are not encrypted
     • Stolen or lost paperwork containing PHI
     • Hackers
     • Accessing or using PHI for personal reasons

  17. Breach Notification Scenarios (Journal of AHIMA, February 2010): Inadvertent disclosure of deceased patient information. General Hospital recently provided Mr. J. Smith with a copy of his complete medical record from his last visit. Accidentally contained within the copies was the history and physical report of Robert Lewis. Mr. Smith, who is dissatisfied with General Hospital, called the HIM department to report the misdirected history and physical, complaining that the mistake was just another example of the substandard practices at General Hospital. Mr. Smith refused to return the history and physical. He insisted he would call Mr. Lewis personally to inform him of the hospital’s incompetence. Further investigation revealed that Mr. Lewis is deceased. The hospital’s records do indicate the name and address of Mr. Lewis’s next of kin. In response to this breach the hospital should:
     a. Do nothing, because Mr. Lewis is deceased.
     b. Notify the hospital attorney. Secure a court order and seize the records from Mr. Smith.
     c. Notify Mr. Lewis’s next of kin. Notify the security incident response team. Contact Mr. Smith and formally ask that he return the history and physical to the hospital.
     d. Arrange for a face-to-face meeting with Mr. Smith to seek return of the history and physical.

  18. Inadvertent disclosure of deceased patient information. Answer: C. Notify Mr. Lewis’s next of kin. Notify the security incident response team. Contact Mr. Smith and formally ask that he return the history and physical to the hospital. §164.404(d)(1)(ii) of the interim final rule requires that if the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative, if the address is on file. (Breach Notification Scenarios, Journal of AHIMA, February 2010)

  19. Missing back-up tape. A hospital back-up tape containing unencrypted health information, names, and Social Security numbers of thousands of patients is lost or possibly stolen in delivery to off-site storage. The healthcare organization serves patients across a five-state area, with thousands of victims located in each of the states. In response to this security breach the organization should:
     a. Comply with the breach notification regulations of all five states. File a year-end report with the secretary of Health and Human Services.
     b. Comply with the breach notification regulations of the state in which the healthcare organization is incorporated. Follow federal breach notification regulations by notifying victims and the secretary of Health and Human Services. Do not notify the media.
     c. Comply with all applicable federal breach notification requirements only.
     d. Comply with the breach notification regulations of all five states. Comply with federal breach notification regulations by notifying the victims, the secretary of Health and Human Services, and major media in each state without unreasonable delay.
     (Breach Notification Scenarios, Journal of AHIMA, February 2010)

  20. Missing back-up tape. Answer: D. Comply with the breach notification regulations of all five states. Comply with federal breach notification regulations by notifying the victims, the secretary of Health and Human Services, and major media in each state without unreasonable delay. Because the breach poses a reasonable risk of harm, and because it involves more than 500 people in total, it requires notification of individuals (§164.404) and the HHS secretary (§164.408) without unreasonable delay. Because the breach involves more than 500 people in each state, §164.406 requires notification of major media in each state. Federal regulations do not preempt state laws, and entities thus must comply with state law as appropriate. Further, entities must comply with the laws of those states within which the breach victims reside. (Breach Notification Scenarios, Journal of AHIMA, February 2010)

  21. Misdirected e-mail within the network. A clinical laboratory staff member accidentally e-mails patient biopsy reports to the office of an urgent care center. The urgent care center is affiliated with the same healthcare network as the clinical laboratory. The employee of the urgent care center notifies the clinical laboratory supervisor of the misdirected e-mail. The supervisor instructs the employee to delete the e-mail, and the clinical laboratory receives a confirmation that the e-mail was deleted. In response to this misdirected e-mail, the organization should:
     a. Do nothing, because the e-mail has been deleted.
     b. Send a breach notification to every patient whose biopsy report was in the e-mail.
     c. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
     d. Inform both employees that they are under investigation. Suspend the employee responsible for sending the misdirected e-mail pending a further forensic investigation. Seize the computer of the employee receiving the misdirected e-mail and perform an audit for inappropriate activity.
     (Breach Notification Scenarios, Journal of AHIMA, February 2010)

  22. Misdirected e-mail within the network. Answer: C. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification. The misdirected e-mail was an unintentional access by a workforce member of the covered entity. It was made in good faith and within the scope of authority, and it did not result in further use or disclosure in a manner not permitted by the privacy rule. The clinical laboratory is responsible for documenting this determination, however. (Breach Notification Scenarios, Journal of AHIMA, February 2010)

  23. Patient names disclosed outside the network. A list of clinic patient names is accidentally sent to a physician’s office that is not affiliated with the clinic. The list does not include the name of the clinic, or any other identifying information about the patients. The doctor receiving the misdirected list mails it back to the clinic. No other use or disclosure was made of the list. In response to this incident the clinic should:
     a. Do nothing, because the list was returned.
     b. Send a breach notification to every patient on the list.
     c. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
     d. Because the physician’s office viewed the list of patient names, they would be required to issue breach notification letters to all individuals on the list.
     (Breach Notification Scenarios, Journal of AHIMA, February 2010)

  24. Patient names disclosed outside the network. Answer: C. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification. The names on the list are not linked to a healthcare provider, diagnosis, or treatment. Thus no privacy rule violation or security breach resulting in harm to the individuals has occurred. The clinic is responsible for documenting this determination, however. (Breach Notification Scenarios, Journal of AHIMA, February 2010)

  25. Data breach response plan. Review your incident response plan to include data breach response. Identify who needs to be notified when a data breach is reported, and when. Determine how notices will be handled: smaller incidents can be handled internally, but for larger ones there are now several companies offering notification services, along with other products (such as credit monitoring) that may be needed to mitigate harm to the affected individuals.

  26. Questions? Hope.Hammond@umcsn.com
