
Walking Through the Breach Notification Process - Beginning to End



Presentation Transcript


  1. Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011

  2. Panelists • Nancy Davis, Ministry Health Care • Beth Malchetske, ThedaCare • Peg Schmidt, Aurora Health Care • Teresa Smithrud, Mercy Health System

  3. Overview • This presentation and panel discussion will address operationalizing the breach notification process within the covered entity. • Expert panelists will share best practices and lessons learned in the last year with compliance to HITECH’s breach notification requirement.

  4. Objectives • Identify Breach Notification Resources for Developing an Internal Process and Response • Walk Through the Breach Notification Process from Beginning to End • Review Any New HITECH Impacts if Applicable • Panelist Discussion on Lessons Learned and Best Practices Developed • Audience Participation and Discussion

  5. Resources • HIPAA COW HITECH Breach Notification Policy • All Inclusive Guidance • American Health Information Management Association (AHIMA) • North Carolina Healthcare Information and Communication Alliance (NCHICA) • Google!

  6. Breach • Acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. For purposes of this definition, “compromises the security or privacy of the PHI” means poses a significant risk of financial, reputational, or other harm to the individual. • A use or disclosure of PHI that is limited to a limited data set (i.e., excludes the identifiers listed at §164.514(e)(2)) and that also excludes date of birth and zip code does not compromise the security or privacy of the PHI.

  7. Low-Risk HIPAA Violations – Exempt from Breach Notification • HITECH Guidance: Breach does not include: • Good faith, unintentional acquisition, access, or use of PHI by a workforce member of a CE, BA, or BA subcontractor, acting within the scope of authority • Inadvertent disclosure by an authorized person to another authorized person within the same entity or its business associate • Recipient could not reasonably have retained the data • Data is limited to a limited data set that does not include dates of birth or zip codes

  8. Investigation • Review the circumstances regarding the breach, conduct an investigation, complete a risk assessment, and determine necessary actions including involvement of enterprise, local, and legal counsel resources. • Coordinate communications with all involved in the investigation, including patients, licensing and accrediting organizations, state and federal governmental agencies, etc.

  9. Investigation - Continued • Author, gather, maintain, and retain all related Breach investigation documentation (to be maintained for a minimum of six years). • Recommend resolution and corrective action steps (sanctions) to mitigate potential harm. • Report results of the investigation to involved persons, entities, and agencies as recommended and/or required by law.

  10. Risk Assessment • Who impermissibly used or to whom was the information impermissibly disclosed? • The type and amount of PHI involved? • The potential for significant risk of financial, reputational, or other harm?

  11. Risk Assessment - Resource North Carolina Healthcare Information and Communication Alliance (NCHICA)* • HITECH Act Breach Notification Risk Assessment Tool • Flow Chart • Report Form • Score Card/Risk Score *Nationally recognized nonprofit consortium dedicated to “improving health and care in North Carolina by accelerating the adoption of information technology and enabling policies.”

  12. Patient Breach Notification Letter Content – The notice shall be written in plain language and must contain the following information: • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved)

  13. Letter - Continued • Any steps the individual should take to protect themselves from potential harm resulting from the breach • A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches • Contact procedures for individuals to ask questions or learn additional information

  14. Breach Notification < 500 • Office for Civil Rights • For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred (March 1, 2011 for calendar year 2010). • A separate form must be completed for every breach that has occurred during the calendar year.

  15. Breach Notification 500+ • Office for Civil Rights • If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically. • Media • Notice shall be provided to prominent media outlets serving the state or jurisdiction when the breach affects more than 500 residents of that state or jurisdiction.

  16. Panelist Portion

  17. Was Your Organization Ready for HITECH Breach Notification? How Did You Prepare? Policy Development Staff Training, Education, Awareness Business Associate Relationships

  18. What Was the Biggest Surprise in Implementing Breach Notification?

  19. What Was the Most Valuable Lesson Learned?

  20. What Best Practices Did You Develop?

  21. What Are Your Ongoing Concerns?

  22. Audience Participation

  23. Lessons Learned • Totally Underestimated Impact on Daily Job Responsibilities • 2008: 38 Internal Privacy Investigations • 2009: 98 Internal Privacy Investigations (48 Last Q) • 2010: 210 Internal Privacy Investigations • Initial Approach to Addressing “Harm” Was Probably Too Conservative • Partner with Collection Agency to Address Processes, Policies, Etc.

  24. Lessons Learned - Continued • Reach Out to Peers for Brain-Storming Best Practices • Be Open to New Directives/Interpretations • Contacting Patients to Determine “Harm” • Employee Breach Attestation

  25. Lessons Learned - Continued • Mitigation • Patient Requests • Organizational Offerings • Bookmark/Print Examples from Published Breaches • Notices • Press Releases • Website Communications • External Resources (Credit Card Agencies)
