ARRA/HITECH Update HIPAA COW Webinar February 23, 2010 Welcome! Everyone please mute your phone at this time by pressing *6 This session is being recorded.



ARRA/HITECH Update: Compliance with BAA Requirements
HIPAA COW Webinar, February 23, 2010
Presented by: Cathy Boerner, JD, CHC

Session to Cover:
– Overview of HITECH Business Associate Agreement (BAA) Provisions
– Strategies for BAA Compliance
– Review of HIPAA COW BAA Documents

Disclaimer: The information provided in this presentation does not constitute legal advice and is intended to be used for guidance. If you require legal advice, please consult with an attorney.

Overview of HITECH Business Associate Agreement Provisions
– Feb. 17, 2009: President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA).
– Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH).
– HITECH Subtitle D, Part 1 – Improved Privacy Provisions and Security Provisions.

Overview of HITECH Business Associate Agreement Provisions
The Office for Civil Rights (OCR) is developing the regulations that HHS is issuing to implement provisions of the HITECH Act. It is important to keep up to date as the regulations come out in the Federal Register. Check the OCR “What’s New” website section at tml

Overview of HITECH Business Associate Agreement Provisions
– HIPAA Security Provisions – 13401(a)
– HIPAA Privacy Provisions – 13404(a)(b)
– Enforcement – 13401(b) & (c)
– Accounting of Disclosures – (c)(3)
– Notification of Breaches – 45 CFR

Overview of HITECH Business Associate Agreement Provisions
HITECH requires covered entities to incorporate new business associate provisions into business associate agreements. HITECH Sections 13401(a) & 13404(a) of the Act (42 U.S.C. § 17931). Effective February 17,

HITECH Provisions – HIPAA Security
“Sections , , , and of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.” HITECH Section 13401(a) of the Act (42 U.S.C. § 17931)

HITECH Provisions – HIPAA Security
“The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” HITECH Section 13401(a) of the Act (42 U.S.C. § 17931)

HITECH Provisions – HIPAA Security
– Administrative safeguards
– Physical safeguards
– Technical safeguards
– Policies and procedures and documentation requirements

HITECH Provisions – HIPAA Security
Current Business Associate Agreement language says: “Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.” 45 CFR

HITECH Provisions – HIPAA Security
For HITECH add: “…Business Associate shall document and keep these security measures current. Business Associate shall cooperate in good faith in response to any reasonable requests from Covered Entity to discuss, review, inspect, and/or audit Business Associate’s safeguards.”

HITECH Provisions – HIPAA Privacy
“Sections (e) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.” See HITECH Section 13404(a)(b) of the Act (42 U.S.C. § 17931)

HITECH Provisions – HIPAA Privacy
“The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” HITECH Section 13404(a)(b) of the Act (42 U.S.C. § 17931)

HITECH Provisions – HIPAA Privacy
(e) – Business Associate Contracts

HITECH Provisions – HIPAA Privacy
Current Business Associate Agreement language says: “Ensure that any agents, including a subcontractor, to whom it provides protected health information…received by the business associate, on behalf of the covered entity, agrees to the same restrictions and conditions that apply to the business associate with respect to such information;”

HITECH Provisions – HIPAA Privacy
For HITECH add: “Ensure that any agents, including a subcontractor, to whom it provides protected health information…received by the business associate, on behalf of the covered entity, agrees in writing to the same restrictions and conditions that apply to the business associate with respect to such information;”

HITECH Provisions – Civil and Criminal Penalties
In the case of a business associate that violates applicable provisions, civil and criminal penalties shall apply to the business associate with respect to such violation in the same manner as a covered entity that violates such provision. See HITECH Section 13401(b) of the Act (42 U.S.C. § 17931); see Section (c).

HITECH Provisions – Accounting of Disclosures (HIPAA Privacy)

HITECH Provisions – Accounting of Disclosures (HIPAA Privacy)
BAAs already state: “Make available the information required to provide an accounting of disclosures in accordance with § ” 45 CFR § (e)(2)(ii)(G); see HITECH Section 13405(c) of the Act (42 U.S.C. § 17931)

HITECH Provisions – Accounting of Disclosures
HITECH added (c)(1): If the covered entity uses an electronic health record, then:
– The accounting of disclosures shall include those to carry out treatment, payment and health care operations
– During only the three years prior to the date on which the accounting is requested.

HITECH Provisions – Accounting of Disclosures
HITECH added (c)(3): In response to a request from an individual for an accounting, a covered entity shall elect to provide either an—
“(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or

HITECH Provisions – Accounting of Disclosures, 13405(c)(3)
“(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and address).
A business associate included on a list under subparagraph (B) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.”

HITECH Provisions – Business Associates Breach Notification

HITECH Provisions – Notification of Covered Entity by Business Associate
A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. HITECH Section 13402(b) of the Act (42 U.S.C. § 17931); 45 CFR § (a)(1) – Notification by a business associate.

HITECH Provisions – Notification of Covered Entity by Business Associate
Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. See HITECH Section 13402(b) of the Act (42 U.S.C. § 17931)

HITECH Provisions – Notification of Covered Entity by Business Associate
Breaches treated as discovered: “A breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate.” 45 CFR (a)(2)

HITECH Provisions – Notification of Covered Entity by Business Associate
Breaches treated as discovered: “A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency).” 45 CFR (a)(2)

HITECH Provisions – Notification of Covered Entity by Business Associate
Timeliness of notification: “Except as provided in § [Law Enforcement Exception], a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” 45 CFR (b)

HITECH Provisions – Notification of Covered Entity by Business Associate
Content of notification: “The notification required shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.” 45 CFR (c)(1)

HITECH Provisions – Notification of Covered Entity by Business Associate
Content of notification: “A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under § (c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes.” 45 CFR (c)(2)

Review of HIPAA COW BAA Documents – Addendum
Current Business Associate Agreement language says:
– “Report to the covered entity any security incident of which it becomes aware;” 45 CFR 314(a)(2)(i)(C)
– “Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;” 45 CFR 504(e)(2)(ii)(C)
The HIPAA COW Sample BAA includes all three in the Reporting of an Incident/Breach, Unauthorized Disclosures or Misuse of PHI (occurrence) Section.

Strategies for BAA Compliance
– Update your Business Associate Agreements
– Send existing Business Associates new agreements or a letter informing them of the updates
– Emphasize your Breach Notification process with your Business Associates and consider providing a notification form
– Read the regulations when they are published

HIPAA COW Resources: Business Associate Agreement Template Including HITECH Act Requirements & Business Associate Notification Letter (Updated 1/12/2010)

Review of HIPAA COW BAA Documents – Sample Business Associate Notification Letter

Review of HIPAA COW BAA Documents – Addendum
– Definition Section (1): Breach; Electronic Health Record; Unsecured Protected Health Information
– Safeguarding of PHI Section (6 & Exhibit)
– Subcontractors and Agents (7)
– Reporting of an Incident/Breach, Unauthorized Disclosures or Misuse of PHI (occurrence) Section (11)
– Tracking of Accounting of Disclosures Section (14 D, E & F)

Contact Information Catherine Boerner, JD, CHC President (414)

Implementing Breach Notification – Lessons Learned
HIPAA COW Webinar, February 23, 2010
Presented by: Nancy Davis

Session to Cover:
– Overview of HITECH Breach Notification Provisions
– Strategies for Breach Notification Compliance
– Review of HIPAA COW Breach Notification Tools
– Case Examples

Disclaimer: The information provided in this presentation does not constitute legal advice and is intended to be used for guidance. If you require legal advice, please consult with an attorney.

HITECH Provisions
– Require Covered Entities to Notify Individuals of a Breach as Well as HHS “without reasonable delay” or within 60 days
– All Breaches (<500) to be Reported to Secretary of DHS on Annual Basis – Year End
– Further Notification Requirements if > 500 Individuals Involved (Media Outlets)
– Requirements for Business Associates to Notify Covered Entity of Breach

What is a Breach? “Unauthorized acquisition, access, use, or disclosure of unsecured patient protected health information (PHI) which compromises the privacy, security, or integrity of the PHI.”

Analysis of Breach
– Was the PHI Unsecured?
– Was the HIPAA Privacy Rule Violated?
– Does the breach pose a significant risk of financial, reputational, or other harm to the individual?
– If “Yes” to the Above, has the Risk been Mitigated?

Risk Assessment
To determine if an impermissible use or disclosure of PHI constitutes a breach, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual. The risk assessment shall be fact specific and shall address:
– Consideration of who impermissibly used the information or to whom it was impermissibly disclosed.
– The type and amount of PHI involved.
– The potential for significant risk of financial, reputational, or other harm.

Strategies for Breach Notification Compliance
– Have a Policy in Place
– Educate Staff on Policy
– Develop Relevant Forms/Databases: Incident Report; Breach Log; Letter Template

Breach Investigation Report
– Incident Report
– Build in Risk Assessment Questions
– Use to Supplement Log Information

Breach Log
Maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be collected/logged:
– A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known.
– A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.).
– A description of the action taken with regard to notification of patients regarding the breach.

Business Associate Responsibilities
The business associate (BA) of the organization shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify the organization of such breach. Notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. Business associate responsibility under ARRA/HITECH for breach notification should be included in the organization’s business associate agreement (BAA) with the associate.
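The discovery rule, the 60-calendar-day clock, the breach-log fields and the under/over-500 reporting tiers from the preceding slides, encoded as a small breach-log helper. This is an added example, not a HIPAA COW tool or code from either presenter; the sample records, their dates and counts, the "as of" date and the threshold comparison are constructed assumptions.

```python
"""Breach-log helper for the HITECH breach-notification provisions summarised above.

Constructed example. It encodes three things the slides state:
  * discovery: a breach is treated as discovered on the first day it is known, or by
    exercising reasonable diligence would have been known (the earlier of the two);
  * timeliness: notice without unreasonable delay and in no case later than
    60 calendar days after discovery;
  * tiers: breaches affecting fewer than 500 individuals go into the annual year-end
    report to the Secretary; larger breaches also require media notification.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

NOTIFICATION_WINDOW_DAYS = 60
# The slides say "> 500"; 45 CFR 164.408 words the large-breach tier as "500 or more",
# so the comparison below treats exactly 500 as the larger tier (assumption noted here).
LARGE_BREACH_THRESHOLD = 500


@dataclass
class BreachRecord:
    """One row of the breach log, carrying the fields the slides say to collect."""
    description: str
    breach_date: date
    known_date: date                         # first day someone other than the perpetrator knew
    should_have_known_date: Optional[date]   # first day reasonable diligence would have found it
    individuals_affected: Optional[int]      # None while the count is still unknown
    phi_types: List[str]                     # e.g. ["full name", "Social Security number"]
    reported_by_business_associate: bool = False
    notification_actions: List[str] = field(default_factory=list)

    def discovery_date(self) -> date:
        """Treated as discovered on the earlier of actual and constructive knowledge."""
        if self.should_have_known_date is None:
            return self.known_date
        return min(self.known_date, self.should_have_known_date)

    def notification_deadline(self) -> date:
        """Last permissible day for notice: 60 calendar days after discovery."""
        return self.discovery_date() + timedelta(days=NOTIFICATION_WINDOW_DAYS)

    def days_remaining(self, today: date) -> int:
        """Calendar days left before the deadline; negative once the notice is overdue."""
        return (self.notification_deadline() - today).days

    def notification_tier(self) -> str:
        """Which reporting obligations attach, given the current count of affected individuals."""
        if self.individuals_affected is None:
            return "notify individuals; tier pending until the count is known"
        if self.individuals_affected < LARGE_BREACH_THRESHOLD:
            return "notify individuals; report to Secretary in the annual year-end log"
        return "notify individuals; notify Secretary and media outlets"

    def missing_log_fields(self) -> List[str]:
        """Log fields required by the slides that are still empty on this record."""
        missing = []
        if not self.description.strip():
            missing.append("description")
        if not self.phi_types:
            missing.append("phi_types")
        if not self.notification_actions:
            missing.append("notification_actions")
        return missing


def overdue_records(log: List[BreachRecord], today: date) -> List[BreachRecord]:
    """Records whose 60-day window has closed with no notification action logged."""
    return [r for r in log if r.days_remaining(today) < 0 and not r.notification_actions]


def sample_log() -> List[BreachRecord]:
    """Constructed sample records (not real incidents) modelled on the slide case studies."""
    return [
        BreachRecord("Lab results faxed to a public utility instead of the provider",
                     date(2010, 2, 26), known_date=date(2010, 3, 10),
                     should_have_known_date=date(2010, 3, 1),   # fax confirmation showed wrong number
                     individuals_affected=1, phi_types=["full name", "lab results"],
                     notification_actions=["letter to patient sent 2010-03-12"]),
        BreachRecord("Stolen laptop holding downloaded files on 1,200 patients",
                     date(2010, 4, 5), known_date=date(2010, 4, 6), should_have_known_date=None,
                     individuals_affected=1200,
                     phi_types=["full name", "date of birth", "Social Security number"]),
        BreachRecord("Business associate reports misdirected billing file, count not yet known",
                     date(2010, 5, 1), known_date=date(2010, 5, 20),
                     should_have_known_date=date(2010, 5, 15), individuals_affected=None,
                     phi_types=[], reported_by_business_associate=True),
    ]


def sample_today() -> date:
    """Constructed 'as of' date used when reviewing the sample log."""
    return date(2010, 7, 1)


if __name__ == "__main__":
    for r in sample_log():
        print(r.description)
        print("  discovered:", r.discovery_date(), " deadline:", r.notification_deadline(),
              " tier:", r.notification_tier(), " missing:", r.missing_log_fields())
    print("overdue:", [r.description for r in overdue_records(sample_log(), sample_today())])
```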

HIPAA COW Resource: Breach Notification Policy – Protected Health Information Policy

Breach Notification Policy
– Background
– Definitions
– Attachments
– Policy Statements
– Applicable Federal and State Regulations

Attachments
– Examples of Breaches of Unsecured Protected Health Information
– Breach Penalties
– Sample Notification Letter to Patients
– Sample Notification Letter to Secretary of Health & Human Services
– Sample Media Notification Statement/Release
– Sample Talking Points
– Sample Breach Notification Log

Lessons Learned
– Workforce Awareness and Education: Change in “Stakes”; Snooping = Breach; Social Media
– Develop and Maintain a Breach Log that is Compatible with the CMS Reporting Site

Lessons Learned – Continued
– Risk Assessment – Harm?
– Role of Business Associate
– Letter Template – Requires Customization by Case

Lessons Learned – Continued
Over 500 – Know Resources:
– Legal Support
– Public Relations Support
– Insurance Coverage/Issues
– Forensic Analysts
– Credit Card Monitoring Services

Lessons Learned – Continued
– Increase in Reporting of Breaches
– Increase in Investigations
– Increase in Documentation Requirements
– Increase in Overall Workload!

Case Study #1: A hospital accidentally faxes lab results to another hospital. Is this a breach?

Answer – Case Study #1: Probably not. While a violation of the HIPAA Privacy Rule, the disclosure would probably not compromise the patient’s privacy or security and thus not cause harm, as the fax was received by another covered entity subject to HIPAA.

Case Study #2: A clinic accidentally faxes lab results to a public utility company instead of the provider they were intended for. Is this a breach?

Answer – Case Study #2: Yes. The HIPAA Privacy Rule was violated and the patient could suffer harm to his or her reputation based on the content of the fax.

Case Study #3: A provider’s laptop was stolen and it was determined that he had downloaded files on fifty patients to his hard drive. The laptop was recovered by law enforcement and a forensic analysis determined that the laptop was not opened, altered or accessed. Is this a breach?

Answer – Case Study #3: No. The HIPAA Privacy Rule was violated, but the PHI was not compromised. There was no significant risk of reputational or financial harm to the patient.

Case Study #4: The privacy officer is notified by the patient that his son received the EOB for his (the father’s) recent ED encounter. Both individuals have exactly the same name with no Jr. or Sr. suffix. Is this a breach?

Answer – Case Study #4: The HIPAA Privacy Rule was violated, but was there financial, reputational, or other harm to the individual? It depends – this will be based on how the patient expresses his concern.

Case Study #5: During the course of a random access audit, it is determined that one of the organization’s workforce members has accessed family member records, including:
– 10 y/o minor son
– 17 y/o minor daughter
– 42 y/o husband (required SSN to fill out open enrollment dental forms)
Is this a breach?

Answer – Case Study #5: Access to the minors’ records is not a HIPAA violation, but may be a violation of organizational policy (and may be further complicated by the care the 17 y/o was receiving). Access to the husband’s record is a violation of HIPAA, but was there harm?

Questions

Is it a reportable breach when the patient is the one who notifies the organization of the unauthorized disclosure and there is no further need for notification on the part of the organization (other than a letter of acknowledgement and apology)?

How do you best determine harm? Does the patient’s reaction to the unauthorized disclosure determine whether there was “harm”?

Rogue Employees – violate policies despite:
– Criminal background checks
– Orientation, training, education
– Signed confidentiality agreements
– Established sanctions/corrective action process
How does the organization protect itself?

Snooping – identified through auditing processes:
– How do you disclose the results to the patients?
– Do you include the name of the individual(s) found snooping?

With an inadvertent disclosure to the wrong recipient, how much assurance/proof do you need that something was discarded before it was opened, that copies have not been made, etc.? Submitted by S. Coyne

Should access audits automatically be run on the EMR when a celebrity is admitted as an inpatient? When a fellow employee is admitted as an inpatient? Submitted by S. Coyne

In a shared record environment, how much say should one entity have about how the employees of another entity are sanctioned for breach? Submitted by S. Coyne

It seems clear that one way to avoid the willful level of penalty is to evidence full compliance with all new HITECH parameters. What are people doing with regard to training – who should attend, what topics should be covered? Submitted by S. Coyne

If a laptop is stolen and the laptop has a log-in process where you'd have to know a password to even get at the icons/start menu, how far does that get you down the road to "secured"? (Probably not very far.) How far does that get you in terms of reduced risk of harm? Submitted by S. Coyne

How are people operationally implementing safeguards where a patient requests a restriction of PHI flowing to payers for services paid out of pocket, and ensuring that breaches (in the form of sending the information anyway) do not occur? If we sent the information anyway, presumably that would require notification? Submitted by S. Coyne

Contact Information: Nancy Davis, Director of Privacy/Security Officer, Ministry Health Care