We’ve Had A Breach – Now What? Garfunkel Wild, P.C. (www.garfunkelwild.com)

Presentation transcript:

Slide 1: We’ve Had A Breach – Now What?
Garfunkel Wild, P.C.
411 Hackensack Avenue, 6th Floor, Hackensack, New Jersey
Broadway, Albany, New York
Great Neck Road, Suite 600, Great Neck, New York
Bedford Street, Suite 406A, Stamford, Connecticut
Andrew E. Blustein, Esq.

Slide 2 (© 2015 Garfunkel Wild, P.C.): Breach Notification
- Under HITECH, a Covered Entity (“CE”) is required to NOTIFY patients of Breaches of unsecured protected health information.
- In addition, a CE must inform the Office of Civil Rights (“OCR”) of such Breaches either in an annual report or, if such Breaches involve more than 500 people, immediately in writing.
- Note: Breaches involving more than 500 people will be posted on the Department of Health and Human Services’ website.
- If such Breaches involve fewer than 500 people, CEs must inform OCR of them in an annual report.

Slide 3: Breach Definition
- A Breach is an unauthorized access, use or disclosure of unsecured PHI that compromises the unsecured PHI.
- An unauthorized access, use or disclosure of unsecured PHI is considered to be a Breach unless the Covered Entity can demonstrate, through a written risk assessment, that there was a low probability that the information was compromised.

Slide 4: Breach Notification
- When a potential Breach is identified, it must be investigated to determine the cause and extent of the breach.
- Consider opportunities to mitigate.

Slide 5: Breach Notification
- A CE must send written notification to affected individuals by first-class mail without unreasonable delay and in no case later than 60 calendar days after the Breach is discovered by the CE.
- A Breach is considered to be discovered when the incident becomes known (or should have become known with reasonable diligence), not when the CE concludes the investigation.

Slide 6: Content of Notice
The notice to the affected patients must include at least the following:
- A brief description of what happened (e.g., date of the breach, date of the discovery of the breach)
- A description of the types of unsecured PHI that were involved in the breach
- Any steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what the CE involved is doing to investigate the breach, to mitigate the harm and to protect against any further breaches
- Contact procedures for individuals to ask questions or learn additional information (i.e., a toll-free telephone number, which must remain active for at least 90 days)
Note: Also need to comply with applicable state laws.

Slide 7: HITECH Act Substitute Notice
If there is insufficient contact information for some of the affected individuals, or some notifications are returned undeliverable, the CE must provide substitute notice for the unreachable individuals (e.g., if greater than 10 individuals, conspicuous notice on the home page of the CE’s website for at least 90 days or conspicuous notice in prominent media outlets serving the State or jurisdiction where most of the affected individuals reside).

Slide 8: Breaches Involving 500 or More Individuals
If there is a breach involving more than 500 individuals, in addition to providing direct notification to the affected individuals, the CE must also post notification of the Breach on the home page of its website and, through a press release, inform prominent media outlets serving the State or jurisdiction where the affected individuals likely reside. Such notifications must include the same information required for the individual notice.
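The duties on slides 3 through 8 folded into one decision function, as an added example that is not part of the presentation: the day counts and head-count thresholds are the ones stated on the slides, while the constant names, the dataclass fields, the “500 or more” reading of the threshold (slide 8’s title) and the form of substitute notice for ten or fewer unreachable people are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Day counts and thresholds as stated on the slides.
INDIVIDUAL_NOTICE_DAYS = 60   # slide 5: no later than 60 calendar days after discovery
LARGE_BREACH_MIN = 500        # slide 8 title: "500 or more" (body says "more than 500"); assumption: >= 500
SUBSTITUTE_WEB_MIN = 10       # slide 7: web/media substitute notice when more than 10 are unreachable
SUBSTITUTE_NOTICE_DAYS = 90   # slide 7: home-page notice stays up at least 90 days
HOTLINE_MIN_DAYS = 90         # slide 6: toll-free number active for at least 90 days

@dataclass
class Incident:
    # Discovery is when the incident became known (or should have), not when the investigation ended (slide 5).
    discovered_on: date
    affected: int
    unreachable: int = 0                          # insufficient contact info or notice returned undeliverable
    low_probability_of_compromise: bool = False   # conclusion of the written risk assessment (slide 3)

@dataclass
class Obligations:
    individual_notice_deadline: Optional[date]   # None when the incident is not a Breach
    ocr_report: str                              # "none", "annual report" or "immediate written notice"
    website_and_media: bool                      # home-page posting plus press release (slide 8)
    substitute_notice: str
    hotline_days: int
    document_risk_assessment: bool               # slide 10: always document the assessment

def obligations(inc: Incident) -> Obligations:
    """Map the facts of an incident to the notification duties the slides describe."""
    if inc.affected < 0 or not 0 <= inc.unreachable <= inc.affected:
        raise ValueError("unreachable must lie between 0 and affected")
    if inc.low_probability_of_compromise:
        # Slides 3 and 10: not a Breach, but the CE carries the burden and must keep the written assessment.
        return Obligations(None, "none", False, "none", 0, True)
    deadline = inc.discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    large = inc.affected >= LARGE_BREACH_MIN
    if inc.unreachable == 0:
        substitute = "none"
    elif inc.unreachable > SUBSTITUTE_WEB_MIN:
        substitute = f"website or media notice for {SUBSTITUTE_NOTICE_DAYS} days"
    else:
        substitute = "alternative individual notice"  # assumption: slide 7 only spells out the >10 case
    return Obligations(deadline, "immediate written notice" if large else "annual report",
                       large, substitute, HOTLINE_MIN_DAYS, True)

def assess(discovered_iso: str, affected: int, unreachable: int = 0, low_probability: bool = False) -> Obligations:
    # Convenience wrapper taking an ISO date string, e.g. assess("2015-03-01", 1200, 25).
    return obligations(Incident(date.fromisoformat(discovered_iso), affected, unreachable, low_probability))
```

State-law duties (slide 6 note) are outside what this function models and must be checked separately.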

Slide 9: Mitigation
Consider opportunities to mitigate:
- Obtain written assurances that the person who received the information deleted it and didn’t share it
- Offer credit monitoring services
- Take appropriate disciplinary action against employees
- Retrain staff
- Modify processes and implement new safeguards to prevent future breaches (e.g., fax numbers on speed dial; encrypted CDs, laptops, and thumb drives)
- Conduct additional audits on employees

Slide 10: Risk Assessment
- If a CE determines that a Breach has not occurred, the CE must document a risk assessment.
- Risk assessments should be documented when a breach occurred as well (not required, but OCR may ask for this documentation).
- The burden of demonstrating that no notice is required for a given Breach is on the CE.