HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014.

Slides:



Advertisements
Similar presentations
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
Advertisements

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA Training: Health Insurance Portability and Accountability Act.
1 The Health Insurance Portability and Accountability Act (HIPAA) A guided tutorial for GVSU employees.
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Basics November 1, 2014.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA Privacy Rule Training
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
Joe Dylewski, Managing Director Health Care Management Ph Tatiana Melnik, Attorney Melnik Legal PLLC Ph
HIPAA Regulations What do you need to know?.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Health information security & compliance
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
HIPAA Health Insurance Portability & Accountability Act of 1996.
Columbia University Medical Center Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy & Information Security Training 2009.
1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy.
From HIPAA to HITECH OMH Briefing.
Health Information Technology for Economic and Clinical Health Act (HITECH)
HIPAA PRIVACY AND SECURITY AWARENESS.
Office of the Secretary Office for Civil Rights (OCR) Indian Health Service HIPAA Training Hosted by the Aberdeen Area Office July 24, 2012.
Health Insurance Portability and Accountability Act (HIPAA)
LAW SEMINARS INTERNATIONAL CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s.
PRIVACY AND HIPAA THE RIGHT THING TO DO. WHAT’S WRONG WITH THIS PICTURE? ? “ Did you hear that Jane from the 5 th floor is in the hospital?” “No!! Let’s.
Compliance Education Tulane University ( For Staff assigned to TUMG HIPAA Clinics ONLY )
HIPAA Training Developed for Ridgeview Institute 2012 Hospital Wide Orientation.
HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
Understanding HIPAA (Health Insurandce Portability and Accountability Act)
HealthBridge is one of the nation’s largest and most successful health information exchange organizations. Tri-State REC: Privacy and Security Issues for.
HITECH and HIPAA Presented by Rhonda Anderson, RHIA Anderson Health Information Systems, Inc
Health Insurance portability and Accountability Act (HIPAA)‏
A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.
HIPAA and Human Subjects Research IRB Member CE May 2014 Slideshow by Sean Horkheimer.
Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.
Finally, the Final HIPAA/HITECH Regulations are Here! By LYNDA M. JOHNSON Friday, Eldredge & Clark.
HIPAA Privacy and Security Rules and the HITECH Act Training for Researchers By: Office of University Counsel February 2016.
HIPAA Overview Why do we need a federal rule on privacy? Privacy is a fundamental right Privacy can be defined as the ability of the individual to determine.
AND CE-Prof, Inc. January 28, 2011 The Greater Chicago Dental Academy 1 Copyright CE-Prof, Inc
Final HIPAA Rule Special Training What you need to know to remain compliant with the new regulations.
HIPAA TRIVIA Do you know HIPAA?. HIPAA was created by?  The Affordable Care Act  Health Insurance companies  United States Congress  United States.
Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:
PHASE II OF HIPAA AUDIT PROGRAM June 2016 Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A. Two Industrial Way West Two Industrial.
Public Health IT Privacy, Confidentiality and Security of Public Health Information This material (Comp13_Unit2) was developed Columbia University, funded.
HIPAA Privacy Rule Training
Enforcement, Business Associates and Breach Notification. Oh my!
Patient Privacy for the Life Sciences Industry: 2012 Update Drew Gantt and David Sclar Cooley LLP 1.
What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
Disability Services Agencies Briefing On HIPAA
The HIPAA Privacy Rule and Research
The Health Insurance Portability and Accountability Act
Presentation transcript:

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014

Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities can provide researchers access to and use of protected health information for research purposes. The HIPAA Privacy Rule does not replace or act in lieu of other federal regulations such as HHS Protection of Human Subjects and the FDA Protection of Human Subjects.

HIPAA Privacy Rule Covered Entity is a health plan, a health care provider or a health care clearinghouse that electronically transmits any health information in connection with transactions for which HHS has adopted standards. Protected Health Information (PHI):  Relates to past, present, or future physical or mental condition of an individual; provisions of healthcare to an individual; or for payment of care provided to an individual.  Is transmitted or maintained in any form (electronic, paper, or oral representation).  Identifies, or can be used to identify the individual.

HIPAA Security Rule The Security Rule defines the standards which require covered entities to implement basic safeguards to protect electronic PHI (e-PHI). e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by a Covered Entity using any type of electronic information resource.

How Can Covered Entities Use and Disclose PHI for Research and Comply with the HIPAA Privacy Rule? PHI may be used and disclosed for research WITH an individual’s written permission in the form of an Authorization (OHR-B Informed Consent Form) PHI may be used and disclosed for research WITHOUT an Authorization in limited circumstances: (a) under a waiver of the Authorization requirement; (b) for research on decedents’ information; (c) preparatory to research; and (d) as a limited data set with a data use agreement

Protection of PHI Example: The IRB may waive Authorization upon the request of a researcher only if the use or disclosure of PHI involves not more than a minimal risk to the privacy of individuals, based on: An adequate plan to protect the identifiers A plan to destroy identifiers as soon as possible Adequate written assurances that the PHI will not be reused or disclosed to any other person Researchers must provide a plan to protect PHI and implement that plan

HITECH-Breach Notification Provisions The HITECH Act applies to breaches of “unsecured protected health information” Information must be encrypted or destroyed in order to be considered “secured”

HITECH-What Constitutes a Breach? A “breach” is an impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy Rule. Examples include: Laptop containing PHI is stolen Researcher who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment Researcher misplaces research documents with study subject PHI and social security number Researcher sends wrong sponsor study subject information including PHI Researcher sends sponsor more PHI than necessary Research office theft results in stolen PHI

HITECH-Breach Notification Obligations If a breach has occurred, a Covered Entity will be responsible for providing notice to: The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery) The Secretary of the U.S. Department of Health and Human Services (timing will depend on number of individuals affected by the breach) The media (only required if 500 or more individuals of any one state are affected) The OHR must consider reporting obligations.

Penalties for Violations A violation of federal regulations can result in civil money penalties or criminal penalties. Penalties can be imposed for underlying HIPAA Privacy Rule violation even if the breach is properly handled.

Civil Money Penalty Enhancement Unknowing Violations: $100 to $50,000 per violation Negligent Violations: $1,000 to $50,000 per violation Willful Neglect: “Conscious intentional failure or reckless indifference to the obligation to comply” – $10,000 to $50,000 per violation (if corrected within 30 days) – $50,000 per violation (if not corrected) $1.5M cap per calendar year for all violations of the same type

Enforcement $150,000 settlement with Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts for loss of unencrypted flash drive and not having policies to address breach notification provisions.

Enforcement $1,215,780 settlement with Affinity Health Plan for impermissibly disclosing PHI of 344,579 affected individuals when it returned multiple photocopiers to leasing agents without erasing the data on the copier hard drives.

Enforcement $1,700,000 settlement with Well Point for security weaknesses in an online application database that left the e-PHI of 612,402 individuals accessible to unauthorized individuals over the Internet. The data included names, dates of birth, addresses, social security numbers, telephone numbers and health information.

Enforcement $1.5M settlement with BCBS of TN over the loss of 57 hard drives containing 1M patient records $865,000 settlement with UCLA Medical Center after hospital employees allegedly accessed the records of two celebrity patients without authority $1M settlement with Mass General after employee left 192 HIV patients records on subway

Enforcement $50,000 settlement with Hospice of Northern Idaho after theft of laptop containing unencrypted PHI of 441 patients $1.5M settlement with Mass Eye & Ear after theft of laptop containing unencrypted PHI of 3,621 patients $1.7M settlement with Alaska DHHS after theft from employee’s vehicle of USB hard drive possibly containing PHI $100,000 settlement with Phoenix Cardiac Surgery which posted clinical and surgical appointments in Internet-based calendar that was publicly available

Questions?