Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Tale of Snooping: Lessons Learned the Hard Way Nebraska Rural Health Association September 21, 2015 Vickie B. Ahlers Baird Holm LLP vahlers@bairdholm.com.

Published byValerie Caldwell Modified over 6 years ago

Similar presentations

Presentation on theme: "A Tale of Snooping: Lessons Learned the Hard Way Nebraska Rural Health Association September 21, 2015 Vickie B. Ahlers Baird Holm LLP vahlers@bairdholm.com."— Presentation transcript:

1 A Tale of Snooping: Lessons Learned the Hard Way Nebraska Rural Health Association September 21, 2015 Vickie B. Ahlers Baird Holm LLP / Anna Turman, COO, CIO Chadron Community Hospital & Health Services

2

3 From OCR “Wall of Shame”

4 Snooping Data Breaches

5 Quiz: Forms of Snooping
It’s not snooping if it was “good intentioned”? It’s not snooping if it was family or a friend? It’s not snooping if it was “for educational purposes”? It’s not snooping if they used to be my patient

6 “It Won’t Happen Here” Many studies have found snooping still single most common occurrence of compromise to patient records If you think it isn’t happening, you aren’t looking hard enough Significant risk if you ignore the problem

7 Snooping and the Privacy Rule
Responsibility to protect from access by employee without job related reason requirement of the Privacy Rule Privacy Rule, 45 CFR § (c): Standard: “Covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI” Implementation Specification: “A covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure”

8 Snooping and the Security Rule
Requirement to look for snooping is part of Security Rule Security Rule, 45 CFR§ (a)(1)(ii)(D) &§ (b): “Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” “Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.”

9 Snooping and Auditing Access
Why Audit? Detect inappropriate access, use or disclosure of PHI (ongoing monitoring of potential breaches) Hold individuals accountable Accreditation standards (Joint Commission) Pattern of noncompliance (by an individual workforce member, department, etc.) Detect issue before it becomes widespread

10 Snooping and Auditing Access
Targeted Audits Did a patient complain? (Did a co-worker report?) High profile patient? User logged-on in more than one location? Is a user on vacation or sick leave? Accessing family or co-worker records? Physicians accessing outside of their specialty? Accessing records outside of department?

11 Lessons Learned at Chadron Community Hospital and Health Services
CCH experienced a snooping incident by a CCH employee Investigation at time of incident was significant and time-intensive Notification to 482 patients

12 Lessons Learned at Chadron Community Hospital and Health Services
Breach report to OCR was flagged for follow up investigation – even more time-intensive and expensive 25 page response letter to OCR 145 attachments based on OCR document request Based on thorough investigation and response by CCH, case closed by OCR without any further requirements What did we learn?

13 Anatomy of a Snooping Investigation and Response
Detection of possible incident Interviews(s) Auditing extent of possible snooping Sanctions Training New or revised policies Notification Documentation

14 Detection: Lessons Learned
Fellow employee complaint (could also be patient complaint) Take it seriously (but be mindful of ulterior motives by employees or patients) Make sure employees understand obligation to report Make sure employees have avenue to express complaints/concerns Can you explain to OCR – why was this inappropriate access not identified previously? (Have you been auditing?)

15 Interviews: Lessons Learned
Should conduct thorough interviews with: Complaining employee (or patient if that is the case) Other employees with potential for knowledge Managers/supervisors of department knowledge of what access would be appropriate Suspected snooping employee May need to repeat interviews after more information is learned Document interviews very thoroughly

16 Auditing Extent of Snooping: Lessons Learned
Two toughest questions: How far back do you run your audit? How do you know what access was appropriate?

17 Auditing Extent of Snooping: Lessons Learned
How far back do you run your audit? Some factors to consider? When was employee hired? Any changes in job responsibilities? Any changes in EHR or electronic record system? Can you explain limitations in your system’s audit capabilities? And your timeline/plan to remedy any limitation?

18 Auditing Extent of Snooping: Lessons Learned
How do you know what access was appropriate? Analysis of audit reports extremely time-intensive What level of “proof” is required? Proof to OCR that access was job-related? Proof that access was not job-related if firing? If no clear trail of job-related access, can you identify patterns or trends to suggest what access was business related and what was not?

19 Sanctions: Lessons Learned
Do you have a sanctions policy? Does sanctions policy give management flexibility to terminate? Zero-tolerance is trend but not absolute requirement under HIPAA

20 Training: Lessons Learned
Can you provide documentation of training dating back six years? Can you prove each individual employee has received training (sign in sheet for in-person training or computerized documentation)? Make sure training clearly addresses snooping – dispel any myths!

21 Policies: Lessons Learned
Do policies adequately address all required HIPAA requirements? Keep policies updated and retain all versions in effect for prior six years Are new or revised policies needed after incident? Should review risk assessment and if snooping is not addressed as risk, include it Revise any current policies that need revision Implement new policies that could prevent the incident from being repeated Train and document training on new policies

22 Notification: Lessons Learned
Letters to 482 patients Multiple versions: minors, deceased, guardians Maintain proof of date of mailing Focus by OCR on undeliverable letters If more than 10 are returned as undeliverable, requirement for media notice Preamble to Breach Notification Rule suggests all r ings must happen within 60 day timeline (very difficult standard)

23 Documentation: Lessons Learned
Important to maintain thorough documentation of entire process Timeline of events Incident report at conclusion – make your case at time of incident as if you will be required to defend actions to OCR OCR Document Request Significant increase in documents requested from early days of enforcement

24 Documentation: Lessons Learned
A written, detailed description of the incident(s) described on the first page of this letter to include the date and method of discovery. Please state whether you conducted an investigation concerning the incident(s) described on the first page of this letter. If so, please submit documents gathered during and related to the investigation as well as a copy of your findings. Documentation supporting any claims that your facility responded to the incident(s) and mitigated, to the extent practical, the harmful effects of the incident.

25 Documentation: Lessons Learned
A copy of the letter sent out notifying the affected individuals of the breach of their PHI, to include the date of mailing. A copy of your log, or similar document, indicating the individual notifications that were returned as undeliverable. A copy of CCH's policies and procedures for uses and disclosures of PHI. Please submit all versions in effect from February 1, 2009, up to and including the present. If a document does not state the date of implementation, please provide information related to its date of implementation.

26 Documentation: Lessons Learned
A copy of CCH's policies and procedures related to the minimum necessary requirements. See 45 CFR (b) and (d). Please submit all versions in effect from February 1, 2009, up to and including the present. If a document does not state the date of implementation, please provide information related to its date of implementation. 8. A copy of CCH's policies and procedures addressing how CCH administratively, technically, and physically safeguards patients' PHI.

27 Documentation: Lessons Learned
A copy of CCH's policies and procedures addressing how CCH administratively, technically, and physically safeguards patients' electronic PHI (ePHI). Please submit all versions in effect from February 1, 2009, up to and including the present. If a document does not state the date of implementation, please provide information related to its date of implementation. Copies of all CCH's risk analyses, with corresponding dates, in existence as of February 1, 2009, up to an including the present. If a risk analysis does not state the date on which it was prepared, please provide information as to the date or period during which the risk analysis was performed.

28 Documentation: Lessons Learned
Documentation evidencing CCH's security measures implemented to reduce risk and vulnerabilities identified through the above-noted risk analyses. A copy of CCH's policies and procedures implemented to ensure the application of appropriate sanctions against HIPAA-noncompliant workforce members. Please submit all versions in effect from February 1, 2009, up to and including the present. If a document does not state the date of implementation, please provide information related to its date of implementation.

29 Documentation: Lessons Learned
Documentation evidencing that CCH's policies and procedures implemented to ensure application of appropriate sanctions against HIPAA-noncompliant workforce members are consistently applied. A copy of CCH's policies and procedures pertaining to review of records of information system activity. Please submit all versions in effect from February 1, 2009, up to and including the present. If a document does not state the date of implementation, please provide information related toits date of implementation.

30 Documentation: Lessons Learned
Documentation evidencing that CCH's policies and procedures pertaining to review of records of information system activity are consistently applied. A copy of CCH's policies and procedures implemented to ensure CCH's workforce has appropriate access to electronic protected health information (e-PHI) pursuant to § (a)(3)(i), the Workforce Security Standard; e.g., Are the procedures used by your workforce consistent with your access policies (i.e., do people who should have access actually have that access? Are people who should not have access prevented from accessing the information?) Please submit all versions in effect from February 1, 2009, up to and including the present. If a document does not state the date of implementation, please provide information related to its date of implementation.

31 Documentation: Lessons Learned
Documentation evidencing CCH's HIPAA-related workforce training, to include presentation materials, sign-in sheet(s) or other document(s) confirming workforce attendance and/or completion of training. A copy of the March 7, 2014 patient complaint alleging that a member of the CCH's workforce impermissibly accessed the patient's PHI.

32 Documentation: Lessons Learned
A copy of the CCH's policies and procedures related to audit controls, and evidence that these policies were implemented. Please submit all versions in effect from February 1, 2009, up to and including the present. If a document does not state the date of implementation, please provide information related to its date of implementation. 20. Submission of any other information that would be useful to OCR in this investigation.

33 Questions?

34 A Tale of Snooping: Lessons Learned the Hard Way Nebraska Rural Health Association September 21, 2015 Vickie B. Ahlers Baird Holm LLP / Anna Turman, COO, CIO Chadron Community Hospital & Health Services

Download ppt "A Tale of Snooping: Lessons Learned the Hard Way Nebraska Rural Health Association September 21, 2015 Vickie B. Ahlers Baird Holm LLP vahlers@bairdholm.com."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
Accident Incident Policy Changes to Policy September 2007.

Accident Incident Policy Changes to Policy September 2007.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA What’s New? 2010. What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.

HIPAA What’s New? What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

Similar presentations

Ads by Google