Presentation is loading. Please wait.

Presentation is loading. Please wait.

Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.

Similar presentations


Presentation on theme: "Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011."— Presentation transcript:

1 Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011

2 Panelists Nancy Davis, Ministry Health Care Beth Malchetske, ThedaCare Peg Schmidt, Aurora Health Care Teresa Smithrud, Mercy Health System

3 Overview This presentation and panel discussion will address operationalizing the breach notification process within the covered entity. Expert panelists will share best practices and lessons learned in the last year with compliance to HITECH’s breach notification requirement.

4 Objectives Identify Breach Notification Resources for Developing an Internal Process and Response Walk Through the Breach Notification Process from Beginning to End Review Any New HITECH Impacts if Applicable Panelist Discussion on Lessons Learned and Best Practices Developed Audience Participation and Discussion

5 Resources HIPAA COW HITECH Breach Notification Policy All Inclusive Guidance American Health Information Management Association (AHIMA) North Carolina Healthcare Information and Communication Alliance (NCHICA) Google!

6 Breach Acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. For purpose of this definition, “compromises the security or privacy of the PHI” means poses a significant risk of financial, reputational, or other harm to the individual. A use or disclosure of PHI that does not include the identifiers listed at §164.514(e)(2), limited data set, date of birth, and zip code does not compromise the security or privacy of the PHI.

7 Low-Risk HIPAA Violations – Exempt from Breach Notification HITECH Guidance: Breach does not include: Good faith, unintentional acquisition, access, or use of PHI by a workforce member of a CE, BA, or BA subcontractor Inadvertent disclosure to another authorized person within the entity or its business associates Recipient could not reasonably have retained the data Data is limited to a limited data set that does not include dates of birth or zip codes 7

8 Investigation Review the circumstances regarding the breach, conduct an investigation, complete a risk assessment, and determine necessary actions including involvement of enterprise, local, and legal counsel resources. Coordinate communications with all involved in the investigation, including patients, licensing and accrediting organizations, state and federal governmental agencies, etc.

9 Investigation - Continued Author, gather, maintain, and retain all related Breach investigation documentation (to be maintained for a minimum of six years). Recommend resolution and corrective action steps (sanctions) to mitigate potential harm. Report results of the investigation to involved persons, entities, and agencies as recommended and/or required by law.

10 Risk Assessment Who impermissibly used or to whom was the information impermissibly disclosed? The type and amount of PHI involved? The potential for significant risk of financial, reputational, or other harm?

11 Risk Assessment - Resource North Carolina Healthcare Information and Communication Alliance (NCHICA)* HITECH Act Breach Notification Risk Assessment Tool Flow Chart Report Form Score Card/Risk Score *Nationally recognized nonprofit consortium dedicated to “improving health and care in North Carolina by accelerating the adoption of information technology and enabling policies.”

12 Patient Breach Notification Letter Content – The notice shall be written in plain language and must contain the following information: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved) 12

13 Letter - Continued Any steps the individual should take to protect themselves from potential harm resulting from the breach A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches Contact procedures for individuals to ask questions or learn additional information 13

14 Breach Notification < 500 Office for Civil Rights For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred (March 1, 2011). A separate form must be completed for every breach that has occurred during the calendar year.

15 Breach Notification 500+ Office for Civil Rights If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically. Media Notice shall be provided to prominent media outlets serving the state and regional area when the breach affects more than 500 patients.

16 Panelist Portion

17 Was Your Organization Ready for HITECH Breach Notification? How Did You Prepare? Policy Development Staff Training, Education, Awareness Business Associate Relationships

18 What Was the Biggest Surprise in Implementing Breach Notification?

19 What Was the Most Valuable Lesson Learned?

20 What Best Practices Did You Develop?

21 What Are Your Ongoing Concerns?

22 Audience Participation

23 Lessons Learned Totally Underestimated Impact on Daily Job Responsibilities 2008: 38 Internal Privacy Investigations 2009: 98 Internal Privacy Investigations (48 Last Q) 2010: 210 Internal Privacy Investigations Initial Approach to Addressing “Harm” Was Probably Too Conservative Partner with Collection Agency to Address Processes, Policies, Etc.

24 Lessons Learned - Continued Reach Out to Peers for Brain-Storming Best Practices Be Open to New Directives/Interpretations Contacting Patients to Determine “Harm” Employee Breach Attestation

25 Lessons Learned - Continued Mitigation Patient Requests Organizational Offerings Bookmark/Print Examples from Published Breaches Notices Press Releases Website Communications External Resources (Credit Card Agencies)


Download ppt "Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011."

Similar presentations


Ads by Google