Presentation is loading. Please wait.

Presentation is loading. Please wait.

Davis Wright Tremaine LLP Responding to Your Worst Security Breach Nightmare: When Patient Information Is Stolen Rebecca L. Williams, R.N., J.D. Partner.

Published byGervase Jordan Modified over 9 years ago

Similar presentations

Presentation on theme: "Davis Wright Tremaine LLP Responding to Your Worst Security Breach Nightmare: When Patient Information Is Stolen Rebecca L. Williams, R.N., J.D. Partner."— Presentation transcript:

1 Davis Wright Tremaine LLP Responding to Your Worst Security Breach Nightmare: When Patient Information Is Stolen Rebecca L. Williams, R.N., J.D. Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769 beckywilliams@dwt.com Thomas E. Jeffry, Jr., Esq. Partner Davis Wright Tremaine LLP Los Angeles, CA 213-633-4265 thomasjeffry@dwt.com

2 Davis Wright Tremaine LLP 2 It Can Happen to Your Organization “Patient data stolen from Kaiser” Vallejo Times Herald, August 2006 “Computer Stolen From VA Subcontractor” Washington Post, August 2006 “Patient records stolen” Press Register, June 2006 “San Jose Arrest in theft of records South Bay patients' medical data stolen” San Francisco Chronicle, May 2005

3 Davis Wright Tremaine LLP 3 Finding the Balance Strong push to electronic health information Public and government outcry over privacy violations and identity theft Laws in place to protect health and electronic information and to notify in case of a breach

4 Davis Wright Tremaine LLP 4 Security Breaches Happen No such thing as perfect security Even with reasonable security measures, security breaches happen  Hackers  Lost or stolen technology, e.g., laptops, thumbdrives, PDAs  Disgruntled employees Need a prompt and effective response

5 Davis Wright Tremaine LLP 5 Know the Laws that May Apply: HIPAA HIPAA ­ criminal and civil penalties for violations of the statute, Privacy Rule and/or Security Rule No private right of action but … Privacy Rule prohibits uses and disclosures of PHI except as permitted or required by HIPAA Security Rule requires covered entities to  Protect against any reasonably anticipated Threats or hazards to the security or integrity of ePHI Impermissible uses and disclosure  Ensure confidentiality, availability and integrity of electronic PHI  Ensure compliance by a covered entity’s workforce

6 Davis Wright Tremaine LLP 6 Potentially Applicable Laws: HIPAA HIPAA Privacy Rule  Mitigation to the extent practicable  Sanctions HIPAA Security Rule  Mitigation of harmful effects of security incident No requirement to report

7 Davis Wright Tremaine LLP 7 Potentially Applicable Laws: FTC Act and State Consumer Protection Misrepresentation of privacy and security promises Failure to implement reasonable information security practices

8 Davis Wright Tremaine LLP 8 Potentially Applicable Laws: Data Breach Notification California S.B. 1386 enacted in August 2002 Increasing number of states enacting similar notification laws Specific triggers  Usually tied to security breach and electronic information  Sometimes requires notification only for breaches of unencrypted information  May be based on recipient Timing and content requirements

9 Davis Wright Tremaine LLP 9 Potentially Applicable Laws: Confidentiality Laws Specific confidentiality requirements, particularly health care and financial information Superconfidentiality requirements in health care  Substance abuse (State and Federal)  Mental health and developmental disabilities  AIDS, HIV  Genetic information Federal Privacy Act Other laws  Be aware

10 Davis Wright Tremaine LLP 10 Investigate the Breach Identify a single point person responsible for investigation Build a team  Identify needed expertise Inclusion of attorneys  In-house  Outside counsel Determine scope of breach Investigate fully Report internally

11 Davis Wright Tremaine LLP 11 Notify Law Enforcement? Determine whether a crime seems likely to have been committed If so, law enforcement notification generally is prudent Be sure disclosures to law enforcement comply with applicable law, such as HIPAA Verify with law enforcement before notifying workforce, people affected or the public  Do not want to impede an ongoing investigation

12 Davis Wright Tremaine LLP 12 Decision as to Whether to Notify Types of persons to be notified  Directors, members/shareholders  Workforce  Oversight agencies  Individuals whose information may have been affected  The public Each category requires a different analysis Considerations include:  Notification laws  Duties to mitigate (e.g., will notification diminish the chance of identity theft?)  Industry custom and practice  Ethical obligations  Preference of the organization

13 Davis Wright Tremaine LLP 13 Timely Notification as Appropriate Carefully craft notice; consider including  Basic information about breach  Measures taken to address breach  Guidance on actions affected persons can take to protect themselves  Corrective action plan to avoid similar problem in the future Timing and content may be dictated by data breach or other laws  If law enforcement is involved, verify whether notification will interfere with investigation Be prepared to respond to those notified  Phone banks  Website  Adequate and trained staffing Point person for dealing with media or public (may not be the same as the person running the investigation)

14 Davis Wright Tremaine LLP 14 SanctionsSanctions Did any workforce act or fail to act in a manner that should result in sanctions?  Up to any including termination  Sanctions to be consistently applied May prove helpful when dealing with oversight and enforcement agencies May want to consider a policy requiring workforce to cooperate fully in investigation (or face disciplinary action)

15 Davis Wright Tremaine LLP 15 Fixing and Mitigating Plan of correction  Need to assess causes of security breach What information was involved? Who was affected? How did it happen?  Address immediate actions to remedy the breach at hand HIPAA Privacy and Security Rules require mitigation  Need to determine what actions, if any, will mitigate adverse effects

16 Davis Wright Tremaine LLP 16 Plan of Correction to avoid similar future breaches  Ask questions Did all that information need to be on the laptop?  Security fixes  Revisit applicable policies, procedures, and protocols  Training/re-training of entire workforce  Concentrated training on more directly affected personnel  Other actions Fixing and Mitigating

17 Davis Wright Tremaine LLP 17 Contacting Outside Agencies/ Cooperating in Outside Investigation Decision as to whether to notify outside agencies  May be required  May be recommendable Types of parties to be notified  JCAHO  State licensure  Attorneys General offices But not OCR (no process for self- reporting)

18 Davis Wright Tremaine LLP 18 Continuing Operation Organization needs to continue operations while addressing security breach Often resources are strained

19 Davis Wright Tremaine LLP 19 QuestionsQuestions

Download ppt "Davis Wright Tremaine LLP Responding to Your Worst Security Breach Nightmare: When Patient Information Is Stolen Rebecca L. Williams, R.N., J.D. Partner."

Similar presentations

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Confidentiality and HIPAA

Confidentiality and HIPAA
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.
Forming Your HIPAA Compliance Plan PRESENTED BY. Daniel B. Brown, Esq. Healthcare Attorney Taylor English Duma LLP Jason Karn Director Training and IT.

Forming Your HIPAA Compliance Plan PRESENTED BY. Daniel B. Brown, Esq. Healthcare Attorney Taylor English Duma LLP Jason Karn Director Training and IT.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
1 HIPAA Privacy & Security Overview Know HIPAA Presents.

1 HIPAA Privacy & Security Overview Know HIPAA Presents.
Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769.

Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

Similar presentations

Ads by Google