
www.garfunkelwild.com

We’ve Had A Breach – Now What?

Garfunkel Wild, P.C.
411 Hackensack Avenue, 6th Floor, Hackensack, New Jersey 07601
667 Broadway, Albany, New York 12207
111 Great Neck Road, Suite 600, Great Neck, New York 11021
350 Bedford Street, Suite 406A, Stamford, Connecticut 06901

Andrew E. Blustein, Esq.
ablustein@garfunkelwild.com
(516) 393-2218 | (201) 883-1030 | (203) 316-0493

© 2015 GARFUNKEL WILD, P.C.

Breach Notification

Under HITECH, a Covered Entity (“CE”) is required to NOTIFY patients of Breaches of unsecured protected health information.

In addition, a CE must inform the Office of Civil Rights (“OCR”) of such Breaches either in an annual report or, if such Breaches involve more than 500 people, immediately in writing.

Note: Breaches involving more than 500 people will be posted on the Department of Health and Human Services’ website.

If such Breaches involve fewer than 500 people, CEs must inform OCR of such Breaches in an annual report.

Breach Definition

A Breach is an unauthorized access, use or disclosure of unsecured PHI that compromises the unsecured PHI.

An unauthorized access, use or disclosure of unsecured PHI is considered to be a Breach unless the Covered Entity can demonstrate, through a written risk assessment, that there was a low probability that the information was compromised.

Breach Notification

When a potential Breach is identified, it must be investigated to determine the cause and extent of the breach.

Consider opportunities to mitigate.

Breach Notification

A CE must send written notification to affected individuals by first-class mail without unreasonable delay and in no case later than 60 calendar days after the Breach is discovered by the CE.

A Breach is considered to be discovered when the incident becomes known (or should have become known with reasonable diligence), not when the CE concludes the investigation.

Content of Notice

The notice to the affected patients must include at least the following:

A brief description of what happened (e.g., date of the breach, date of the discovery of the breach)

A description of the types of unsecured PHI that were involved in the breach

Any steps individuals should take to protect themselves from potential harm resulting from the breach

A brief description of what the CE involved is doing to investigate the breach, to mitigate the harm and to protect against any further breaches

Contact procedures for individuals to ask questions or learn additional information (i.e., a toll-free telephone number, which must remain active for at least 90 days)

Note: Also need to comply with applicable state laws.

HITECH Act Substitute Notice

If there is insufficient contact information for some of the affected individuals, or some notifications are returned undeliverable, the CE must provide substitute notice for the unreachable individuals (e.g., if greater than 10 individuals, conspicuous notice on the home page of the CE’s website for at least 90 days, or conspicuous notice in prominent media outlets serving the State or jurisdiction where most of the affected individuals reside).

Breaches Involving 500 or More Individuals

If there is a breach involving more than 500 individuals, in addition to providing direct notification to the affected individuals, the CE must also post notification of the Breach on the home page of its website and, through a press release, inform prominent media outlets serving the State or jurisdiction where the affected individuals likely reside. Such notifications must include the same information required for the individual notice.

Mitigation

Consider opportunities to mitigate:

Obtain written assurances that the person who received the information deleted it and didn’t share it

Offer credit monitoring services

Take appropriate disciplinary action against employees

Retrain staff

Modify processes and implement new safeguards to prevent future breaches (e.g., fax numbers on speed dial; encrypted CDs, laptops, and thumb drives)

Conduct additional audits on employees

Risk Assessment

If a CE determines that a Breach has not occurred, the CE must document a risk assessment.

Risk assessments should be documented when a breach occurred as well (not required, but OCR may ask for this documentation).

The burden of demonstrating that no notice is required for a given Breach is on the CE.

