Chris Bennington, Esq., INCompliance Consulting …ohiohospitals.org/OHA/media/Images/Annual...



Chris Bennington, Esq., INCompliance Consulting
Shannon DeBra, Esq., Bricker & Eckler LLP
Victoria Norton, R.N., J.D., M.B.A., UC Health

7093020v1 © Bricker & Eckler 2015

Examples from the News

Review of HIPAA Breach Regulations

Walk-Through of an Actual HIPAA Crisis

Strategies and Lessons Learned

Q&A




A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the PHI.

Under the Omnibus Final Rule, a use or disclosure of PHI in a manner not permitted under the Rules is now presumed to be a breach.


Unintentional acquisition, access, or use of PHI by a workforce member, if such acquisition, access, or use was made in good faith and within the scope of authority.

Inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate.

Impermissible disclosure, but the covered entity has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.


Not all breaches are reportable.

If a breach is reportable, a Covered Entity must notify the patient and HHS of the breach.

If the breach involved 500 or more patients, the Covered Entity must also notify local media.


Covered entities and business associates must only provide the required notifications if the breach involved unsecured PHI.

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS.

A breach of secured PHI is not reportable.


A breach of unsecured PHI is not reportable if the covered entity demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment including at least the four factors established by HHS.


1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

2) The unauthorized person who used the PHI or to whom the disclosure was made;

3) Whether the PHI was actually acquired or viewed; and

4) The extent to which the risk to the PHI has been mitigated.


                    Fewer than 500 Affected Individuals                 500 or More Affected Individuals
Individual Notice   Within 60 Days of Discovery                         Within 60 Days of Discovery
Media Notice        N/A                                                 Within 60 Days of Discovery
HHS Notice          Within 60 Days of the End of the Calendar Year      Within 60 Days of Discovery
                    of Discovery


Dear ________

We are writing to notify you that some of your health information maintained by [Insert Name of Organization] has been improperly disclosed or accessed. [Insert Name of Organization] is committed to maintaining health information in a secure and confidential manner in accordance with federal and state law, and we regret that these standards were not met in this instance.

What happened. We believe the breach of your health information occurred on [Insert date of breach]. On that date [Insert a brief description of what happened]. We discovered that this breach occurred on [Insert date of discovery of breach].


What information was breached. The information that was breached was your [Insert a brief description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code)].

What should you do. We believe that you may wish to take the following actions to help protect yourself from potential effects of this breach:

[Insert recommended mitigating steps].


What we are doing. We are taking this incident very seriously. We are conducting an investigation into how this occurred. We are taking steps to prevent any further breaches of health information. Further, we are: [Insert mitigation actions]. Finally, we will be notifying the HHS of this incident.

Who you can contact for more information. If you have any questions or desire additional information you may contact [Insert name of person to contact] at [Insert at least one of the following for the contact: (1) toll-free telephone number, (2) an e-mail address, (3) website, or (4) postal address].

Sincerely, [Name and Title]


Required Notifications

Employee Disciplinary Action

Professional Reputation/Licensure

Organizational Reputation

Government Investigation

Government Corrective Actions/Fines

Substantial Financial and Time Expense


HHS investigates and imposes fines/corrective action for self-reported breaches.

HHS also learns of breaches through complaints, which may be filed by anyone.

Fines vary; up to $1.5 million per year.

Associated costs can surpass $15 million.

Patients affected will soon receive part of the fine/settlement (Regulations forthcoming).


Individual alleged that employees of UCMC accessed her electronic protected health information and posted a screen shot of her electronic medical record to a Facebook group called “Team No Hoes.”

According to the reports, the screen shot was also disseminated in an email that was sent to the approximately 2,200 members of the Facebook group.


Reports indicated the PHI depicted in the screen shot allegedly included her name and information about her syphilis diagnosis.

Story picked up by multiple TV channels and local newspaper.


Complaint Received

Within a week - Response team formed

Within a week - Investigation completed

Shortly after - Breach notification to HHS


Compliance

Privacy/Security Officer(s)

Legal

IT/Medical Records

Human Resources

Public Relations

Patient Relations

Risk Management

Quality/Safety

Contract Management (if BA)


June 5, 2014 - Media coverage of lawsuit filed

June 5, 2014 - OCR became aware of news reports

July 25, 2014 - OCR sent notification letter to Privacy Officer of opened compliance review; response due within 21 days


Carefully craft media notice

Ensure Public Relations staff are aware of potential for media inquiries

Prepare responses to likely questions in advance

Distribute talking points to other stakeholders

Avoid additional breaches in media responses

Detailed description of the event

Risk analysis report

Evidence of security measures

Evidence of sanction policies and procedures

Evidence of authorization and/or supervision of workforce members who work with ePHI

Evidence that workforce access to ePHI is appropriate


Evidence of workforce security awareness training

Copy of policies and procedures to address security incidents

Copy of incident report in response to the theft and any corrective actions taken

Documentation that organization had implemented mechanisms that record and examine activity in information systems, and an audit of the medical record at issue

Copy of the letter sent to the affected individual

Copy of the Breach Notification to the Secretary

Copy of policies and procedures related to the permissible use and disclosure, and documentation that there are processes in place to prevent the impermissible uses and disclosures

Documentation of training

Evidence of mitigation


Data request submitted

Additional information requested and sent by encrypted email

Additional information sent via certified mail


Detailed position statement

Policies and procedures

Training

Evidence of mitigation

Breach notification letter

Notification to Secretary


Be proactive

Get familiar with your EMR and all the ways data can be accessed; keep in mind that the traditional “audit trail” function may not show all accesses

Manage the message

Clearly define roles and responsibilities

Document, Document, Document!
