Chris Bennington, Esq., INCompliance Consulting
Shannon DeBra, Esq., Bricker & Eckler LLP
Victoria Norton, R.N., J.D., M.B.A., UC Health
© Bricker & Eckler 2015
Examples from the News
Review of HIPAA Breach Regulations
Walk-Through of an Actual HIPAA Crisis
Strategies and Lessons Learned
Q&A
A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the PHI.
Under the Omnibus Final Rule, a use or disclosure of PHI in a manner not permitted under the Rules is now presumed to be a breach.
Three exceptions to the definition of breach:
Unintentional acquisition, access, or use of PHI by a workforce member, if such acquisition, access, or use was made in good faith and within the scope of authority.
Inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate.
Impermissible disclosure, but the covered entity has a good faith belief that the unauthorized person to whom the disclosure was made would not have been able to retain the information.
Not all breaches are reportable.
If a breach is reportable, a Covered Entity must notify the patient and HHS of the breach.
If the breach involved 500 or more patients, the Covered Entity must also notify local media.
Covered entities and business associates must only provide the required notifications if the breach involved unsecured PHI.
Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS.
A breach of secured PHI is not reportable.
A breach of unsecured PHI is not reportable if the covered entity demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment including at least the four factors established by HHS.
1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2) The unauthorized person who used the PHI or to whom the disclosure was made;
3) Whether the PHI was actually acquired or viewed; and
4) The extent to which the risk to the PHI has been mitigated.
Notification       Fewer than 500 affected individuals                            500 or more affected individuals
Individual notice  Within 60 days of discovery                                    Within 60 days of discovery
Media notice       N/A                                                            Within 60 days of discovery
HHS notice         Within 60 days of the end of the calendar year of discovery    Within 60 days of discovery
Dear ________,
We are writing to notify you that some of your health information maintained by [Insert Name of Organization] has been improperly disclosed or accessed. [Insert Name of Organization] is committed to maintaining health information in a secure and confidential manner in accordance with federal and state law, and we regret that these standards were not met in this instance.
What happened. We believe the breach of your health information occurred on [Insert date of breach]. On that date [Insert a brief description of what happened]. We discovered that this breach occurred on [Insert date of discovery of breach].
What information was breached. The information that was breached was your [Insert a brief description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code)].
What should you do. We believe that you may wish to take the following actions to help protect yourself from potential effects of this breach:
[Insert recommended mitigating steps].
What we are doing. We are taking this incident very seriously. We are conducting an investigation into how this occurred. We are taking steps to prevent any further breaches of health information. Further, we are: [Insert mitigation actions]. Finally, we will be notifying HHS of this incident.
Who you can contact for more information. If you have any questions or desire additional information you may contact [Insert name of person to contact] at [Insert at least one of the following for the contact: (1) toll-free telephone number, (2) an e-mail address, (3) website, or (4) postal address].
Sincerely, [Name and Title]
Required Notifications
Employee Disciplinary Action
Professional Reputation/Licensure
Organizational Reputation
Government Investigation
Government Corrective Actions/Fines
Substantial Financial and Time Expense
HHS investigates and imposes fines/corrective action for self-reported breaches.
HHS also learns of breaches through complaints, which may be filed by anyone.
Fines vary; up to $1.5 million per year.
Associated costs can surpass $15 million.
Patients affected will soon receive part of the fine/settlement (Regulations forthcoming).
Individual alleged that employees of UCMC accessed her electronic protected health information and posted a screen shot of her electronic medical record to a Facebook group called “Team No Hoes.”
According to the reports, the screen shot was also disseminated in an email that was sent to the approximately 2,200 members of the Facebook group.
Reports indicated the PHI depicted in the screen shot allegedly included her name and information about her syphilis diagnosis.
Story picked up by multiple TV channels and local newspaper.
Complaint received
Within a week – Response team formed
Within a week – Investigation completed
Shortly after – Breach notification to HHS
Compliance
Privacy/Security Officer(s)
Legal
IT/Medical Records
Human Resources
Public Relations
Patient Relations
Risk Management
Quality/Safety
Contract Management (if BA)
June 5, 2014 – Media coverage of lawsuit filed
June 5, 2014 – OCR became aware of news reports
July 25, 2014 – OCR sent notification letter to Privacy Officer of opened compliance review; response due within 21 days
Carefully craft media notice
Ensure Public Relations staff are aware of potential for media inquiries
Prepare responses to likely questions in advance
Distribute talking points to other stakeholders
Avoid additional breaches in media responses
Detailed description of the event
Risk analysis report
Evidence of security measures
Evidence of sanction policies and procedures
Evidence of authorization and/or supervision of workforce members who work with ePHI
Evidence that workforce access to ePHI is appropriate
Evidence of workforce security awareness training
Copy of policies and procedures to address security incidents
Copy of incident report in response to the theft and any corrective actions taken
Documentation that organization had implemented mechanisms that record and examine activity in information systems, and an audit of the medical record at issue
Copy of the letter sent to the affected individual
Copy of the Breach Notification to the Secretary
Copy of policies and procedures related to the permissible use and disclosure, and documentation that there are processes in place to prevent the impermissible uses and disclosures
Documentation of training
Evidence of mitigation
Data request submitted
Additional information requested and sent by encrypted email
Additional information sent via certified mail
Detailed position statement
Policies and procedures
Training
Evidence of mitigation
Breach notification letter
Notification to Secretary
Be proactive
Get familiar with your EMR and all the ways data can be accessed – keep in mind that the traditional “audit trail” function may not show all accesses
Manage the message
Clearly define roles and responsibilities
Document, Document, Document!