Annual Meeting, April 22, 2010
Hope Hammond, Chief Privacy Officer, Clark County, Nevada

HIPAA’s New Rule: Data breach notification
The Data breach rule
Health Information Technology for Economic and Clinical Health Act (HITECH), enacted 2/17/09, included data breach notification legislation. The U.S. Department of Health and Human Services issued an interim final rule 8/24/09 and added a new part to the HIPAA regulations. Notification is required for breaches occurring on or after 9/23/09.
What is a data breach?
A breach is defined as: the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
Data breach response requirements
Prepare to act fast. The law requires analysis of several factors to determine if the individuals affected will be notified. Notification must be done as soon as reasonably possible, but no more than 60 days from the date of discovery.
• Law enforcement may request delays; such requests must be documented.
• A breach is considered discovered when the incident becomes known, not when the analysis is complete.
Data breach response requirements
Determine if the data was unsecured.
• Data is considered unsecured when it can be read or used by unauthorized people.
• Electronic data is considered secured if it is encrypted as specified by the Secretary of HHS and the encryption keys are kept on a separate device from the data they encrypt or decrypt.
• Paper, film, or other hard copy media is secure if it has been shredded or destroyed so that the PHI cannot be read or reconstructed.
Data breach response requirements
Determine if the PHI was accessed or used in a way that violates the Privacy Rule’s permissible uses and disclosures. Determine if the impermissible use or disclosure compromises the security or privacy of the PHI: is there a significant risk of financial, reputational, or other harm to the individual?
Data breach response requirements
Document the risk assessment. Covered entities and business associates have the “burden of proof” in demonstrating that no breach notification was required. Determine if one of the three exceptions applies. A covered entity or business associate must document why a breach falls under one of the exceptions.
Data breach response requirements
Exception 1: The unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate.
• Example: An employee acting in good faith, and within the course and scope of their job, receives PHI intended for another employee, and there is no further use or disclosure of the PHI.
Data breach response requirements
Exception 2: The inadvertent disclosure of PHI from an authorized person to another person similarly authorized, as long as the recipient does not further use or disclose the information.
• Example: An employee retrieves a report requested by a physician but retrieves another patient’s report. The physician recognizes the error and shreds the report.
Data breach response requirements
Exception 3: The unauthorized disclosure of PHI to an unauthorized person who would not reasonably have been able to retain the information.
• Example: A nurse mistakenly gives a patient discharge papers belonging to another patient, but quickly realizes the mistake and recovers the papers before the patient has a chance to read the information.
Data breach notice requirements
Notices must be in writing by first-class mail to the affected individuals, or to the next of kin if the individual is deceased.
• Substitute notice must be provided when insufficient or out-of-date contact information is discovered.
• Substitute notice may be by telephone, email, or posting on the covered entity’s web site.
• If 10 or more individuals are involved, the web site posting must be conspicuous and posted for 90 days, or
• A conspicuous posting in major print or broadcast media, and
• A toll-free phone number, active for 90 days.
Data breach notice requirements
Notices must contain:
• A description of what happened, including the date of the breach and the date of discovery, if known.
• A description of the types of unsecured PHI involved, such as name, social security number, birth date, home address, account number, diagnosis, etc.
• Any steps individuals should take to protect themselves from potential harm, such as credit monitoring services or reviewing explanation of benefits statements.
Data breach notice requirements
Notices must contain (continued):
• A brief description of what is being done to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches.
• Information about sanctions imposed on the workforce members involved in the breach.
• Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free phone number, an email address, web site, or postal address.
Data breach notice requirements
If more than 500 individuals are affected by the breach:
• Notification to the media is required.
• Notification to the Secretary of HHS is required concurrent with the notice to the individuals.
• HHS is posting the submitted notices at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
• If fewer than 500 individuals are affected, all breaches must be logged with HHS annually, within 60 days after the end of the calendar year.
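The response and notice requirements above form a decision procedure: secured or unsecured, one of the three exceptions, the harm-risk test, then the 60-day, 10-individual and 500-individual thresholds. The following is an added example, not code from the presentation or from Clark County, that encodes those steps as an incident-response checklist generator; the `Incident` fields and function names are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed decision helper for the breach-notification steps on the slides (factors and
# thresholds from the slides; the class, field and function names are this example's own).
@dataclass
class Incident:
    discovered: str                 # ISO date the incident became known (not when analysis ended)
    individuals: int                # number of affected individuals
    encrypted: bool = False         # electronic PHI encrypted as specified by the Secretary of HHS
    keys_separate: bool = False     # encryption keys kept on a device separate from the data
    destroyed: bool = False         # hard copy shredded/destroyed so it cannot be read or rebuilt
    exception: Optional[int] = None # 1, 2 or 3 when one of the three exceptions applies
    significant_harm_risk: bool = True  # outcome of the financial/reputational/other-harm assessment
    contact_info_missing: int = 0   # individuals with insufficient or out-of-date contact details

def is_unsecured(inc: Incident) -> bool:
    """PHI is secured only if encrypted with keys held separately, or physically destroyed."""
    return not ((inc.encrypted and inc.keys_separate) or inc.destroyed)

def individual_notice_deadline(discovered: str) -> str:
    """Individual notices are due without unreasonable delay, at most 60 days after discovery."""
    return (date.fromisoformat(discovered) + timedelta(days=60)).isoformat()

def annual_log_deadline(discovered: str) -> str:
    """Breaches under 500 individuals are logged with HHS within 60 days after the calendar year ends."""
    year_end = date(date.fromisoformat(discovered).year, 12, 31)
    return (year_end + timedelta(days=60)).isoformat()

def assess(inc: Incident) -> List[str]:
    """Return the documentation and notification obligations the slides describe, in order."""
    steps = ["document the risk assessment (burden of proof is on the covered entity)"]
    if not is_unsecured(inc):
        return steps + ["no notification: PHI was secured"]
    if inc.exception in (1, 2, 3):
        return steps + [f"no notification: exception {inc.exception} applies; document why"]
    if not inc.significant_harm_risk:
        return steps + ["no notification: no significant risk of harm; document why"]
    steps.append(f"written notice by first-class mail to individuals (or next of kin) by {individual_notice_deadline(inc.discovered)}")
    if inc.contact_info_missing >= 10:
        steps.append("substitute notice: conspicuous web posting or major media for 90 days plus a toll-free number active for 90 days")
    elif inc.contact_info_missing > 0:
        steps.append("substitute notice by telephone, email or web posting")
    if inc.individuals > 500:
        steps.append("notify the media and the Secretary of HHS concurrently with individual notices")
    else:
        steps.append(f"log the breach with HHS annually by {annual_log_deadline(inc.discovered)}")
    return steps
```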
How do breaches occur?
A breach can result from carelessness or from an intentional act. Some examples are:
• Failing to encrypt a message that is intercepted, or sending a message to the wrong person
• A mis-dialed fax transmission
• Giving the wrong paperwork to a person
• Disposing of PHI in a trash can

How do breaches occur?
• Stolen or lost laptops that are not encrypted
• Stolen or lost paperwork containing PHI
• Hackers
• Accessing or using PHI for personal reasons
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Inadvertent disclosure of deceased patient information
General Hospital recently provided Mr. J. Smith with a copy of his complete medical record from his last visit. Accidentally contained within the copies was the history and physical report of Robert Lewis. Mr. Smith, who is dissatisfied with General Hospital, called the HIM department to report the misdirected history and physical, complaining that the mistake was just another example of the substandard practices at General Hospital. Mr. Smith refused to return the history and physical. He insisted he would call Mr. Lewis personally to inform him of the hospital’s incompetence. Further investigation revealed that Mr. Lewis is deceased. The hospital’s records do indicate the name and address of Mr. Lewis’s next of kin. In response to this breach the hospital should:
a. Do nothing, because Mr. Lewis is deceased.
b. Notify the hospital attorney. Secure a court order and seize the records from Mr. Smith.
c. Notify Mr. Lewis’s next of kin. Notify the security incident response team. Contact Mr. Smith and formally ask that he return the history and physical to the hospital.
d. Arrange for a face-to-face meeting with Mr. Smith to seek return of the history and physical.
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Inadvertent disclosure of deceased patient information
Answer: C. Notify Mr. Lewis’s next of kin. Notify the security incident response team. Contact Mr. Smith and formally ask that he return the history and physical to the hospital.
§164.404(d)(1)(ii) of the interim final rule requires that if the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative, if the address is on file.
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Missing back-up tape
A hospital back-up tape containing unencrypted health information, names, and Social Security numbers of thousands of patients is lost or possibly stolen in delivery to off-site storage. The healthcare organization serves patients across a five-state area, with thousands of victims located in each of the states. In response to this security breach the organization should:
a. Comply with the breach notification regulations of all five states. File a year-end report with the secretary of Health and Human Services.
b. Comply with the breach notification regulations of the state in which the healthcare organization is incorporated. Follow federal breach notification regulations by notifying victims and the secretary of Health and Human Services. Do not notify the media.
c. Comply with all applicable federal breach notification requirements only.
d. Comply with the breach notification regulations of all five states. Comply with federal breach notification regulations by notifying the victims, the secretary of Health and Human Services, and major media in each state without unreasonable delay.
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Missing back-up tape
Answer: D. Comply with the breach notification regulations of all five states. Comply with federal breach notification regulations by notifying the victims, the secretary of Health and Human Services, and major media in each state without unreasonable delay.
Because the breach poses a reasonable risk of harm, and because it involves more than 500 people in total, it requires notification of individuals (§164.404) and the HHS secretary (§164.408) without unreasonable delay. Because the breach involves more than 500 people in each state, §164.406 requires notification of major media in each state. Federal regulations do not preempt state laws, and entities thus must comply with state law as appropriate. Further, entities must comply with the laws of those states within which the breach victims reside.
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Misdirected e-mail within the network
A clinical laboratory staff member accidentally e-mails patient biopsy reports to the office of an urgent care center. The urgent care center is affiliated with the same healthcare network as the clinical laboratory. The employee of the urgent care center notifies the clinical laboratory supervisor of the misdirected e-mail. The supervisor instructs the employee to delete the e-mail, and the clinical laboratory receives a confirmation that the e-mail was deleted. In response to this misdirected e-mail, the organization should:
a. Do nothing, because the e-mail has been deleted.
b. Send a breach notification to every patient whose biopsy report was in the e-mail.
c. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
d. Inform both employees that they are under investigation. Suspend the employee responsible for sending the misdirected e-mail pending a further forensic investigation. Seize the computer of the employee receiving the misdirected e-mail and perform an audit for inappropriate activity.
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Misdirected e-mail within the network
Answer: C. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
The misdirected e-mail was an unintentional access by a workforce member of the covered entity. It was made in good faith and within the scope of authority, and it did not result in further use or disclosure in a manner not permitted by the privacy rule. The clinical laboratory is responsible for documenting this determination, however.
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Patient names disclosed outside the network
A list of clinic patient names is accidentally sent to a physician’s office that is not affiliated with the clinic. The list does not include the name of the clinic, or any other identifying information about the patients. The doctor receiving the misdirected list mails it back to the clinic. No other use or disclosure was made of the list. In response to this incident the clinic should:
a. Do nothing, because the list was returned.
b. Send a breach notification to every patient on the list.
c. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
d. Because the physician’s office viewed the list of patient names, they would be required to issue breach notification letters to all individuals on the list.
Breach Notification Scenarios (Journal of AHIMA, February 2010)
Patient names disclosed outside the network
Answer: C. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
The names on the list are not linked to a healthcare provider, diagnosis, or treatment. Thus no privacy rule violation or security breach resulting in harm to the individuals has occurred. The clinic is responsible for documenting this determination, however.
Data breach response plan
Review your incident response plan to include data breach response. Identify who needs to be notified when a data breach is reported, and when. Determine how notices will be handled: smaller incidents can be handled internally, but for larger ones there are several companies now offering notification services, along with other products that may be needed to mitigate harm to the affected individuals.
Questions? Hope.Hammond@umcsn.com