Walking Through the Breach Notification Process

Walking Through the Breach
Notification Process Beginning to End
HIPAA COW
Presentation and Panel
April 8, 2011
Panelists

Nancy Davis, Ministry Health Care

Beth Malchetske, ThedaCare

Peg Schmidt, Aurora Health Care

Teresa Smithrud, Mercy Health System
Overview

This presentation and panel discussion
will address operationalizing the breach
notification process within the covered
entity.

Expert panelists will share best practices
and lessons learned in the last year with
compliance to HITECH’s breach
notification requirement.
Objectives

Identify Breach Notification Resources for
Developing an Internal Process and Response

Walk Through the Breach Notification Process
from Beginning to End

Review Any New HITECH Impacts if
Applicable

Panelist Discussion on Lessons Learned and
Best Practices Developed

Audience Participation and Discussion
Resources

HIPAA COW HITECH Breach Notification
Policy

All Inclusive Guidance

American Health Information Management
Association (AHIMA)

North Carolina Healthcare Information and
Communication Alliance (NCHICA)

Google!
Breach

Acquisition, access, use, or disclosure of protected
health information (PHI) in a manner not permitted
under the Privacy Rule which compromises the
security or privacy of the PHI. For purposes of this
definition, "compromises the security or privacy of the
PHI" means poses a significant risk of financial,
reputational, or other harm to the individual.

A use or disclosure of PHI that does not include the
identifiers listed at §164.514(e)(2) (i.e., the PHI is a
limited data set) and that also excludes date of birth
and zip code does not compromise the security or
privacy of the PHI.
Low-Risk HIPAA Violations –
Exempt from Breach Notification

HITECH Guidance: Breach does not include:

Good faith, unintentional acquisition, access, or use of
PHI by a workforce member of a CE, BA, or BA
subcontractor acting within the scope of his or her
authority, provided the PHI is not further used or
disclosed

Inadvertent disclosure by a person authorized to access
PHI to another authorized person within the same
entity or its business associates, provided the PHI is
not further used or disclosed

The entity has a good faith belief that the unauthorized
recipient could not reasonably have retained the data

Data is limited to a limited data set that does not
include dates of birth or zip codes
Investigation

Review the circumstances regarding the breach,
conduct an investigation, complete a risk
assessment, and determine necessary actions
including involvement of enterprise, local, and legal
counsel resources.

Coordinate communications with all involved in the
investigation, including patients, licensing and
accrediting organizations, state and federal
governmental agencies, etc.
Investigation - Continued

Author, gather, maintain, and retain all related
Breach investigation documentation (to be
maintained for a minimum of six years).

Recommend resolution and corrective action steps
(sanctions) to mitigate potential harm.

Report results of the investigation to involved
persons, entities, and agencies as recommended
and/or required by law.
Risk Assessment

Who impermissibly used the information, or to whom
was it impermissibly disclosed?

What type and amount of PHI was involved?

Is there a potential for significant risk of
financial, reputational, or other harm?
Risk Assessment - Resource
North Carolina Healthcare Information and
Communication Alliance (NCHICA)*

HITECH Act Breach Notification Risk
Assessment Tool

Flow Chart

Report Form

Score Card/Risk Score
*Nationally recognized nonprofit consortium dedicated to “improving
health and care in North Carolina by accelerating the adoption of
information technology and enabling policies.”
Patient Breach Notification Letter

Content – The notice shall be written in plain
language and must contain the following
information:

A brief description of what happened, including the
date of the breach and the date of the discovery of
the breach, if known

A description of the types of unsecured protected
health information that were involved in the breach
(such as whether full name, Social Security
number, date of birth, home address, account
number, diagnosis, disability code, or other types of
information were involved)
Letter - Continued

Any steps the individual should take to protect
themselves from potential harm resulting from
the breach

A brief description of what the organization is
doing to investigate the breach, to mitigate
harm to individuals, and to protect against
further breaches

Contact procedures for individuals to ask
questions or learn additional information
Breach Notification < 500

Office for Civil Rights

For breaches that affect fewer than 500 individuals,
a covered entity must provide the Secretary with
notice annually. All notifications of breaches
occurring in a calendar year must be submitted
within 60 days of the end of the calendar year in
which the breaches occurred (for breaches
discovered in 2010, the deadline was March 1, 2011).

A separate form must be completed for every
breach that has occurred during the calendar
year.
Breach Notification 500+

Office for Civil Rights

If a breach affects 500 or more individuals, a
covered entity must provide the Secretary with
notice of the breach without unreasonable delay
and in no case later than 60 days from discovery of
the breach. This notice must be submitted
electronically.
Media

Notice shall be provided to prominent media outlets
serving the state or jurisdiction when the breach
involves more than 500 residents of that state or
jurisdiction. Note that the media threshold (more
than 500 residents of one state or jurisdiction) differs
from the HHS threshold (500 or more individuals in
total), so a breach can trigger one without the other.
Panelist Portion
Was Your Organization Ready
for HITECH Breach Notification?
How Did You Prepare?
Policy Development
Staff Training, Education, Awareness
Business Associate Relationships
What Was the Biggest Surprise in
Implementing Breach Notification?
What Was the Most Valuable
Lesson Learned?
What Best Practices Did You
Develop?
What Are Your Ongoing
Concerns?
Audience Participation
Lessons Learned

Totally Underestimated Impact on Daily Job
Responsibilities

2008: 38 Internal Privacy Investigations

2009: 98 Internal Privacy Investigations (48 in the
last quarter)

2010: 210 Internal Privacy Investigations

Initial Approach to Addressing "Harm" Was
Probably Too Conservative

Partner with Collection Agency to Address
Processes, Policies, Etc.
Lessons Learned - Continued

Reach Out to Peers for Brainstorming
Best Practices

Be Open to New
Directives/Interpretations

Contacting Patients to Determine "Harm"

Employee Breach Attestation

Lessons Learned - Continued

Mitigation

Patient Requests

Organizational Offerings

Bookmark/Print Examples from
Published Breaches

Notices

Press Releases

Website Communications

External Resources (Credit Card Agencies)
