Do You Know How To Handle A HIPAA Breach?
Claudia A. Hinrichsen, Esq.
The Greenberg, Dresevic, Hinrichsen, Iwrey, Kalmowitz, Lebow & Pendleton Law Group
(516) 492-3390
chinrichsen@thehlp.com

Industry leading Education
Certified Partner Program
• Please ask questions
• For today's slides: http://compliancy-group.com/slides023/
• Today's & past webinars go to: http://compliancy-group.com/webinar/
Join our chat on Twitter: #cgwebinar
Agenda
I. Definition of Breach and Risk Assessment
II. Notification obligations in event of HIPAA breach
III. Getting your own “house in order”
IV. What to do when social security numbers are disclosed
V. Credit monitoring for impacted patients
VI. Insurance for HIPAA breaches
VII. Questions?
HIPAA Omnibus Rule
• New HIPAA regulations became effective on September 23, 2013
• Significant modifications made to HIPAA rules, including breach notification, among other things
• Harm standard removed
• Four factors must be considered in risk assessment

Determine Whether a Breach Occurred
• Impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the Covered Entity is able to demonstrate that there is a “low probability that PHI has been compromised.”
• Applies to “unsecured PHI,” which is PHI not rendered unusable, unreadable, or indecipherable

Determine Whether a Breach Occurred
At least the four following factors must be assessed:
1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2) The unauthorized person who used the PHI or to whom the disclosure was made;
3) Whether the PHI was actually acquired or viewed; and
4) The extent to which the risk to the PHI has been mitigated.

Results of Risk Assessment
• If evaluation of the factors fails to demonstrate a low probability that the PHI has been compromised, breach notification is required.

Example 1
• If information containing dates of health care service and diagnosis of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on the information available to the employer, such as dates of absence from work.
• In this case, there may be more than a low probability that the protected health information has been compromised.

Example 2
• If a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the Covered Entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.

Example 3
• If financial information, such as credit card numbers or social security numbers, was disclosed, the Covered Entity may determine that a breach has occurred, as unauthorized use or disclosure of such information could increase the risk of identity theft or financial fraud.

Notification Obligations in the Event of a HIPAA Breach
• Notification to affected individuals
• Notification to the media
• Notification to the Secretary of the Department of Health and Human Services (the Secretary)
• Other notifications
Notification to Affected Individuals
• All notices to affected individuals must be written in plain language and include:
  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of PHI (not the specific PHI) that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved);

Notification to Affected Individuals
  • Any recommended steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of what the Covered Entity is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches; and
  • Contact information for the Privacy Officer of the Covered Entity.

Method of Notification
• The covered entity must notify affected individuals by:
1. Written notification by first-class mail to the individual at the last known address of the individual
2. If the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail

Method of Notification
• In the case of minors or individuals who lack legal capacity due to a mental or physical condition, the parent or personal representative should be notified.
• If the covered entity knows that an individual is deceased, the notification should be sent to the individual's next of kin or personal representative if the address is known.

Method of Notification
• In urgent situations where there is a possibility of imminent misuse of the unsecured PHI, additional notice by telephone or other means may be made. However, direct written notice must still be provided.

Notification to the Media
• If the breach of unsecured PHI involves more than 500 residents of a state or jurisdiction, prominent media outlets must be notified (most likely via a press release) without unreasonable delay and no later than 60 days after discovery.
PLEASE NOTE: The notification to the media is not a substitute for the notification to the individual.

Notification to the Secretary
• For a breach of unsecured PHI that involves more than 500 individuals, the Secretary of the Department of Health and Human Services should be notified via ocrnotifications.hhs.gov without unreasonable delay and no later than 60 days after discovery.

Notification to the Secretary
• If the breach of unsecured PHI involves fewer than 500 individuals, the Covered Entity’s Privacy Officer should maintain an internal log or other documentation of the breach. This information should then be submitted annually (before March 1st) to the Secretary of HHS for the preceding calendar year via the website.
• The health care provider should maintain its internal log or other documentation of breaches for six years.

Getting Your “House in Order”
• Review/update the practice’s policies and procedures
• Provide training to all employees in:
  • Updated policies
  • Prompt reporting
  • Evaluation and documentation of breaches
• Create an action plan to respond to security incidents and breaches
• Conduct regular internal audits
• Consider getting insurance for HIPAA breaches

Most Common Forms of Breach
• Impermissible uses and disclosures of protected health information
• Lack of safeguards of protected health information
• Lack of patient access to their protected health information
• Uses or disclosures of more than the Minimum Necessary protected health information
• Complaints to the covered entity

Office for Civil Rights (OCR) Audits
• OCR has completed audits for 115 entities with a total of 979 audit findings and observations:
  • 293 regarding Privacy
  • 592 regarding Security
  • 94 regarding Breach Notification
• An evaluation is currently underway to make audits a permanent part of enforcement efforts.
• Security Rule assessment will be highly scrutinized.

Social Security Numbers
• Most states have additional laws regulating notification of unauthorized disclosure of social security numbers.
• These regulations require that notification be provided in the most expeditious time possible and without unreasonable delay.
• The person that owns or licenses the computerized data must provide notice to the individual.

Social Security Number Breach
• Typically the following must be done immediately after discovery of the breach:
  • Detailed notice to affected residents within the state
  • Notification to other governmental agencies, including, but not limited to:
    • State Attorney General
    • Department of State
    • Consumer Reporting Agencies
PLEASE NOTE: The Attorney General may bring a civil action and the court may also award injunctive relief.

Credit-Monitoring
• According to the U.S. Federal Trade Commission, it takes an average of 12 months for a victim of identity theft to notice the crime.
• Credit-monitoring services will regularly alert the individual of any changes to their credit, helping stop theft before it gets out of control.

Credit-Monitoring
• Covered entities and others who maintain PHI may need to offer such services to affected individuals to mitigate risk.
• Companies such as Identity Guard, Equifax, and Experian offer credit-monitoring, providing credit alerts to individuals every business day.
• The average cost of credit monitoring per person is $15 a month with credit alerts, which will report new accounts, credit inquiries, address changes, changes to current accounts/account information, etc.

Business Associate Agreements
• Covered Entities should include indemnification language in their Business Associate Agreement for any costs related to a breach, including free credit-monitoring for affected individuals.
• A Covered Entity may also consider requiring business associates to have data breach insurance.

Cyber/Breach Insurance
• A recent study by the Ponemon Institute reported that 76% of participating organizations in the study who had experienced a security exploit ranked cyber security risks as high or higher than other insurable risks, such as natural disasters, business interruptions, and fire.
• Many general liability insurance policies are excluding data breaches and security compromises.

Cyber/Breach Insurance
• Data breach insurance may be necessary to cover the costs of responding to a breach and may include:
  • Defense costs and indemnity for a statutory violation, regulatory investigation, negligence or breach of contract
  • Credit or identity costs as part of a covered liability judgment, award or settlement
  • Forensic costs incurred in the defense of a covered claim

Conclusion
• “Thus far in 2013, 48 percent of reported data breaches in the United States have been in the medical/healthcare industry. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost.”
  • ITRC Breach Report, Identity Theft Resource Center, May 2013
• A plan of action is crucial in order to appropriately handle a breach.
• Proper and timely notification is necessary.

HIPAA Compliance
HITECH Attestation
Risk Assessment
Omnibus Rule Ready
Meaningful Use core measure 15
Policy & Procedure Templates
Free Demo and 60 Day Evaluation
www.compliancy-group.com

HIPAA Hotline
855.85HIPAA
855.854.4722

Questions?

More Related Content

PDF
Hipaa journal com - HIPAA compliance guide
PPTX
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
PPTX
The Basics of HIPAA
PDF
HIPAA Compliance for Developers
PDF
HIPAA for Dummies
PPTX
The Startup Path to HIPAA Compliance
PPTX
Annual HIPAA Training
PDF
Application Developers Guide to HIPAA Compliance
Hipaa journal com - HIPAA compliance guide
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
The Basics of HIPAA
HIPAA Compliance for Developers
HIPAA for Dummies
The Startup Path to HIPAA Compliance
Annual HIPAA Training
Application Developers Guide to HIPAA Compliance

What's hot (20)

PPTX
HIPAA | HITECH
PPTX
Health Insurance Portability and Accountability Act (HIPAA) Compliance
PPSX
HIPAA HITECH training 7-9-12
PPT
Hippa slide show
PPT
HIPAA Compliance
PPTX
Hippa laws
PPTX
HIPAA Complaince
PDF
HIPAA and How it Applies to You
KEY
HIPPA Compliance
PPTX
HIPPA Security Presentation
PPTX
Health insurance portability and act(hipaa)2
PPTX
HIPAA - Understanding the Basics of Compliance
PPT
HIPAA
PDF
Hipaa basics
PPTX
HIPAA Part I the Law Test
PPT
HIPAA Audio Presentation
PPT
Knowing confidentiality
PPT
Hipaa
PDF
Personal Health Records & HIPAA
PDF
HIPAA 101 for Startups
HIPAA | HITECH
Health Insurance Portability and Accountability Act (HIPAA) Compliance
HIPAA HITECH training 7-9-12
Hippa slide show
HIPAA Compliance
Hippa laws
HIPAA Complaince
HIPAA and How it Applies to You
HIPPA Compliance
HIPPA Security Presentation
Health insurance portability and act(hipaa)2
HIPAA - Understanding the Basics of Compliance
HIPAA
Hipaa basics
HIPAA Part I the Law Test
HIPAA Audio Presentation
Knowing confidentiality
Hipaa
Personal Health Records & HIPAA
HIPAA 101 for Startups
Ad

Similar to Do You Know How to Handle a HIPAA Breach? (20)

PPTX
DATA BREach notification of laws in health care.pptx
PPTX
HIPAA – Where’s the Harm? Final Rule Update
PPTX
Ruggiero.hipaa training
PDF
HIPAA 2015 webinar
PPTX
2017 HIPAA Clinical Research Training
PPTX
Privacy and Security Awareness (2021).pptx
PPTX
Privacy related power point presentation
PPTX
Hitech changes-to-hipaa
PPT
HIPAA - Updated.ppt
PPTX
Data Security and Privacy Practices
PDF
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
PPTX
Hipaa
PPTX
Return to office post covid 19
PPT
HIPAA PowerPoint Training.HIPAA PowerPoint Training
PPTX
Hipaa-2015
PDF
Privacy law-update-whitmeyer-tuffin
PDF
Introduction to Data Security Breach Preparedness with Model Data Security Br...
PDF
CAHU EXPO Grove City, OH 2014
PPT
Securing health information
DATA BREach notification of laws in health care.pptx
HIPAA – Where’s the Harm? Final Rule Update
Ruggiero.hipaa training
HIPAA 2015 webinar
2017 HIPAA Clinical Research Training
Privacy and Security Awareness (2021).pptx
Privacy related power point presentation
Hitech changes-to-hipaa
HIPAA - Updated.ppt
Data Security and Privacy Practices
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Hipaa
Return to office post covid 19
HIPAA PowerPoint Training.HIPAA PowerPoint Training
Hipaa-2015
Privacy law-update-whitmeyer-tuffin
Introduction to Data Security Breach Preparedness with Model Data Security Br...
CAHU EXPO Grove City, OH 2014
Securing health information
Ad

More from Compliancy Group (20)

PDF
HIPAA compliance for Business Associates- The value of compliance, how to acq...
PDF
HIPAA compliance tuneup 2016
PDF
How to safeguard ePHIi in the cloud
PDF
Business Associates: How to differentiate your organization using HIPAA compl...
PDF
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
PDF
HIPAA 101- What all Doctors NEED to know
PDF
HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Pra...
PDF
How to prepare for OCR's upcoming phase 2 audits
PDF
Preparing for the unexpected in your medical practice
PDF
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
PDF
How to Survive a HIPAA Audit
PDF
How to Effectively Negotiate a Business Associate Agreement: What’s Importan...
PDF
Meaningful Use vs HIPAA
PDF
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
PDF
Why a Risk Assessment is NOT Enough for HIPAA Compliance
PDF
The must have tools to address your HIPAA compliance challenge
PDF
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
PDF
What you need to know about Meaningful Use 2 & interoperability
PDF
Just the Facts- Meaningful Use Stage 2 & ICD 10
PDF
Is Your EHR Safe? New Technologies for Auditing
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance tuneup 2016
How to safeguard ePHIi in the cloud
Business Associates: How to differentiate your organization using HIPAA compl...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
HIPAA 101- What all Doctors NEED to know
HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Pra...
How to prepare for OCR's upcoming phase 2 audits
Preparing for the unexpected in your medical practice
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
How to Survive a HIPAA Audit
How to Effectively Negotiate a Business Associate Agreement: What’s Importan...
Meaningful Use vs HIPAA
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
Why a Risk Assessment is NOT Enough for HIPAA Compliance
The must have tools to address your HIPAA compliance challenge
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
What you need to know about Meaningful Use 2 & interoperability
Just the Facts- Meaningful Use Stage 2 & ICD 10
Is Your EHR Safe? New Technologies for Auditing

Recently uploaded (20)

PDF
DOC-20250806-WA0002._20250806_112011_0000.pdf
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
PDF
Laughter Yoga Basic Learning Workshop Manual
PDF
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
PDF
Power and position in leadershipDOC-20250808-WA0011..pdf
PPTX
Lecture (1)-Introduction.pptx business communication
DOCX
unit 1 COST ACCOUNTING AND COST SHEET
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
PDF
MSPs in 10 Words - Created by US MSP Network
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
PPTX
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
PDF
Nidhal Samdaie CV - International Business Consultant
PDF
Roadmap Map-digital Banking feature MB,IB,AB
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
PPT
Data mining for business intelligence ch04 sharda
PDF
IFRS Notes in your pocket for study all the time
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
DOCX
Euro SEO Services 1st 3 General Updates.docx
DOCX
Business Management - unit 1 and 2
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
DOC-20250806-WA0002._20250806_112011_0000.pdf
340036916-American-Literature-Literary-Period-Overview.ppt
Laughter Yoga Basic Learning Workshop Manual
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
Power and position in leadershipDOC-20250808-WA0011..pdf
Lecture (1)-Introduction.pptx business communication
unit 1 COST ACCOUNTING AND COST SHEET
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
MSPs in 10 Words - Created by US MSP Network
Belch_12e_PPT_Ch18_Accessible_university.pptx
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
Nidhal Samdaie CV - International Business Consultant
Roadmap Map-digital Banking feature MB,IB,AB
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
Data mining for business intelligence ch04 sharda
IFRS Notes in your pocket for study all the time
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
Euro SEO Services 1st 3 General Updates.docx
Business Management - unit 1 and 2
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034

Do You Know How to Handle a HIPAA Breach?

  • 1. Do  You  Know  How  To   Handle  A  HIPAA   Breach?   Claudia  A.  Hinrichsen,  Esq.   The  Greenberg,  Dresevic,  Hinrichsen,  Iwrey,  Kalmowitz,  Lebow  &  Pendleton  Law  Group   (516)  492-­‐3390   chinrichsen@thehlp.com    
  • 2. Industry  leading  Education   Certified  Partner  Program     •  Please  ask  questions   •  For  todays  Slides   http://compliancy-­‐group.com/slides023/   •  Todays  &  Past  webinars  go  to:   http://compliancy-­‐group.com/webinar/   Join  our  chat  on  Twitter           #cgwebinar  
  • 3. Agenda   I.  DefiniSon  of  Breach  and  Risk  Assessment   II.  NoSficaSon  obligaSons  in  event  of  HIPAA   breach   III.  GeYng  you  own  “house  in  order”     IV.  What  to  do  when  social  security  numbers  are   disclosed   V.  Credit  monitoring  for  impacted  paSents   VI.  Insurance  for  HIPAA  breaches   VII.  QuesSons?  
  • 4. I   HIPAA  Omnibus  Rule   • New  HIPAA  regulaSons  became  effecSve   on  September  23,  2013   • Significant  modificaSons  made  to  HIPAA   rules,  including  breach  noSficaSon,  among   other  things   • Harm  standard  removed   • Four  factors  must  be  considered  in  risk   assessment  
  • 5. Determine  Whether  a  Breach   Occurred   •  Impermissible  use  or  disclosure  of  protected   health  informaSon  (PHI)  is  presumed  to  be  a   breach  unless  the  Covered  EnSty  is  able  to   demonstrate  that  there  is    “low  probability  that   PHI  has  been  compromised.”   •  Applies  to  “unsecured  PHI”  which  is  not   rendered  unusable,  unreadable,  or   indecipherable   I  
  • 6. Determine  Whether  a  Breach   Occurred   At  least  the  four  following  factors  must  be  assessed:   1)  The  nature  and  extent  of  the  PHI  involved,  including  the   types  of  idenSfiers  and  the  likelihood  of  re-­‐ idenSficaSon;   2)  The  unauthorized  person  who  used  the  PHI  or  to  whom   the  disclosure  was  made;   3)  whether  the  PHI  was  actually  acquired  or  viewed;  and   4)  The  extent  to  which  the  risk  to  the  PHI  has  been   mi;gated.   I  
  • 7. I   Results  of  Risk  Assessment   • If  evaluaSon  of  the  factors  fails  to   demonstrate  that  low  probability  that   the  PHI  has  been  compromised,   breach  no;fica;on  is  required.  
  • 8. I   Example  1   •  If  informaSon  containing  dates  of  health  care   service  and  diagnosis  of  certain  employees  was   impermissibly  disclosed  to  their  employer,  the   employer  may  be  able  to  determine  that  the   informaSon  pertains  to  specific  employees   based  on  the  informaSon  available  to  the   employer,  such  as  dates  of  absence  from  work.       •  In  this  case,  there  may  be  more  than  a  low   probability  that  the  protected  health   informaSon  has  been  compromised.  
  • 9. I   Example  2   •  If  a  laptop  computer  was  stolen  and  later   recovered  and  a  forensic  analysis  shows  that  the   protected  health  informaSon  on  the  computer   was  never  accessed,  viewed,  acquired,   transferred,  or  otherwise  compromised,  the   Covered  EnSty  could  determine  that  the   informaSon  was  not  actually  an  unauthorized   individual  even  though  the  opportunity  existed.  
  • 10. I   Example  3   •  If  financial  informaSon,  such  as  credit  card   numbers  or  social  security  numbers  was   disclosed,  the  Covered  EnSty  may  determine   that  a  breach  has  occurred  as  unauthorized  use   or  disclosure  of  such  informaSon  could  increase   the  risk  of  idenSty  thef  or  financial  fraud.  
  • 11. NotiIication  Obligations  in  the   Event  of  a  HIPAA  Breach   • NoSficaSon  to  affected  individuals   • NoSficaSon  to  the  media   • NoSficaSon  to  the  Secretary  of  the   Department  of  Health  and  Human   Services  (the  Secretary)   • Other  noSficaSons       II  
  • 12. NotiIication  to  Affected   Individuals   •  All  noSces  to  affected  individuals  must  be   wrihen  in  plain  language  and  include:   •  A  brief  descripSon  of  what  happened,   including  the  date  of  the  breach  and  the  date   of  the  discovery  of  the  breach,  if  known;   •  A  descripSon  of  the  types  of  PHI  (not  the   specific  PHI)  that  were  involved  in  the  breach   (such  as  whether  full  name,  social  security   number,  date  of  birth,  home  address,  account   number,  diagnosis,  disability  code  or  other   types  of  informaSon  were  involved);   II  
  • 13. NotiIication  to  Affected   Individuals   •  Any  recommended  steps  individuals  should   take  to  protect  themselves  from  potenSal   harm  resulSng  from  the  breach;   •  A  brief  descripSon  of  what  the  Covered  EnSty   is  doing  to  invesSgate  the  breach,  to  miSgate   harm  to  individuals  and  to  protect  against  any   further  breaches;  and     •  Contact  informaSon  for  the  Privacy  Officer  of   the  Covered  EnSty.   II  
  • 14. II   Method  of  NotiIication   •  The  covered  enSty  must  noSfy  affected   individuals  by:   1.  Wrihen  noSficaSon  by  first-­‐class  mail  to  the   individual  at  the  last  known  address  of  the   individual   2.  If  the  individual  agrees  to  electronic  noSce   and  such  agreement  has  not  been   withdrawn,  by  electronic  mail  
  • 15. II   Method  of  NotiIication   •  In  the  case  of  minors  or  individuals  who  lack   legal  capacity  due  to  a  mental  or  physical   condiSon,  the  parent  or  personal   representaSve  should  be  noSfied.   •  If  the  covered  enSty  knows  that  an  individual   is  deceased,  the  noSficaSon  should  be  sent  to   the  individual's  next  of  kin  or  personal   representaSve  if  the  address  is  known.  
  • 16. II   Method  of  NotiIication   •  In  urgent  situaSons  where  there  is  a  possibility   for  imminent  misuse  of  the  unsecured  PHI,   addiSonal  noSce  by  telephone  or  other  means   may  be  made.  However,  direct  wrihen  noSce   must  sSll  be  provided.  
  • 17. II   NotiIication  to  the  Media   •  If  the  breach  of  unsecured  PHI  involves  more   than  500  residents  of  a  state  or  jurisdicSon,   prominent  media  outlet  must  be  noSfied  (most   likely  via  a  press  release)  without  unreasonable   delay  and  no  later  than  60  days  afer  discovery.     PLEASE  NOTE:  The  noSficaSon  to  the  media  is  not   a  subsStute  for  the  noSficaSon  to  the  individual.  
  • 18. II   NotiIication  to  the  Secretary   •  For  breach  of  unsecured  PHI  that  involves  more   than  500  individuals,  the  Secretary  of  the   Department  of  Health  and  Human  Services   should  be  noSfied  via  ocrnoSficaSons.hhs.gov   without  unreasonable  delay  and  no  later  than  60   days  aBer  discovery.    
  • 19. II   NotiIication  to  the  Secretary   •  If  the  breach  of  unsecured  PHI  involve  less  than   500  individuals,  the  Covered  EnSty’s  Privacy   Officer  should  maintain  an  internal  log  or  other   documentaSon  of  the  breach.  This  informaSon   should  then  be  submihed  annually  (before   March  1st)  to  the  Secretary  of  HHS  for  the   preceding  calendar  year  via  the  website.     •  The  health  care  provider  should  maintain  its   internal  log  or  other  documentaSon  of   breaches  for  six  years.  
  • 20. II  
  • 21. II  
  • 22. II  
  • 23. III   Getting  Your  “House  in  Order”   •  Review/update  the  pracSce’s  policies  and   procedures   •  Provide  training  to  all  employees  in:   •  Updated  policies   •  Prompt  reporSng   •  EvaluaSon  and  documentaSon  of  breaches   •  Create  an  ac;on  plan  to  respond  to  security   incidents  and  breaches   •  Conduct  regular  internal  audits   •  Consider  geYng  insurance  for  HIPAA  breaches  
  • 24. Most  Common  Forms  of   Breach   •  Impermissible  uses  and  disclosures  of   protected  health  informaSon   •  Lack  of  safeguards  of  protected  health   informaSon   •  Lack  of  pa5ent  access  to  their  protected   health  informaSon   •  Uses  or  disclosures  of  more  than  the   Minimum  Necessary  protected  health   informaSon   •  Complaints  to  the  covered  enSty  
25. III Office of Civil Rights (OCR) Audits
• OCR has completed audits for 115 entities with a total of 979 audit findings and observations:
  • 293 regarding Privacy
  • 592 regarding Security
  • 94 regarding Breach Notification
• An evaluation is currently underway to make audits a permanent part of enforcement efforts.
• Security Rule assessment will be highly scrutinized.
26. IV Social Security Numbers
• Most states have additional laws regulating notification of unauthorized disclosure of social security numbers.
• These regulations require that notification be provided in the most expeditious time possible and without unreasonable delay.
• The person who owns or licenses the computerized data must provide notice to the individual.
27. IV Social Security Number Breach
• Typically the following must be done immediately after discovery of the breach:
  • Detailed notice to affected residents within the state
  • Notification to other governmental agencies, including, but not limited to:
    • State Attorney General
    • Department of State
    • Consumer Reporting Agencies
PLEASE NOTE: The Attorney General may bring a civil action and the court may also award injunctive relief.
28. V Credit-Monitoring
• According to the U.S. Federal Trade Commission, it takes an average of 12 months for a victim of identity theft to notice the crime.
• Credit-monitoring services will regularly alert the individual of any changes to their credit, helping stop theft before it gets out of control.
29. V Credit-Monitoring
• Covered entities and others who maintain PHI may need to offer such services to affected individuals to mitigate risk.
• Companies such as Identity Guard, Equifax, and Experian offer credit-monitoring, providing credit alerts to individuals every business day.
• The average cost of credit monitoring per person is $15 a month with credit alerts, which will report new accounts, credit inquiries, address changes, changes to current accounts/account information, etc.
30. V Business Associate Agreements
• Covered Entities should include indemnification language in their Business Associate Agreement for any costs related to a breach, including free credit-monitoring for affected individuals.
• A Covered Entity may also consider requiring business associates to have data breach insurance.
31. VI Cyber/Breach Insurance
• A recent study by the Ponemon Institute reported that 76% of participating organizations in the study who had experienced a security exploit ranked cyber security risks as high or higher than other insurable risks, such as natural disasters, business interruptions, and fire.
• Many general liability insurance policies are excluding data breaches and security compromises.
32. VI Cyber/Breach Insurance
• Data breach insurance may be necessary to cover the costs of responding to a breach and may include:
  • Defense costs and indemnity for a statutory violation, regulatory investigation, negligence or breach of contract
  • Credit or identity costs as part of a covered liability judgment, award or settlement
  • Forensic costs incurred in the defense of a covered claim
33. VII Conclusion
• "Thus far in 2013, 48 percent of reported data breaches in the United States have been in the medical/healthcare industry. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost."
  • ITRC Breach Report, Identity Theft Resource Center, May 2013
• A plan of action is crucial in order to appropriately handle a breach.
• Proper and timely notification is necessary.
34. Compliancy Group
• HIPAA Compliance
• HITECH Attestation
• Risk Assessment
• Omnibus Rule Ready
• Meaningful Use core measure 15
• Policy & Procedure Templates
• Free Demo and 60 Day Evaluation
www.compliancy-group.com
HIPAA Hotline: 855.85HIPAA (855.854.4722)