Security Breach Notification (© 2009 Fox Rothschild). A Webinar for the Medical Society of New Jersey, October 28, 2009. Presented by Helen Oscislawski, Esq.

Slide 1: Security Breach Notification: HITECH & New Jersey Law

Slide 2: HITECH Breach Notification Laws
- § 13402 of the Health Information Technology for Economic and Clinical Health Act ("HITECH") (February 17, 2009).
- Breach Notification Guidance and RFI (74 FR 19006, April 17, 2009).
- Breach Notification for Unsecured Protected Health Information: HHS' Interim Final Rule (74 FR 42740, August 24, 2009).
- FTC also released rules for "Vendors" of PHRs.

Slide 3: HITECH Breach Notification Laws (continued)
- Effective date is September 23, 2009; however, HHS will not enforce compliance with penalty assessments until February 22, 2010.
- The "Harm" threshold controversy:
  - Letter from Congress to HHS Secretary re: repeal "harm" threshold (October 1, 2009).
  - Letter from AHA to HHS Secretary re: "harm" threshold should remain (October 23, 2009).
- Comments to Interim Final Rule were due October 23, 2009.
- Remains to be seen if Interim Final Rule will be modified.

Slide 4: New Jersey Breach Notification Law
- New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-161 et seq. ("NJITPA") (effective January 1, 2006).
- NJITPA Rule, N.J.A.C. 13:45F, reserved Subchapter 3, Breach of Security Provisions (adopted April 7, 2008).
- Notice of Pre-Proposal: Identity Theft, Written Security Programs and Violations (issued December 15, 2008). Comments were due February 13, 2009. No final rule yet.

Slide 5: HITECH-State Law Preemption
With regard to Security Breach Notification requirements, HHS specifically stated in its Interim Final Rule: "covered entities will need to analyze relevant State laws with respect to this regulation to understand the interaction and apply this preemption standard appropriately." 74 FR at 42756.

Slide 6: HITECH Preemption Standard
§ 13421 of HITECH: A provision or requirement under HITECH will supersede any contrary provision of a State law, except if the provision of State law:
(a) is a provision the Secretary determines
  (i) is necessary: to prevent fraud and abuse; or to ensure appropriate State regulation of insurance and health plans; or for State reporting on health care delivery or costs; or for other purposes; or
  (ii) addresses controlled substances; or
(b) relates to the privacy of individually identifiable health information and imposes a more stringent standard or requirement than HITECH.

Slide 7: Compliance Checklist
- Complete preemption analysis of security breach notification standards under HITECH and the HHS Interim Final Rule, and NJITPA.
- Develop and implement Security Breach Policies and Procedures.
- Develop Risk Assessment for documenting "Harm" assessments.
- Develop and use a "Notification Letter" for notifying individuals.
- Assign a "1-800" number to receive questions about breaches.
- Revise Business Associate Agreements.
- Revise HIPAA policies and procedures.
- Train Employees.
- Enforce Sanctions.

Slide 8: Complete Preemption Analysis
- Compare Definitions of Terms, Scope of Applicability and Procedural Requirements.
- Detail-intensive legal analysis.
- Any two items that are not "contrary to" one another need to both be followed.

Slide 9: Who Does the Law Apply To?
HITECH:
- Covered Entities
- Business Associates
New Jersey:
- Businesses
- Public Entities

Slide 10: What Info Is Covered?
HITECH:
- "Protected Health Information" (almost everything, excluding de-identified data, and Limited Data Sets minus DOB and Zip).
- Broader.
New Jersey:
- "Personal Information" (only individual's name or first initial and last name linked with 3 pieces of data).
- Much narrower.

Slide 11: What Medium Is Covered?
HITECH:
- Electronic.
- Paper.
- Oral.
New Jersey:
- Electronic only!

Slide 12: What Constitutes a "Breach"
HITECH:
- Unauthorized acquisition, access, use or disclosure [i.e., in violation of the Privacy Rule] of [unsecured] PHI which compromises the security of PHI.
- There is a significant "Risk of Harm." [controversial]
New Jersey:
- Unauthorized access to electronic files, media or data containing [unsecured] PI that compromises the security, confidentiality or integrity of such PI.
- "Misuse" reasonably possible.

Slide 13: "Secured" PHI
HITECH:
- Unusable, unreadable or indecipherable by:
  - Encryption
  - Destruction
  - Per NIST's standards
- Firewalls, Access Controls, Redaction are NOT enough.
New Jersey:
- Encryption
- "Any other method or technology that renders the PI unreadable or unusable." ["any other method", if not recognized under HITECH, would be preempted]

Slide 14: Unauthorized Use or Access
HITECH:
- Violates the Privacy Rule.
New Jersey:
- Not specifically defined.

Slide 15: What Are the Exceptions?
HITECH:
- "Unintentional."
- "Inadvertent."
- "Not Retained."
New Jersey:
- "Good Faith Acquisition" by employee or agent.
- Legitimate business purpose.
- Not further used or disclosed.

Slide 16: HITECH Breach Exceptions
1. UNINTENTIONAL acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or a BA, if in good faith and within the scope of authority, and it does not result in further use or disclosure in violation of the Privacy Rule.
2. INADVERTENT disclosures by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same CE or BA, or at an OHCA in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in violation of the Privacy Rule.
3. RETENTION NOT POSSIBLE, although disclosure of PHI was to an unauthorized person. The CE or BA must have a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Slide 17: When You Are Deemed to "Know"
HITECH:
- Actual knowledge of the Breach.
- By exercising reasonable diligence, "should have known" about the Breach.
- Imputed knowledge of employees and agents!!
New Jersey:
- Actual discovery of the Breach.
- Upon receipt of notice regarding the breach.

Slide 18: Potential Required Notices
HITECH:
- Individual
- HHS
- Media
New Jersey:
- Individual
- Consumer Reporting Agencies
- Division of State Police

Slide 19: Timing of Individual Notice
HITECH:
- No unreasonable delay, in no case longer than 60 days.
- Delay for Law Enforcement only if you receive written communication that notice to individuals must be delayed for a specific time period; if the request is oral, document it and delay no more than 30 days.
New Jersey:
- Most expedient time possible, without unreasonable delay.
- Must wait for law enforcement to make a determination re: whether the investigation would be compromised (preempted if it causes a delay of more than 30 days).

Slide 20: Form of Individual Notice
HITECH:
- U.S. Mail.
- E-mail only if the individual has specified.
- Substitute Notice only if:
  - Out-of-date info
  - Lack info for 10 or more Individuals
  - Urgent Notice (i.e., by phone) if possible imminent misuse.
New Jersey:
- First class mail
- E-mail
- Substitute notice if:
  - cost of written notice would exceed $250K (preempted)
  - class of persons to be notified exceeds 500,000 (preempted)

Slide 21: Content of Individual Notice
HITECH:
- Brief description of what happened.
- What type of unsecured PHI was involved.
- Steps for the individual to take.
- What is being done to investigate and mitigate.
- Contact information, including toll-free number, e-mail, Website or postal address.
New Jersey:
- Description of categories of PI involved (e.g., SS#s).
- Information about the FTC's website and its toll-free number.
- Steps for the individual to take.
- Steps being taken to prevent further breaches.
- Toll-free number or other means of contact for further info.

Slide 22: Notice to Agencies
HITECH (Secretary of HHS):
- Less than 500 Individuals: an Annual Log of all security breaches involving fewer than 500 individuals must be submitted to the Secretary of HHS.
- 500 or More Individuals: any breach involving 500+ individuals must be immediately reported to the Secretary of HHS. HHS will post it on their website.
New Jersey (Dept. of Consumer Affairs):
- Less than 1000 Individuals: breaches where notices are given to individuals shall be documented and made available for inspection by the Dept. of Consumer Affairs, upon request.
- 1000 or More Individuals: must notify Consumer Reporting Agencies.

Slide 23: Notice to HHS: 500 or More
- Without unreasonable delay.
- HHS website is set up for a CE to submit notice at http://transparency.cit.nih.gov/breach/index.cfm
- The notice must be submitted electronically by following the HHS link and completing all information required on the breach notification form.
- If a CE submitted a breach notification form to HHS and then discovers additional information to report, the CE may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Slide 24: Notice to HHS: Fewer Than 500
- Annual Notice must be submitted within 60 days of the end of the calendar year in which the breaches occurred.
- Notifications of all breaches occurring after the effective date in 2009 must be submitted by March 1, 2010.
- The notice must be submitted electronically by following the HHS link http://transparency.cit.nih.gov/breach/index.cfm
- A separate form must be completed for every breach that has occurred during the calendar year.

Slide 25: Notice to Media Outlets
HITECH:
- If a security breach involves the PHI of 500 or More Individuals, notice to "prominent media outlets" serving the State or jurisdiction of such 500 or more Individuals must be provided.
New Jersey:
- No equivalent.

Slide 26: Notices to Law Enforcement
HITECH:
- There is no mandatory notification of law enforcement under HITECH.
New Jersey:
- In advance of providing any Individual with notice, the security breach must be reported to the New Jersey Division of State Police.

Slide 27: Develop and Implement Security Breach Policies and Procedures
- Auditing
- Reporting Procedures
- Training
- Business Associates
- Investigating
- Risk Assessment (evaluating "Harm")
- Decision Tree
- Notifying Affected Individuals
- Notifying Law Enforcement
- Notifying federal and state agencies
- Mitigating Harm
- Corrective Action

Slide 28: Other Items on Checklist
- Documenting "Harm" assessments.
- "Notification Letter" for notifying individuals.
- "1-800" number to receive questions about security breaches.
- Revise Business Associate Agreements: define procedures for security breach notification; allocate responsibility and liability for:
  1. failure to detect a breach,
  2. failure to notify,
  3. costs associated with fault,
  4. liability for penalties and other damages.
- Revise HIPAA policies and procedures (e.g., mitigation).
- Train Employees (very important due to imputed knowledge).
- Enforce Sanctions.

Slide 29: Questions?
Helen Oscislawski, Esq., Attorney at Law
Fox Rothschild LLP
997 Lenox Drive, Bldg. 3, P.O. Box 5231, Princeton, NJ 08543-5231
609.895.3310 (direct)
hoscislawski@foxrothschild.com
View my blog at: http://hipaahealthlaw.foxrothschild.com
