Presentation is loading. Please wait.

Presentation is loading. Please wait.

Breach Notification Protected Health Information Under ARRA/HITECH HIPAA COW Fall Meeting September 11, 2009.

Published byJocelin Holt Modified over 8 years ago

Similar presentations

Presentation on theme: "Breach Notification Protected Health Information Under ARRA/HITECH HIPAA COW Fall Meeting September 11, 2009."— Presentation transcript:

1 Breach Notification Protected Health Information Under ARRA/HITECH HIPAA COW Fall Meeting September 11, 2009

2 Objectives Provide an Overview of ARRA/HITECH Breach Notification Requirements Review the HIPAA COW Policy on Breach Notification as a Compliance Tool Customizable for Covered Entities Discuss Implementation Strategies for Breach Notification by Participating Panelists

3 Participants Moderator Nancy Davis, Co-Chair Privacy Networking Group Panelists   Holly Schlenvogt, Privacy Officer, ProHealth Care   Jim Sehloff, Caretech Solutions, Holy Family Memorial Medical Center   Carol Weishar, Aurora Advanced Healthcare

4 Why? Breach Notification Requirement Establishes a uniform requirement to inform individuals of when their unsecured protected health information has been improperly used or disclosed and may lead to financial damage, harm to the individual’s reputation, or other harm.

5 RULES Issued August 19, 2009 (121 Pages) Require Covered Entities to Notify Individuals of a Breach as Well as HHS “without reasonable delay” or within 60 days All Breaches to be Reported to Secretary of DHS on Annual Basis Further Notification Requirements if > 500 Individuals Involved (Media Outlets) Requirements for Business Associates to Notify Covered Entity of Breach

6 Breach The acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted which compromises the security or privacy of the PHI. For purpose of this definition, compromises the security or privacy of the PHI means poses a significant risk of financial, reputational, or other harm to the individual.

7 Breach Excludes Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted. Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

8 Unsecure PHI Protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the HHS Secretary.

9 Discovery of Breach A breach of unsecured PHI shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence would have been known to the organization (includes breaches by the organization’s business associates. The organization shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent (business associate) of the organization.

10 Breach Investigation Breach Investigation: The organization shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate. The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.).

11 Risk Assessment To determine if an impermissible use or disclosure of PHI constitutes a breach, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual. The risk assessment shall be fact specific and shall address: Consideration of who impermissibly used or to whom the information was impermissibly disclosed. The type and amount of PHI involved. The potential for significant risk of financial, reputational, or other harm.

12 Timeliness of Notification The notice shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach by the organization involved or the business associate involved. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.

13 Delay of Notification If a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed

14 Content of Notice The notice shall be written in plain language and must contain the following information: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved).

15 Content of Notice - Continued Any steps the individual should take to protect themselves from potential harm resulting from the breach. A brief description of what the organization is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches. Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, Web site, or postal address.

16 Methods of Notification Individuals 1 st Class Mail Media > 500 Patients DHS Secretary > 500 Patients < Breach Log

17 Breach Log The organization shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be collected/logged: A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.). A description of the action taken with regard to notification of patients regarding the breach.

18 Business Associate Responsibilities The business associate (BA) of the organization that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify the organization of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.[[ Business associate responsibility under ARRA/HITECH for breach notification should be included in the organization’s business associate agreement (BAA) with the associate.

19 Penalties Penalties for violations of HIPAA have been established under HITECH. The penalties do not apply if the organization did not know (or by exercising reasonable diligence would not have known) of the violation or if the failure to comply was due to a reasonable cause and was corrected within thirty days. Penalties will be based on the organization’s culpability for the HIPAA violation. The Secretary still will have the discretion to impose corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation. The maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year.

20 Penalties - Continued The minimum civil monetary penalties are tiered based upon the entity's perceived culpability for the HIPAA violation, as follows: Tier A – If the offender did not know $100 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $25,000. Tier B – Violation due to reasonable cause, not willful neglect. $1,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $100,000.

21 Penalties - Continued Tier C – Violation due to willful neglect, but was corrected. $10,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $250,000. Tier D – Violation due to willful neglect, but was NOT corrected. $50,000 for each violation, total for all violations of an identical requirement during a calendar year cannot exceed $1,500,000.

22 Effective Dates Effective 30 Days After Publication Date of August 19, 2009 (September 22, 2009) Effective 30 Days After Publication Date of August 19, 2009 (September 22, 2009) However…. However…. Enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days. Enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days.

23 HIPAA COW Resource BREACH NOTIFICATION POLICY UNSECURED PROTECTED HEALTH INFORMATION POLICY www.hipaacow.org

24 Breach Notification Policy Background Background Definitions Definitions Attachments Attachments Policy Statements Policy Statements Applicable Federal and State Regulations Applicable Federal and State Regulations

25 Attachments Examples of Breaches of Unsecured Protected Health Information Breach Penalties Sample Notification Letter to Patients Sample Notification Letter to Secretary of Health & Human Services Sample Media Notification Statement/Release Sample Talking Points Sample Breach Notification Log

26 Workgroup Members Julie Coleman, (GHC-SCW) Nancy Davis, Ministry Health Care Chris DuPrey, Caris Innovation Claudia Egan, Von Briesen & Roper, S.C. Mary Evans, Meriter Health Services Bill French, Marshfield Clinic/ Ministry Health Care Monica Hocum, Hall & Render Kathy Johnson, WI DHS Carla Jones, Marshfield Clinic Chrisann Lemery, WEA Trust L. Allen Mundt, Waukesha County Holly Schlenvogt, ProHealth Care

27 Workgroup Members Peg Schmidt, Aurora Health Care Jim Sehloff, Holy Family Memorial Medical Center LaVonne Smith, Tomah Memorial Hospital Teresa Smithrud, Mercy Health System Matthew Stanford, WHA Jodie Swoboda, North Central Health Care Kerry Taylor, Saint Vincent’s Hospital Carol Weishar, Aurora Advanced Healthcare Kirsten Wild, Sinaiko Healthcare Consulting, Inc. Barbara Zabawa, Whyte Hirschboeck, Dudek, S.C.

28 Questions for Panelists 1. 1. What changes will you implement at your organizations to comply with breach notification requirements? Changes in Policies and Procedures? Changes in Staff Responsibilities/Resources? Staff Education and training Other?

29 Questions for Panelists 2. 2. Do you recommend “HIPAA Sanctions” as part of your organization’s corrective disciplinary policy? As a consultant to HR/leadership? Through a guidance document? Will you be making any changes to your established recommendations?

30 Questions for Panelists 3. Do you anticipate an increase in: Breach Occurrences? Auditing?

31 Questions for Panelists 4. 4. Open Question from Audience to be Requested

Download ppt "Breach Notification Protected Health Information Under ARRA/HITECH HIPAA COW Fall Meeting September 11, 2009."

Similar presentations

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Basics November 1, 2014.

HIPAA Basics November 1, 2014.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED. Presented by: Attorney Name Smith Moore Leatherwood LLP Address T: F: Investigating Privacy Breaches.

© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED. Presented by: Attorney Name Smith Moore Leatherwood LLP Address T: F: Investigating Privacy Breaches.
Navigating HIPAA & Recent Healthcare Reform: What You Need to Know.

Navigating HIPAA & Recent Healthcare Reform: What You Need to Know.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
 July 10, 2013 Richard D. Sanders T HE S ANDERS L AW F IRM, P.C. 7 Piedmont Center, Suite 300 3525 Piedmont Road Atlanta, Georgia 30305 (404) 364-1819.

 July 10, 2013 Richard D. Sanders T HE S ANDERS L AW F IRM, P.C. 7 Piedmont Center, Suite Piedmont Road Atlanta, Georgia (404)
Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City www.spencerfane.com www.UBAbenefits.com This Employer.

Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City This Employer.
HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you? Ellen Cannon, WV DHHR HIPAA Privacy Officer WV Attorney General’s Office.

HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you? Ellen Cannon, WV DHHR HIPAA Privacy Officer WV Attorney General’s Office.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Similar presentations

Ads by Google