Anatomy of a HIPAA Breach

Presentation transcript:

Anatomy of a HIPAA Breach
Maureen D'Agostino, SVP, Quality, Service and Performance Excellence
Colleen McClorey, Associate General Counsel, University of Michigan Health System Legal Office

I. Omnibus HIPAA Changes
- Breach notification
- Business Associates and Subcontractors
- Agency
- Enforcement
- Determining Breach
Day to Day
- Electronic Perils: EMR; Laptops; Social Media
- Encryption
- Administrative, Technical, Physical Safeguards
- Other Horror Stories
What To Do
- Management Strategies
- Training
- Notice of Privacy Practices
- Data Needed
- Privilege vs. Non-privilege
- Investigation
- OCR Response

Important Dates – Omnibus Rule
- Published in Federal Register – January 25, 2013
- Effective Date – March 26, 2013
- Compliance Date – September 23, 2013
- Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts

Breach Notification
- Revised definition of breach
- Revised risk assessment approach
- CE or BA must rebut presumption of breach
- Focus on harm to data rather than to individual
- How will this work??

Considerations
- The nature and extent of the PHI involved
- The unauthorized person who used, accessed or received the PHI
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

Business Associates and Subcontractors
- Revised definition of "business associate"
- Subcontractors "all the way down the chain" are now BAs
- BAs and subcontractors directly liable under HIPAA
- BAAs still required – but how to revise?
- Staggered deadlines for new BAAs

Business Associates and Subcontractors
- Reassessment of existing BA relationships
- BAs with direct access to ePHI
- BA liability considerations
- "Satisfactory assurances" regarding safeguarding of PHI by subcontractors

Agency
- Agency relationship affects liability and breach notification timing for CEs and BAs
- Use federal common law of agency
- Who controls conduct? Will more control = more liability?

Enforcement
- Makes permanent the increased CMP amounts and tiered levels of culpability from the 2009 IFR
- Clarifies "reasonable cause" tier
- Willful neglect cases do not require informal resolution
- Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties
- Audit authority is added

Common Breach Pitfalls
Faxes can lead to extortion!
Before faxing:
- Confirm you have the correct number and that it is entered correctly
- Review and update programmed numbers on a regular basis
- Use an appropriate cover sheet with a confidentiality clause and a contact number at your site
After faxing:
- Confirm receipt by contacting the receiving party; do not simply rely on the fax machine transmission report
- Promptly retrieve improperly faxed documents if possible
Special Alert: monitor and update auto-fax numbers embedded in EHRs and other record systems/software – these are often easily forgotten – e.g., auto fax of a record to the PCP from a specialist's office, lab or radiology

Common Breach Pitfalls
Medical record release can lead to extortion too, and $'s:
- Record copy given/sent to wrong party
- Record copy sent contained another patient's information that was not found or corrected after an entry error or registration error
- Incorrect patient selection at registration due to common first and last names – train registration to ask the patient for information and not simply recite file information to the patient; registration should request photo ID and compare the information/picture to the presenting patient
- Discharge instructions with demographic information given to wrong patient
- Patient wristband with some data present given to wrong patient due to registration error

Common Breach Pitfalls - EMR
Caution 1: The pitfalls mentioned are HIPAA/HITECH issues but, even more important, clinical issues. Patient identification verification at all levels is critical to minimizing the impact of human error.
Caution 2: An OCR complaint investigator demanded copies of discharge instructions and a sample of wristbands, looking for demographic information to evaluate risk to the patient.
Caution 3: Bolt-on systems/software and interfaces to the main EMR often make record correction difficult and labor intensive.
Caution 4: Allegations of neglect and abuse require special handling of vulnerable adult and minor records to protect the patient post-hospitalization. Flagging sensitive records may be the only means of identifying these records such that the record service knows to take precautions before release.

Common Breach Pitfalls – After the Elevator! Patient Bedside Verbal Breaches
- Speaking with family or friends present without determining the patient's wishes
- Assuming all care conversations may occur in front of family or friends based on past patient response – even ones with sensitive information?
- Not inquiring about a person's relationship to the patient in surgical waiting – assuming the person is family!
- Having clinical conversations while the family of the patient in the next bed is present, never politely requesting that they leave the room
- Staff not asking the patient for permission to talk with family and friends present, and later finding this was not acceptable when the OCR complaint inquiry comes

Determining a Breach – FAX Case
- Analyze the telephone/fax number and address used in "fax to" – authorized person (physician, clinic, etc.) or not (commercial business, home). Reverse look-ups are often helpful
- Identify the person who holds the information, if different from above
- Identify the type of document and its contents; check audit trails if you have a staff name
- Was demographic, clinical or other identification information accessed or released? Recall that the Medicare beneficiary number is the SSN with only a modest change – typically an alphabetic letter!
- Locate where the fax or record was sent from ("fax from") – not always easy with trunk lines and auto fax built into the record system
- Retrieve incorrectly faxed information if possible, even if that means going to the home or business yourself
- Determine the approximate length of time in the wrong person's possession
- Assuming identifying or clinical data was compromised, was there opportunity for the unauthorized party to retain the documents, and does this present risk to the patient? Our latest interactions suggest OCR takes a near worst case scenario perspective
- Following the internal assessment that there is risk to the patient, notify the patient. What do you offer with notification (free credit checks)?
- Take and document remedial actions (policy, protocols, system changes, education, discipline) as appropriate. If unable to pinpoint fax locations, have IT/Telecommunications disable the erroneous fax phone number – this prevents call out. Effective disabling may require disabling the number in all trunk lines or "switches," not just the one thought to be involved
- DON'T PAY THE RANSOM! File your lawsuit to retrieve documents and get a restraining order to put risk on the party if there is further disclosure! We did agree to pay the expense for ink and paper.
- Finally, don't forget to file your report with OCR. FYI, in one case OCR in its complaint notification letter advised they would expect a report to be filed.

Determining a Breach - Basics
- Starts with the complaint or is raised by an audit question
- Complaint drives next steps in analysis
- Audit may reveal what appears to be excessive access, printing or 'break the glass' activity with little or no charting
- Evaluate job duties, assignment, hours of work and/or work unit
- Determine type of access: was it for treatment, payment or operations ("TPO")?
- Did the access/disclosure comply with 'need to know' and/or the minimum necessary rule, if applicable?
- If unauthorized access/disclosure occurred or likely occurred based on the above, did the access/disclosure present risk or, better, did the access/disclosure fit within the HIPAA/HITECH definition of breach?
- If yes, take action to minimize risk to the patient, consistent with HIPAA/HITECH and organizational policy and past practice
- Be mindful not to violate, by policy or practice, NLRA General Counsel opinions on 'concerted activity.' Focus only on the HIPAA/HITECH rule issues, not on dialogue that ties to conditions of work or discussion of the work environment
- File the breach with OCR as required. Recommend doing breach reports, including those that fall below the 500-person level, at the time of the breach determination even though you may file an annual report. Data is readily at hand and facts are fresh in mind, and filing on a case-by-case basis is more efficient than re-reviewing cases at year end

Electronic Perils
EMR; Laptops; Social Media (employees' rights under the NLRA)
- Guidance
- Policies and Procedures
- Security Protocols
- BAAs
- Audit
- Encryption

Administrative, Technical and Physical Safeguards
Firewalls, tracking devices, strong password controls, tools that will activate to destroy hard drives

Breaches Involving the Feds
- Government agency makes an appointment to come in to talk to the Compliance Officer; the agents are wearing guns
- Presents a subpoena for documents
- Gives little information about the reason
- Does state that other government agencies are involved
- Presents a list of patient names (300) to verify that yes, they were our patients

Federal Breaches
- Gives us 2 weeks to confirm patients and compile all documents under the subpoena, including sequestering the computer and making a "forensic" copy of all drives and memory
- An encrypted, secured government email for document delivery

So How Did This Happen
- Management level employee
- As part of their job, has access to patient demographics
- Selectively, based on diagnoses, steals their demographics and passes the information on to a third party outside the organization
- Third party submits fraudulent documents and receives government reimbursement

Continued
- Additional names begin to reach close to, or may exceed, the 500 required to do a report to the OCR. Question: are these 500 distinct events, or does this trigger the 500 rule in HIPAA/HITECH for OCR notification purposes, let alone public notice?
- Government agency allows us to conduct our own internal investigation (beware of the obstruction argument) and to do whatever we thought appropriate with the employee
- Also told to record all conversations
- Investigation is quickly done and employee is fired

Continued
- Employee office was searched and computer and files confiscated
- All electronic sign-ons were immediately closed down prior to termination
- Multiple patient demographics found that the employee would have no reason to have
- As the employee is exiting, states, "I guess I got caught up with the wrong crowd"

Continued
- Open felony investigation
- Government agency states it may take years to conclude. Also states, "we are way down the road in the investigation for us to come here"
- So how did the agency pick up on this: an agent noticed the same name at the same address was too frequent, and many were elderly!
- Internal investigation is on hold because we are not allowed to disturb the forensic information

Strategies: How to Manage
- Training from entry level positions to executives, including physicians, covering privacy and security policies and process
- Monitoring – continuous audit trails of electronic information, such as break the glass, same last name, address proximity locator, frequency and breadth of access, and printing quantification
- Hiring: entry into the workplace because of data access, not because of healthcare interest – think identity theft
- Firewall protection
- Attorney-Client Privileged information versus non-privileged – assess the potential damage; anticipate poor outcomes and negative results, media implications, regulatory implications and investigations
- How to determine if you need an investigation – start with a review or probe of the information; if you can't conclude, then a full investigation
- How to conduct one for EHR (non-fax) – audit reports, the complaint typically received, who accessed and what they accessed along with their role, the personnel who accessed and their organizational role (think in terms of TPO: treatment, payment and operations), conduct interviews, take action as appropriate with the employee
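An added example, not from the presentation: a small Python screen over a constructed EMR access audit log that applies the monitoring items above and the indicators from "Determining a Breach - Basics" (break-the-glass access with little or no charting, excessive access or printing, same-last-name lookups). The log format, field names, user/patient values and thresholds are all assumptions.

```python
# Added example, not from the presentation: screen an EMR access audit trail
# for the patterns the slides say to monitor: "break the glass" overrides with
# no charting, heavy record access or printing, and staff viewing patients who
# share their own last name. Log format, field names and thresholds are assumed.
from collections import defaultdict

# Constructed sample records: timestamp user user_last patient_last action mrn
SAMPLE_LOG = """\
2013-06-01T08:02 jdoe Doe Smith view MRN001
2013-06-01T08:05 jdoe Doe Smith chart MRN001
2013-06-01T09:00 mlee Lee Garcia break_glass MRN003
2013-06-01T09:01 mlee Lee Garcia view MRN003
2013-06-01T09:03 mlee Lee Lee view MRN004
2013-06-01T09:04 mlee Lee Lee print MRN004
2013-06-01T09:10 mlee Lee Brown view MRN005
2013-06-01T09:11 mlee Lee Brown print MRN005
2013-06-01T09:13 mlee Lee Patel print MRN006
"""

def summarize(log_text):
    """Aggregate the audit trail into per-user counters."""
    users = defaultdict(lambda: {"patients": set(), "prints": 0, "charts": 0,
                                 "break_glass": 0, "same_last_name": set()})
    for line in log_text.splitlines():
        _ts, user, user_last, pt_last, action, mrn = line.split()
        u = users[user]
        u["patients"].add(mrn)
        if action == "print":
            u["prints"] += 1
        elif action == "chart":
            u["charts"] += 1
        elif action == "break_glass":
            u["break_glass"] += 1
        if user_last.lower() == pt_last.lower():
            u["same_last_name"].add(mrn)
    return users

def flag_for_review(users, max_patients=3, max_prints=2):
    """Return {user: [reasons]} for accounts that need a privacy review.
    Thresholds are illustrative; set them per role, work unit and shift."""
    findings = {}
    for user, u in users.items():
        reasons = []
        # An override with no charting afterwards is access that the
        # treatment/payment/operations (TPO) purpose does not explain.
        if u["break_glass"] and u["charts"] == 0:
            reasons.append("break-the-glass access with no charting")
        if len(u["patients"]) > max_patients:
            reasons.append(f"accessed {len(u['patients'])} patient records")
        if u["prints"] > max_prints:
            reasons.append(f"printed {u['prints']} records")
        if u["same_last_name"]:
            reasons.append("viewed patient(s) sharing the user's last name")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in flag_for_review(summarize(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

The flagged list is the starting point for the review the slides describe (job duties, work unit, TPO purpose), not a breach determination by itself.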

Notice of Privacy Practices
- Providers and plans must update NPPs
- Authorization required for disclosure of psychotherapy notes, marketing communications, sale of PHI
- Right to breach notification
- Right to opt out of fundraising
- Right to restrict disclosures to plans
- Most plans cannot use genetic info to make underwriting decisions

Notice of Privacy Practices – General
- Clarifications on delivery of revised NPPs by providers and plans
- More time likely required to change underlying policies and train than to revise NPPs

Attorney/Client Privilege – When to Use it

Investigation
- Central point of contact
- Follow-up
- Set time frames
- Try to complete and notify within a reasonable time (30 days)

Questions?